LC_MAIN and LC_UNIXTHREAD binary types, as long as the pre-text section is large enough for the malicious payload. This method is included in the Backdoor Factory (BDF), which supports x86 and x64 architectures for Mach-O, including LC_MAIN and LC_UNIXTHREAD slices within a FAT file. When patching these binaries one does not need to be concerned with code signing: signature checks are only a function of applications and are enforced by imported dylibs on signed applications. The OS X kernel does not enforce code signing for executable binaries as of the writing of this paper. By default BDF un-signs the binary by dropping the code-signature load command, reducing the load-command count in the header accordingly. This technique has been known for some time.

Binaries patched in this way include:

/sbin/launchd
/usr/libexec/xpcproxy
/usr/sbin/sshd
/usr/bin/awk

launchd is the first process started by the kernel, the OS X counterpart of /sbin/init on Linux. Since launchd executes before other security controls, such as antivirus, whitelisting, and application-based network filters, a backdoor in it can avoid detection. Further, removing an infected launchd binary is troublesome: without launchd, OS X will not boot. An example of the infection process is demonstrated in a video, with the script available on GitHub.

/usr/bin/awk is another target. launchd executes an NTP wrapper script, /bin/sh /usr/libexec/ntpd-wrapper, which calls awk. The script runs with root privileges, and therefore so does awk. See the demo video for the patching of both awk and sshd.
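To make the load-command walk concrete, the following Python is an added example written for this edit; it is neither BDF's code nor part of the original paper. It builds a constructed 64-bit Mach-O with either an LC_MAIN or an LC_UNIXTHREAD entry point plus an LC_CODE_SIGNATURE command, optionally wraps slices in a FAT header, parses the load commands to find the entry point and the size of the pre-text cave in front of __text (which decides whether a payload fits), and un-signs the slice by removing the code-signature load command and fixing the header counts. Constants are from mach-o/loader.h and mach-o/fat.h; build_sample, build_fat and the register/flag values they use are constructed test data (both slices are x86_64, which real lipo output would not duplicate), and only little-endian 64-bit slices are handled.

```python
import struct

# Constants from mach-o/loader.h and mach-o/fat.h
MH_MAGIC_64 = 0xfeedfacf
FAT_MAGIC = 0xcafebabe           # fat header and fat_arch entries are big-endian
LC_SEGMENT_64 = 0x19
LC_UNIXTHREAD = 0x05             # legacy entry: initial thread state, rip = entry address
LC_CODE_SIGNATURE = 0x1d
LC_MAIN = 0x80000028             # modern entry: file offset of main()
X86_THREAD_STATE64 = 4           # flavor; 21 u64 registers, rip is index 16
MH_HEADER_SIZE = 32

def macho_slices(data):
    """Yield (file_offset, bytes) for each architecture slice; a thin file yields itself."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        yield 0, data
        return
    nfat = struct.unpack_from(">I", data, 4)[0]
    for i in range(nfat):
        _cpu, _sub, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        yield off, data[off:off + size]

def parse_macho64(data):
    """Walk the load commands of one 64-bit slice and collect what a patcher needs."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds = struct.unpack_from("<6I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit slices are handled here")
    info = {"ncmds": ncmds, "entry_kind": None, "entry": None, "text_offset": None,
            "codesig": None, "load_cmds_end": MH_HEADER_SIZE + sizeofcmds}
    off = MH_HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64 and data[off + 8:off + 24].rstrip(b"\0") == b"__TEXT":
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            for s in range(nsects):                         # 80-byte section_64 entries
                soff = off + 72 + 80 * s
                if data[soff:soff + 16].rstrip(b"\0") == b"__text":
                    info["text_offset"] = struct.unpack_from("<I", data, soff + 48)[0]
        elif cmd == LC_MAIN:
            info["entry_kind"] = "LC_MAIN"
            info["entry"] = struct.unpack_from("<Q", data, off + 8)[0]
        elif cmd == LC_UNIXTHREAD:                          # cmd, cmdsize, flavor, count, regs
            info["entry_kind"] = "LC_UNIXTHREAD"
            info["entry"] = struct.unpack_from("<Q", data, off + 16 + 16 * 8)[0]   # rip
        elif cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            info["codesig"] = (off, dataoff, datasize)      # off = position of the load command
        off += cmdsize
    if info["text_offset"] is not None:
        # Pre-text cave: padding between the last load command and __text; a payload must fit here.
        info["pretext_cave"] = info["text_offset"] - info["load_cmds_end"]
    return info

def strip_code_signature(data):
    """Un-sign a slice by dropping LC_CODE_SIGNATURE and fixing ncmds/sizeofcmds.
    The signature blob itself stays in __LINKEDIT; nothing references it any more."""
    info = parse_macho64(data)
    if info["codesig"] is None:
        return data
    buf = bytearray(data)
    lc_off = info["codesig"][0]
    cmdsize = struct.unpack_from("<I", buf, lc_off + 4)[0]
    end = info["load_cmds_end"]
    buf[lc_off:end - cmdsize] = buf[lc_off + cmdsize:end]   # slide later commands down
    buf[end - cmdsize:end] = b"\0" * cmdsize                 # zero the vacated tail
    ncmds, sizeofcmds = struct.unpack_from("<2I", buf, 16)
    struct.pack_into("<2I", buf, 16, ncmds - 1, sizeofcmds - cmdsize)
    return bytes(buf)

def build_sample(entry_cmd="LC_MAIN", text_offset=0x1000, text_size=0x40):
    """Constructed x86_64 MH_EXECUTE slice: __TEXT/__text, an entry command, LC_CODE_SIGNATURE."""
    base = 0x100000000
    sect = (b"__text".ljust(16, b"\0") + b"__TEXT".ljust(16, b"\0") +
            struct.pack("<QQIIIIIIII", base + text_offset, text_size, text_offset,
                        4, 0, 0, 0x80000400, 0, 0, 0))
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                      base, 0x2000, 0, 0x2000, 7, 5, 1, 0) + sect
    if entry_cmd == "LC_MAIN":
        entry = struct.pack("<IIQQ", LC_MAIN, 24, text_offset, 0)
    else:
        regs = [0] * 21
        regs[16] = base + text_offset                        # rip points at __text
        entry = (struct.pack("<IIII", LC_UNIXTHREAD, 16 + 21 * 8, X86_THREAD_STATE64, 42) +
                 struct.pack("<21Q", *regs))
    sig = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, text_offset + text_size, 0x100)
    cmds = seg + entry + sig
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 3, len(cmds), 0x200085, 0)
    body = (hdr + cmds).ljust(text_offset, b"\0") + b"\xc3" * text_size   # placeholder code (ret)
    return body.ljust(text_offset + text_size + 0x100, b"\0")           # room for the signature blob

def build_fat(*slices):
    """Constructed fat wrapper, page-aligned as lipo does (slices here share one cputype)."""
    nfat = len(slices)
    out = bytearray(struct.pack(">2I", FAT_MAGIC, nfat) + b"\0" * (20 * nfat))
    for i, s in enumerate(slices):
        off = (len(out) + 0xfff) & ~0xfff
        out.extend(b"\0" * (off - len(out)))
        cputype, cpusubtype = struct.unpack_from("<2I", s, 4)
        struct.pack_into(">5I", out, 8 + 20 * i, cputype, cpusubtype, off, len(s), 12)
        out.extend(s)
    return bytes(out)

if __name__ == "__main__":
    for off, s in macho_slices(build_fat(build_sample("LC_MAIN"), build_sample("LC_UNIXTHREAD"))):
        i, u = parse_macho64(s), parse_macho64(strip_code_signature(s))
        print(f"slice @{off:#x}: {i['entry_kind']} entry {i['entry']:#x}, cave {i['pretext_cave']} bytes, "
              f"signed before/after strip: {i['codesig'] is not None}/{u['codesig'] is not None}")
```

The cave size is the number the text calls the pre-text section: on real binaries it is the linker's padding between the load commands and the start of __text, and it varies by build, so measure it per slice before choosing a payload. Note that the "kernel does not enforce code signing" premise is specific to the OS X releases the paper describes; Apple silicon Macs refuse to run unsigned native executables, so the un-signing step alone is no longer sufficient there.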