Knock Knock! Who’s There? - An NSA VM

by osxreverser

December 17, 2021

https://reverse.put.as/2021/12/17/knock-knock-whos-there/

Notes
NSA Equation Group
Shadow Brokers
reverse engineer
dewdrop
macOS malware
0xOpoSec
BSidesLisbon
slides for the conference presentations were not published because dewdrop was still active at the time of writing
BPF
Project Zero
NSO exploit VM https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
BPF malware
Solaris, Linux, FreeBSD, HP-UX, JunOS, OS X
SIGINT
FX
cd00r
port knocking
rootkits
netstat
magic packet
sniffer
libpcap
callback
gdb
watchdog process
/dev/null
signal handler
core dump
string obfuscation
xor encryption
Unicorn Engine
deobfuscation
Unicorn String Deobfuscator https://github.com/gdbinit/unicorn_string_deobfuscator
Lamberts obfuscation
delambert IDA plugin https://github.com/gdbinit/delambert
code reuse as attribution
shellcode
emulator
Unicorn emulator
The Lamberts
Trammell’s infinite loop trick https://trmm.net/Thunderstrike_31c3/
debugger
EIP
Bindiff
Diaphora
obfuscation to avoid library identification
pcap_compile
bytecode
pcap_setfilter
bpf_program structure
IDA pro
Ethernet DLT_EN10MB
decompiler
bpftools https://github.com/cloudflare/bpftools
Cloudflare
TCP, UDP, ICMP
raw packets
DNS, SMTP, SIP
PIX firewall
SYN packet
RST packet
SMTP HELO
CORDIALFLIMSY - codename for packet format including trigger and payload
RC5 RC6 constant 0x61C88647 https://securelist.com/the-equation-giveaway/75812/
callback address and port
packet capture
Kaspersky Lab
Stephen Checkoway Equation Group RC6 analysis https://web.archive.org/web/20170415153830/https://www.cs.uic.edu/~s/musings/equation-group-rc6/
clang
xcode
gcc
struct pcap used to date the malware sample to ~2007
anti-debugging
internet-wide scanning