Little Snitch Detection in Malware

I’m a security Analyst that does research both for his job and for the fun of it. My main focus is with Mac OSX. This post is going to cover OSX. Same concepts can be applied to Linux and if I feel up to it i’ll add Windows as well.

What is Little Snitch?

Little Snitch tracks connections made by programs. It’s main purpose is to let you decide if a connection out or in is something that you want. This can help block C2’s (command and control servers), tracking, malware keep-alive beacons, etc. This makes for something attackers might want to check to see if it’s running on a host prior to exploiting a system. In my research so far i’ve come across at least two malware strains as well as multiple Metasploit modules that search for Little Snitch running by default, and if it is running or installed the malware or exploit exits. Malware authors, hackers, and professional Red Teamers obviously don’t want to get caught, and OPSEC is of the upmost importance. So to thwart attacks we can go about it in two ways. One we can simply buy and install Little Snitch for around $50. Not to expensive for a little extra security. Two we can fake that we have it, as most malware samples are not very sophisticated. The malware that i’ve seen looking for Little Snitch is Devilrobber and Elanor but also worth mentioning I know Empire also does a check as well.

Is Little Snitch Installed?

I’ve seen a couple of ways that malware goes about looking to see if Little Snitch is present.

Directories

Does a directory exist? In a particular malware sample I was able to see exactly how it looked for Little Snitch. In this particular case it used a bash command ! to see if the directory was present.

$ ! /bin
bash: /bin: Is a directory

In the particular malware case it’s looking for the directory /Library/Little Snitch/. So on OSX

$ ! /Library/Little Snitch/
bash: /Library/Little Snitch/: is a directory

Malware exits.

Files

Does a file exist? In another malware sample i’ve seen it looking for a certain file for Little Snitch Little Snitch.kext

if [-e /Library/Little Snitch/Little Snitch.kext]; then
	exit
fi

Process

A bunch of metasploit modules by default look for Little Snitch. Lets look at Empire as an example

launcherBase += "cmd = \"ps -ef | grep Little\ Snitch | grep -v grep\"\n"

and

launcherBase += "if re.search(\"Little Snitch\", out):\n"

Faking Little Snitch

So as you see we don’t actually need to buy Little Snitch to thwart unsophisticated attacks. We just need to pretend like we have it.

mkdir /Library/Little Snitch/
touch /Library/Little Snitch/Little Snitch.kext
#!/usr/bin/env python
from time import sleep
while True:
sleep(300)

We need to run the python script to ensure it doesn’t show up as a .py file or as /usr/bin/python Little Snitch.py So we’ll need to copy the binary for python to the path for our script

cp /bin/python /Users/<username>/bin/Little\ Snitch

Making Sure Little Snitch is Real

First lets make sure the directory is not empty

#!/usr/bin/env python
from subprocess import call
num_files = call("ls -l <directory> | wc -l", shell=True)
if int(num_files) > 0:
	do something evil
else:
	exit()

Next lets also make sure there is something in these files and they’re not just empty

#!/usr/bin/env python
import os, random
from subprocess import call
file = random.choice(os.listdir("/Library/Little Snitch/"))
not_empty = call("cat /Library/Little Snitch/$file | wc -l")
if int(not_empty) > 10:
	do something evil
else:
	exit()

One of the easiest ways I can think of but again not full proof would be

#!/usr/bin/env python
from subprocess import call
file_exists = call("test /bin/Little Snitch && echo \"found\" || echo \"not found\"")

Now for defensive purposes /bin/ is writable so it could be faked. There are a multitude of examples that malware authors or Red Teamers can do to figure out if Little Snitch is actually installed or not. Other ways could be getting the md5 and comparing it.

Conclusion

As Pen Testers or Red Teamers we need to be careful how we go about our attacks. Defensive security is becoming more aware and the license for Little Snitch is not expensive. Especially when you’re faking it. It’s a total back and forth and as you can see it’s not easy to determine if a program truly exists and if it’s truly running. The best thing to note is in my experience most analyst don’t really pay attention to Little Snitch or have it Silent Mode to allow all connections. I’d imagine it being pretty safe depending on your target to not do the check.

comments powered by Disqus