OverSight: Exposing Spies on macOS


One of the most insidious actions of malware is abusing the video and audio capabilities of an infected host to record an unknowing user. Macs of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, and others, all attempt to spy on OS X users.

And as was recently shown by the author, more advanced malware could piggyback into legitimate webcam sessions in order to covertly record the local user. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection.

After examining various ‘webcam-aware’ OS X malware samples and describing the technical details of the piggyback attack, the talk will dive into OverSight.

OverSight is a free tool that implements various novel protection mechanisms in order to alert Mac users of any code that attempts to access the mic or webcam (even via the stealthy piggyback attack). We’ll dive into the design and technical details of tool, describing various components for the first time.

Following this, we’ll look at an interesting case study, where OverSight discovered that a popular mac application was continuing to record, even when the user turned it off. Yikes!  Finally, the talk will conclude by discussing future trends of both webcam/mic aware macOS malware and defensive detection methodologies. With such insights, we’ll strive to keep macOS users protected and secure!

Location: Track 1 Date: April 14, 2017 Time: 3:00 pm - 4:00 pm Patrick Wardle