Advanced Guide to Understanding OS X Malware

Jun 25, 2014 - 12 Comments

Synack Presentation on Understanding OS X Malware persistence

Note: This is an advanced topic aimed at expert Mac users. Macs are generally thought of as secure, certainly at least compared to the alternative world of Windows. But the reality is that while Macs are generally more secure than Windows, there is still legitimate potential for malware getting through to OS X, despite GateKeeper, XProtect, sandboxing, and code signing. That’s what this excellent presentation from Patrick Wardle, the Director of Research at Synack, a cyber security solutions provider, explains quite well, offering a thoughtful and detailed look of the current security implementations built into OS X, and how they could be circumvented by malicious intent to attack a Mac. Additionally, the Synack overview goes further and provides an open source script called KnockKnock, which displays all OS X binaries that are set to execute upon system boot, potentially helping advanced users to examine and verify if anything shady is running on a Mac.

The excellent document, titled “METHODS of MALWARE PERSISTENCE on OS X”, is broken into five major parts:

  • Background on OS X built-in protection methods, including GateKeeper, Xprotect, sandboxing, and code signing
  • Understanding the Mac boot process, from firmware to OS X
  • Methods of getting code to persistently run on reboot and user log in, including kernel extensions, launch daemons, cron jobs, launched, and startup & login items
  • Specific OS X Malware examples and how they function, including Flashback, Crisis, Janicab, Yontoo, and rogue AV products
  • KnockKnock – an open source utility that scans for dubious binaries, commands, kernel extensions, etc, which can help advanced users in detection and protection

In case it wasn’t already obvious; this is all fairly advanced, aimed at expert users and individuals in the security industry. The average Mac user is not the target audience for this presentation, document, or KnockKnock tool (but they can follow some general tips for Mac malware protection here however). This is a technical document that outlines some very specific potential attack vectors and possible threat entrants to OS X, it’s truly aimed at advanced Mac users, IT workers, security researchers, systems administrators, and developers who want to better understand the risks posed to OS X, and learn ways to detect, protect, and guard against those risks.

The entire Synack Malware presentation is 56 detailed pages long in an 18MB PDF file. Additionally, the KnockKnock python script is available on GitHub for usage and exploration. Both of these are well worth a look for advanced Mac users looking to better understand risks to OS X, pass it along!

Enjoy this tip? Subscribe to the OSXDaily newsletter to get more of our great Apple tips, tricks, and important news delivered to your inbox! Enter your email address below:

Related articles:

Posted by: Paul Horowitz in Mac OS X, Security

12 Comments

» Comments RSS Feed

  1. Paul says:

    For the curious, these were slides to a presentation at Shakacon, an IT security conference in good old Hawaii (don’t you wish you were going to conferences in Hawaii too?)

    More info about Shakacon can be found here:

    http://www.shakacon.org/

    Also, Synack is venture backed, founded by former NSA workers:

    https://www.synack.com/

    Finally, an interesting article from the New York Times discussing Synack and other infosec companies here:

    http://www.nytimes.com/2013/08/23/technology/the-pentagon-as-start-up-incubator.html?pagewanted=all&_r=0

  2. Anonymous says:

    This is great Paul, thanks for the heads up. This will hopefully serve as a wakeup call to complacency derived from being constantly told “the Mac doesn’t get viruses”.

    I just hope people don’t delete important binaries that are meant to start up ;-)

    • AJ says:

      No kidding, but I think the article has plenty of mentions for “advanced” users to hopefully prevent the average Joe from dumping kexts at random.

  3. Chris Cheng says:

    Very interesting read. Thanks for this.

  4. patrick wardle says:

    Mahalo for the great writeup about my talk and linking to the slides/KnockKnock! I hope they provide some detailed insight into the world of OS X malware and that KnockKnock can help us all keep our Macs secure. I’m working on a GUI version so that it’s a little more user friendly – stay tuned!

    • Paul says:

      Thanks for the excellent presentation and slides Patrick! Please do keep us posted about a GUI version of KnockKnock, that would be fantastic!

    • Howard says:

      For those of us not familiar with Python, can you kindly give instructions on what to do with the files once the “knockknock-master.zip” is unzipped. Many thanks!

      • dn says:

        prefix the script with python command like this:

        python knockknock.py

        “python knockknock.py -h” will display the help data

        This is best for experienced command line users at the moment, if the producer is making a GUI app most should wait for that.

  5. Lonny says:

    Can you shed any light on ZEOBIT Mackeeper software ads ? When you get those ads does it mean that your MAC is also infected ?

    • PH says:

      No, the MacKeeper ads do not mean you’re infected with anything, it’s just simple ad targeting technology. Basically they are paying for ads that are geared towards Mac users running various versions of OS X, their target audience. Kind of like Nike targeting ads to people who are looking for shoes, or Amazon using ad targeting to show you ads for stuff you were browsing on their site for.

      I have no direct experience with MacKeeper so it’s hard to say much about their app, but I’ve found that many of the third party anti-malware and anti-virus apps are unnecessary for my own uses. Sophos offers a free anti-virus app for Mac http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx but since there aren’t many viruses it’s not really that useful either. If anyone has direct experience with MacKeeper it would be good to hear, I believe they charge a fee for the service.

      Just take precautions, like don’t use Java, Flash, don’t download and install random stuff you don’t trust, don’t join untrusted networks if you’re going to do banking, etc, those will keep you fairly secure. And update your Mac system software through Apple when updates are available too.

  6. OT says:

    One of the top sites on Mac Malware and Adware and their prevention and removal is http://www.thesafemac.com/.

  7. adam says:

    Nice News,
    Thanks

Leave a Reply

 

Shop for Apple & Mac Deals on Amazon.com

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates