Advanced Guide to Understanding Mac OS X Malware
Note: This is an advanced topic aimed at expert Mac users. Macs are generally thought of as secure, certainly at least compared to the alternative world of Windows. But the reality is that while Macs are generally more secure than Windows, there is still legitimate potential for malware getting through to Mac OS X, despite GateKeeper, XProtect, sandboxing, and code signing.
That’s what this excellent presentation from Patrick Wardle, the Director of Research at Synack, a cyber security solutions provider, explains quite well, offering a thoughtful and detailed look of the current security implementations built into Mac OS X, and how they could be circumvented by malicious intent to attack a Mac.
Additionally, the Synack overview goes further and provides an open source script called KnockKnock, which displays all Mac OS X binaries that are set to execute upon system boot, potentially helping advanced users to examine and verify if anything shady is running on a Mac.
The excellent document, titled “METHODS of MALWARE PERSISTENCE on OS X”, is broken into five major parts:
- Background on Mac OS X built-in protection methods, including GateKeeper, Xprotect, sandboxing, and code signing
- Understanding the Mac boot process, from firmware to Mac OS X
- Methods of getting code to persistently run on reboot and user log in, including kernel extensions, launch daemons, cron jobs, launched, and startup & login items
- Specific Mac OS X Malware examples and how they function, including Flashback, Crisis, Janicab, Yontoo, and rogue AV products
- KnockKnock – an open source utility that scans for dubious binaries, commands, kernel extensions, etc, which can help advanced users in detection and protection
In case it wasn’t already obvious; this is all fairly advanced, aimed at expert users and individuals in the security industry. The average Mac user is not the target audience for this presentation, document, or KnockKnock tool (but they can follow some general tips for Mac malware protection here however).
This is a technical document that outlines some very specific potential attack vectors and possible threat entrants to Mac OS X, it’s truly aimed at advanced Mac users, IT workers, security researchers, systems administrators, and developers who want to better understand the risks posed to Mac OS X, and learn ways to detect, protect, and guard against those risks.
- Synack Presentation: OS X Malware Persistence (direct PDF doc link)
- KnockKnock: script to display persistent binaries that are set to execute on OS X boot (open source on Github)
The entire Synack Malware presentation is 56 detailed pages long in an 18MB PDF file.
Additionally, the KnockKnock python script is available on GitHub for usage and exploration.
Both of these are well worth a look for advanced Mac users looking to better understand risks to Mac OS X, pass it along!
Thanks for all this, Im so glad I stumbled across this. Except as you’ve stated, this is meant for advanced users. And yes true, Mac’s dont tend to get virus’, however whose to say that if one did it would neccesarly happen to an advanced user? what then? Because I have been trying to deal with this situation for almost 2 years, and I promise its not some bad link I clicked on, or even malware or adware, of the engineers and mac experts I have talked to, this is something no one has ever seen and seemingly shouldn’t be possible. Ive come a long way but Im far from advanced. But it is virtually impossible to find help, because Im not a large company or a developer no one will even so much as look at my Mac. which is really all it would take, 5 minutes and its apparent, all my browsers all my users, invalid certificates… Ive done 5 erase reinstalls of OS X ( from servers) without putting anything back on from back up( apple store did 3 for me) changed ISP companies 4 times, completely new email address’, new apple ID, new passwords, new computer! the last one completely taken over…. to was forensically diagnosed to have been remotely accessed then when we replaced the hard drive, we went to try to investigate the infected one, and it was locked up with a encrypted passcode from firevault that I never put on it. no ones been able to access it since. the new hard drive same things started happening, and eventually it completely just was fried. Now my new Macair, same story…. Apple can’t explain it, Ie worked with kaspersky, F-Secure ( they wanted me to mail them my computer) Ive tried filing a police report, it somehow got “lost” ,Im connecting to a proxy somehow without being configured to do so, and with an ISP that doesn’t support proxy servers. However from their end everything looks great.
I do have good reason to suspect I know a who and a why, and they’d have resources very powerful.
I suppose y question in , what does someone like me do? I don’t know how to write code and all that, python somehow is installed on my mac, I didn’t instal it. Just like theres files upon files, password protected archives in my user folder under “iTunesControl” that my virus scanner can’t scan because I don’t have the password. almost every browser, every website every user, I get invalid cert. Im talking root certificates SHA 2,3, 256 from Microsoft, Versign. etc.
I need some help, and would think someone would be interested in how this is happening its so rare. Im told my only hope is an external firewall of the not so “buy in the store” type.
One of the top sites on Mac Malware and Adware and their prevention and removal is http://www.thesafemac.com/.
Can you shed any light on ZEOBIT Mackeeper software ads ? When you get those ads does it mean that your MAC is also infected ?
No, the MacKeeper ads do not mean you’re infected with anything, it’s just simple ad targeting technology. Basically they are paying for ads that are geared towards Mac users running various versions of OS X, their target audience. Kind of like Nike targeting ads to people who are looking for shoes, or Amazon using ad targeting to show you ads for stuff you were browsing on their site for.
I have no direct experience with MacKeeper so it’s hard to say much about their app, but I’ve found that many of the third party anti-malware and anti-virus apps are unnecessary for my own uses. Sophos offers a free anti-virus app for Mac http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx but since there aren’t many viruses it’s not really that useful either. If anyone has direct experience with MacKeeper it would be good to hear, I believe they charge a fee for the service.
Just take precautions, like don’t use Java, Flash, don’t download and install random stuff you don’t trust, don’t join untrusted networks if you’re going to do banking, etc, those will keep you fairly secure. And update your Mac system software through Apple when updates are available too.
Mahalo for the great writeup about my talk and linking to the slides/KnockKnock! I hope they provide some detailed insight into the world of OS X malware and that KnockKnock can help us all keep our Macs secure. I’m working on a GUI version so that it’s a little more user friendly – stay tuned!
Thanks for the excellent presentation and slides Patrick! Please do keep us posted about a GUI version of KnockKnock, that would be fantastic!
For those of us not familiar with Python, can you kindly give instructions on what to do with the files once the “knockknock-master.zip” is unzipped. Many thanks!
prefix the script with python command like this:
“python knockknock.py -h” will display the help data
This is best for experienced command line users at the moment, if the producer is making a GUI app most should wait for that.
Very interesting read. Thanks for this.
This is great Paul, thanks for the heads up. This will hopefully serve as a wakeup call to complacency derived from being constantly told “the Mac doesn’t get viruses”.
I just hope people don’t delete important binaries that are meant to start up ;-)
No kidding, but I think the article has plenty of mentions for “advanced” users to hopefully prevent the average Joe from dumping kexts at random.
For the curious, these were slides to a presentation at Shakacon, an IT security conference in good old Hawaii (don’t you wish you were going to conferences in Hawaii too?)
More info about Shakacon can be found here:
Also, Synack is venture backed, founded by former NSA workers:
Finally, an interesting article from the New York Times discussing Synack and other infosec companies here: