The Empty OS X Security Toolbox: Mac Malware Persistence Is Scary Easy

By Owen Lystrup
Posted on April 24, 2015
Updated on October 15, 2020

As illustrated recently, Apple is growing its share of the PC economy, making it inevitable for attackers to target Mac users more. To avoid getting caught, malware needs to maintain persistence. And in OS X, it’s incredibly easy.
Most major antivirus software companies have an offering for virus and malware detection in OS X. Sophos, ESET, Symantec, Bitdefender, and others all offer scanning and detection for Mac. However, Synack, Inc. Director of Research Patrick Wardle showed at RSA 2015 how he built a practical test to see which malware solutions were up to the task.
Results were pretty startling. None of them caught his malware. Not one of the major antivirus or anti-malware companies’ solutions alerted to–let alone blocked–its install or the malware’s persistence. The only major provider Wardle did not test was McAfee, he said.
Malicious persistence is essentially the act of making code, scripts, or apps launch or execute after rebooting, and not getting caught. This is essential to malware, because malware foiled by rebooting would be mostly useless.
Apple’s Built-In Protection
Apple has a number of malware and virus protections written into OS X, which is part of why Macs are typically regarded as safer than Windows machines. But it’s also due to Apple’s marketing and an incorrect mindset. “Apple used to have a slogan on their web sites that said ‘Macs don’t get viruses,’ [which is] not true,” Wardle said. “They just don’t get PC viruses.”
Without going into each one of a Mac’s built-in security features in detail, the components in question are: Gatekeeper, XProtect, the OS X (app) Sandbox, and code signing. There are other security features in OS X as well; the Mac firewall, FileVault, and Parental Controls are some examples. These protections operate at different levels to prevent attackers or malicious software from doing things they’re not supposed to. Wardle’s research is disconcerting because the exploits found in it affect the most basic levels of OS X.
Apple’s Built-In Fail
Some of these built-in defenses need merely an OS settings change, recompiling of a kext entry, or a change in an app’s name to allow the malware to install, get root access, and persist despite updates or reboots.
A single example, out of the 20 or so scenarios Wardle demonstrated, is getting a malicious app to run while appearing legitimate. And in OS X it’s easy. How easy?
“It’s trivial,” Wardle said.
Apps that run in OS X have a hash that verifies their legitimacy. Apps are signed through the development process using a developer’s key. Unlike in iOS, OS X allows apps that are unsigned to run without blocking them. So how does an attacker compromise an app and make it look legitimate to the OS? Simply remove the signature.

[Figure 5: image from Virus Bulletin.]

Wardle explained how easy it is for attackers to bypass the app signing feature. In fact, the change required is so easy that high school students explained how it works (in Windows) during BSides Huntsville. Just one example method is to remove the signature from what’s called the LC_CODE_SIGNATURE block in a kext file, which essentially turns off the signature verification. Recall the car key analogy. When an attacker can unsign an application like Safari–for example–using this technique, it’s like not even needing a key to start the car’s engine.
“This is a rather big security issue,” Wardle said in his written report. “As any signed application can be unsigned, then infected with viral code, and [it] will still be allowed to execute.”
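As an added example (not code from the post, from Virus Bulletin, or from Wardle's tools), here is a defender-side check in Python that walks a Mach-O image's load commands and reports whether an LC_CODE_SIGNATURE command is present at all, which is exactly what an "unsigned" binary lacks. The layout follows Apple's <mach-o/loader.h>; the sample headers are constructed inline and are not a real binary.

```python
import struct

# Constants from Apple's <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE          # 32-bit thin Mach-O, little-endian hosts
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit thin Mach-O
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D       # linkedit_data_command pointing at the signature blob
LC_REQ_DYLD = 0x80000000       # flag bit OR'ed into commands dyld must understand

def load_commands(data: bytes):
    """Yield (cmd, cmdsize, offset) for every load command in a thin Mach-O image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian thin Mach-O (fat files need slicing first)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = header_size, header_size + sizeofcmds
    if end > len(data):
        raise ValueError("load command table runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        yield cmd & ~LC_REQ_DYLD, cmdsize, off
        off += cmdsize

def code_signature_status(data: bytes):
    """Return (present, dataoff, datasize); present is False when the image carries
    no LC_CODE_SIGNATURE command at all, i.e. it was never signed or was unsigned."""
    for cmd, cmdsize, off in load_commands(data):
        if cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            return True, dataoff, datasize
    return False, 0, 0

def build_sample(signed: bool) -> bytes:
    """Constructed 64-bit Mach-O header with one __LINKEDIT segment and, optionally,
    an LC_CODE_SIGNATURE command. Sample data for the demo only, not a real binary."""
    cmds = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, b"__LINKEDIT",
                       0, 0, 0, 0, 0, 0, 0, 0)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         2 if signed else 1, len(cmds), 0, 0)
    return header + cmds
```

A missing LC_CODE_SIGNATURE is only the cheapest signal; checking that a signature which is present actually matches the binary and chains to Apple is what `codesign --verify` does, so use this as a triage filter, not a replacement.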
Though most users might say they have never had a virus on a Mac, assuming this is all as possible and as easy as it seems, the scary part is they might have and would never know it.
Again, this was just one of Wardle’s exploit examples. One out of 20 or so others.
How to Protect Your Mac
If everything Wardle demonstrated is true, and the major antivirus providers do not have an adequate solution to detect simple but dangerous attacks like privilege escalation, software hijacking, rootkit installs, and so on, enterprises with a Mac population should ensure they are equipped to monitor network traffic properly. Most malware detection operates primarily by some sort of hash checking or inspection. As in the methods described earlier, if attackers can change hashes quickly and fairly effortlessly, malware detection scanners likely won’t catch them.
Wardle has written a couple of custom tools to help with this and other OS X security flaws. And this year he debuted a UI for the tool, which originally had to run via a Python script in Terminal. “KnockKnock” and “BlockBlock” are tools Wardle says can detect when malware is installed or trying to persist in the operating system.
If these tools work well, they could be a valuable addition to monitoring for and preventing harmful malware changes and attacks. Pairing the two with scrupulous network traffic monitoring and enforcement would yield useful indicators of any malicious activity on OS X hosts.
Though they might not be perfect, proper use of the security precautions that are there–like Gatekeeper, FileVault, the Mac firewall, and File Quarantine–and other tools like Little Snitch couldn’t hurt.

Also, keep the antivirus. Though most or all solutions are circumventable, they will catch more than not having any at all, even if just barely.
