As illustrated recently, Apple is growing its share of the PC economy, making it inevitable for attackers to target Mac users more. To prevent getting caught, malware needs to maintain persistence. And in OS X, it’s incredibly easy.
Most major antivirus software companies have an offering for virus and malware detection in OS X. Sophos, eSET, Symantec, Bitdefender, and others all offer scanning and detection for Mac. However, Synack, Inc. Director of Research Patrick Wardle displayed at RSA 2015 how he built a practical test to see which malware solutions were up to the task.
Results were pretty startling. None of them caught his malware. Not one of the major antivirus or anti-malware companies’ solutions alerted to–let alone blocked–its install or the malware’s persistence. The only major provider Wardle did not test was McAfee, he said.
Malicious persistence is essentially the act of making code, scripts, or apps launch or execute after rebooting, and not getting caught. This is essential to malware, because malware foiled by rebooting would be mostly useless.
Apple’s Built-In Protection
Apple has a number of malware and virus protections written into OS X, which is part of why Macs are typically regarded as safer than Windows machines. But it’s also due to Apple’s marketing and an incorrect mindset. “Apple used to have a slogan on their web sites that said ‘Macs don’t get viruses,’ [which is] not true,” Wardle said. “They just don’t get PC viruses.”
Without going into each one of a Mac’s built-in security features in detail, the components in question are: Gatekeeper, XProtect, the OS X (app) Sandbox, and code signing. There are other security features in OS X as well; the Mac firewall, FileVault, and Parental Controls are some examples. These protections operate at different levels to prevent attackers or malicious software from doing things they’re not supposed to. Wardle’s research is disconcerting because the exploits found in it affect the most basic levels of OS X.
Apple’s Built-In Fail
Some of these built-in defenses need merely an OS settings change, recompiling of a kext entry, or a change in an app’s name to allow the malware to install, get root access, and persist despite updates or reboots.
A single example, out of the 20 or so scenarios Wardle demonstrated, is getting a malicious app to run while appearing legitimate. And in OS X it’s easy. How easy?
“It’s trivial,” Wardle said.
Apps that run in OS X have a hash that verifies their legitimacy. Apps are signed through the development process using a developer’s key. Unlike in iOS, OS X allows apps that are unsigned to run without blocking them. So how does an attacker compromise an app and make it look legitimate to the OS? Simply remove the signature.

Wardle explained how easy it is for attackers to bypass the app signing feature. In fact, the change required is so easy that high school students explained how it works (in Windows) during BSides Huntsville. Just one example method is to remove the signature from what’s called the LC_CODE_SIGNATURE block in a kext file, which essentially turns off the signature verification. Recall the car key analogy. When an attacker can unsign an application like Safari–for example–using this technique, it’s like not even needing a key to start the car’s engine.
“This is a rather big security issue,” Wardle said in his written report. “As any signed application can be unsigned, then infected with viral code, and [it] will still be allowed to execute.”
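One defensive check that follows from the above is to look for binaries that carry no LC_CODE_SIGNATURE load command at all. The following parser is an added example, not Wardle’s code or part of his tools; it walks the load-command table of a thin, little-endian Mach-O and reports whether a signature block is present, using constructed header fixtures rather than real binaries so it runs anywhere.

```python
import struct

# Mach-O constants from Apple's <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
MH_MAGIC = 0xFEEDFACE
LC_SEGMENT_64 = 0x19
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D

def load_commands(blob):
    """Yield (cmd, cmdsize) for each load command of a thin little-endian Mach-O.

    Fat (universal) binaries and big-endian images are rejected with ValueError;
    in a real scan you would split the fat file into slices first.
    """
    if len(blob) < 28:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == MH_MAGIC_64:
        hdr_len = 32          # 64-bit header has an extra 'reserved' field
    elif magic == MH_MAGIC:
        hdr_len = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (magic 0x%08x)" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, 16)
    off, end = hdr_len, hdr_len + sizeofcmds
    if end > len(blob):
        raise ValueError("sizeofcmds runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:   # refuse to walk off the table
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        yield cmd, cmdsize
        off += cmdsize

def has_code_signature(blob):
    """True if any load command is LC_CODE_SIGNATURE (presence only, not validity)."""
    return any(cmd == LC_CODE_SIGNATURE for cmd, _ in load_commands(blob))

def build_macho(cmds):
    """Constructed fixture: a 64-bit header plus zero-filled load commands. Not runnable code."""
    body = b"".join(struct.pack("<II", c, s) + b"\0" * (s - 8) for c, s in cmds)
    # magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 3, 2, len(cmds), len(body), 0, 0)
    return hdr + body

SIGNED = build_macho([(LC_SEGMENT_64, 72), (LC_UUID, 24), (LC_CODE_SIGNATURE, 16)])
UNSIGNED = build_macho([(LC_SEGMENT_64, 72), (LC_UUID, 24)])
```

Absence of the load command is a reliable "unsigned" signal, but its presence says nothing about whether the signature still verifies; for that, `codesign --verify` on the host is the authoritative check.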
Though most users might say they have never had a virus on a Mac, assuming this is all possible and easy as it seems, the scary part is they might have and would never know it.
Again, this was just one of Wardle’s exploit examples. One out of 20 or so others.
How to Protect Your Mac
If everything Wardle demonstrated is true, and the major antivirus providers do not have an adequate solution to detect simple but dangerous attacks like privilege escalation, software hijacking, rootkit installs, and so on, enterprises with a Mac population should ensure they are equipped to monitor network traffic properly. Most malware detection operates primarily by some sort of hash checking or inspection. As in the methods described earlier, if attackers can change hashes quickly and fairly effortlessly, malware detection scanners likely won’t catch them.
Wardle has written a couple of custom tools to help with this and other OS X security flaws. And this year he debuted a UI for the tool, which originally had to run via a Python script in Terminal. “Knock Knock” and “Block Block” are tools Wardle says can detect when malware is installed or trying to persist in the operating system.
If these tools work well, they could be a valuable addition to monitoring for and preventing harmful malware changes and attacks. Pairing the two with scrupulous network traffic monitoring and enforcement would yield useful indicators of any malicious activity on OS X hosts.
Though they might not be perfect, proper use of the security precautions that are there–like Gatekeeper, FileVault, the Mac firewall, and File Quarantine–and other tools like Little Snitch couldn’t hurt.
Also, keep the antivirus. Though most or all solutions are circumventable, they will catch more than not having any at all, even if just barely.