The Empty OS X Security Toolbox: Mac Malware Persistence Is Scary Easy

Owen Lystrup
Updated: October 15, 2020 • 4 minute read

As recently illustrated, Apple is growing its share of the PC economy, making it inevitable that attackers will target Mac users more. To avoid getting caught, malware needs to maintain persistence. And in OS X, that is incredibly easy.
Most major antivirus companies have an offering for virus and malware detection on OS X. Sophos, ESET, Symantec, Bitdefender, and others all offer scanning and detection for Mac. However, Synack, Inc. Director of Research Patrick Wardle showed at RSA 2015 how he built a practical test to see which malware solutions were up to the task.
The results were pretty startling. None of them caught his malware. Not one of the major antivirus or anti-malware companies’ solutions alerted on, let alone blocked, its install or the malware’s persistence. The only major provider Wardle did not test was McAfee, he said.
Malicious persistence is essentially the act of making code, scripts, or apps launch or execute after a reboot without getting caught. This is essential to malware, because malware that is foiled by a reboot would be mostly useless.
Apple’s Built-In Protection
Apple has a number of malware and virus protections written into OS X, which is part of why Macs are typically regarded as safer than Windows machines. But that reputation is also due to Apple’s marketing and an incorrect mindset. “Apple used to have a slogan on their web sites that said ‘Macs don’t get viruses,’ [which is] not true,” Wardle said. “They just don’t get PC viruses.”
Without going into each of a Mac’s built-in security features in detail, the components in question are Gatekeeper, XProtect, the OS X (app) Sandbox, and code signing. There are other security features in OS X as well; the Mac firewall, FileVault, and Parental Controls are some examples. These protections operate at different levels to prevent attackers or malicious software from doing things they are not supposed to. Wardle’s research is disconcerting because the exploits it describes affect the most basic levels of OS X.
Apple’s Built-In Fail
Some of these built-in defenses need merely an OS settings change, the recompiling of a kext entry, or a change in an app’s name to allow the malware to install, get root access, and persist despite updates or reboots.
A single example, out of the 20 or so scenarios Wardle demonstrated, is getting a malicious app to run while appearing legitimate. And in OS X it’s easy. How easy?
“It’s trivial,” Wardle said.
Apps that run in OS X have a hash that verifies their legitimacy. Apps are signed during the development process using a developer’s key. Unlike iOS, OS X allows unsigned apps to run without blocking them. So how does an attacker compromise an app and make it look legitimate to the OS? Simply remove the signature.

[Figure 5 (Wardle): image from Virus Bulletin.]

Wardle explained how easy it is for attackers to bypass the app signing feature. In fact, the change required is so easy that high school students explained how it works (on Windows) during BSides Huntsville. One example method is to remove the signature from what is called the LC_CODE_SIGNATURE block in a kext file, which essentially turns off signature verification. Recall the car key analogy: when an attacker can unsign an application like Safari, for example, using this technique, it’s like not even needing a key to start the car’s engine.
“This is a rather big security issue,” Wardle said in his written report. “As any signed application can be unsigned, then infected with viral code, and [it] will still be allowed to execute.”
Though most users might say they have never had a virus on a Mac, if all of this is as possible and easy as it seems, the scary part is that they might have had one and would never know it.
Again, this was just one of Wardle’s exploit examples. One out of 20 or so others.
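As an added example (not from the post and not one of Wardle’s tools), the Python below walks the load commands of a 64-bit Mach-O image and reports whether an LC_CODE_SIGNATURE command is present and actually points at a signature blob inside the file; that is the kind of inventory check a defender can run over binaries and kexts on a host to find images whose signature has gone missing. LC_CODE_SIGNATURE is a standard Mach-O load command; the two images the script parses are constructed in the script itself, and their layout (one __TEXT segment, a 32-byte placeholder blob) is an assumption for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF      # 64-bit little-endian Mach-O magic
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D      # linkedit_data_command: (cmd, cmdsize, dataoff, datasize)
HEADER_SIZE = 32              # sizeof(struct mach_header_64)

def load_commands(data):
    """Yield (cmd, cmdsize, offset) for each load command, refusing malformed sizes."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    off, end = HEADER_SIZE, HEADER_SIZE + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load commands run past end of file")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        yield cmd, cmdsize, off
        off += cmdsize

def signature_status(data):
    """'signed' when LC_CODE_SIGNATURE points at a blob inside the file, 'dangling' when
    the command exists but the blob does not, 'unsigned' when the command is absent."""
    for cmd, cmdsize, off in load_commands(data):
        if cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            _, _, dataoff, datasize = struct.unpack_from("<4I", data, off)
            if datasize == 0 or dataoff + datasize > len(data):
                return "dangling"
            return "signed"
    return "unsigned"

def build_sample(signed):
    """Constructed sample (not a real binary): header, one __TEXT segment, optional signature."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT", 0, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    cmds = seg
    if signed:
        dataoff = HEADER_SIZE + len(seg) + 16      # blob placed right after the load commands
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, dataoff, 32)
    ncmds = 2 if signed else 1
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    image = header + cmds
    return image + bytes(32) if signed else image   # 32 zero bytes stand in for the blob
```

Run `signature_status(open(path, "rb").read())` over a directory of binaries to list the ones that come back "unsigned" or "dangling"; a real verification of the blob's contents still needs codesign or the kernel's own check.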
How to Protect Your Mac
If everything Wardle demonstrated is true, and the major antivirus providers do not have an adequate solution to detect simple but dangerous attacks like privilege escalation, software hijacking, rootkit installs, and so on, enterprises with a Mac population should ensure they are equipped to monitor network traffic properly. Most malware detection operates primarily by some sort of hash checking or inspection. As in the methods described earlier, if attackers can change hashes quickly and fairly effortlessly, malware detection scanners likely won’t catch them.
Wardle has written a couple of custom tools to help with this and other OS X security flaws, and this year he debuted a UI for the tool, which originally had to be run as a Python script in Terminal. KnockKnock and BlockBlock are tools Wardle says can detect when malware is installed or is trying to persist in the operating system.
If these tools work well, they could be a valuable addition to monitoring for and preventing harmful malware changes and attacks. Pairing the two with scrupulous network traffic monitoring and enforcement would yield useful indicators of any odious activity on OS X hosts.
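For the persistence definition given earlier and the kind of check KnockKnock performs, here is an added Python example (not Wardle’s code and not the post’s own) that parses launchd property lists and flags self-starting items with suspicious traits: an interpreter in place of a compiled binary, references to user-writable paths, or an Apple-style label installed from a per-user LaunchAgents folder. The two plists are constructed samples embedded in the script, and the heuristics and path lists are assumptions for illustration, not a complete detection rule set.

```python
import plistlib

# Constructed sample launchd plists (not real malware), keyed by where they would live on disk.
SAMPLES = {
    "/Library/LaunchDaemons/com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>Program</key><string>/usr/local/libexec/backupd</string>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/com.apple.updatehelper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.updatehelper</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string><string>/Users/alice/.cache/helper.sh</string></array>
<key>KeepAlive</key><true/>
</dict></plist>""",
}

# Paths writable without root (assumed list): a self-starting item pointing here deserves a second look.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python"}

def parse_launchd_item(path, xml_bytes):
    """Reduce one launchd plist to the fields that matter for persistence triage."""
    p = plistlib.loads(xml_bytes)
    args = list(p.get("ProgramArguments") or [])
    program = p.get("Program") or (args[0] if args else "")
    return {"path": path, "label": p.get("Label") or "", "program": program, "args": args,
            "autostart": bool(p.get("RunAtLoad")) or bool(p.get("KeepAlive"))}

def triage(items):
    """Return (label, reasons) for every item that starts by itself and shows a suspicious trait."""
    findings = []
    for it in items:
        if not it["autostart"]:
            continue  # only items launchd starts on its own count as persistence
        reasons = []
        if it["program"] in INTERPRETERS:
            reasons.append("launches an interpreter rather than a compiled binary")
        if any(a.startswith(USER_WRITABLE) for a in [it["program"], *it["args"]]):
            reasons.append("references a user-writable path")
        if it["path"].startswith(USER_WRITABLE) and it["label"].startswith("com.apple."):
            reasons.append("Apple-looking label installed from a per-user LaunchAgents folder")
        if reasons:
            findings.append((it["label"], reasons))
    return findings

def scan_samples():
    """Run triage over the embedded samples; the benign daemon is silent, the agent is flagged."""
    return triage(parse_launchd_item(p, x) for p, x in SAMPLES.items())
```

On a live host, feed the same functions the files under /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents, and compare successive runs to spot new arrivals after an install or reboot.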
Though they might not be perfect, proper use of the security precautions that are already there, like Gatekeeper, FileVault, the Mac firewall, and File Quarantine, and other tools like Little Snitch couldn’t hurt.

Also, keep the antivirus. Though most or all solutions are circumventable, they will catch more than not having any at all, even if just barely.
