Writing Advanced OS X Malware an ‘Elegant’ Solution to Improving Detection

OS X security researcher Patrick Wardle is expected at Black Hat to demonstrate how to write advanced Mac malware, including Gatekeeper and Xprotect bypasses, in hopes of raising awareness to the current state of OS malware detection.

Patrick Wardle has one word for today’s generation of Mac OS X malware: lame.

Sure, there are advanced samples out there developed by nation-state-sponsored groups or commercial surveillance vendors such as Hacking Team, but for the most part, Wardle says, we're still talking about malware consisting of standalone binaries that are easily detectable and remind him of 10-to-15-year-old Windows malware.

So year 2000.

Wardle, director of research at security company Synack and a former NSA exploitation and vulnerability analyst, believes that lack of sophistication is leading to complacency from security vendors—and Apple—in building in advanced detection capabilities that focus on Mac malware.

Next week at the Black Hat conference in Las Vegas, Wardle plans to demonstrate how relatively simple it is to write an advanced Mac OS X malware sample. He hopes the talk puts vendors on notice that, yes, while Windows is still the predominant attack target for hackers, more attention needs to be turned toward the Apple side of the house.

“In my opinion the majority of Mac malware we see currently is very amateur and prosaic,” Wardle said. “To draw a parallel, it’s almost where Windows malware was 10 to 15 years ago. Pretty much all the samples I see are all standalone binaries. They may have Dylib modules, but persist as standalone executables. Generally if you fire up Activity Monitor, you can see the malware running, which in my opinion is pretty lame.”

Wardle said he was bothered by a conversation he had with a vendor during the RSA Conference this spring, when he was told that the vendor's Windows product had advanced heuristics for detecting malware while its Mac OS X product did not.

“I know there’s Mac malware out there that we don’t know about and if the security tools aren’t as advanced and aggressive as they are on the Windows side, we’re going to be missing some of the advanced threats out there,” Wardle said. “The goal of my talk is really to show how easy it is to write Mac malware that’s more stealthy, more complex, more difficult to detect, more difficult to disinfect, and hopefully create more awareness.”

Wardle is known for his OS X security research. At the CanSecWest conference, he explained different attacks that abuse dylibs in OS X for many of the same outcomes as with Windows: persistence; process injection; security feature bypass (in this case, Apple Gatekeeper); and remote exploitation. And at RSA, he dove deeper into exploits he’s developed that bypass not only Gatekeeper, but also Xprotect on OS X systems.

“Problem with this is Apple and the [security] companies aren’t necessarily as proactive as they could be,” Wardle said. “I’m sure there is advanced Mac malware out there. There’s known unknowns that we haven’t detected or found yet, and my concern is that we’re content with the way security tools are now because they detect what we know, and the known malware isn’t really that sophisticated.”

Wardle insists that Mac malware lacks some of the elegance of Windows malware, and that this holds even for better-known samples such as WireLurker or Hacking Team's Remote Control System backdoor for OS X.

“While feature-complete, they do provide the attacker what they need, usually remote access to a box. But the way the malware is implemented, the way it persists, the way it protects itself, is very basic,” Wardle said. “Things are packed with UPX, which is really trivial to unpack, if it’s packed at all. Most malware on Windows is packed, while on Macs it is not.”

Wardle said that some malware samples persist on OS X as a launch agent or launch daemon, the OS X analogue of Windows malware persisting as a Windows service.

“This means the malware may create a new executable on the system, which is easy to detect and prevent,” he said, adding that dylib hijacking offers stealthier persistence because a hijacked dylib loads inside an existing, legitimate process instead of showing up as a separate entry in the OS X Activity Monitor.

Wardle is also expected to shoot some holes in the security features expected in OS X 10.11, also known as El Capitan. He said he will demonstrate how he was able to repackage a known OS X malware sample and, with user intervention, get it to execute and infect El Capitan, sidestepping Gatekeeper and Xprotect once again. Wardle also said he will share some homegrown security tools he built and runs on his own machines: one enumerates everything that automatically starts on an OS X machine and filters out binaries that carry a verifiable Apple signature; another watches the autorun locations that malware favors for persistence and, firewall-like, raises an alert whenever something tries to install itself in one of them.
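The launch-agent and launch-daemon persistence described above, and the kind of autostart triage the article attributes to Wardle's tools, can be illustrated with a small script. This is an added example written for this page, not Wardle's own tool and not code from his talk. It parses the plists launchd reads from the standard autorun directories, pulls out the executable each job would run, and flags anything that does not verify against Apple's own signing anchor. The sample plist is constructed for the example; the `codesign --verify -R '=anchor apple'` requirement check is the assumed way to ask "is this signed by Apple itself" (Developer ID-signed third-party code deliberately does not pass it), and it is only attempted where `codesign` exists, so on non-macOS hosts the verdict is reported as unknown rather than guessed.

```python
import plistlib
import shutil
import subprocess
from pathlib import Path
from typing import Dict, List, Optional


def launchd_dirs() -> List[Path]:
    """launchd autorun locations on OS X. The /System dirs hold Apple-shipped
    jobs; the user and /Library dirs are where third-party (and malicious)
    agents and daemons are dropped."""
    return [
        Path.home() / "Library/LaunchAgents",
        Path("/Library/LaunchAgents"),
        Path("/Library/LaunchDaemons"),
        Path("/System/Library/LaunchAgents"),
        Path("/System/Library/LaunchDaemons"),
    ]


def program_from_plist(data: bytes) -> Dict[str, object]:
    """Extract what a launchd job actually executes from its plist bytes.

    launchd takes the executable from `Program`, otherwise from
    `ProgramArguments[0]`; `RunAtLoad` / `KeepAlive` mean the job starts
    without any user action, which is what a persistence mechanism wants.
    """
    job = plistlib.loads(data)
    program = job.get("Program")
    if program is None:
        args = job.get("ProgramArguments") or []
        program = args[0] if args else None
    return {
        "label": job.get("Label"),
        "program": program,
        "autostart": bool(job.get("RunAtLoad") or job.get("KeepAlive")),
    }


def is_apple_signed(path: str) -> Optional[bool]:
    """True if `path` verifies against the requirement `anchor apple`, i.e. it
    is signed by Apple itself rather than merely by a Developer ID.
    Returns None when codesign is not available (non-macOS host).
    Assumption: codesign(1)'s `-R '=<requirement text>'` inline syntax."""
    if shutil.which("codesign") is None:
        return None
    result = subprocess.run(
        ["codesign", "--verify", "-R", "=anchor apple", path],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def classify(job: Dict[str, object], signed: Optional[bool]) -> str:
    """Turn a parsed job plus its signature status into a triage verdict."""
    if job["program"] is None:
        return "REVIEW: no executable in plist"
    if signed is True:
        return "apple-signed"
    if signed is None:
        return "UNKNOWN: cannot verify signature on this host"
    return "REVIEW: not Apple-signed" + (" (autostart)" if job["autostart"] else "")


def scan(dirs: Optional[List[Path]] = None) -> List[Dict[str, object]]:
    """Walk the autorun directories and report every job that is not a
    verifiably Apple-signed binary. Unparsable plists are flagged too."""
    findings = []
    for d in dirs if dirs is not None else launchd_dirs():
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            try:
                job = program_from_plist(plist.read_bytes())
            except Exception as exc:  # malformed or non-plist file in an autorun dir
                findings.append({"plist": str(plist), "verdict": f"REVIEW: unparsable ({exc})"})
                continue
            signed = is_apple_signed(str(job["program"])) if job["program"] else None
            findings.append({"plist": str(plist), **job, "verdict": classify(job, signed)})
    return findings


# Constructed sample (not a real malware artifact): a user launch agent that
# starts a standalone hidden binary at login, the pattern the article calls lame.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/demo/.updater</string><string>--quiet</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    job = program_from_plist(SAMPLE_AGENT)
    print(job, "->", classify(job, False))
    for finding in scan():
        print(finding["plist"], "->", finding["verdict"])
```

Run as-is it prints the verdict for the constructed agent and then, on a Mac, one line per job in the autorun directories. Everything that does not come back `apple-signed` is what a watcher of the kind described above would alert on; filtering on Apple's anchor rather than on "has any signature" matters because a Developer ID or ad hoc signature is trivial for an attacker to produce.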

“It’s a little worrisome that an attacker could take a piece of known malware, repackage it slightly, and it has no problem executing on the latest and greatest supposedly most secure OS,” Wardle said. “I understand that the user is downloading and executing something, but Apple’s security tools are designed to protect against exactly this. Xprotect is supposed to block malware. Gatekeeper has one job; it’s not supposed to allow unsigned code to run from the Internet. It’s a fundamental component of Apple’s security policy, a cornerstone technology. I will demonstrate how easy it is for an attacker to remotely bypass those. It illustrates to me that [Apple] grasps the concept of security, but when it’s implemented, it’s still relatively easy for me to get around them.”