Category Archives: macOS

How does macOS protect against malware?

Mac users are often told that “Macs don’t get viruses.” This is not really true, of course. Macs can and do get infected. However, it is true that macOS provides some basic protection against malware. This protection can be quite effective in some ways, but, unfortunately, quite ineffective in others. Let’s take a look at how macOS features protect you from malware, and how malware can get past these features.

Quarantine

macOS has a feature that is called Quarantine. Any time a file is downloaded from the Internet, it gets marked with a Quarantine “flag.” When you try to open a downloaded app with this flag set, macOS will kick off a whole bunch of checks.

If all of those checks are successful, macOS will display a message alerting you that you’re opening an application downloaded from the Internet, which you’ll have to allow if you want to use the file. (macOS flashes this message to users to display the true nature of the file, in case it was disguised as another type, for example, an app disguised as a document.)

Once the app has been opened successfully for the first time, the Quarantine flag is removed, and these checks won’t be repeated again.

Some of the other protection features in macOS depend on Quarantine, and unfortunately, there are some ways that apps can get onto your hard drive without being marked with a Quarantine flag. Some examples:

  • Not all apps will properly set a Quarantine flag on files they download; torrent apps and malicious downloaders are two good examples.
  • Copying an app to another Mac after the Quarantine flag has been removed will result in the app not being quarantined on the second Mac.
  • Copying a file to a non-Mac file share or a USB flash drive that is not Mac formatted will result in the Quarantine flag being lost.
  • Vulnerabilities that enable creation of files without going through legitimate download methods allow for flagless apps on the hard drive.
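Because both Gatekeeper and XProtect key off the Quarantine flag, a defender's first check on a suspicious download is whether the flag is present at all. The following is an added example, not code from the Malwarebytes article: it decodes the com.apple.quarantine extended attribute (a semicolon-separated string of hex flags, hex download timestamp, downloading agent and optional UUID), reads it through the macOS xattr tool, and audits a folder for flagless app bundles; the sample attribute value is constructed and the bundle names it would report depend on your machine.

```python
"""Inspect the com.apple.quarantine extended attribute on macOS (added example)."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int                 # raw hex flags field, kept opaque
    downloaded_at: datetime    # when the file was downloaded (UTC)
    agent: str                 # application that wrote the flag, e.g. Safari
    uuid: Optional[str]        # LaunchServices record id, absent on some writers


def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode a raw attribute value such as '0083;5c5d1b2a;Safari;<UUID>'.

    Format assumed here: hex flags ; hex epoch seconds ; agent ; [uuid].
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, downloaded, agent, uuid)


def read_quarantine(path: Path) -> Optional[str]:
    """Return the raw attribute via `xattr -p`, or None if the file is flagless.

    macOS only: on other systems (no xattr binary) it also returns None, so the
    parser above can still be exercised on constructed values anywhere.
    """
    try:
        result = subprocess.run(
            ["xattr", "-p", QUARANTINE_ATTR, str(path)],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    if result.returncode != 0:   # xattr exits non-zero when the attribute is absent
        return None
    return result.stdout.strip()


def audit_apps(apps_dir: Path = Path("/Applications")) -> Dict[str, List[str]]:
    """Split .app bundles into those Gatekeeper will still inspect on open
    (flag present) and those it will never look at again (flag absent)."""
    report: Dict[str, List[str]] = {"quarantined": [], "flagless": []}
    for app in sorted(apps_dir.glob("*.app")):
        bucket = "quarantined" if read_quarantine(app) else "flagless"
        report[bucket].append(app.name)
    return report


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        raw = read_quarantine(Path(arg))
        if raw is None:
            print(f"{arg}: no quarantine flag (Gatekeeper/XProtect will not check it)")
        else:
            info = parse_quarantine(raw)
            print(f"{arg}: downloaded {info.downloaded_at:%Y-%m-%d %H:%M}Z by {info.agent}")
```

Run it with one or more paths as arguments; on a Mac, compare the output for a fresh Safari download against the same file after it has been opened once or copied via a FAT-formatted USB drive.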

Gatekeeper

Rewind to the moment an app is downloaded from the Internet and a Quarantine flag has been set. The first of the checks conducted on a quarantined app is a check of the app’s code signature.

A code signature is a bit of cryptographic data that identifies the creator of the app and can be used to determine whether the app has been tampered with. It depends on a certificate obtained from Apple, as part of a $99 developer account.

If the code signature indicates that the app has been tampered with, or that the certificate used to create the signature has been revoked by Apple, macOS won’t allow the app to run at all.

Unfortunately, Gatekeeper is not infallible, and its biggest weakness is Quarantine itself. Gatekeeper checks do not happen for apps that are not quarantined, which includes apps that were quarantined, but have already been opened at least once and are thus no longer quarantined.

This means that an innocent-looking app could download all kinds of malicious processes in the background once installed, and those processes would not be subject to Gatekeeper checks. Similarly, if you had run a malicious app on your computer, and some time later Apple revoked the developer certificate used for its code signature, the app would continue to run on your Mac because code signature checks only happen for quarantined apps as part of Gatekeeper.

This also means that malware could maliciously modify apps on your Mac, which would make the malware devilishly hard to find and remove.

XProtect

A hidden feature of the system that you’d never know was there, XProtect is a basic anti-malware feature also tied to Quarantine. XProtect has a relatively small number of rules for identifying known malicious apps, and every quarantined app that you attempt to open is run past XProtect first. If it matches any of the rules, macOS will not allow you to open it.

XProtect suffers from the same problems as Gatekeeper, in that it can’t protect against anything that doesn’t have a Quarantine flag. There’s a bigger problem, however: at the time of this writing, the most recent rule added to XProtect was on March 13, 2018. So it’s missing rules for nearly an entire year of new malware! The future of XProtect is unclear, but it’s definitely not protecting you against current threats.

Malware Removal Tool

In 2012, a series of attacks on macOS through vulnerabilities in Java resulted in malware being installed simply by visiting a website. Since this bypassed Quarantine, it was not something that the security measures in macOS at that time were equipped to deal with. Thus, Apple silently created the Malware Removal Tool, or MRT.

The MRT is a black box. Nobody really knows exactly how or when it works, and it runs silently, without any notifications to the person using the computer. Its sole purpose is to remove known malware that has gotten onto the computer.

Like XProtect, MRT recognizes only known malware via what appear to be hard-coded rules inside the MRT code. Nobody really knows how those rules work, and lately Apple has taken to obfuscating the malware name strings in the MRT code, so we can’t tell what it’s capable of detecting, either.

There’s no malware called OSX.28a9883.A, but that’s what Apple’s calling it

Unfortunately, MRT has not seen many updates lately that can be identified easily. Because it’s such a black box, it’s impossible to know, but it certainly doesn’t look like it is capable of detecting much recent malware.

System Integrity Protection

Abbreviated as SIP, this feature protects the core system files from modification. Also referred to as “rootless,” SIP works by preventing all users, including the all-powerful root user, from changing a large number of restricted files on the system. Only certain pieces of Apple software can make changes to these files. This feature can only be turned off by rebooting the computer into recovery mode and entering an arcane command in the Terminal, which is not something the average person is likely to do.

Although SIP caused problems for some software at the time of its introduction, it has proven to be an excellent security measure, ensuring that the system files cannot be tampered with.

thomas$ sudo mkdir /System/blah
Password:
mkdir: /System/blah: Operation not permitted

As a result, some people believe that SIP plays a role in preventing malware from infecting Macs. Unfortunately, that’s not the case. Even before SIP, only some malware made changes to the files that are now protected by SIP. Malware can infect a Mac quite easily without doing that, and without even needing root permissions. This means SIP does nothing to prevent malware from invisibly infecting your Mac if you make the mistake of opening the wrong app.

Transparency, Consent, and Control

This mouthful is shortened simply to TCC, and it is a new feature of macOS 10.14 (Mojave). TCC protects certain user data against outside access, with the goal of preventing apps from surreptitiously doing things like slurping up your web browsing history.

This is a noble goal, but despite its short life so far, TCC has had some issues. These range in seriousness from a proliferation of permission request dialogs that can cause “dialog fatigue” to vulnerabilities that could allow apps to reach right past TCC and get access to the data anyway.

An example of a TCC dialog. Many people will just click OK to make it go away.

TCC does not prevent malware infection itself. However, it does—when working correctly—prevent malware from gaining access to some of your data. Don’t get too comfortable, though, as malware is still gobbling up unprotected data, such as passwords and credit cards stored in Chrome’s autofill, which is not covered by TCC.

My brain is exploding! What does all this mean?

The good news is that Apple is constantly working on making macOS a safer place. Although security experts are quick to point out holes in the protection features in macOS, your Mac is definitely more secure with them than without them.

However, it’s important to keep in mind that each and every one of these protections does have holes. Malware creators know exactly where those holes are, and are adept (some of them, anyway) at exploiting them. So don’t let your guard down.

In the security world, we like to talk about layers of protection. Having multiple layers is good practice, because if malware gets beyond one or two, it can still be blocked by another layer. With the various holes in current protection features, it makes sense to add another layer of protection to your Mac, such as antivirus software.

Malwarebytes for Mac, for example, can help to plug holes by detecting current threats that XProtect and MRT don’t. With the newly-introduced App Block feature, it can also help plug the holes in Gatekeeper.

So knowing what your Mac is capable of protecting against on its own and where it needs assistance can keep you more secure, whether you’re downloading apps from the Internet or simply taking an extra second to read through those dialog boxes.

The post How does macOS protect against malware? appeared first on Malwarebytes Labs.

Trend Micro Antivirus for Mac 2019 is Certified by AV-TEST with Top Scores for Protection, Performance, and Usability

Current and potential users of the latest edition of Trend Micro Antivirus for Mac (v9.0, for 2019) will be pleased to know that it achieved MacOS Certification and top scores in all three categories in the recent AV-TEST Product Review and Certification Report – Dec/2018. Trend Micro Antivirus for Mac was tested against eight other Mac security solutions during November and December of 2018, achieving a perfect score of 6.0 out of 6.0 for each category tested: Protection, Performance, and Usability.

In the first, and most important category, Trend Micro Antivirus for Mac achieved a 100% Protection score, 6.0 out of 6.0 points, in December 2018 for the detection of widespread and prevalent malware discovered in the last 4 months.

For Performance in December of 2018, it again achieved a 6.0 out of 6.0 score, with a 0% effect on the download of frequently-used applications, as well as a 0% effect on the copying of files locally in a network, with only a 2% effect on the launch of standard software applications.

Finally, in December of 2018, it achieved a perfect 6.0 out of 6.0 points in the Usability testing, which assesses the impact of the security software on the usability of the computer. A value of zero (0) indicates the best possible result: no false detections of legitimate software as malware during a system scan, and no false warnings concerning certain actions carried out during the installation and use of legitimate software.

Independent lab testing remains the best indicator of the value and efficacy of security software, because labs such as AV-TEST use only the most rigorous and objective methods to evaluate the key indicators of protection, performance, and usability. Evaluations that cannot test all competitor products simultaneously can produce skewed results, particularly for the criterion of protection, the most important indicator of the value of a security product.

For more information or to buy the best security solution for your Mac, go to Trend Micro Antivirus for Mac.


Another vulnerability found in macOS Mojave’s privacy protection

Since Apple announced improvements to privacy protection for macOS Mojave 10.14 last September, a number of researchers have been examining it for security vulnerabilities. Unfortunately for Apple, finding them has not been much of a challenge: on the very day of its release, a researcher reported a […]

Smashing Security #115: Love, Nests, and is 2FA destroying the world?

Is two factor authentication such a pain in the rear end that it’s costing the economy millions? Do you feel safe having a Google Nest in your home? And don’t get caught by a catfisher this Valentine’s Day.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by B J Mendelson.

Malicious Windows EXE Files Infect macOS Users With Infostealers and Adware

Security researchers discovered several Microsoft Windows EXE files using malicious payloads to infect macOS users with infostealers and adware.

Trend Micro found one adware-bearing sample hiding within an installer for the Windows and Mac firewall app Little Snitch, which is available for download from various torrent websites. The sample was able to bypass Mac’s Gatekeeper, since this built-in protection mechanism doesn’t conduct code signature checks for or otherwise verify EXE files on machines running macOS.

Contained within the ZIP file downloaded from the torrent websites is a DMG file that hosts the Little Snitch installer. This installer hides an EXE file that loads an infostealer. The malware then gathers basic system information, such as Memory, BootROMVersion and SMCVersion, and scans the /Application directory for installed apps, such as App Store, FaceTime and Mail. After completing these steps, the malware sends all its findings to its command-and-control (C&C) server.

Additionally, the executable is capable of downloading several files from the internet. These files, in turn, download adware and other potentially unwanted applications.

Bridging Windows and macOS With Malware

These files don’t constitute the only instance of a digital threat crossing between Windows and macOS. In May 2017, for instance, Fox-IT identified a Mac OS X version of Snake malware, which traditionally targets the Windows platform. Less than a year later, security researcher Patrick Wardle of Objective-See uncovered CrossRat, a versatile threat capable of targeting Windows, macOS and Linux machines.

In a few cases, researchers have even observed attack campaigns distributing separate threats that target Windows and Mac computers. Security researchers at Microsoft came across one such instance in 2011 containing both the Mac-based Olyx backdoor and other Windows malware.

How to Defend Against Malicious EXE Files

Security professionals can help protect against adware-laden EXE files by creating security policies that limit the types of websites from which employees can download applications. They can frame this policy within the context of a larger app approval framework through which security teams follow a logical sequence to upload/review apps and ensure vendor integration. At the same time, security professionals should apply user activity analytics to a long-term data repository to sufficiently protect corporate data against digital threats like infostealers.

The post Malicious Windows EXE Files Infect macOS Users With Infostealers and Adware appeared first on Security Intelligence.

Apple Security updates released for Facetime bugs

A recently reported bug in FaceTime caused privacy concerns last month, as individuals were able to eavesdrop on users. The

Apple Security updates released for Facetime bugs on Latest Hacking News.

Apple fixes FaceTime eavesdropping bug, two iOS zero-days

Apple has pushed out critical security updates for iOS and macOS, which fix the “Facepalm” FaceTime eavesdropping bug but also two zero-day flaws that, according to Google researchers, have been exploited in the wild. Fixed vulnerabilities: The Facepalm bug (CVE-2019-6223) affects FaceTime Groups both on iOS and macOS, and was discovered by Grant Thompson, a high schooler from Arizona. After the existence of the flaw and demonstration videos of its exploitation were made public, Apple … More

The post Apple fixes FaceTime eavesdropping bug, two iOS zero-days appeared first on Help Net Security.

Security Affairs: Expert publicly disclosed the existence of 0day flaw in macOS Mojave

A zero-day vulnerability in macOS Mojave can be exploited by malware to steal plaintext passwords from the Keychain.

The security expert Linus Henze has disclosed the existence of a zero-day vulnerability in macOS Mojave that can be exploited by malware to steal plaintext passwords from the Keychain. According to Henze, the flaw affects macOS Mojave and earlier versions.

The researcher did not report the vulnerability to Apple; he publicly disclosed the existence of the flaw without making its details public.

Henze has published a video PoC for the flaw that shows how malware could extract passwords from the local Keychain password management system. The attack works on a system running the latest macOS Mojave version (10.14.3).

The attack is sneaky because it doesn’t require admin privileges for either the malicious app or the user account. The expert pointed out that the malicious code could exploit the flaw to steal passwords only from that user’s Keychain, because other Keychains are locked.


Why did Henze not report the flaw to Apple?

Simple: the expert explained that he did not share his discovery with the tech giant because the company doesn’t operate a bug bounty program for macOS. Apple contacted the expert after the publication of the video asking for more details about the issue, but Henze refused to provide them without a bounty.

Currently, Apple’s bug bounty program only covers hardware, iOS and iCloud.

The popular macOS expert and former NSA white hat hacker Patrick Wardle also confirmed that the exploit works.

Pierluigi Paganini

(SecurityAffairs – MacOS Mojave, hacking)

The post Expert publicly disclosed the existence of 0day flaw in macOS Mojave appeared first on Security Affairs.


New cryptocurrency malware SpeakUp hits Linux & Mac devices

By Waqas

The IT security researchers at Check Point have identified a new malware called SpeakUp targeting Linux and macOS – The new findings prove that there has been a surge in malware attacks against Linux and Apple devices. SpeakUp is a new backdoor Trojan that is being distributed by cybercriminals through a malicious new campaign designed […]

This is a post from HackRead.com Read the original post: New cryptocurrency malware SpeakUp hits Linux & Mac devices

New Mac Malware steals iPhone text messages from iTunes backups

By Waqas

The IT security researchers at Palo Alto Networks’ Unit 42 have discovered a dangerous new Mac malware capable of targeting devices for multi-purposes including stealing cryptocurrency. Dubbed CookieMiner by researchers; the Mac malware is a variant of OSX.DarthMiner, another nasty piece of malware known for targeting MacOS. But, CookieMiner aims at much more than its predecessor. See: 400% increase in […]

This is a post from HackRead.com Read the original post: New Mac Malware steals iPhone text messages from iTunes backups

New Mac malware steals cookies, cryptocurrency and computing power

A new piece of Mac malware is looking to steal both the targets’ computing power and their cryptocurrency stash, Palo Alto Networks researchers warn. About the CookieMiner malware Dubbed CookieMiner on account of its cookie-stealing capabilities, this newly discovered malware is believed to be based on DarthMiner, another recently detected Mac malware that combines the EmPyre backdoor and the XMRig cryptominer. Like DarthMiner, CookieMiner uses the EmPyre backdoor for post-exploitation control. This agent checks if … More

The post New Mac malware steals cookies, cryptocurrency and computing power appeared first on Help Net Security.

Critical FaceTime bug turns iPhones, Macs into eavesdropping tools

A shocking and easily exploitable FaceTime bug allows people to listen in on other users of Apple devices by simply calling them through the service. The bug apparently affects Group FaceTime and Apple has reacted by making the service unavailable until they can push out a fix. Exploitation of the FaceTime bug The bug was first reported by 9to5Mac and then replicated and confirmed by others. The gist of it is this: it allows the … More

The post Critical FaceTime bug turns iPhones, Macs into eavesdropping tools appeared first on Help Net Security.

Apple releases the first update of the year for iOS and macOS. Update now!

Apple has published the January updates, which fix most of the CVEs affecting iOS and macOS, with a few affecting Safari, watchOS, tvOS and iCloud for Windows. iOS v12.1.3 This latest version fixes a list of CVEs for the iPhone 5 and later, iPad and iPod Touch 6th generation. Almost […]

Apple delivers security patches, plugs an RCE achievable via FaceTime

Apple has released a new set of updates for its various products, plugging a wide variety of vulnerabilities. WatchOS, tvOS, Safari and iCloud Let’s start with “lightest” security updates: iCloud for Windows 7.10 brings fixes for memory corruption, logic and type confusion issues in the WebKit browser engine, all of which can be triggered via maliciously crafted web content and most of which may lead to arbitrary code execution. The update also carries patches for … More

The post Apple delivers security patches, plugs an RCE achievable via FaceTime appeared first on Help Net Security.

Additional Crispiness on the MacOS box of apples sandbox

In November 2015 we first released our macOS sandbox. We now have incremental feature improvements live on our site to help our users get further behavioral information from samples scanned with VirusTotal.

Several improvements visible to users are:


  • Sandbox updated to OS X 10.11 El Capitan. We have a High Sierra update planned for later this year.
  • Detailed HTML analysis report is now available. 
  • Screenshots of the software under analysis to provide more contextual information:
    • Show screenshots of what a user would see
    • Help determine if the sample is waiting for user input
  • Network traffic reports updated
    • Country Detection
  • Timestamps on file operations, to help show the sequence of events.
  • Process tree is shown if there is more than one level of processes


To view the detailed behavior report, click on the behavior tab, then select the Box of Apples sandbox, then click on the detailed report link.

Click on the detailed behavior report.
Some Samples that might be interesting, that contain the new features:
ec7241a6009f1fff38b481d8b4fd6efede4cc2f9d8ee20d9ca2b4ff66d656171
3b196c1c1a64aca81dec5a5143b3f2faaadcc4034b343f46f23348f34a2ef205
694c23b548249056bf90b2b2c252a8c9abfae4aeb611476cbdaa8dc112f79d8f


Screenshots and File operations

DNS, IP Traffic and Behavior tags


This is part of the Multi-Sandbox project. We’ll continue to improve our own sandbox and to work with 3rd-party sandbox providers that wish to integrate their sandboxes into VirusTotal.

If you find any issues, or have feature requests, please don’t hesitate to reach out to us by emailing contact@virustotal.com