
Invisible malware

Published October 15th, 2013 at 11:08 AM EDT, modified October 15th, 2013 at 11:08 AM EDT

There has been a bit of talk in the security industry about a recent blog post by Daniel Pistelli, who reported on a technique that could be used to create what some are calling “invisible” malware. This technique does represent a bit of a problem to the anti-virus industry. However, it’s important to understand the full context of how Mac OS X protects against malware, and to recognize that this technique means very little to Mac users in the current malware climate.

Mr. Pistelli’s trick involves encryption of the executables, which is directly supported by Mac OS X. The reasoning is that an encrypted executable looks very different from the unencrypted version. So, you could take some existing malware, which is already detected by anti-virus software (including Apple’s XProtect technology), and encrypt the executable. This would mask the signature of the malware, causing it to slip past most or all anti-virus programs.
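One way a scanner can at least notice that an executable is encrypted, so the file can be flagged for closer inspection when signature matching comes up empty. This is an added example, not code from this post or from Mr. Pistelli's; it assumes the encryption is the kind recorded in the Mach-O load commands (the `SG_PROTECTED_VERSION_1` segment flag, or a non-zero `cryptid` in `LC_ENCRYPTION_INFO`), and it handles thin (non-fat) binaries only. The sample header built by `build_sample` is constructed.

```python
import struct

# Constants from <mach-o/loader.h>
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
SG_PROTECTED_VERSION_1 = 0x8          # segment is marked protected (encrypted)
# Magic read as little-endian -> (byte order of the file, header size)
MAGICS = {0xFEEDFACE: ("<", 28), 0xFEEDFACF: ("<", 32),
          0xCEFAEDFE: (">", 28), 0xCFFAEDFE: (">", 32)}

def encrypted_regions(data):
    """List encryption markers in a thin Mach-O image ([] if none or not Mach-O)."""
    if len(data) < 28:
        return []
    order, off = MAGICS.get(struct.unpack_from("<I", data, 0)[0], (None, 0))
    if order is None:
        return []
    ncmds = struct.unpack_from(order + "I", data, 16)[0]
    findings = []
    for _ in range(ncmds):
        if off + 8 > len(data):
            break                      # truncated load-command table
        cmd, size = struct.unpack_from(order + "II", data, off)
        if size < 8 or off + size > len(data):
            break                      # malformed command, stop parsing
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            flags_at = 52 if cmd == LC_SEGMENT else 68
            if size >= flags_at + 4:
                flags = struct.unpack_from(order + "I", data, off + flags_at)[0]
                if flags & SG_PROTECTED_VERSION_1:
                    name = data[off + 8:off + 24].rstrip(b"\0")
                    findings.append(("protected-segment", name.decode("ascii", "replace")))
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64) and size >= 20:
            cryptid = struct.unpack_from(order + "I", data, off + 16)[0]
            if cryptid:
                findings.append(("encryption-info", cryptid))
        off += size
    return findings

def build_sample(text_flags):
    """Constructed sample: 64-bit header plus one __TEXT segment command."""
    header = struct.pack("<8I", 0xFEEDFACF, 0x01000007, 3, 2, 1, 72, 0, 0)
    segment = struct.pack("<II16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT",
                          0, 0x1000, 0, 0x1000, 7, 5, 0, text_flags)
    return header + segment

if __name__ == "__main__":
    print(encrypted_regions(build_sample(SG_PROTECTED_VERSION_1)))
    print(encrypted_regions(build_sample(0)))
```

A hit only says that the on-disk bytes are not the code that will run; it is a reason to look closer, not a verdict that the file is malicious.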

This is a serious issue, and one that I’m sure everyone in the Mac security industry will be looking into. Better coders than I will come up with solutions on that front, and I’m sure this will become just another one of those tricks hackers use to slow down (but not completely prevent) detection of their malware.

However, it’s important to realize that, encrypted or not, there is a very significant barrier that malware has to get past first on recent versions of Mac OS X: Gatekeeper. Because Gatekeeper prevents unsigned applications from running, unless the user bypasses that security feature entirely, even encrypted malware will be facing a brick wall. Some will probably use the trick of signing malware with a valid developer ID, as has happened in a couple of cases already. However, this is never going to become a very popular trick. There is a cost to obtaining a developer ID, which will make a hacker reluctant to throw it away. After all, once Apple gets wind of a developer ID being misused in this fashion, they disable the ID and, in the process, kill all apps created by that developer.

Gatekeeper is not perfect, and in the future we will probably have to worry about things like stolen developer credentials and malware with very limited and tightly-targeted distribution (which can evade detection for a long time). Encrypted executables could easily fit in with these techniques as a supplemental obfuscation method. However, encrypted malware is, after all is said and done, not a particularly big worry for those using systems with Gatekeeper running as intended.
