The Carbon Black Threat Research Team released a report yesterday on the increased prevalence of OS X malware. In this post, I want to briefly discuss the research from my perspective as one of the authors and line up what’s next from our team.
For the past several years I, along with everyone else, have noticed the growing prevalence of Apple devices in the market. I mean, even my mother has an Apple computer now, which is saying a lot! If even my mother has a Mac, then we don’t need to show the supporting statistics demonstrating that both consumers and corporate networks are using them more than ever.
This vast increase in Apple computers on both the enterprise and consumer markets was one of the driving factors in our research. Simply put, an increase in Apple devices means an increased threat to networks via these machines.
Our research started with a simple question: “What does OS X malware look like at a grand scale?” There are a number of reports out there for Windows malware and what it looks like at larger scales, but not much for OS X.
When I was learning how to reverse-engineer malware many moons ago, I had a mentor tell me: “You are nuts if you don’t run malware in a sandbox and see what easy results you get out of it before diving into the assembly of the sample.” I have used this same approach for many years. We also used that approach for our initial crack at the OS X malware we observed (more than 1,400 samples).
Questions we asked included:
- What does dynamic analysis say about all this?
- What persistence mechanisms are used, and what do the network communications (ports, protocols, etc.) look like?
- How does OS X malware behave when being run on a system?
Once we collected the data, we then performed larger-scale analysis to answer some of those questions. In addition, we really wanted to let the data tell us what was happening and not let our preconceived notions of malware behavior skew the analysis.
One of the biggest shockers to me was the lack of Unix mechanisms used for persistence. There weren't many cron jobs being targeted, or other Unix-style attack techniques, in the data. The malware really stuck to OS X mechanisms. We outline several of those mechanisms in the report.
Of course, during our research we created Bit9 + Carbon Black tools, queries, etc., which have gone into our products or soon will, but one of the other things we wanted to do was to give back to the community as a whole versus just Bit9 + Carbon Black customers.
To do that, we looked at other tools out there that enterprises can use. I specifically had the pleasure of working with the open-source tool that Facebook has produced called Osquery (https://osquery.io/). It is one of the nicest open-source tools that I have used in a long time and, straight out of the box, you can use some of the following queries to hunt for OS X malware in your environment.
To look at LaunchDaemons, LaunchAgents, kernel extensions, startup items, login items and cron-based persistence, you can use the following queries:
- select name,program,path FROM launchd;
- select name,program,path FROM launchd where username = 'root';
- select name,linked_against,path from kernel_extensions;
- select name,path,type,source from startup_items;
- select * from preferences where domain = 'loginwindow';
- select * from preferences where domain = 'loginitems';
- select * from crontab;
The picture below is an example of a system infected with the Olyx backdoor, as seen in the output of the osquery query "select name,program,path FROM launchd":
A fair amount of OS X malware also interfaces with launchd, and to do that it executes the launchctl command to load/unload daemons and agents. Watching for this type of activity is useful as well. To do this with osquery, the queries would be:
- select * from shell_history where command like 'launchctl%';
- select * from shell_history where command like '/bin/launchctl%';
Most of the adware installed its own browser extensions. To look at browser extensions you can use the following osquery queries:
- select identifier,path from safari_extensions; (hits are mostly adware)
- select identifier,path from chrome_extensions; (hits are mostly adware)
The picture below is an example of a system infected by various pieces of adware:
As all good malware reverse-engineering people know, there is lots more to malware than how it behaves in sandboxes. While conducting some static analysis, we found that more than 90 percent of the OS X malware we analyzed from 2015 still uses the old load command entry point method.
Apple introduced a new load command (LC_MAIN) to define the entry point into the Mach-O format with the release of OS X 10.8 in 2012. The previous load commands were LC_THREAD and LC_UNIXTHREAD. In analyzing samples from 2010 through 2015, we did not start seeing the new method being used until 2014 and, even then, it was a tiny percentage.
This trend leads to a statistical indicator from the research that malware currently uses the old load command much more frequently than the new load command. Consequently, if a Mach-O file found on a modern Mac system uses the old load command, it’s more likely to be malware than a Mach-O file using the new load command.
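To turn that indicator into a quick triage check, here is an added example (my own illustration for this post, not a tool from the report) that walks a thin Mach-O's load commands and reports whether the entry point is defined by LC_MAIN or by the older LC_THREAD/LC_UNIXTHREAD. The sample binaries at the bottom are constructed in code, and the build_macho64 helper and the TEXT_SEG/MAIN_CMD/UNIXTHREAD_CMD values are assumptions for the demo, not real samples.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_THREAD, LC_UNIXTHREAD, LC_MAIN = 0x4, 0x5, 0x80000028  # LC_MAIN is 0x28 | LC_REQ_DYLD
LC_SEGMENT_64 = 0x19


def entry_commands(data: bytes) -> set:
    """Walk a thin Mach-O's load commands; return the set of entry-point command types found."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O file")
    for endian in ("<", ">"):  # Intel is little-endian; PowerPC Mach-O is big-endian
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O (fat/universal binaries are not handled here)")
    header_size = 32 if magic == MH_MAGIC_64 else 28  # mach_header_64 adds a reserved field
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)  # header offsets 16 and 20
    offset, end = header_size, min(header_size + sizeofcmds, len(data))
    found = set()
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:  # a bad cmdsize would loop forever or overrun
            raise ValueError("bad load command size")
        if cmd in (LC_THREAD, LC_UNIXTHREAD, LC_MAIN):
            found.add(cmd)
        offset += cmdsize
    return found


def entry_point_style(data: bytes) -> str:
    """'new' for LC_MAIN, 'old' for LC_THREAD/LC_UNIXTHREAD, 'none' if no entry point (e.g. a dylib)."""
    found = entry_commands(data)
    if LC_MAIN in found:
        return "new"
    return "old" if found else "none"


def build_macho64(*cmds: bytes) -> bytes:
    """Constructed sample input: x86_64 MH_EXECUTE header followed by the given load commands."""
    body = b"".join(cmds)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, len(cmds), len(body), 0, 0) + body


# Constructed load commands: a __TEXT segment, an LC_MAIN entry, and an LC_UNIXTHREAD with a dummy 4-word state.
TEXT_SEG = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT", 0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
MAIN_CMD = struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0)  # entryoff, stacksize
UNIXTHREAD_CMD = struct.pack("<IIII4I", LC_UNIXTHREAD, 32, 4, 4, 0, 0, 0, 0)  # flavor, count, state
```

Binaries linked with a deployment target below 10.8 legitimately keep LC_UNIXTHREAD, so treat "old" as a signal for prioritising a sample, not a verdict.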
Our research into OS X malware is continuing and I am very excited about some new triage mechanisms our team has devised. We are looking to publish results on that soon. We also are looking at publishing some additional tools in the future. As the prevalence of Apple computers continues to grow, it also will be interesting to see where the malware leads. Our initial research into OS X malware is a nice baseline for what the field looks like for Apple devices. Now, we are looking forward to seeing the next set of trends in OS X malware.