Friday, April 24, 2015

Anti-virus software and Apple’s protections for Mac OS X useless – Mac & i



None of the tested anti-virus solutions for Apple’s OS X prevented the installation of malware written for test purposes

(Photo: Patrick Wardle).

According to a security researcher, it is trivial to infect a Mac with malware persistently. Neither popular anti-virus software nor Apple’s own mechanisms, such as XProtect or app signing, would help.

Patrick Wardle, senior security researcher at the consultancy SynAck, does not think much of the security mechanisms of Apple’s OS X, which, according to him, can easily be outwitted. In 2014, over 50 new families of malware for OS X appeared, an upward trend that he attributes to the increasing market share (14 percent in the US) of Macs. He shared his findings in a talk at this year’s RSA Conference.



Outwitting Apple’s security mechanisms

According to Wardle, malware authors have an easy time getting past the operating system’s protection mechanisms to install malicious software on Macs. Native mechanisms such as Gatekeeper, XProtect, the OS X sandbox or app signing offer little protection. Gatekeeper, for example, only checks whether an application comes from a trusted source, such as the App Store, but not whether the software package has been maliciously modified and runs arbitrary code on the system during installation.

XProtect, which classifies applications as good or bad on the basis of their hash value, is even easier to fool: simply renaming a known piece of malware was enough. The sandbox required for apps from the App Store is not reliable either. According to Wardle, the otherwise robust sandbox has several weaknesses through which an escape is possible; Google’s Project Zero, for example, has discovered more than 20 such bugs.

Wardle also considers the code-signature check no obstacle for an attacker. OS X does check whether a signature is valid, but if the signature is faulty, for example because the attacker removed it, the maliciously modified application simply starts without complaint, even if it had previously shipped with a valid signature any number of times. Removing the signature can be done with a simple Python script.
Since OS X Mavericks, kernel extensions (kexts) have had to be signed. However, the kext daemon required for this can be manipulated from userland in such a way that the signature check is removed. Stopping the daemon also does the job, because in that case the component used to load the extension continues without the check, says Wardle.

Most of the modifications Wardle describes require root privileges. These can be obtained, for example, through the Rootpipe hole, which has not been fully closed. A few days before his presentation, Wardle published a video demonstrating this.



Anti-virus applications not effective

A test of common anti-virus software for OS X conducted by Wardle showed that these products do not effectively prevent infections. Demo malware he wrote himself, which embeds itself permanently in the system and transfers data to the outside, was not intercepted by any of the more than ten applications tested.

Wardle also describes in his presentation the techniques available for anchoring malware persistently in the system, including plists, cron jobs, scripts, plug-ins for the Spotlight search feature and Login Items. Most of these techniques are also used by malicious software found in the wild, active and in some cases signed with a valid developer certificate, such as CallMe, Crisis, Kitmos or Yontoo.

So that Mac users can protect themselves and their computers, the expert has developed two free tools: KnockKnock enumerates all autostart files and submits their hashes to VirusTotal to inform the user about possible threats. BlockBlock runs in the background and notifies the user when a process installs itself in one of the relevant locations used by malware. With root privileges, however, such checks can be switched off again. (Uli Ries) / (the)
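As an added illustration of what such an autostart inventory involves (example code written for this page, not KnockKnock’s own), the Python script below walks the launchd plist directories, resolves the program each plist starts and hashes it, which is the value a tool would then look up on VirusTotal. The launchd directory list is the standard OS X one; the sample plists and the temporary directory in `demo()` are constructed here.

```python
import hashlib
import os
import plistlib
import tempfile
# Standard launchd autostart directories on OS X (the user-level one is expanded at runtime).
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                os.path.expanduser("~/Library/LaunchAgents")]

def sha256_of_file(path):
    """SHA-256 of a file: the value a tool like KnockKnock would look up on VirusTotal."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def program_from_plist(plist_path):
    """Executable a launchd plist starts: the Program key, else ProgramArguments[0]."""
    try:
        with open(plist_path, "rb") as f:
            data = plistlib.load(f)
    except Exception:  # malformed or non-plist file: still reported, nothing to hash
        return None
    if not isinstance(data, dict):
        return None
    args = data.get("ProgramArguments")
    return data.get("Program") or (args[0] if isinstance(args, list) and args else None)

def inventory_launch_items(dirs=LAUNCHD_DIRS):
    """Launchd plists in dirs with the program each starts and its hash (None if the file is missing)."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            plist_path = os.path.join(d, name)
            program = program_from_plist(plist_path)
            digest = sha256_of_file(program) if program and os.path.isfile(program) else None
            findings.append({"plist": plist_path, "program": program, "sha256": digest})
    return findings

def demo():
    """Constructed sample: one agent with a real target, one pointing at a missing file."""
    tmp = tempfile.mkdtemp()
    target = os.path.join(tmp, "updater")
    with open(target, "wb") as f:
        f.write(b"#!/bin/sh\necho demo\n")
    with open(os.path.join(tmp, "com.example.updater.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.updater", "ProgramArguments": [target, "--quiet"]}, f)
    with open(os.path.join(tmp, "com.example.ghost.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.ghost", "Program": os.path.join(tmp, "gone")}, f)
    return inventory_launch_items([tmp])
```

An entry whose `program` is set but whose `sha256` is `None` points at a file that no longer exists, which is itself worth a look, since a dangling launch item is a slot any later process with write access could fill.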
