Categories: Security

How to create undetectable malware with Mac encryption mechanism

Researcher Daniel Pistelli demonstrated how to exploit Mac internally encryption mechanism to create an undetectable Mac OS X Malware.

During the last couple of years the number of cyber threats that targeted Mac is increased significantly, the main reasons are the wide diffusion of Apple devices and lack of awareness of Apple users.

In particular the number of malware specifically designed to infect Mac systems is exploded, malicious codes has been used to target Apple users is very concerning for Mac world, Apple products are popular within high management, influential politicians and group of activists, clamorous the case of the attack against the Dalai Lama.

The Hacker News Portal reported that reverse engineer Daniel Pistelli, lead developer of Cerbero Profiler, conducted an exceptional research on a technique to create an undetectable malware for Mac OS X. The research highlights the possibility to exploit Apple internally internally encryption mechanism normally used to protect OS executable such as “Dock.app” or “Finder.app“.

“Apple uses this technology to encrypt some of its own core components like “Finder.app” or “Dock.app”. On current OS X systems this mechanism doesn’t provide much of a protection against reverse engineering in the sense that attaching a debugger and dumping the memory is sufficient to retrieve the decrypted executable. However, this mechanism can be abused by encrypting malware which will no longer be detected by the static analysis technologies of current security solutions.”

What would happen if an attacker exploited this encryption mechanism of protection?

This encryption could be used to preserve access to malware code avoiding detection mechanism while the OS X runs the malicious code. The Mac encryption could be used to hide new malware or hide other menaces already detected by Anti-malware products making them completely undetectable. To demonstrate the efficiency of the malware avoidance mechanism the researcher tool a Mac malware known by all the principal antivirus products and encrypted it with the Apple internally encryption mechanism, the resultant signed malicious code is totally undetected by all the defense product as demonstrated in the above test resurlts from Virus Total.

The principal advantage of this technique respect classic methods implemented to elude defense systems is that the decryption code is not present in the executable for of Mac malware making impossible the detection of the remaining encrypted code.

“The difference compared to a packer is that the decryption code is not present in the executable itself and so the static analysis engine can’t recognize a stub or base itself on other data present in the executable, since all segments can be encrypted. Thus, the scan engine also isn’t able to execute the encrypted code in its own virtual machine for a more dynamic analysis.

Two other important things about the encryption system is that the private key is the same and is shared across different versions of OS X. And it’s not a chained encryption either: but per-page. Which means that changing data in the first encrypted page doesn’t affect the second encrypted page and so on.” wrote the researcher in a post.

Daniel suggests Antivirus producers the following solutions to prevent infection caused Mac malware encrypted with internal mechanisms:

Support the actual decryption
Trust encrypted executables only when signed by Apple.
Trust only executables whose cryptographic hash matches a trusted one.

… and remember that no OS is totally secure!

Pierluigi Paganini

(Security Affairs – Apple, Mac malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.