How to create undetectable malware with Mac encryption mechanism

Pierluigi Paganini October 08, 2013

Researcher Daniel Pistelli demonstrated how to exploit Mac internally encryption mechanism to create an undetectable Mac OS X Malware.

During the last couple of years the number of cyber threats that targeted Mac is increased significantly, the main reasons are the wide diffusion of Apple devices and lack of awareness of Apple users.
In particular the number of malware specifically designed to infect Mac systems is exploded, malicious codes has been used to target Apple users is very concerning for Mac world, Apple products are popular within high management, influential politicians and group of activists, clamorous the case of the attack against the Dalai Lama.
The Hacker News Portal reported that reverse engineer Daniel Pistelli, lead developer of Cerbero Profiler, conducted an exceptional research on a technique to create an undetectable malware for Mac OS X. The research highlights the possibility to exploit Apple internally internally encryption mechanism normally used to protect OS executable such as “Dock.app” or “Finder.app“.
“Apple uses this technology to encrypt some of its own core components like “Finder.app” or “Dock.app”. On current OS X systems this mechanism doesn’t provide much of a protection against reverse engineering in the sense that attaching a debugger and dumping the memory is sufficient to retrieve the decrypted executable. However, this mechanism can be abused by encrypting malware which will no longer be detected by the static analysis technologies of current security solutions.”
What would happen if an attacker exploited this encryption mechanism of protection?
This encryption could be used to preserve access to malware code avoiding detection mechanism while the OS X runs the malicious code. The Mac encryption could be used to hide new malware or hide other menaces already detected by Anti-malware products making them completely undetectable.  To demonstrate the efficiency of the malware avoidance mechanism the researcher tool a Mac malware known by all the principal antivirus products and encrypted it with the Apple internally encryption mechanism, the resultant signed malicious code is totally undetected by all the defense product as demonstrated in the above test resurlts from Virus Total.
Mac Malware before encryption
Mac Malware after encryption
The principal advantage of this technique respect classic methods implemented to elude defense systems is that the decryption code is not present in the executable for of Mac malware making impossible the detection of the remaining encrypted code.

“The difference compared to a packer is that the decryption code is not present in the executable itself and so the static analysis engine can’t recognize a stub or base itself on other data present in the executable, since all segments can be encrypted. Thus, the scan engine also isn’t able to execute the encrypted code in its own virtual machine for a more dynamic analysis.

Two other important things about the encryption system is that the private key is the same and is shared across different versions of OS X. And it’s not a chained encryption either: but per-page. Which means that changing data in the first encrypted page doesn’t affect the second encrypted page and so on.” wrote the researcher in a post.

Daniel suggests Antivirus producers the following solutions to prevent infection caused Mac malware encrypted with internal mechanisms:

  • Support the actual decryption
  • Trust encrypted executables only when signed by Apple.
  • Trust only executables whose cryptographic hash matches a trusted one.

… and remember that no OS is totally secure!

Pierluigi Paganini

(Security Affairs –  Apple, Mac malware)

 



you might also like

leave a comment