04 March 2017

Patrick Wardle’s Mac Malware RSA Recap


With all of the Windows malware dominating the news, Patrick Wardle directed some attention to one of his favorite topics, Mac malware, for his presentation at RSA in San Francisco. Patrick loves any opportunity to challenge the notion that Macs are secure and insusceptible to malicious code, proposing that “Windows gets much more attention just due to the sheer volume of attack attempts”.

“In my RSA talk I discussed all Mac malware that appeared in 2016. While each sample had been reported on before (i.e. by the AV company that discovered it), the talk cumulatively covered all malware in one place. For each, I clearly identified the infection vector, persistence mechanism, features/goals, and described disinfection.”

Here’s the lineup:

The talk started by looking at KeRanger, the first fully-functional, in-the-wild ransomware for OS X.

Next in the lineup was Eleanor, a PHP-based backdoor that exposed infected computers as a hidden Tor service. Following this was Keydnap, a standard OS X backdoor with a propensity for stealing credentials, which used Tor for its communications. Fake File Opener, a rather annoying piece of adware with a unique persistence mechanism, was covered next. Then on to Mokes, a fairly standard OS X backdoor that nonetheless supported a wide range of features. Finally, the talk covered Komplex, a Russian (APT 28/FancyBear) OS X implant that provided remote ‘administrative’ capabilities.

After presenting his 2016 lineup, Patrick finished by discussing Apple’s baked-in security mechanisms that aim to protect OS X users and also ideas for generic detections.

“Most of the AV products out there aren’t going to catch any new threats to Macs, but there are tools available for monitoring software, detecting the creation of encrypted files, and detecting access to computer webcams and mics. Additionally, Objective-see.com has macOS security tools for people to access and they are 100% free. I really believe in the development of effective security tools such as these and making them available for free.”

For absolutely free, no-strings-attached, OS X security tools, check out Patrick’s website: Objective-See.
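As an added illustration of the “detecting the creation of encrypted files” idea mentioned above, here is a small generic-detection heuristic of the kind the talk alluded to. This is example code written for this page, not the code of any Objective-See tool or of anything from the talk. It assumes a feed of newly created files (timestamp, pid, process name, path, contents); the process names, paths and file contents below are constructed. The heuristic flags a process that writes several high-entropy files in a short window, while exempting formats that are high-entropy by design (compressed archives, images), which otherwise produce false positives.

```python
import math
import os
from collections import defaultdict

# Magic bytes of formats that are legitimately high-entropy (compressed or
# encrypted by design), so a high entropy score alone should not flag them.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip / Office / jar",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def known_compressed(data: bytes) -> bool:
    """True if the content starts with the magic of a known compressed/image format."""
    return any(data.startswith(magic) for magic in KNOWN_HIGH_ENTROPY_MAGIC)


def looks_encrypted(data: bytes, threshold: float = 7.5, min_size: int = 256) -> bool:
    """Heuristic: large enough for entropy to be meaningful, not a recognised
    compressed format, and near-uniform byte distribution."""
    if len(data) < min_size or known_compressed(data):
        return False
    return shannon_entropy(data) >= threshold


def suspicious_processes(events, min_files: int = 3, window_s: float = 10.0):
    """events: iterable of (timestamp, pid, process_name, path, contents) for
    newly created files.  Returns {(pid, name): [paths]} for every process that
    wrote at least min_files encrypted-looking files within any window_s span.
    The rate check is what separates ransomware from a user encrypting one file."""
    hits = defaultdict(list)
    for ts, pid, name, path, data in events:
        if looks_encrypted(data):
            hits[(pid, name)].append((ts, path))
    flagged = {}
    for key, files in hits.items():
        files.sort()
        start = 0
        for end in range(len(files)):            # sliding window over timestamps
            while files[end][0] - files[start][0] > window_s:
                start += 1
            if end - start + 1 >= min_files:
                flagged[key] = [p for _, p in files]
                break
    return flagged


def build_sample_events():
    """Constructed sample feed (not real telemetry). os.urandom stands in for
    ciphertext; the hypothetical 'ransom-sim' process is the one that should trip."""
    text = b"Meeting notes: discuss Q2 roadmap and hiring plan.\n" * 40   # low entropy
    return [
        (0.0, 4242, "ransom-sim", "/Users/victim/Documents/doc1.pdf", os.urandom(4096)),
        (0.5, 77, "TextEdit", "/Users/victim/Documents/notes.txt", text),
        (1.0, 4242, "ransom-sim", "/Users/victim/Documents/doc2.docx", os.urandom(4096)),
        (1.2, 88, "Archive Utility", "/Users/victim/backup.gz", b"\x1f\x8b" + os.urandom(4000)),
        (2.0, 4242, "ransom-sim", "/Users/victim/Documents/doc3.xlsx", os.urandom(4096)),
        (3.0, 99, "Photos", "/Users/victim/Pictures/pic.jpg", b"\xff\xd8\xff" + os.urandom(4000)),
        # A legitimate tool encrypting two files 100 s apart: high entropy, but
        # far below the rate threshold, so it must not be flagged.
        (5.0, 55, "gpg", "/Users/victim/a.gpg", os.urandom(2048)),
        (105.0, 55, "gpg", "/Users/victim/b.gpg", os.urandom(2048)),
    ]


if __name__ == "__main__":
    for (pid, name), paths in suspicious_processes(build_sample_events()).items():
        print(f"ALERT pid={pid} {name}: wrote {len(paths)} encrypted-looking files: {paths}")
```

In a real deployment the event feed would come from a filesystem event source such as FSEvents, and the alert would offer to suspend the offending process; the thresholds here (7.5 bits/byte, three files in ten seconds) are starting points to tune against the false-positive rate on your own hosts, not fixed constants.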

Some social media love:

@arnaudlaudwein Thanks for this great talk, keep us posted when you publish your first Mac rootkit!

@beckerdite It was a great talk! Thanks for putting so much thought into a very important area for all of us.

Some of the latest articles and news around Patrick’s Mac malware research:

The Register: Macs don’t get viruses? Hahaha, ha… seriously though, that Word doc could be malware

Forbes: DNC Hackers Are Using Apple Mac Spyware Code From FBI Surveillance Vendor, Claims Ex-NSA Researcher

Tom’s Guide: Mac Malware Getting Much Worse: How to Protect Yourself

See Patrick’s slides here: https://speakerdeck.com/patrickwardle/rsa-2017-meet-and-greet-with-the-mac-malware-class-of-2016