krypted.com

Tiny Deathstars of Foulness

macOS now comes with a vulnerability scanner called mrt. It’s installed within the MRT.app bundle in /System/Library/CoreServices/MRT.app/Contents/MacOS/ and while it doesn’t currently have a lot that it can do – it does protect against the various bad stuff that is actually available for the Mac. To use mrt, simply run the binary with a -a flag for agent and then a -r flag along with the path to run it against. For example, let’s say you run a launchctl command to list LaunchDaemons and LaunchAgents running:

launchctl list

And you see something that starts with com.abc. Let me assure you that nothing should ever start with that. So you can scan it using the following command: 

sudo /System/Library/CoreServices/MRT.app/Contents/MacOS/mrt -a -r ~/Library/LaunchAgents/com.abc.123.c1e71c3d22039f57527c52d467e06612af4fdc9A.plist

What happens next is that the bad thing you’re scanning for will be checked to see if it matches a known hash from MRT or from /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara and the file will be removed if so. 

A clean output will look like the following:

2018-09-24 21:19:32.036 mrt[48924:4256323] Running as agent

2018-09-24 21:19:32.136 mrt[48924:4256323] Agent finished.

2018-09-24 21:19:32.136 mrt[48924:4256323] Finished MRT run

Note: Yara rules are documented at https://yara.readthedocs.io/en/v3.7.0/. For a brief explanation of the json you see in those yara rules, see https://yara.readthedocs.io/en/v3.5.0/writingrules.html.

So you might be saying “but a user would have had to a username and password for it to run.” And you would be correct. But XProtect protects against 247 file hashes that include about 90 variants of threats. Those are threats that APPLE has acknowledged. And most malware is a numbers game. Get enough people to click on that phishing email about their iTunes account or install that Safari extension or whatever and you can start sending things from their computers to further the cause. But since users have to accept things as they come in through Gatekeeper, let’s look at what was allowed.

To see a list of hashes that have been allowed:

spctl --list

When you allow an app via spctl the act of doing so is stored in a table in 

sudo sqlite3 /var/db/SystemPolicy

Then run .schema to see the structure of tables, etc. These include feature, authority, sequence, and object which contains hashes.

On the flip side, you can search for the com.apple.quarantine attribute set to com.apple.quarantine:

xattr -d -r com.apple.quarantine ~/Downloads

And to view the signature used on an app, use codesign:

codesign -dv MyAwesome.app

To sign a package:

productbuild --distribution mycoolpackage.dist --sign MYSUPERSECRETIDENTITY mycoolpackage.pkg

To sign a dmg:

codesign -s MYSUPERSECRETIDENTITY mycooldmg.dmg

However, in my tests, codesign is used to manage signatures and sign, spctl only checks things with valid developer IDs and spctl checks items downloaded from the App Store. None of these allow for validating a file that has been brought into the computer otherwise (e.g. through a file share). 

Additionally, I see people disable Gatekeeper frequently, which is done by disabling LSQuarantine directly:

defaults write com.apple.LaunchServices LSQuarantine -bool NO

And/or via spctl:

spctl --master-disable

Likewise, mrt is running somewhat resource intensive at the moment and simply moving the binary out of the MRT.app directory will effectively disable it for now if you’re one of the people impacted.

September 24th, 2018

Posted In: Mac OS X, Mac Security

Tags: , , , , ,

An article on ZDNet that states that Snow Leopard has anti-malware built into it (thanks Dee-Ann): http://blogs.zdnet.com/security/?p=4104&tag=nl.e589 Side note: I wonder whether or not they read the EULA for their pre-released software? I realize that release date is really just a few days from now, but come on guys… Just wait a couple of days to post these things…

August 25th, 2009

Posted In: Articles and Books, Mac Security

Tags: , , ,

I originally posted this at http://www.318.com/TechJournal How to Know You Have it and What to do About Removing It What is it? Malware, short for Malicious software, is the macro concept behind names like “Adware”, “Spyware”, “Hijackers”, “Toolbars” and “Dialers”. Malware is a growing PC-related assault epidemic (doesn’t effect Macintosh too much yet). How you get it? Malware tends to sneak into your life (usually in a hidden or invisible manner) via third party software (software from less-than well known developers) disguised as added functionality to your work flow and your internet experience (and other bells and whistles) in order to execute many malicious tasks that are bad for business. Tell tail signs you have it- there’s the activity you can see; Pop-up ads, re-directing of your browser, out-of-the-ordinary sluggishness, and other virus-like activity. Then there’s the activity you can’t see (and generally the most malicious of all); The taking of personal information from different parts of your PC, keeping track of web sites you visit and web searches you make, files you download, software you install. All of this can (and usually does) involve your personal and sometimes private information, cause system slow down or even interruption inproductivity and produce virus-like activity to the point of annoyance or even system crash. This involves security issues, downtime and productivity loss (money lost!) Discovering you are one of malware’s victims is critical and yet only half the battle. Knowing what steps to take to rid your life of it (and possibly to prevent future attacks) is then key. The point is, malware is bad and Three18 can help you get rid of it. At Three18 we continue to stay on top of current malware and other emerging malicious technologies and we pride ourselves on educating our clientele on the benefits of using practical skeptical computing technique to reduce the possibility of malware ever getting to your system and/or network. If you do get malware’d, Three18 will help to get you and your network cleaned up and safely back onto the information super highway!

January 26th, 2007

Posted In: Windows XP

Tags: , ,

I originally posted this at http://www.318.com/TechJournal Spyware is software that covertly gathers user information through the user’s Internet connection without their knowledge, usually for advertising purposes. Adware refers to any software application or program displaying advertising banners or Pop-up. Adware is often considered spyware (although not always) and is typically installed without the user’s knowledge. Malware is a general term that encompases both of these and often viruses and trojan horses, which can cause computers to become slow due to the amount of processing power that these applications can take and the number of them that can infect computers. Malware applications are typically bundled as a hidden component of shareware programs, online music, scripts hidden on websites and viruses that can be downloaded from the Internet. Over the past two years, many products have been released such as Windows XP Service Pack 2, Adaware and Spybot Search and Destroy that can effectively remove spyware. However, spyware and adware authors were able to make a lot of money from their pseudo-legal actions and have become better programmers in their newfound spare time. Many spyware and adware products have begun to incorporate the use of root kits into their software. A root kit is a set of tools used by intruders once they have hacked into a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits often discuise themselves in order to prevent detection. Root kits exist for a variety of operating systems such as Linux, Solaris, and versions of Microsoft Windows. Root kits are typically used by attackers to build collections of slave systems and hide their tracks. By using techniques that are most commonly attributed to attackers, spyware and adware products are becoming more and more harmful to systems. The utilities that once helped to resolve malware issues on systems are not working as well as they once did because of these new techniques employed by malware authors. Many of these techniques go far beyond simply hiding the malware and involve teaching the operating system to pretend that the malware doesn’t exist to make it almost impossible to find. RootKit Revealer is a free product distributed by sysinternals.com that can search for known root kits. A litmitation of this application is that it doesn’t find new attacks that were released since the last revision of Rootkit Revealer. Microsoft is also looking into software that can detect root kits with their Strider Ghostbuster Project. Both RootKit Revealer and Strider Ghostbuster not only look for root kits but also look for any attempts to hide any applications from the operating system. This was effective when the projects were announced and first released. Now, a new generation of malware is coming along that is intelligent enough to actually hide itself from standard searches and then not hide itself from the RootKit Revealer or Strider Ghostbuster scans. The finesse with which authors of malware are creating their root kits often leaves one wondering who is ahead in the game. For more information on the many rootkit removal services that may be available to your business, please contact Three18, Inc. at 310-581-9500 or via email at sales@318.com

October 5th, 2005

Posted In: Windows XP

Tags: , , ,