
OS X malware: I hear you KnockKnocking but you can’t come in*

Posted by on October 29, 2014.

This might be a contender for The Register’s misleading title of all time – Knock Knock tool makes a joke of Mac AV – but it’s based on an interesting open source tool previously discussed in Patrick Wardle’s recent paper for Virus Bulletin 2014 – Methods of Malware Persistence on Mac OS X.

Why is the title of Darren Pauli’s Register article misleading, I hear you ask?

Wardle’s KnockKnock tool is actually designed for the generic detection of binary programs that maintain ‘persistence’: that is, they’re intended to execute at every boot/reboot. It’s a Python script that can incorporate plug-ins for each known technique for allowing a program to launch automatically when the system (re)starts.

As Wardle readily recognizes, that’s not in itself a test of malicious intent: there are many applications with legitimate reasons to load at bootup. KnockKnock does, however, include the useful functionality of being able to filter (by default) applications that are Apple-signed. I wouldn’t claim that it’s totally impossible for a malicious application to be signed, but signing by Apple does normally indicate a legitimate application. If there is any doubt, or if a more thorough scan is indicated for other reasons, the script includes options to show Apple-signed and whitelisted binaries as well.
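To make the two ideas above concrete (a plug-in per persistence technique, and filtering out Apple-signed binaries by default), here is a small Python sketch in the same spirit. It is an added illustration written for this post, not Wardle's KnockKnock code: it implements one plug-in for launchd property lists, parses constructed sample plists embedded in the script, and lets the Apple-signature check be injected so the demo runs on any platform. The real check, `codesign_is_apple`, shells out to Apple's `codesign` tool and is only meaningful on OS X; the labels and paths in the sample data are made up.

```python
"""KnockKnock-style persistence triage (added example, not the original tool).

Assumptions: launchd plists are the only persistence mechanism shown here, and
the signature check is injectable so the constructed sample data runs offline.
"""
import plistlib
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class PersistentItem:
    label: str          # launchd Label
    program: str        # binary that launchd will start
    source: str         # where the plug-in found it (plist path)
    apple_signed: bool  # result of the signature check


def parse_launchd_plist(data: bytes) -> Optional[dict]:
    """Extract Label and the program path from a launchd plist; None if unusable."""
    try:
        p = plistlib.loads(data)
    except Exception:           # malformed or non-plist data
        return None
    program = p.get("Program")
    if not program:
        args = p.get("ProgramArguments") or []
        program = args[0] if args else None
    if not program or not p.get("Label"):
        return None
    return {"label": p["Label"], "program": program}


def codesign_is_apple(path: str) -> bool:
    """Real check (OS X only): Apple-signed binaries show Apple's own chain in codesign output."""
    try:
        out = subprocess.run(["codesign", "-dvv", path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:   # codesign is not present off macOS
        return False
    report = out.stderr         # codesign writes the Authority= lines to stderr
    return ("Authority=Software Signing" in report
            and "Authority=Apple Root CA" in report)


def launchd_plugin(plists: Dict[str, bytes],
                   signed_by_apple: Callable[[str], bool]) -> List[PersistentItem]:
    """One persistence plug-in: every readable launchd plist becomes an item."""
    items = []
    for path, data in plists.items():
        parsed = parse_launchd_plist(data)
        if parsed is None:
            continue
        items.append(PersistentItem(parsed["label"], parsed["program"], path,
                                    signed_by_apple(parsed["program"])))
    return items


def knock(plugins: List[Callable[[], List[PersistentItem]]],
          show_apple_signed: bool = False) -> List[PersistentItem]:
    """Run every plug-in; hide Apple-signed items unless asked to show them."""
    found: List[PersistentItem] = []
    for plugin in plugins:
        found.extend(plugin())
    if not show_apple_signed:
        found = [i for i in found if not i.apple_signed]
    return found


# Constructed sample plists (fictional labels and paths, not real system files).
APPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.constructed.example</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/constructed-daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

UNKNOWN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Users/Shared/.updater/agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.apple.constructed.example.plist": APPLE_PLIST,
    "/Library/LaunchAgents/com.example.updater.plist": UNKNOWN_PLIST,
    "/Library/LaunchAgents/broken.plist": b"not a plist",   # must be skipped
}


def stub_signed_by_apple(path: str) -> bool:
    """Constructed stand-in for codesign_is_apple so the demo runs off OS X."""
    return path.startswith(("/usr/libexec/", "/System/"))


def run_demo(show_apple_signed: bool = False) -> List[PersistentItem]:
    plugins = [lambda: launchd_plugin(SAMPLE_PLISTS, stub_signed_by_apple)]
    return knock(plugins, show_apple_signed)


if __name__ == "__main__":
    for item in run_demo():
        print(f"{item.label}: {item.program} (from {item.source})")
```

With the default filter only `com.example.updater` is reported, which is the point of the design: the script does not decide that the item is malicious, it just shrinks the list to the handful of non-Apple binaries that a person then has to examine. Passing `show_apple_signed=True` corresponds to the option the post mentions for a more thorough scan.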

Still, that leaves a percentage of apps (about 10%, according to Wardle’s paper) that may or may not be malicious “leaving a handful of binaries that quickly can be examined and manually verified.” And that exemplifies the distinction between a generic detection that warns against suspicious objects and behaviour but may require the use of other tools and/or manual inspection to confirm those suspicions, and detection of a known threat. In fact, modern anti-malware applications usually use a combination of threat-specific identification and generic detection of possible threats.

However, I don’t think Wardle is trying to present his app as a better alternative to mainstream anti-malware. Despite the obvious limitations of what some vendors insist on calling signature detection, distinguishing between innocent and malicious applications is not usually a task best left to the average Mac user or even to many system administrators. KnockKnock could certainly be very helpful to individuals with significant forensic skills, but I don’t see it as an obvious fit for replacing mainstream anti-malware on every Mac desktop. But then, from the paper and from other reports I’ve seen, Wardle hasn’t even mentioned that possibility. He has, however, drawn attention to the fact that Apple’s built-in countermeasures (specifically XProtect, Gatekeeper, sandboxing, code-signing) aren’t a complete defence against malware.

Well, many of us have discussed that issue over time, especially with reference to the very basic functionality of XProtect – most recently, in my case, in a paper with Lysa Myers in which we discussed the implications of built-in OS countermeasures for OS X AV testing – and I doubt if Apple – which has a much better relationship with the anti-malware industry these days, at any rate at researcher level – is going to claim at this point that there isn’t, never was, and never could be any such thing as OS X malware. I don’t suppose that it would claim that its inbuilt protection is 100% effective these days, either.

There is one thing I’d like to get off my chest, though it’s not a big deal. Patrick Wardle’s paper includes the oft-repeated but technically incorrect statement that ‘the first personal computer virus discovered in the wild (Elk Cloner), was a Mac virus that infected Apple IIs’. And in fact, I’ve heard/read more or less the same thing no less than four times in the last fortnight. Elk Cloner may have been the first personal computer virus in the wild, though there were similar experimental viruses with limited circulation at Texas A&M** at around the same time that Skrenta was playing with Elk Cloner in Pittsburgh. The timeline is a bit smudged, that far back. But the Apple II was not a Mac, and ran (primarily) AppleDOS, not Mac OS. (In fact, diskettes loading alternatives such as Hackerdos or ProDOS tended to get trashed, though this doesn’t seem to have been intentional.)

* Title shamelessly parodying “I hear you knockin’”, a hit for Smiley Lewis in 1956, though I have some affection for the slightly bizarre 1970 cover by Dave Edmunds.

** We discussed these in ‘Viruses Revealed’, a book by myself, Robert Slade and Urs Gattiker. You’ll be lucky to find a copy in a bookshop nowadays, though.

David Harley
Small Blue-Green World

