macOS is inherently a secure operating system. Apple has gone to great lengths to ensure that multiple protections are built-in to macOS with the express intention of keeping users, their devices and data protected from threats to their privacy, the data’s integrity and further compromises to the underlying system.
Some of the protections that are available on macOS right from the installation are found below with a quick summary of what they do. Wardle extensively details each component and how it works - individually and in tandem - to protect Mac from malware.
- XProtect: Antivirus technology providing signature-based detection of malware.
- Malware Removal Tool (MRT): Technology that delivers updates from Apple to remediate infections that may have made it onto macOS.
- Notarization: A scanning service provided by Apple that actively scans apps distributed outside the App Store for known malware.
- GateKeeper: Blocks malicious apps from executing, should they fail Notarization checks.
Considering the above protections are enabled by default, devices are still susceptible to infection - and that’s largely due to the end users themselves intervening through several common avenues:
- Fake updates
- Pirated applications
- Poisoned/Hijacked search results
- Infected web sites
As Wardle dubs it in the presentation, a “user-assisted infection” is one whereby “the user is essentially coerced or tricked into running something they should not.” Ultimately leading to exposing their device to running a malicious script or invoking the payload that exploits a macOS vulnerability.
The Flaw…and root cause analysis
With an understanding of the macOS security software in place and how they work to protect devices from malware and malicious apps, Wardle develops a proof of concept (PoC) to show users exactly how an unsigned app can bypass the security hoops to still be allowed to run.
Without giving away the complex details behind how this was achieved, the end result is the same: An unsigned, non-notarized application is correctly set with the quarantine attribute and checked by macOS, but still allowed to launch without triggering notifications or dialog boxes, just as an authorized app would.
As Wardle succinctly sums it up, “this is less than ideal”.
So, what’s going on?!
Upon delving more deeply into the PoC, it is quickly noted that several files are missing from the application bundle. Most notably, the executable is, in itself, a script, which is odd, to put it mildly.
We’re then taken on a tour of what happens behind the scenes when a user launches an app. The process is complex and Wardle does an excellent job of providing - not just the key details - but the complete step-by-step explanation of the over half a dozen user-mode applications, system daemons and kernel processes that are involved in the background.
The next step is to execute known trusted and untrusted apps, alongside the unsigned PoC app and evaluate the blogs to determine where along the path of applications and daemons the vulnerability exists to pin down the source of the root cause. This is an incredibly detailed and time-consuming process that is demonstrated in the presentation using screenshots, code examples and summarized deep-dives as only Wardle can tell it.
Detections and malware discovery
Once the script-based executable was determined to be the root cause that allowed the bypass of protections to occur, Bradley was called in to transform the findings into an analytic that could be used to detect this vulnerability, and more importantly, stop it from occurring.
Bradley provides viewers a detailed reference of how the Detections Engine within Jamf Protect works to protect devices and user data from security threats across different behaviors, such as file or download events. The complexities of the checks involved include heuristics detections, including whether an app is passing all the checks of the macOS protections. This is also down to reduce the number of false-positive detected as Apple does inherently allow legitimate applications to launch scripts as part of its allowed actions.
Jamf Protect detections were able to determine that the creators of the Shlayer malware were in fact the authors behind modifying its payload to abuse this zero-day. This allowed the malware to bypass macOS protections to successfully install itself within the system within microseconds - long before the user could even begin to suspect becoming compromised.
- A zero-day vulnerability that allowed an attacker to infect targeted systems with malware.
- The vulnerability consisted of bypassing native macOS protections to allow the software to launch without prompting.
- Root cause analysis revealed that apps running scripts were misclassified, allowing such apps to run.
- Jamf was able to detect this vulnerability being exploited in the wild, preventing devices using Jamf Protect endpoint security from becoming infected.
Register for JNUC to access this session as well as the other sessions on demand.
Have market trends, Apple updates and Jamf news delivered directly to your inbox.