Troy under siege: more tools

Although there is no sign (yet) of any malware which exploits the loophole in OS X Gatekeeper and performs dylib hijacking, as described by Patrick Wardle of Synack, Patrick has continued to improve his utility DHS (dylib Hijack Scanner), available from here. One new feature is that it can optionally write its results out to a file, and DHS no longer reports Microsoft Messenger as having been hijacked (unless it really has, of course).

In a quick and dirty Sunday morning script hack, I have put together two droplet tools, SigCheck and DylibScan, which you may find helpful for checking for potential malware. You can download them, together with their ReadMe file, from scdsdroplets. You will note that this uses HTTPS for a secure connection!

Suggested Interim Strategy

Until the loophole in Gatekeeper is closed in a future security update, I suggest a strategy along these lines:

  • If at all possible, keep Gatekeeper turned on, and only install or update apps and other executable code through secure connections with the App Store and similar services.
  • If you have to download apps, updates, or executable code of any type, only do so using a secure HTTPS connection.
  • If you have to download apps, updates, or executable code of any type over a non-secure connection such as HTTP or FTP, check what you download with great care before installing it.
  • If you download an Installer package, inspect its contents before proceeding to install it. Do this using the Show Files command in the File menu of Installer. If you are in the least bit suspicious, don’t install it.
  • If you download a Zip or similar archive, inspect its contents using an app which can open the archive before proceeding to install it. If you are in the least bit suspicious, don’t install it.
  • If you download a disk image (or after decompressing a disk image), inspect its contents using SigCheck, or failing that DylibScan, before proceeding to install it. If you are in the least bit suspicious, don’t install it.

You can also use these droplets for inspecting and checking other folders, apps, etc.
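To show what a dylib-hijack scan of the kind DHS performs actually looks for, here is an added Python example (not code from DHS or from the droplets above) that walks the load commands of a 64-bit Mach-O and flags the two patterns dylib hijacking relies on: a weak dylib that is absent from disk, and an @rpath dylib that only resolves from a later rpath entry than the first one dyld searches. The `build_sample()` image, the `exists` callback used in testing and the default `loader_path` are all constructed for this demonstration.

```python
import os
import struct
MH_MAGIC_64, LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0xFEEDFACF, 0x0C, 0x80000018, 0x8000001C  # <mach-o/loader.h>

def load_commands(data):
    """Yield (cmd, raw command bytes) for each load command of a little-endian 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def lc_string(payload):
    start = struct.unpack_from("<I", payload, 8)[0]  # lc_str offset, relative to the command start
    return payload[start:payload.index(b"\0", start)].decode()

def find_hijackable(data, exists=os.path.exists, loader_path="/Applications/Demo.app/Contents/MacOS"):
    """Return (reason, path) pairs where a planted dylib would be loaded in place of the real one."""
    cmds = list(load_commands(data))
    # dyld searches LC_RPATH entries in order; gather them first, as they usually follow the dylib commands
    rpaths = [lc_string(p).replace("@loader_path", loader_path).replace("@executable_path", loader_path)
              for c, p in cmds if c == LC_RPATH]
    findings = []
    for cmd, payload in cmds:
        if cmd not in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            continue
        name = lc_string(payload)
        candidates = ([os.path.normpath(os.path.join(r, name[len("@rpath/"):])) for r in rpaths]
                      if name.startswith("@rpath/") else [name])
        present = [c for c in candidates if exists(c)]
        if candidates and not present and cmd == LC_LOAD_WEAK_DYLIB:
            findings.append(("weak dylib missing", candidates[0]))  # absent, so a planted file would be loaded
        elif present and present[0] != candidates[0]:
            findings.append(("rpath search order", candidates[0]))  # an earlier search directory is empty
    return findings

def _lc(cmd, body):
    size = (8 + len(body) + 7) & ~7  # load commands are 8-byte aligned
    return struct.pack("<II", cmd, size) + body.ljust(size - 8, b"\0")

def build_sample():
    """Constructed header-only image: one weak dylib, one @rpath dylib and two rpaths."""
    dylib = lambda cmd, path: _lc(cmd, struct.pack("<IIII", 24, 0, 0, 0) + path.encode() + b"\0")
    rpath = lambda path: _lc(LC_RPATH, struct.pack("<I", 12) + path.encode() + b"\0")
    cmds = (dylib(LC_LOAD_WEAK_DYLIB, "/usr/lib/libOptional.dylib") + dylib(LC_LOAD_DYLIB, "@rpath/libHelper.dylib")
            + rpath("@loader_path/../Frameworks") + rpath("/Library/Frameworks"))
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 4, len(cmds), 0, 0) + cmds
```

To scan a real thin 64-bit binary, pass its bytes and the directory containing it as `loader_path`; fat (multi-architecture) files would need their slices split out first, which this example does not do.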

If you have any questions or issues, please comment here.