Last Week on My Mac: Malware has got the upper hand

One of the greatest human achievements during my lifetime has been the eradication of smallpox. From long before the dawn of civilisation until 1977, countless millions had died of that disease. Estimates are that in the twentieth century alone, 300-500 million people around the world died of smallpox. Its toll puts man-made catastrophes such as the world wars into insignificance.

One important reason that we were able to eliminate smallpox, but not still-common virus infections such as the common cold and flu, is that the smallpox virus changed very little. This made it relatively simple to prevent by vaccination – a word which originated in the campaign against smallpox. Colds and flu are much more mutable viruses, each year bringing new strains to defeat existing protection.

So it is with malware. If it never changed, if no one ever developed new malware exploiting newly-discovered vulnerabilities, then we’d not have a problem. Like smallpox, it would be a thing of the past.

Instead, the last week has seen the arrival in the wild of a whole family of new malware affecting macOS: OSX/Dok. At first, one variant was detected, then a second quickly became manifest. Apple very promptly updated protection provided to El Capitan and Sierra, and within days new variants have appeared which circumvent that.

Apple and the vendors of ‘anti-virus’ products are now engaged in a race against the developer of OSX/Dok: each time that protection becomes effective, new variants will appear which sneak through that protection. The protection is then updated again, and the malware changes. A determined and well-resourced team of malware developers can continue this cycle for as long as it takes to achieve their objective. It is a race which is unlikely to have any real winner.

The reason that this is happening is the nature of anti-malware protection in macOS and ‘anti-virus’ products. Like vaccines against colds and flu, protection is determined by quite precise properties of past malware. Today’s protection provides little if any protection against tomorrow’s malware.

Gatekeeper is a good example: each variant of OSX/Dok has been signed using a valid developer’s certificate, issued by Apple to allow it past Gatekeeper’s protection. Apple has very promptly revoked the certificates which OSX/Dok has abused yesterday, but as it cannot know which certificates will be abused next, tomorrow’s variants of OSX/Dok will once again be given the thumbs up by Gatekeeper, and it will not protect Macs from them.

This is not to say that Gatekeeper is now useless, but that it can only form a part of the protection against malware built into macOS. Unfortunately, at present, the other parts have a similar weakness: like almost all ‘anti-virus’ products, they rely on ‘fingerprints’ and very specific properties of the malware that they detect. When the malware behaves like smallpox, that is very effective, as we have seen over the last couple of years.

But when malware behaves like colds and flu as OSX/Dok is doing, Gatekeeper, XProtect, MRT, and other Apple and third-party protection will always lag behind the malware which it is trying to protect against.

This is not the only possible approach to detecting malware, though. It is the one in which there has been most investment, and it is tempting to suggest that one determining factor in that industry strategy is maintaining revenue from subscriptions to ‘virus definitions’ services.

An alternative, which has academic credibility and growing evidence of practical success, is to look for malware behaviours. As Patrick Wardle and others have pointed out, most malware has to remain persistent in order to achieve its objectives. In macOS, there’s a limited number of ways in which apps can become persistent, such as through the LaunchAgent/LaunchDaemon mechanism. One relatively simple way of detecting a lot of malware – including, it would appear, most of the OSX/Dok variants – is to block the installation of LaunchAgents and LaunchDaemons. Yet macOS does not do that, nor do commercial ‘anti-virus’ products.

There is one product which I know of which adopts this different approach to detecting malware. It is the only product which appears to have provided good protection against all the OSX/Dok variants so far studied, from the moment of their release into the wild. It is Objective-See’s BlockBlock (donationware).

Because BlockBlock is not (yet) very widely used – at least in comparison with Apple’s protection built into El Capitan and Sierra – malware developers don’t seem to have looked seriously at how to circumvent its protection. But even if they do, its importance is in demonstrating a new strategy in detecting and stopping malware, a strategy which has so far been badly underused: looking for patterns of behaviour which are suggestive of malware.

To a degree, El Capitan and Sierra already do this in System Integrity Protection (SIP): apps can no longer install malicious kernel extensions in /System/Library/Extensions, LaunchAgents in /System/Library/LaunchAgents, or LaunchDaemons in /System/Library/LaunchDaemons. But /Library/Extensions, /Library/LaunchAgents, and /Library/LaunchDaemons are not watched folders. A developer will need a special certificate to get their kernel extension into the first of those, and the user will need to authenticate as an admin user to install into the latter two, but as OSX/Dok and others have shown, those are not insurmountable problems for the determined malware developer.

With just a month to go to WWDC 2017, and Apple’s expected announcement of macOS 10.13, we can only hope that its security engineers have already worked out and implemented a better strategy. If it isn’t behavioural, like BlockBlock, then Apple will remain stuck in this futile race against malware developers. And we’ll be stuck in between.