LaunchAgents and LaunchDaemons: Closing the vulnerability

For it to be successful, malware must persist. Any malicious software which isn’t persistent gets blown away the next time your Mac starts up.

For an operating system with the byzantine complexity of macOS, there are several different ways that software, including malware, can make itself persistent. But by far the simplest in all recent versions of OS X and macOS is to make a LaunchAgent or LaunchDaemon run the malicious code, so that the Mac’s launchd service automatically runs it each time that Mac starts up.

All this requires is a short property list file, installed in /Library/LaunchAgents or /Library/LaunchDaemons, and it’s ready and waiting to do whatever harm it wants.

Unlike ~/LaunchAgents, which is essentially unprotected, those two folders in the top-level Library are weakly protected: it is a simple task, though, to get most users to authenticate with their admin password and let software install whatever it likes in those crucial folders.

Most recent Mac malware does exactly that.

LaunchAgents and LaunchDaemons are, unfortunately, very popular with perfectly legitimate software too. I recently installed a highly-respected and widely-used tool which installed no less than half a dozen different property lists in those main Library folders. The tool which informed me that this was going on itself installs a ‘helper’ tool in /Library/LaunchDaemons for that purpose.

Of the thirty-six property lists currently installed in my /Library/LaunchDaemons folder, only six claim to be from Apple. All the rest admit to being from third parties. Take a look in your own folder, and I suspect that you will see even more third-party property lists.

macOS makes essentially no checks on those property lists. They can be written by third-parties but named as if they come from Apple, or another vendor of repute: that is a trick used commonly by property lists installed to make malware persist. They can launch any software which can be run on that Mac, irrespective of its origins or ill-intent. So long as that software makes its way past Gatekeeper’s rudimentary signature checks, it will be launched by macOS.

Good security software, such as Objective-See‘s KnockKnock and BlockBlock, is assiduously careful to examine LaunchAgents and LaunchDaemons, looking for malware. But the security features built in macOS, including XProtect and Gatekeeper, seem to be oblivious of these dangers.

Locking down access to these folders, and to the property lists within them, is not an easy task. Many of us add our own LaunchAgents, for example to perform scheduled tasks. Requiring those property lists to be signed, for example, would not pose much of a barrier for the serious malware developer, but would greatly limit the ability of the ordinary user to get their Mac to do what they need to.

There are now stark contrasts between the controls over /System/Library/LaunchAgents and LaunchDaemons, which are protected by SIP, and their equivalents in /Library, which are just as capable of abuse. SIP prevents you from trashing apps like Chess, but lets you install anything you like in those folders. To develop and install a third-party kernel extension requires a special code signature provided by Apple, but anything and anyone can install persistent code which loads later via launchd.

High Sierra is an excellent opportunity for Apple to come up with a new mechanism which makes it much more difficult for malware to make itself persistent by installing LaunchAgents and LaunchDaemons. Otherwise they will remain too easily abused, leaving users vulnerable.