Just what do XProtect and MRT protect your Mac from?

Apple doesn’t release any listing of the malware which the software it has built into El Capitan, Sierra, and High Sierra is expected to protect against. Here’s a breakdown of the malware which the latest versions (MRT 1.35 and XProtect 2099) should block or remove.

Note that these are the malware which XProtect and MRT aim to deal with. Whether they work on new variants of each is another issue: as XProtect in particular relies on quite specific signatures for recognition, a slight change in signature could enable a specific release of malware to avoid detection.

The macOS strategy against malware is generally to prevent unsigned software from running in the first place (Gatekeeper), to detect known malware (XProtect), and to remove any malware which is found (MRT). In all cases below, any certificates used to try to slip past Gatekeeper’s checks should have been revoked by Apple, but it is not uncommon for new malware to abuse new, and still valid, certificates. In the sections below detect refers to XProtect’s detection features, and remove to MRT’s malware removal code.

In each case, the full name, e.g. OSX.Bundlore.A, is shortened to just Bundlore, with variants being itemised in the entry. Unfortunately, XProtect and MRT don’t always appear to use consistent nomenclature: for example, XProtect refers to OSX.Machook.A and .B, but MRT to OSX.WireLurker.A, which may be the same as OSX.Machook.A. I have not attempted to untangle those possible overlaps, and the following list sticks to the names used by Apple. There are also some inconsistencies between the different XProtect data files, although those are generally small.

XProtect 2099 and MRT 1.35 cover the following well-known malware:

  • Abk – A detected.
  • AceInstaller – B detected.
  • AdLoad – A, B1 and B2 detected.
  • AdPlugin – i and 2i detected.
  • Bundlore – A, B and D detected and removed; C removed.
  • CoinThief – A, B and C detected.
  • CpuMeaner – A removed.
  • CrossRider – A detected.
  • DevilRobber – A and B detected.
  • Dok – A detected and removed; B detected; C removed.
  • Ekoms – A removed.
  • Eleanor – A detected and removed.
  • ExtensionsInstaller – A detected.
  • FileSteal – i and ii detected.
  • Findzip – A detected.
  • FkCodec – i detected.
  • Flashback – A, B and C detected.
  • Fruitfly – A and B removed.
  • Frutas – A removed.
  • Geneio – A and D detected and removed; B, C, E, G and G1 detected.
  • GenieoDropper – A detected.
  • GetShell – A detected.
  • HackingTeamRCS – A removed.
  • HellRTS – A detected.
  • HiddenLotus – A detected.
  • HMining – A, B, C and D detected and removed, and A2 detected.
  • iKitten – A detected.
  • InstallCore – A detected and removed.
  • InstallImitator – A detected and removed; B, C and D detected.
  • Iservice – A and B detected.
  • iWorm – A, B and C detected.
  • KeRanger – A detected.
  • Keydnap – A removed.
  • LaoShu – A detected.
  • Leverage – a and A detected.
  • MaMi – A removed.
  • MacDefender – A and B detected.
  • MacHook – A and B detected.
  • MaControl – i detected.
  • Mdropper – i detected.
  • Morcut – A removed.
  • MudMiner (believed to be CreativeUpdate) – A removed.
  • Mughthesec – A detected and removed; B detected.
  • NetWeird – i and ii detected.
  • Netwire – A detected and removed.
  • Nwm0zjrk (not otherwise identified) – A removed.
  • OpinionSpy – (regular) and B detected.
  • ParticleSmasher – A detected.
  • Proton – A detected; B detected and removed; C and D removed.
  • Prxl – 2 detected.
  • QHostWB – A detected.
  • Revir – A, ii, iii and iv detected.
  • RSPlug – A detected.
  • ShellDrop – A removed.
  • SMSSend – i and ii detected.
  • Snake – A removed.
  • Testing – A removed.
  • Trovi – A detected and removed; A2, B, C and D removed.
  • VindInstaller – A detected.
  • VSearch – A detected and removed.
  • WireLurker – A removed.
  • XAgent – A detected.
  • XcodeGhost – A detected and removed.
  • OSX.127eaa6 – removed.
  • OSX.28a9883 – A detected and removed.
  • OSX.4e36ae6 – removed.
  • MACOS.e3278ad – removed.
  • MACOS.bdd69ef – removed (this appears to be a bitcoin miner).

There is also another category of malware which doesn’t appear to have been reported in public sites, for which Apple uses descriptors such as OSX.ATG10A. Currently, ATG15B is detected and removed, and ATG 1A, 1B, 2A, 2B, 3A, 10A, 10B, 11A, 15A, 15C, 15D, 51A and U112A are all removed. These may refer to Genieo variants. XProtect also detects the EICAR test listed as OSX.eicar.com.i.

MRT also removes several unwanted or malicious Safari extensions and modifiers. These currently (MRT 1.35) include:

  • Omnibar.safariextz, part of Genieo
  • GoldenBoy.safariextz
  • Nariabox.safariextz
  • Perfetnight.safariextz
  • Smokycap.safariextz
  • Smokycap-2.safariextz
  • SearchConnect.safariextz
  • SafariProxy, part of Dok.

The next time that anyone suggests that there has been no malware for macOS, show them the above list. Should you ever wonder whether it is worth upgrading to El Capitan or later, consider whether your current version of OS X has equivalent protection. And should you ever think about paying for additional anti-malware protection, ask how that will improve on that list.

Full details of all the protection provided by XProtect, and information about many of the malware items which it can detect, is provided in UXProtect from Digita Security. Currently UXProtect requires Sierra or High Sierra.

My free utility LockRattler, from Downloads above, provides a complete set of tools for checking the currently installed versions of XProtect and MRT, for downloading updates when they are not delivered automatically, and more. LockRattler requires El Capitan or later.
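If you would rather check the installed versions from a terminal than with LockRattler, the script below is an added example (not code from the original post, and not LockRattler's own code). It assumes the High Sierra-era locations of the two bundles and that each bundle's Info.plist carries the version in CFBundleShortVersionString; on other macOS releases the paths differ. It parses the plists with awk rather than plutil so the same functions can be exercised on a constructed plist off a Mac, and it compares what is installed with the versions the post describes (XProtect 2099, MRT 1.35).

```shell
#!/bin/sh
# Added example: read the XProtect and MRT versions from their bundle plists
# and compare them with the versions discussed in the post. Paths and the
# CFBundleShortVersionString key are assumptions for High Sierra-era macOS.

XPROTECT_PLIST="/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
MRT_PLIST="/System/Library/CoreServices/MRT.app/Contents/Info.plist"

# Print the <string> value that follows a given <key> in an XML plist.
# $1 = plist path, $2 = key name. Uses awk only, so it also runs off-Mac.
plist_string() {
    awk -v key="$2" '
        found && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
        $0 ~ "<key>" key "</key>" { found = 1 }
    ' "$1"
}

# Compare two dotted version strings field by field, numerically.
# Prints "older", "same" or "newer" describing $1 relative to $2.
compare_versions() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) { print "older"; exit }
            if (p > q) { print "newer"; exit }
        }
        print "same"
    }'
}

# Report one component: installed version against the reference version.
# $1 = component name, $2 = plist path, $3 = reference version.
# Returns 1 when the bundle is not where this script expects it.
report() {
    if [ ! -r "$2" ]; then
        echo "$1: plist not found at $2 (not macOS, or a different release?)"
        return 1
    fi
    installed=$(plist_string "$2" CFBundleShortVersionString)
    echo "$1: installed $installed, reference $3 ($(compare_versions "$installed" "$3"))"
}

# Only inspect the real bundles on macOS; elsewhere the functions above can
# still be exercised on a constructed plist.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    report XProtect "$XPROTECT_PLIST" 2099
    report MRT "$MRT_PLIST" 1.35
fi
```

An "older" result for either component is the cue to look for an update that has not been delivered automatically, which is exactly the situation LockRattler is designed to handle.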

If you’re interested in improving protection from malware beyond that provided in macOS, then visit Objective-See and Sqwarq and look at what they have to offer.

For those still running versions of OS X earlier than El Capitan, Apple still provides XProtect updates as follows: for 10.6.7 and 10.6.8, for 10.7.x, and for 10.7.5 with Security Update 2013-001 and 10.8.x.

Updated for MRT 1.35 on 21 and 22 June 2018. Thanks to Al Varnell for his help with these.