MRT: what do we know about it?

The Malware Removal Tool, MRT, is one of the front-line security features in macOS. While its companion XProtect tries to detect malware, the purpose of MRT is to remove malicious software that can be removed cleanly and safely. Apple provides next to no information beyond that; the Apple Platform Security guide states: “Apple also issues updates to MRT to remove malware from any impacted systems that are configured to receive automatic security updates. MRT removes malware upon receiving updated information and it continues to check for infections on restart and login.”

Components

Although called an app, MRT.app isn’t an app at all, and can’t be run as an app from the Finder. Its binary is instead used as a command tool, which is run in two circumstances: after your Mac starts up, and when MRT.app has just been updated. MRT has two modes, selected by the -a and -d options, which run it as an agent or as a daemon respectively.

The dummy app is located in /Library/Apple/System/Library/CoreServices/ in Catalina, where it sits on the writable Data volume alongside the other unprotected additions to /System/Library/CoreServices/ on the read-only System volume; in Mojave and earlier, it’s simply in /System/Library/CoreServices/. It’s written in Swift, and is normally run by two launchd property lists:

  • the LaunchAgent at /Library/Apple/System/Library/LaunchAgents/com.apple.MRTa.plist runs MRT at load (that is, at user login) as an agent, with the -a option;
  • the LaunchDaemon at /Library/Apple/System/Library/LaunchDaemons/com.apple.MRTd.plist runs MRT at load (at boot) as a daemon, with the -d option.

(In Mojave and earlier, those paths start /System/Library/LaunchAgents/ and /System/Library/LaunchDaemons/)

Modes

Running in daemon mode, MRT performs thousands of signature checks against Apple’s Certificate Revocation List (CRL), many of which generate errors in the log. It also presumably checks items against its own list of what it can remove. Running in agent mode, it is far quieter, and likely to generate only a few sandbox errors in the log. It then appears to run against a different set of rules which could, for example, remove malicious or unwanted files and directories. This suggests that daemon mode assembles a list of actions which are then performed in agent mode. When run after startup, MRT runs first in daemon mode and then in agent mode, both completing within the first couple of minutes after boot.

Originally, MRT doesn’t seem to have run automatically after being updated, and Apple recommended that users restart their Macs when MRT had been updated, although that advice was never widely promulgated. For at least the last year, whenever it has been updated, MRT has been run in both agent and daemon modes, normally twice in each, so there should no longer be any need to restart.

Unfortunately, since 2018 Apple has obfuscated the names of the malware which MRT can remove. Before that, it was possible to search the string content of its executable and discover the names of the malware which it claimed to be able to ‘remediate’. I have listed those which MRT version 1.35 addressed in the appendix below, and as far as I can see that list still holds for the current version, 1.68, plus whatever has been added since under Apple’s obfuscation, which can no longer be read from the binary.
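As an added illustration (not code from this article or from Apple), here is a minimal version of that string search in Python: it pulls printable runs out of a binary the way strings(1) does, looks for the family names from the appendix, and compares what it finds with the MRT 1.35 list. The Catalina path and the “Family.Variant” naming pattern are assumptions, since the binary’s real string layout isn’t documented here; a constructed byte blob stands in for the executable so the script runs anywhere, and on MRT 1.68 the same scan of the real binary will turn up little, which is the point made above.

```python
"""Scan a binary for MRT remediation names (added example, not from the article or Apple).

Reproduces the technique described for MRT 1.35: extract printable strings from
the executable and look for malware family names. The "Family.Variant" layout
assumed by NAME_RE is a guess, not a documented format.
"""
import re
from typing import Dict, List, Set

# Catalina path from the article (Mojave and earlier: /System/Library/CoreServices/MRT.app/...).
MRT_BINARY = "/Library/Apple/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT"

# Families and variants the article's appendix lists for MRT 1.35.
KNOWN_MRT_135: Dict[str, Set[str]] = {
    "Bundlore": {"A", "B", "C", "D", "E"}, "CpuMeaner": {"A"}, "Dok": {"A", "C"},
    "Ekoms": {"A"}, "Eleanor": {"A"}, "Fruitfly": {"A", "B"}, "Frutas": {"A"},
    "Geneio": {"A", "D"}, "HackingTeamRCS": {"A"}, "HMining": {"A", "B", "C", "D"},
    "InstallCore": {"A"}, "InstallImitator": {"A"}, "Keydnap": {"A"}, "MaMi": {"A"},
    "Morcut": {"A"}, "MudMiner": {"A"}, "Mughthesec": {"A"}, "Netwire": {"A"},
    "Nwm0zjrk": {"A"}, "Proton": {"B", "C", "D"}, "ShellDrop": {"A"}, "Snake": {"A"},
    "Testing": {"A"}, "Trovi": {"A", "A2", "B", "C", "D"}, "VSearch": {"A"},
    "WireLurker": {"A"}, "XcodeGhost": {"A"},
}

# Assumed layout of a name inside the binary: family, one separator character,
# then a variant letter with an optional digit, e.g. "Bundlore.A" or "Trovi.A2".
# Longest names first so no family is shadowed by a shorter one in the alternation.
NAME_RE = re.compile(
    r"\b(%s)[._ -]([A-Z][0-9]?)\b"
    % "|".join(re.escape(n) for n in sorted(KNOWN_MRT_135, key=len, reverse=True))
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII at least min_len long, as strings(1) does by default."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


def find_families(data: bytes) -> Dict[str, Set[str]]:
    """Map each recognised family name to the variant suffixes seen in the binary.

    The "Testing" family is noisy: any "Testing.A"-style string will match it.
    """
    found: Dict[str, Set[str]] = {}
    for text in extract_strings(data):
        for family, variant in NAME_RE.findall(text):
            found.setdefault(family, set()).add(variant)
    return found


def diff_against_known(found: Dict[str, Set[str]],
                       known: Dict[str, Set[str]] = KNOWN_MRT_135) -> Dict[str, Dict[str, List[str]]]:
    """Compare a scan with the 1.35 list.

    'missing' holds listed variants the binary does not show (expected to be
    nearly everything on an obfuscated build); 'added' holds variants of known
    families that the 1.35 list lacks.
    """
    missing = {f: sorted(v - found.get(f, set()))
               for f, v in known.items() if v - found.get(f, set())}
    added = {f: sorted(v - known.get(f, set()))
             for f, v in found.items() if v - known.get(f, set())}
    return {"missing": missing, "added": added}


def scan_file(path: str = MRT_BINARY) -> Dict[str, Set[str]]:
    """Scan a real binary on disk (macOS only; see MRT_BINARY)."""
    with open(path, "rb") as fh:
        return find_families(fh.read())


# Constructed stand-in for a Mach-O's C-string section so the example runs anywhere:
# a 64-bit Mach-O magic, some non-text bytes and a few names. Not real MRT content.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 16
    + b"OSX.Bundlore.A\x00OSX.Bundlore.E\x00Proton.C\x00Trovi.A2\x00Dok.B\x00"
    + b"Omnibar.safariextz\x00\xff\x10\x03Eleanor\x00"
)

if __name__ == "__main__":
    found = find_families(SAMPLE_BINARY)
    for family in sorted(found):
        print(f"{family}: {', '.join(sorted(found[family]))}")
    report = diff_against_known(found)
    print("variants beyond the 1.35 list:", report["added"])
    print("families with listed variants not seen:", len(report["missing"]))
```

On the constructed sample this reports Bundlore A and E, Proton C, Trovi A2 and Dok B, flags Dok B as beyond the 1.35 list, and counts all 27 families as having unseen variants; a bare “Eleanor” without a variant suffix is deliberately ignored. To try it on a real Mac, call scan_file() and expect mostly empty results on any build since the obfuscation.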

Fame

Beyond that very brief description, Apple has long remained silent on what MRT does. It has broken that silence only once, in early July 2019, when MRT was called into play to remove part of an app which wasn’t malware but which left users with a serious vulnerability: Zoom’s client.

One of the biggest problems posed by that old version of the Zoom client was that it installed, in a hidden folder, a web server which was left behind, still active, when you uninstalled the app. This web server was capable of reinstalling the Zoom client, and was found to have a vulnerability of its own. However Zoom responded to the other issues in its client software, it was vital that all copies of this web server were removed, particularly from Macs whose users may have forgotten that they had ever installed Zoom’s client. This wasn’t something that Zoom could handle alone: it needed Apple, just as Apple needed to remove Zoom’s web server before it could be exploited.

The solution lay in gently repurposing Apple’s MRT to detect and destroy Zoom’s web server in its hidden folder, much in the way that it does for malware. The delivery vehicle had therefore to be an urgent ‘silent’ security update containing the new version of MRT, which Apple had ready to push out on 10 July 2019.

Then everything got rather strange. Instead of breaking its self-imposed silence on security updates and explaining this directly to users, Apple passed the message to Zack Whittaker at TechCrunch, then retweeted TechCrunch’s tweet linking to that news story. Not only that, but the story was coy on detail: it didn’t mention MRT, merely that the “silent update” had been released and that all users would receive it automatically. Nor did it say whether users needed to do anything other than wait for the update to be installed.

As you may have noticed, the latest update to MRT, version 1.68, has caused serious problems on many Macs. I doubt very much that Apple will release any information or help for users; it will more likely fix this silently in the next release. Let’s hope that’s not too far away.

Appendix: Known malware which MRT is intended to remove

These lists are based on what MRT 1.35 was known to be able to remove, before obfuscation of malware names in 2018 made this impossible to determine.

MRT 1.35 removes the following well-known malware:

  • Bundlore A, B, C, D and E
  • CpuMeaner A
  • Dok A, C
  • Ekoms A
  • Eleanor A
  • Fruitfly A, B
  • Frutas A
  • Geneio A, D
  • HackingTeamRCS A
  • HMining A, B, C and D
  • InstallCore A
  • InstallImitator A
  • Keydnap A
  • MaMi A
  • Morcut A
  • MudMiner (believed to be CreativeUpdate) A
  • Mughthesec A
  • Netwire A
  • Nwm0zjrk A
  • Proton B, C and D
  • ShellDrop A
  • Snake A
  • Testing A
  • Trovi A, A2, B, C and D
  • VSearch A
  • WireLurker A
  • XcodeGhost A.

MRT also removes several unwanted or malicious Safari extensions and modifiers. In MRT 1.35, those include:

  • Omnibar.safariextz, part of Genieo
  • GoldenBoy.safariextz
  • Nariabox.safariextz
  • Perfetnight.safariextz
  • Smokycap.safariextz
  • Smokycap-2.safariextz
  • SearchConnect.safariextz
  • SafariProxy, part of Dok.