Knock Knock, who’s there?

I saw an interesting video today which talks about the kinds of OS X malware and the ways they can persist. Now when it comes to ways that OS X malware can keep itself alive even after a reboot there is nothing new in this video, however the tool that was created by the author Patrick Wardle is pretty cool. Basically it checks all the locations and ways malware is known to be persistent. The known LaunchDaemons and LaunchAgents, browser plugins/extensions and Login Items are all checked, but it goes a little deeper than that. The contents of those items are also checked, like a plist file’s use of “RunAtLoad” or “KeepAlive”, which could indicate persistent malware.
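To make the check described above concrete, here is an added example written for this page; it is not Knock Knock’s own code and does not use its plugin API. It reads launchd property lists from the LaunchAgents and LaunchDaemons directories, flags the keys the post names (“RunAtLoad”, “KeepAlive”) plus a few related launchd scheduling keys, and notes when the program a job runs is missing or lives in an unusual location. The directory list, the key list and the two sample plists are assumptions constructed for the demonstration, not data from the post.

```python
"""Audit launchd property lists for persistence indicators.

Added example for this page, not Knock Knock's code. The sample plists at the
bottom are constructed for the demonstration and do not describe real malware.
"""
import os
import plistlib

# Standard launchd search locations on OS X (assumption: the usual five directories).
LAUNCHD_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
]

# launchd keys that start a job without user interaction or keep it running.
PERSISTENCE_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                    "StartCalendarInterval", "WatchPaths")


def audit_plist(data, source="<memory>"):
    """Return a finding dict for one launchd plist given as bytes. Never raises."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed XML/binary plist is itself worth reporting
        return {"source": source, "error": str(exc), "flags": [], "program": None}

    # Any non-empty value counts; KeepAlive may be True or a dict of conditions.
    flags = [key for key in PERSISTENCE_KEYS if plist.get(key)]

    # Resolve the executable the job would launch.
    program = plist.get("Program")
    args = plist.get("ProgramArguments")
    if not program and isinstance(args, list) and args:
        program = args[0]

    notes = []
    if program and not os.path.exists(program):
        notes.append("program path does not exist")
    if program and program.startswith(("/tmp/", "/var/tmp/", "/Users/Shared/")):
        notes.append("program lives in an unusual location")
    if plist.get("Disabled") is True:
        notes.append("job marked Disabled")

    return {
        "source": source,
        "label": plist.get("Label"),
        "program": program,
        "flags": flags,
        "notes": notes,
        # Apple's own agents use RunAtLoad too, so a flag alone is not suspicious;
        # a persistence key combined with an odd program is what merits a look.
        "suspicious": bool(flags) and bool(notes),
    }


def scan_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Audit every .plist under the given directories; missing directories are skipped."""
    findings = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    findings.append(audit_plist(fh.read(), path))
            except OSError as exc:
                findings.append({"source": path, "error": str(exc), "flags": [], "program": None})
    return findings


# Constructed sample: a job that runs /bin/sh once an hour, nothing odd about it.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string><string>true</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

# Constructed sample: starts at login, is restarted if killed, binary in a shared folder.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.helper/helper</string><string>-d</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPECT_PLIST):
        print(audit_plist(sample))
    for finding in scan_launchd_dirs():  # real directories, when run on a Mac
        if finding.get("suspicious"):
            print(finding["source"], finding["flags"], finding["notes"])
```

Run on a Mac it walks the real launchd directories and prints only the jobs that combine a persistence key with a missing or oddly placed program; on any other system it just evaluates the two constructed samples. As the post says, the output still needs someone who knows which files belong on a Mac and which do not.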

The tool is currently in beta and command line only, but worth checking out if you want to learn more about what goes on under the OS X hood, or maybe you suspect a malware infection and your antivirus product is coming up dry. If you know me you know my opinion of OS X’s built-in anti-malware tools X-Protect and Gatekeeper: they are fairly useless. Antivirus applications perform much better and have a much better chance at offering you protection, but again, these products are (just like X-Protect) reactive. Based on signatures, hashes, location data and file names they almost always offer protection after the fact. True heuristics are very hard to find in OS X products, which is sad because that may offer the best possible protection as it is proactive, not reactive. The Knock Knock tool can be easily extended with new plugins. If a new way of persistence is discovered, a simple Python plugin can be written and added to the Knock Knock functionality.

I ran the tool on my Mac and found nothing that shouldn’t be there. When I ran the tool on an infected Mac however, it was able to point out a huge amount of malware. VSearch, Genieo, iWorm, CoinThief, CodecM, Revir, a ton of browser plugins, a keylogger and much more were found to be persistent in one way or another. Over 50 total. Now of course this tool is not an antivirus application. It doesn’t monitor your Mac constantly and it doesn’t tell you “this file belongs to this malware” but I like the functionality it offers. You’ll need to know a bit about OS X, which file belongs and which doesn’t. What is a possible threat and needs further investigating and what is harmless. However for those that want to learn more about their Mac’s internals, think they are infected with malware or research malware, this is a nice tool to add to the collection. If the developer keeps working on this tool, possibly give it a GUI and make it run on a Mac all the time, this would be a great way to keep an eye on your system.

The video can be found here.
The slides for the video can be found here.
Knock Knock can be downloaded here.


Upgrading to OS X 10.10 Yosemite

You may have been amongst the first to upgrade your Mac to OS X 10.10 Yosemite or you may be one of the people that prefers to wait a bit. Here are a few tips to ensure the upgrade goes smoothly when the time comes.

1. Make sure your Mac meets the minimum system requirements, at LEAST.
According to Apple the following Macs can run Yosemite:
• iMac (Mid 2007 or newer)
• MacBook (Late 2008 Aluminum, or Early 2009 or newer)
• MacBook Pro (Mid/Late 2007 or newer)
• MacBook Air (Late 2008 or newer)
• Mac mini (Early 2009 or newer)
• Mac Pro (Early 2008 or newer)
• Xserve (Early 2009)
– OS X 10.6.8 or later.
– 2 GB of Memory.
– 8 GB of available storage.

As with OS X Mavericks, the requirements cover a broad range of Macs and as with OS X Mavericks, it is not a good idea to install the system on a Mac that meets the bare minimum requirements. Here is my recommended minimum requirements list:
• iMac (Early 2009 or newer)
• MacBook (Late 2008 Aluminum, or Early 2009 or newer) (if you must)
• MacBook Pro (Early 2009 or newer)
• MacBook Air (13-Inch, Late 2010 or newer)
• Mac mini (Early 2009 or newer)
• Mac Pro (Early 2009 or newer)
– OS X 10.9.5 Mavericks.
– 4 GB of Memory, 8 GB preferred.
– 20 GB of available storage.
– A graphics card that has 512 MB of memory or more preferred.

This list is based on my experience over the years. After a new OS is released I see people every day that upgraded and have issues immediately. More often than not this is because their previous system was already experiencing issues. Cluttered drive, upgrades on top of upgrades, no maintenance etc. These can all cause issues. Upgrading from an older OS, skipping one or more versions and going straight to the latest often causes issues as well. Something I also hear a lot is “but I meet the minimum system requirements, why is it so slow?”.

Minimum system requirements tell you what is needed to run the OS, just the OS. The way these requirements are often understood is: “I have 2 GB of memory so I can run the latest system and any application I want.” With only 2 GB of memory the Mac will load the OS, start up and present you with your desktop and files, but by that time it will already have consumed most of that 2 GB. If you then try to run iPhoto, iTunes, Safari, Spotify or any other application on top of that, you’ll be out of memory in a matter of minutes. Since OS X Mavericks the memory (RAM) management has really improved so people can do more with less, but there are limits. Look at your system now and your most used applications to figure out what your ideal setup should look like. For example, a user on average uses these applications:
– iTunes
– iPhoto
– Safari
– Microsoft Office
– Mail
This is just basic use of a Mac. Let’s see what each of these applications requires.
– iTunes (500 MB of RAM)
– iPhoto (4 GB of RAM recommended)
– Safari (1 GB of RAM recommended depending on use)
– Microsoft Office (1 GB of RAM recommended)
– Mail (200 MB of RAM)
Talking about Photoshop or other photo/video editing applications?
– Photoshop (1 GB of RAM for CS 6, 2 GB but 8 GB recommended for CC)
– Aperture (4 GB of RAM recommended)
– iMovie (2 GB of RAM, 4 GB recommended)

These applications require this amount of memory on top of what the OS needs to run. As you can tell, 2 GB of RAM is not enough to do anything smoothly. If the minimum requirements for something are X GB, double it to make sure it runs smoothly. The average system needs 4 GB to run smoothly most of the day, but these days 8 GB is definitely recommended.

2. Compatibility.
Once you are sure your Mac can handle the new system it’s time to check all your applications. Is all the software you have and use compatible with the new OS? Check manufacturer websites to see if you need updates or maybe even completely new versions. User forums for products can help too. If a lot of people on the Apple or Adobe forums are complaining about compatibility issues, you may want to hold off.

3. Be prepared to start fresh
If you are planning to upgrade a system that is running 10.6 or 10.7, I recommend starting fresh, meaning a clean install of the system. While upgrades like this that skip one or two OS versions can result in a perfectly smooth-running machine, this is mostly not the case. Again, speaking from experience. If your system is currently experiencing issues (regardless of the OS version you have installed) like slow performance, freezing, spinning beachball or applications unexpectedly quitting, do not upgrade. An upgrade is not a magical fix; it will almost certainly make the issue worse. Instead, resolve the problem first and then upgrade. Depending on the issue a clean install may be the best solution.

4. Backup and Clone

Upgrading to a whole new OS is a very invasive undertaking. In case something goes wrong (see point 3, but even if your system is fine, stuff can still go wrong) you want a backup to restore from. You should already have some kind of backup strategy in place like Time Machine backups, but in cases like these it’s a good idea to have a clone of your system as well. A clone is a 1:1 copy of your hard drive contents and will allow you to boot up from it or restore the entire system. If you upgrade to Yosemite and find out you hate it, have too many incompatible applications or it just doesn’t run well on your older machine, just start up from the clone drive and clone the whole thing back to your Mac. Once the clone is done and you restart it’ll be like nothing ever happened.

SuperDuper is my preferred cloning tool and I recommend using an external hard drive that supports FireWire 800, USB 3.0 and/or eSATA for best performance. USB 2.0 and FireWire 400 will work but both the cloning and booting from it, if needed, will be painfully slow. Keep running your Time Machine backups as usual too of course.

5. Remember your passwords
After installing the new system you will be asked for your Apple ID so that features like iCloud and Messages can be enabled, so make sure you know the login details before you upgrade. You can set up iCloud and Messages later on, but entering these details during the installation will make for a smoother experience when it’s done.

6. Duplicate important documents
Once you upgrade and start working on a document in a new version of Numbers, just to name one, you can not open that document in older versions anymore. This is the case for a lot of software. With a new OS usually come big application updates or upgrades as well. If you have important documents that you still need to be able to work on even if you decide to downgrade back to your previous system later on (with that clone I mentioned), make a copy and work on that instead. If you open/edit the original file you may not be able to use it anymore if you downgrade your system.

Having a backup (clone preferred) will ensure you can go back to the current state of your system and is therefore the most important step when it comes to any upgrade.

I have enjoyed the new look and features so far and have yet to find any bugs or issues.


Antivirus Detection Rate results updated – October 5, 2014

With quite a few AV products improving their detection rates steadily and (mostly) consistently, it’s time to raise the bar a little. Previously, the results PDF showed 4 categories:
Category 1 - The best AV products with a detection rate of 90% or higher.
Category 2 - AV Products with a detection rate of 60-90%.
Category 3 - AV Products with a detection rate of 60% or lower.
Category 4 - AV Products that were excluded from testing.

These categories have been changed and are now:
Class A - The best AV products with a detection rate of 95% or higher.
Class B - AV Products with a detection rate of 85-95%.
Class C - AV Products with a detection rate of 75-85%.
Class D - AV Products with a detection rate of 75% or lower.
Class F - AV Products that were excluded from testing.

This seems like a very high bar but then again, why not expect the best of the products that claim they protect us? I will also attempt to release updates on a set schedule.
Class A - Updated every month or as new samples become available.
Class B - Updated every two months.
Class C - Updated every three months.
Class D - Updated every six months.
Class F - Updated every year or not at all.


Apple patches Bash vulnerability

Since late last week the internet has been buzzing about something named Shellshock. The Bash shell is something most users will never know or hear about; it runs under the hood of OS X and other major operating systems and is critical for a lot of tasks. The flaw that was discovered last week allows an attacker to basically take over your machine if certain conditions are met, and was already being exploited online shortly after its discovery.

Apple stated that most Mac users were safe from Shellshock as remote services like web sharing are disabled by default. OS X Server users were not mentioned, but I consider them to be at far more risk as it is much easier to set up and enable a web server or other remote services. However this bug was serious enough to get Apple’s immediate attention and today they released a software patch, “OS X bash Update 1.0”. Strangely this update can not be found through the normal software update process but has to be downloaded from Apple’s website.

The patch was released for the last three operating systems and can be found here:
OS X 10.7 Lion
OS X 10.8 Mountain Lion
OS X 10.9 Mavericks
No restart is required to install this security patch but you do need to have the latest version of your OS installed. If the patch refuses to install, run Software Updates first.

All Mac users running any of those OS X versions should download and install immediately.
The fact that this update is not available through the Software Update menu or App Store is a concern. This means that a lot of OS X users may never install the update. Hopefully this will be corrected.


Apple updates

Last week was a busy one and not just because of the new iPhone 6 and 6 plus.

OS X 10.9.5 was released and is loaded with security fixes. A few of the noteworthy ones are:
– CoreGraphics, a maliciously crafted PDF could lead to an information disclosure or code execution.
– Intel Graphics Driver, IOAcceleratorFamily and Libnotify, a malicious application may be able to execute arbitrary code with system privileges.
– OpenSSL, just think back on recent OpenSSL issues to get an idea of how critical this is.
Overall, 10.9.5 is a very important update because of the security fixes that are included and is recommended for all Mavericks users. The full list of security fixes included can be found here. 44 total.

OS X 10.9.5 includes the security fixes of Safari 7.0.6. However for the latest Safari version a separate update was released alongside OS X 10.9.5.
Safari 6.2 (Mountain Lion users) and Safari 7.1 (Mavericks users) include some important fixes. The biggest issue that was fixed is one where a man in the middle could intercept user credentials. All the details can be found here.

Apple also released separate security updates for Lion, Lion Server and Mountain Lion, Security Update 2014-004. These updates include some or most of the fixes described above which are included in 10.9.5.

All of these updates can be obtained by running Software Update on your Macs (Apple menu > Software Update or App Store > Updates).
If you prefer to download and install manually, here are all the links:
OS X 10.9.5 (275.5 MB)
OS X 10.9.5 Update (Combo) (982.3 MB)
Security Update 2014-004 (Mountain Lion) (139.3 MB)
Security Update 2014-004 (Lion) (144.5 MB)
Security Update 2014-004 Server (Lion) (194.8 MB)

The Server app also received updates containing security fixes. To read more, have a look at these links:
Mavericks users.
Mountain Lion users.

Last but not least, iOS 8. Besides a ton of new features there were a ton of security fixes and improvements as well. If your hardware can handle it (iPhone 5 and up, iPhone 4S not recommended) definitely update your iOS device. The list is too long for me to mention all the fixes so just have a look here.


Be sure you are prepared for iOS8

This exact article was published a year ago when iOS 7 was released. I have edited it where needed and republished it so you can be ready for tomorrow’s upgrade to iOS 8.

Tomorrow Apple’s iOS 8 will be available to the public. The next few days you’ll hear a lot of the following:
– I love it! It’s amazing!
– It’s great but….
– Where did all my *name data* go?!
– My *name app* doesn’t work anymore!
– My phone is messed up now!
– I hate it, I wish I could go back.

As always there will be people from all of the above camps out there. You won’t know what camp you’ll be in until you install iOS 8 so it’s important to prepare properly so you won’t lose data and/or can downgrade back to iOS 7. If you upgrade, love it and don’t experience a single issue, great. Then you’ll have done all of the following for nothing but hey, better safe than sorry :) Let’s begin.


Security updates for Safari and Adobe.

Today Apple released updates for Safari on Lion, Mountain Lion and Mavericks. All users are recommended to update.

The update addresses 7 WebKit memory corruption issues that could lead to arbitrary code execution when visiting a maliciously crafted website.

The updates can be obtained by running Software Update from the Apple menu or opening the Updates tab of the Mac App Store.

Yesterday, Patch Tuesday, security updates were released for Adobe Flash Player, Adobe Reader and Adobe AIR.
If you have any of these products installed, check for updates as soon as you can. More information can be found here.


Antivirus detection rate results update

Alright, it’s been a few months but I finally had some time to update the test.

A few changes have been made to the test environment:
– As the majority of Mac users now use 10.9 Mavericks, the virtual machines were all rebuilt from scratch using the latest version of Mavericks (10.9.4). Upgrading the existing VMs proved problematic and I was not happy with the results, so starting fresh was the best option.
– In re-infecting the new VMs I had a good chance to test Gatekeeper in its default setting too (Mac App Store & Identified Developers only). The results were added in a separate column next to XProtect. It shows that OS X does a decent job at blocking malware, 40% of all samples, but since it can easily be bypassed and malware has been seen signed with a valid developer ID, Mac users should not rely on Gatekeeper to stay safe. The same goes for XProtect of course, which does a lousy job in general.
– Flash Player, Java, Firefox, Chrome and Opera were installed and will be kept up to date with every test.
– VM resources remained the same. 4 CPU Cores, 4 GB RAM and ample drive space on a dedicated SSD.
– Little Snitch is no longer being used in the virtual environments as it may impact the behavior of certain malware. Instead the VMs now use their own ethernet cable that leads to a Mac with internet sharing enabled. On that Mac Little Snitch is active so connection attempts can still be monitored. As far as the VM knows it is connected to the internet and has no monitoring software present, but on the other Mac I can still see exactly which types of connections are being made and where to. So far in testing this has worked well. For a more detailed analysis, if needed, this setup also allows me to utilize other tools without impacting the virtual environment.
– The older 10.8 virtual machines were updated with the latest samples and software and will be kept around if needed for testing.
– The number of applications that have a detection rate of 90% or higher has doubled since the test started. I felt this was a good time to make this the new standard. Whereas previous tests showed the top category as AV with 80% or higher, this has now been raised to 90%. I might even make the top performing category 95% and better soon. Why should we not expect the best of applications that claim they protect us, right?

Some observations in this test:
– Avast kept running the virtual machine into the ground as soon as the installer was finished so I used the old 10.8 VM instead. This was also completely unresponsive and crashed after the Avast install. I used an archived installer from the beginning of the year, this installed without issues. From there I could update to their new version 9 and run the test. I don’t know if this is because of the virtual environment or if their latest installer behaves the same on actual Macs. Use caution.

– I’m very happy to see F-Secure finally released an actual application, it seems they take Mac users seriously now. Their previous products were not very stable and definitely did not run well in virtual environments, this has changed. The application has preferences that reside in the System Preferences window, the scan results are clear and the interface is neat. There are no options when it comes to scan settings. Whatever is found is trashed immediately, no questions asked, or labeled as riskware and left for you to clean. Real-time scanning can not be disabled. Apart from a few minor issues with the interface like the scan being completed but the progress bar being stuck at 98% the application performed well.

– Something I liked a lot about ESET version 6 was its notifications that the operating system was out of date. The VM did not have the latest iTunes update installed and, while not critical for the OS, this is a great feature to have. I have not seen this from any of the previous ESET products.

– MacKeeper was not willing to provide me with a trial license (needed to update virus definitions). A supervisor will let me know within a week if I can get one, they will also let me know if I should exclude them from the test going forward. I’m certainly not postponing the test for a week to wait for that license so their results were not updated.

– I was unable to get BitDefender (app store version) to scan. It downloaded ok, definitions updated and the app launched fine. However when I clicked any of the scan buttons the app would just sit there and do nothing. Reboots, reinstalls, a fresh VM and even an actual Mac running OS X 10.9.4 all had the same result. As the app was last updated two years ago it may simply no longer be compatible with Mavericks. I’ll test some more in the near future. If I can not get it to work I will revert back to the 10.8 VM for this particular app and continue its testing.

– After ClamXav’s last sudden improvements I had high hopes for this test. Sadly it did not improve as much as I had hoped.

Other notes:
I’m considering making the trace detection results count towards the final percentage. Trace files are present on systems that are already infected and the original file that caused the infection may be long gone (an installer or downloaded file of some kind).

I will be working on updating the rest of the application results in the upcoming week or two.

The results can be found here.


Antivirus test results updated tomorrow

When I was getting ready to upload the PDF and observations my internet decided to take the rest of the night off. Testing of the top performing AV (80% or higher detection rate) has been completed, the results will be uploaded tomorrow hopefully. Intego lost the number 1 spot in the list but judging from past performance they should bounce back pretty soon.

Some samples were added, some work on the VMs was done and I may be excluding one of the products from the test soon. For all the details, check back tomorrow night!


OS X updated, Safari updated, iCloud enabled 2 factor authentication

It was a busy day for Apple. The following updates were released:

OS X 10.9.4
The OS X Mavericks 10.9.4 Update is recommended for all Mavericks users. It improves the stability, compatibility, and security of your Mac.
This update:

  • Fixes an issue that prevented some Macs from automatically connecting to known Wi-Fi networks
  • Fixes issue causing the background or Apple logo to appear incorrectly on startup
  • Improves the reliability of waking from sleep
  • Includes Safari 7.0.5

The update also contained some security patches which Apple believes, as usual, are not worth mentioning in the release notes. 19 security related issues were resolved and some of them, in my opinion, were quite nasty. Opening a maliciously crafted zip file could lead to arbitrary code execution (copyfile), remote attackers could gain access to another user’s session (curl), an attacker with access to a system may be able to recover Apple ID credentials (iBooks Commerce) and a malicious application may be able to execute arbitrary code with system privileges (launchd). Also a not so minor issue with Secure Transport that allowed two bytes of memory to be disclosed to a remote attacker. Two bytes is not much, but a few bytes disclosed to the wrong person can do a whole lot of damage; just think back to the Heartbleed fiasco. There is more to this list and if you want to read it you can find it here (this URL usually takes a while to be updated by Apple).

Safari 6.1.5 and 7.0.5
12 security issues were patched in Safari, all WebKit related, ranging from memory corruptions that could be exploited to malicious websites being able to access local files on your Mac. The full list can be found here.

Apple also released updates for iOS 7. The update, 7.1.2, is available for iPhone 4 and later and squashed some nasty bugs too. All together 44 security related issues were addressed including fun stuff like someone being able to bypass Activation Lock or exceed the maximum number of failed passcode attempts. Someone could also gain access to the application that was open before the phone was locked. Mail attachments were not encrypted so they could be extracted and Find My iPhone could be disabled without an iCloud password. The full list can be found here.

An Apple TV update, 6.1.2, was also released containing security patches.

Last but certainly not least, Apple finally enabled two factor authentication for iCloud accounts, something that was enabled for Apple IDs in March 2013. This applies to iCloud.com and the web apps in it. Once enabled, attempting to access iCloud.com contents will require you to enter an additional code that is sent to a trusted device. To enable the feature, sign in with your iCloud ID on the Apple ID website. Once signed in, go to “Password and Security” where you enable two-step verification.

I highly recommend you install all available updates mentioned and enable two factor (or two-step as Apple likes to call it) authentication sooner rather than later as well. Of course use common sense and back up all important data before applying updates. I have not had any issues but better safe than sorry :)

To get your hands on these updates use Apple menu > Software Update, Open the App Store and click the Updates tab or search for them on the Apple Downloads page. On your iDevices open Settings > General > Software Updates.


Malware Detection Rate Results

Last updated:
Sunday October 5th, 6:40PM EST
436 Samples, 44 Applications
#1 Avast
#2 Intego
#3 Norman
Get it here.