
How macOS Protects Your Data from Malware

Provided by stg_max_gts

Malware is malicious software that can damage your Mac or cause data loss. Here's how macOS defends against it and what you can do yourself.

As security becomes ever more important in the connected age, attacks by malicious users remain a concern for many organizations and individuals.

Malicious software (malware) can be installed on your devices, resulting in stolen credentials or data, a damaged operating system, or ransomware.

As billions of digital devices spread across the globe and more commerce moves online, malware is becoming an increasingly serious threat.

Software Security Models

In the early days of software – before the Internet became mainstream – most systems were open source and software could be installed from anywhere. Typically this was from a CD-ROM or floppy disk.

With the advent of online software stores, this has become less of an issue, because app storefronts review most software for security before it is released.

However, bad software can and does sometimes slip through.

Apple tried to solve this problem by introducing curated stores like the iOS App Store. But even there, some bad software was released from time to time.

Curated stores are safer and more reliable, but they are still not foolproof.

The Mac is a little different because in the early days, it too could accept software from anywhere. Classic apps like Virex and Norton Utilities helped “clean” the Mac of malware.

Today, the Mac App Store includes curation, app receipt verification, and app notarization. But the Mac still allows you to install software from anywhere as long as certain settings are turned off.

Code signing, developer ID and Gatekeeper

Several years ago, Apple introduced an additional security measure for macOS software: Gatekeeper. Along with a developer ID, Gatekeeper ensures that downloaded Mac software is safe by default.

With Gatekeeper, macOS developers register and receive a developer ID from Apple, which is then used to digitally sign the Mac software they create.

When Gatekeeper is enabled on macOS, it ensures that apps are signed by the developers who created them. It also warns you the first time you launch an app that isn't from a known, registered developer.

Mac users can choose in System Preferences->Privacy & Security->Allow Apps which apps they want to allow: either apps from the App Store only, or apps from the App Store and known developers.

Code signing services and app notarization ensure that software is legitimate and not hacked or malicious when users download it.

Configure software security in System Preferences.

System Integrity Protection (SIP)

macOS offers another system security feature that helps keep your Mac secure: System Integrity Protection, or SIP.

SIP limits which apps can be allowed to run and what code can run on your Mac. By default, only App Store apps or software from registered Apple developers can run.

It also limits unauthorized tampering with or modification of system files.

It is possible to disable SIP in Terminal, but this is not recommended. It compromises macOS security and may allow malicious code to run on your Mac.

The csrutil command line tool can be used to check and change SIP settings.

To get the current SIP status on your Mac, type the following in Terminal and press Return:

csrutil status

Privileges, Escalation, Sockets, and Helper Tools

Most UNIX software uses the concept of privileges and privileged users. For example, the root user has unlimited privileges and can change any software on the system.

For security purposes, the root user is disabled by default in macOS. Other users may have different levels of privileges that allow them to perform certain actions, including installing or removing software.

Administrator users have elevated privileges, and many operations in macOS require an administrator password.

By using temporary privilege escalation, macOS users can gain additional rights for a short period of time.

Well-designed software should be factored so that security-critical code runs in a separate process called a helper tool. Helpers ensure that only a small portion of the code can run with elevated privileges, limiting which parts of the software can perform critical tasks that could compromise the security of the system.

A well-factored application places all of its privileged code in a helper tool and, when elevated permissions are needed, launches the helper only after the user has been authorized. This improves security: a compromised application cannot run all of its code with elevated privileges, which would be a serious risk.

The idea is to launch the helper tool and elevate privileges for the shortest amount of time, perform privileged operations, and then return privileges to the previous level when the helper tool has finished.

UNIX domain sockets and pipes can also be used to pass information securely between processes.

Security Daemons and Frameworks

macOS is one of the most secure operating systems in the world, but it is not foolproof.

Security in macOS is managed through a combination of background processes (daemons) and frameworks of Apple code that are loaded into applications when they are launched. These include:

  1. launchd
  2. securityd (security server)
  3. XPC Services
  4. Authorization Services.framework
  5. Security.framework
  6. System Configuration.framework
  7. Service Management.framework
  8. Endpoint Security.framework
  9. Cryptographic Services
  10. Code Signing Services
  11. Keychain Services
  12. Hardened Runtime

Dynamic linking ensures that frameworks are loaded into memory only when their APIs or interfaces are actually used.

Hardened Architecture and Daemon Frameworks.

The above software components provide the following services:

launchd (Launch Daemon) is a system daemon that runs in the background and manages the launch and shutdown of applications and other processes on macOS.

securityd (security daemon) manages secure access, privilege escalation, running tools under specific user IDs, and other security services.

XPC Services manages secure interprocess communication between software components, and works with launchd to securely launch helper tools.

Authorization Services.framework manages prompting users for an administrator password, caching privilege escalations, and maintaining timers that lower privileges again after a specified timeout. When your Mac asks you for an administrator password to install software or change settings, it sends securityd a message to display the administrator password dialog so the user can enter a name and password.

Security.framework manages user identification (authentication) and grants access to resources, protects data on disk and over network connections, and checks the validity of code before it runs.

The System Configuration.framework manages system settings and ensures that restricted settings can only be changed by providing the necessary authorization.

Service Management.framework allows applications to manage launch agents, launch daemons, and login items.

Endpoint Security.framework allows developers to write their own system extensions that enhance security.

Cryptographic Services provides standard cryptography APIs, manages keys, certificates, and passwords, and generates random numbers and hashes.

Code Signing Services provides services for signing and verifying created software to ensure that it is valid and has not been compromised.

Keychain Services manages system keys, certificates, and identities.

Hardened Runtime (along with SIP) protects macOS from code injection, memory tampering, and dynamic library hijacking. Apple's Xcode development environment exposes Hardened Runtime settings that control whether an app may use Just-In-Time (JIT) compiled code, unsigned executable memory, and dynamic linker (DYLD) environment variables.

Modifying the dynamic linker's environment variables before an application launches is one way malware injects code into running applications.
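As an added example, not from the article or from Apple's tooling, here is a small launcher that removes dynamic-linker variables from the environment before starting a child, which is the defensive counterpart of the injection just described and of the DYLD setting in Hardened Runtime. DYLD_INSERT_LIBRARIES and DYLD_LIBRARY_PATH are real macOS dyld variables and LD_PRELOAD is the Linux equivalent; the sample environment in the demo and the /bin/echo child are constructed for this example.

```c
/* Added example, not from the article or from Apple: a launcher that strips
 * dynamic-linker variables (DYLD_* on macOS, LD_* on Linux) from the
 * environment before starting a child. The /bin/echo child and the sample
 * environment in main() are constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* True if an environment entry names a dynamic-linker variable, such as
 * DYLD_INSERT_LIBRARIES or LD_PRELOAD, which can make a program load a
 * library chosen by whoever set the variable. */
int is_linker_var(const char *entry)
{
    return strncmp(entry, "DYLD_", 5) == 0 || strncmp(entry, "LD_", 3) == 0;
}

/* Compacts a NULL-terminated env array in place, dropping linker variables.
 * Returns how many entries were removed. */
size_t strip_linker_vars(char **envp)
{
    size_t in = 0, out = 0;
    for (; envp[in] != NULL; in++)
        if (!is_linker_var(envp[in]))
            envp[out++] = envp[in];
    envp[out] = NULL;
    return in - out;
}

/* Replaces the current process image with `path`, passing a copy of the
 * current environment with linker variables removed. Returns only on failure. */
int launch_clean(const char *path, char *const argv[])
{
    size_t n = 0;
    while (environ[n] != NULL)
        n++;
    char *clean[n + 1];                      /* copy of the pointer array only */
    memcpy(clean, environ, (n + 1) * sizeof *clean);
    strip_linker_vars(clean);
    return execve(path, argv, clean);
}

int main(void)
{
    /* Constructed sample environment for the demo. */
    char *sample[] = {
        "PATH=/usr/bin",
        "DYLD_INSERT_LIBRARIES=/tmp/injected.dylib",
        "HOME=/Users/demo",
        "LD_PRELOAD=/tmp/injected.so",
        NULL
    };
    size_t removed = strip_linker_vars(sample);
    printf("removed %zu linker variable(s); survivors:\n", removed);
    for (size_t i = 0; sample[i] != NULL; i++)
        printf("  %s\n", sample[i]);

    /* Start a child with the real environment, minus linker variables. */
    char *const argv[] = { "echo", "child started with a clean environment", NULL };
    launch_clean("/bin/echo", argv);
    perror("execve");                        /* reached only if exec failed */
    return 1;
}
```

The hardened runtime already makes dyld ignore DYLD_* variables for a signed app that does not opt into the "Allow DYLD Environment Variables" setting, and dyld ignores them for setuid binaries; a launcher like this covers tools of your own that are not hardened, and it shows what that Xcode setting is protecting against.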

All of these components work together to ensure that macOS software is as secure as possible.

The Zero Trust security concept means that access to all privileged software is restricted unless a privileged user explicitly allows a secure action. Zero Trust by default means that malware cannot run without special permission.

You can see which daemons are currently running on your Mac in the Activity Monitor utility or by using the top command in Terminal. To use top, type the following and press Return:

top

This displays all running processes, including daemons, with their process IDs (PIDs), run times, CPU usage, ports, and more.


Malware on Macs

Malware can be defined as malicious software that can hack into or infect a computer, network, or device in order to disable, corrupt, or damage the device, or steal and transmit unauthorized data over a network.

The Computer Fraud and Abuse Act makes it a federal crime in the United States to interfere with, disable, or gain access to a computer or network without permission. It also makes it a crime to transmit or intercept stolen information over a network.

Types of malware include (but are not limited to) viruses, Trojan horses, malicious applications or frameworks, drivers, and even firmware. Network attacks are also possible by injecting malware into network code or eavesdropping on network communications.

Ransomware is a type of malware that steals a company’s trade secrets or customer data, then allows the attackers to demand payment from the organization to keep the stolen data from being used or disclosed.

Viruses are small pieces of code that can be installed and run remotely on a user’s local computer, then silently wreak havoc.

Viruses can corrupt or modify application code, drivers, files, databases, or system software to perform some malicious action, such as deleting or corrupting data.

Viruses can be silent, undetectable, and tiny – and often go unnoticed until it’s too late. Because viruses can be installed virtually anywhere, they are difficult to stop and even more difficult to get rid of once they have infected a computer or device.

In the past, viruses have even been known to infect the firmware of devices such as storage drives or network routers, rendering them irreversibly damaged and unusable.

A Trojan horse is generally considered to be an application that, when executed, damages stored data or other installed software, or causes that software to perform some malicious action. One common attack vector for Trojan horses is to silently replace software frameworks or system components with a malicious impostor version, which related applications then load without realizing it.

Those applications have no way of knowing that the impostor will cause damage when they call the compromised framework's APIs. Trojan horses often appear in the form of standalone applications or installers, or as frameworks and related libraries.

Device drivers can also be installed to run malicious code when a specific device is used. Network malware drivers are particularly notorious, since data they transmit over the network at will cannot be recalled or hidden once sent.

macOS Security Frameworks

Malicious firmware infects or replaces the existing firmware inside external devices, causing them to do damage during normal operation or when certain standard commands are sent to the device. Malicious storage device firmware is probably the most common, as it can easily be installed via the device's flash commands and then act on standard disk I/O commands, causing data loss or corruption.

Network attacks come in the form of malicious code embedded in web pages or database commands, usually by appending additional code to the end of standard commands and data.

For example, buffer overflow malware adds a small amount of malicious code to the end of a URL, web page, script, or network packet that causes damage when received and executed on the client computer.

Buffer overflow attacks are among the most common web-based attacks. They are difficult to detect because much of the network code and web pages run automatically and outside of most software security models.
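To make the overflow mechanism concrete, an added example in C (not from the article): the fixed-size copy that a buffer overflow exploits, beside a bounded version that checks the length against the destination and rejects input that does not fit. The URL-to-path split and the 64-byte buffer are assumptions for the demo.

```c
/* Added example, not from the article: the classic fixed-buffer copy that a
 * buffer overflow exploits, next to a bounded version that rejects input it
 * cannot hold. The URL format and 64-byte path limit are assumptions. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64

/* Vulnerable pattern: strcpy() into a fixed array with no length check. Any
 * path longer than 63 bytes writes past `out`; kept here for contrast only
 * and never called on untrusted input. */
void extract_path_unsafe(const char *url, char out[PATH_BUF])
{
    const char *p = strchr(url, '/');
    strcpy(out, p ? p : "/");
}

/* Hardened form: check the length against the destination before copying,
 * and reject over-long input rather than truncating it (a truncated path can
 * silently name something else). Returns 0 on success, -1 if it does not fit. */
int extract_path_bounded(const char *url, char *out, size_t outlen)
{
    const char *p = strchr(url, '/');
    const char *src = p ? p : "/";
    size_t n = strlen(src);
    if (outlen == 0 || n >= outlen)      /* n bytes plus the NUL terminator */
        return -1;
    memcpy(out, src, n + 1);
    return 0;
}

/* Builds a constructed URL whose path is `pathlen` bytes long and reports
 * whether the bounded copy accepts it into a PATH_BUF-byte buffer
 * (1 = accepted, 0 = rejected, -1 = bad test parameter). */
int accepts_path_of_length(size_t pathlen)
{
    char url[512];
    char out[PATH_BUF];
    if (pathlen == 0 || pathlen + 5 >= sizeof url)
        return -1;
    memcpy(url, "host", 4);
    url[4] = '/';
    memset(url + 5, 'A', pathlen - 1);   /* '/' plus pathlen-1 filler bytes */
    url[4 + pathlen] = '\0';
    return extract_path_bounded(url, out, sizeof out) == 0;
}

int main(void)
{
    char out[PATH_BUF];
    if (extract_path_bounded("example.com/index.html", out, sizeof out) == 0)
        printf("short path accepted: %s\n", out);
    printf("63-byte path accepted:  %d\n", accepts_path_of_length(63));
    printf("64-byte path accepted:  %d\n", accepts_path_of_length(64));
    printf("200-byte path accepted: %d\n", accepts_path_of_length(200));
    return 0;
}
```

Rejecting rather than truncating matters: a silently truncated path can refer to a different resource. Building with stack protectors, fortified string functions and AddressSanitizer catches the unsafe pattern during testing, a check that the platform's code-signing and runtime protections do not replace.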

Most web browsers now include settings to limit what types of software can be downloaded and run automatically in their windows.

Java applets are particularly notorious for allowing malware to be downloaded.

Other types of network attacks include impostor attacks, man-in-the-middle attacks, credential theft, phishing, email spoofing, and distributed denial of service (DDoS), in which remote computers flood servers with so much data that they stop working.

Social engineering attacks are deceptive tactics in which attackers convince victims that they are legitimate in order to gain access to their protected information or get them to take actions that could harm them. Social engineers may also attempt to manipulate victims into unwittingly committing crimes so that if caught, they can blame someone else.

Social engineering is especially common in the vast and largely hidden field of industrial espionage.

Network attacks are some of the most common and simplest incidents.

What You Can Do

Thanks to macOS's sophisticated security model and UNIX privileges, the Mac is a very secure system. However, breaches can and do happen.

With the root user disabled and the limited privileges that most Mac software runs with, it's difficult for an attacker to trick macOS into running malicious code with elevated privileges. Signed and secure helper tools make these attempts even more difficult and ensure that most malicious software can't survive long enough to cause serious damage.

Under the watchful eyes of securityd and launchd, tricking a piece of Mac software into running with full privileges without an administrator password is difficult. securityd itself is also difficult to defeat, since it can only run as a specific, OS-controlled, elevated user, and without it, other benign software can't be authorized to run.

Apple quickly removes most malicious software from its App Store. While SIP is enabled, software that is not from a registered Apple developer cannot run without warning the user.

You can also run various “cleaner” apps to scan your Mac and storage devices for malware. But be careful: malware has masqueraded as such apps in the past!

Routine virus scans and uninstalling suspicious apps from your Mac can help reduce the risk. Another good policy is to simply keep the number of apps you install to a minimum, thereby narrowing the attack surface.

You may want to install little-used software on a single external drive and then only connect the drive when you need to access that software.

Keeping system extensions, scripts, third-party fonts, drivers, and kernel extensions to a minimum is also a good idea — this will also reduce the load on background tasks.

You may want to consider setting your web browser security to the highest level and enabling blocking of suspected malicious sites by default. This can help reduce the chance that a network attack from a malicious site could harm your Mac.

Some browsers have settings that block all web applet downloads to protect against dangerous Trojan horse downloads.

Also, make sure all WiFi and hotspot passwords on your networks are strong – and don’t allow anonymous logins. Some Mac network settings allow you to require an administrator password to change settings.

Be sure to limit administrator privileges on your Mac – grant administrator privileges only to those users who really need them, and only for the required period of time. By default, most users on your Mac should not have administrator privileges.

You can also disable Guest Users. Enabling Guest Users allows any remote user to connect to your Mac without a password.

Also disable Remote Management, Remote Login, and Remote App Scripting in System Preferences -> Sharing unless you really need them.

Gatekeeper and Runtime Protection

If you download and run non-App Store Mac software that is not from an authorized developer ID, macOS will warn you and ask if you are sure you want to run it. This is done by a part of macOS called Gatekeeper.

If you are sure you want to run the software, you can click Allow in the Finder alert, which lets it run. This simple check gives you a chance to reconsider before software runs blindly the first time you double-click it.

Limiting apps to App Store apps in System Preferences means you can only install and run App Store apps on your Mac. This will prevent all possible third-party apps downloaded outside the App Store from running, but it will also limit your software choices.

For more information and history on how daemons and agents run on the Mac, see Apple's TN2083, Daemons and Agents.

Also, be sure to read Apple's Platform Security Guidelines and Apple's general security page.

Apple has put a lot of effort into designing and building macOS to be secure, and in most cases you won't have to worry about the security of your Mac. But keep all of the above in mind when using your Mac to minimize your chances of getting infected with malware.
