Last week I added MacGo’s Mac Media Player.app to DetectX’s search definitions after finding that the installer was delivering MacKeeper to unsuspecting users.

After a support call asking me whether the MacGo player itself was malicious, I decided to look into what was going on in a bit more detail.

Downloading the Mac Media Player from the developer’s site rewarded me with a DMG file called Macgo_Mac_Media_Player.dmg, and mounting that revealed the Installer.app (pictured above).

Examining the package contents of Installer.app had a few surprises. For one thing, the bundle identifier (a reverse domain-name style string used to uniquely identify an app on macOS) was the oddly titled, and the executable binary file was named hemorrhoid.

Examining both the binary and other files in the Installer bundle revealed some heavily obfuscated code that is really quite unusual to see in anything except malware.

That gave me pause to try and run the Installer in the lldb debugger and see exactly what it was up to, but – also another sign of malware – the Installer.app appears to have been coded precisely to stop that from being possible.

Every time I tried to attach the debugger to the Installer’s process, the installer quit with “status = 45”, a sign that the debugger is being deliberately thwarted.

My next tack was to dump the class names with

`otool -oV /Volumes/Installer/Installer.app/Contents/MacOS/hemorrhoid | grep name | awk ''`

I was lucky enough to get a great tip from Malwarebytes’ Thomas Reed this week on the possibilities of code hijacking.

Thomas was kind enough to share details of a talk he gave at MacTech last year, in which he demonstrated how some third-party apps are susceptible to having their binaries replaced by a fake binary even when the original application is properly code signed with a valid developer’s signature.

The vulnerability lies not so much in the code signing itself, but in the mechanism for when and why it gets checked. In short, code signing is checked when an app is first launched, but after that, except in a few special situations, macOS’s security mechanisms pretty much ignore it. That means once an app has passed Gatekeeper, it’s a ripe target for attackers to come in and replace the binary with one of their own.

In order to ensure the app on disk is still in fact the app that was downloaded and first launched, developers need to implement a check on each launch. If you’re using Swift, some example code for doing that (pictured above) is available from my pastebin here. I’ve also got a version for Objective-C, adapted from here.

The key to it is what you specify in the entitlement constant. In this example, I’ve specified three things: that the code is signed by Apple, that it has the app’s bundle identifier and that it has the developer’s Team ID. You can get all these details for your app by running this in Terminal: Don’t forget to change my dummy values for your real ones in the code!
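The following is an added Swift example of the launch-time self-check the code-hijacking post describes; it is not the author’s pastebin code and makes no claim to match it. It compiles the three conditions the post lists (Apple anchor, bundle identifier, Team ID) into a code-signing requirement string (what the post calls the entitlement constant) using the Security framework’s `SecRequirementCreateWithString`, then validates two things against that requirement: the bundle as it sits on disk via `SecStaticCodeCheckValidity`, and the running process itself via `SecCodeCheckValidity`. The bundle identifier and Team ID below are placeholders and must be replaced with your own; `expectedBundleID`, `expectedTeamID` and all function names are my own.

```swift
import Foundation
import Security

// Placeholders (assumed values): replace with the bundle identifier and
// Team ID that `codesign` reports for your own signed application.
let expectedBundleID = "com.example.myapp"
let expectedTeamID   = "ABCDE12345"

/// Turns a Security framework OSStatus into a readable message for logging.
func describe(_ status: OSStatus) -> String {
    if let message = SecCopyErrorMessageString(status, nil) as String? {
        return "\(message) (\(status))"
    }
    return "OSStatus \(status)"
}

/// Compiles the requirement the post describes: code signed under the Apple
/// root, carrying our bundle identifier, and whose leaf certificate's OU
/// (the Developer Team ID) is ours. Returns nil if the string does not parse.
func makeRequirement(bundleID: String, teamID: String) -> SecRequirement? {
    let text = "anchor apple generic and identifier \"\(bundleID)\" "
             + "and certificate leaf[subject.OU] = \"\(teamID)\""
    var requirement: SecRequirement?
    let status = SecRequirementCreateWithString(text as CFString, SecCSFlags(), &requirement)
    return status == errSecSuccess ? requirement : nil
}

/// Static check: re-validates the bundle on disk against the requirement.
/// This is the check the kernel does not repeat after first launch, so it is
/// the one that notices a binary swapped out underneath an already-admitted app.
/// Returns nil on success, otherwise a failure reason.
func verifyBundleOnDisk(at url: URL, against requirement: SecRequirement) -> String? {
    var staticCode: SecStaticCode?
    var status = SecStaticCodeCreateWithPath(url as CFURL, SecCSFlags(), &staticCode)
    guard status == errSecSuccess, let code = staticCode else { return describe(status) }
    status = SecStaticCodeCheckValidity(code, SecCSFlags(), requirement)
    return status == errSecSuccess ? nil : describe(status)
}

/// Dynamic check: validates the running process itself against the same
/// requirement, so the identity of the code actually executing is confirmed too.
func verifyRunningCode(against requirement: SecRequirement) -> String? {
    var selfCode: SecCode?
    var status = SecCodeCopySelf(SecCSFlags(), &selfCode)
    guard status == errSecSuccess, let code = selfCode else { return describe(status) }
    status = SecCodeCheckValidity(code, SecCSFlags(), requirement)
    return status == errSecSuccess ? nil : describe(status)
}

/// Call this as early as possible in launch (for example from
/// applicationWillFinishLaunching) and refuse to continue if it returns false.
func performLaunchIntegrityCheck() -> Bool {
    guard let requirement = makeRequirement(bundleID: expectedBundleID, teamID: expectedTeamID) else {
        NSLog("Integrity check: requirement string did not compile")
        return false
    }
    if let reason = verifyBundleOnDisk(at: Bundle.main.bundleURL, against: requirement) {
        NSLog("Integrity check: on-disk bundle failed: \(reason)")
        return false
    }
    if let reason = verifyRunningCode(against: requirement) {
        NSLog("Integrity check: running code failed: \(reason)")
        return false
    }
    return true
}
```

Keeping the Team ID in the requirement is what gives the check its teeth: an attacker who replaces the binary with one signed by a different developer certificate still fails the `subject.OU` clause even though the replacement would otherwise be a validly signed Mach-O. The static and dynamic checks are deliberately separate so that a failure log says which of the two disagreed with the expected identity.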