Checklist 196 : The Art of Mac Malware: Analysis with Patrick Wardle
Mac malware expert Patrick Wardle is writing a book — and he’s asking for help from the security community. We sat down with him to discuss:
A different kind of book
Patrick Wardle is Principal Security Researcher at Jamf, a company that specializes in Apple device management in the enterprise. He is also a prolific writer, authoring the award-winning Objective-See technical blog. In addition, Wardle maintains a free suite of Mac security tools on his website, and is also the founder of Objective by the Sea, the world’s only macOS security conference.
Wardle is a well-known figure in the Mac security community, a reputation that owes much to his detailed analyses of new macOS malware variants. At the start of 2020, Wardle decided to distill his knowledge into a book: The Art of Mac Malware: Analysis. With the manuscript now nearing completion, Patrick Wardle joined us to discuss the project, his unique writing process, and how he envisions the book’s future.
We asked Wardle to begin by giving us an overview of the book and its intended audience:
PW: Say you have a file (a binary, an application, a package) that you think might be malicious. This book is really a detailed walkthrough of how you would go about analyzing that file to determine if it’s malicious or benign — and if it is malicious, how you would go about digging into how it functions, how it persists, what it’s trying to do once it gets on your computer.
That’s something I spend a lot of time doing at my “day job”: analyzing new malware threats targeting macOS. The goal with the book was to capture my process, the steps one would generally take in order to answer these questions, in a very informative and hands-on manner, and in a way that can hopefully teach some of these ideas as well.
The book is definitely intermediate to advanced. It does start with some introductions to Mac malware, gives some good overviews, a good primer, but then pretty quickly dives into more intermediate and advanced topics, because by its nature “analyzing computer viruses” is somewhat of an advanced topic!
I would say that the target reader is someone who has experience in information security and wants to get deeper into learning how to analyze malware that specifically targets macOS. Or perhaps someone who is very familiar with analyzing malware on another platform, for example Windows, and has a good understanding of foundational concepts, but is new to the macOS platform or hasn’t had a lot of experience analyzing malware that targets Apple systems.
While The Art of Mac Malware: Analysis is still a work in progress, Wardle has taken the unusual step of pre-releasing full chapters of the book to the general public — and of inviting feedback and input from the security community at large. He says that this approach has its origins in his personal philosophy of community involvement, and also has a more practical side as well: ensuring a better, more accurate final text (a strategy that, according to Wardle, has already demonstrated its merits):
PW: I’m very passionate about involving the community in a lot of the work that I do. If you look at Objective-See, which is the website I created that has free Mac security tools, an open-source blog, etc., all of the content there is free — and the goal is really to engage people. The Objective by the Sea security conference that we organize is free to attend. I really like the idea of involving the community.
The idea for this book was really to take that to the next level, and to offer a mechanism for the interested reader to provide feedback. As a writer, of course, that’s useful: It’s basically more sets of eyes on the book, kind of like crowdsourced community editing, which is very helpful to me. But more importantly, it also allows me to get feedback as I’m creating the book. If something is unclear, if I don’t describe or explain something in as digestible a way as I could, if I’ve overlooked some content that should be included, the readers can actually suggest that.
So the end result will be a book that’s more comprehensive, more digestible…and that has fewer grammar and editing issues! Plus, engaging the community during the writing process is an interesting approach to me, because people are going to feel like they’re a part of something. I really want this book to be a comprehensive resource that can help educate and teach other people. And it would be naive, or even arrogant, for me to assume that I have all the answers in creating such a book. Opening it up to the community will really bring in the best of all worlds.
I’ve already had good feedback in terms of areas that I should cover more. One example was the chapter on infection vectors, which describes how Macs actually get infected with malware. I had a section on 0-day exploits, which are exploits for which no patch exists. But I kind of overlooked the fact that even once an exploit has been patched, there will still be some users who don’t apply the patch and therefore are still vulnerable. So even if the malware is no longer 0-day, it can still attempt to target unpatched users. I think it was Thomas Reed who made that point, and said “Hey Patrick, you should really expand this section more to cover exploits that have been patched”. And that was really good feedback, and a great example of how I was able to expand a section based on feedback, in this case from Thomas, who is a colleague, and someone I really respect. It’s really neat to get that kind of input from the community. And then of course people tweet about it, people share it, which provides lots of positive exposure for the book, and which brings more eyes on the book and results in more feedback, and so there’s this cumulative, community-driven effect which I think is a win-win-win for everyone.
Mac malware capabilities
While the majority of Wardle’s book is aimed at a fairly technical crowd, its overview chapters contain valuable insights for the everyday Mac user. Of particular interest was the section on common infection vectors for macOS malware, which we asked Wardle to elaborate on:
PW: An infection vector is a mechanism that malware (or malware authors) use to gain access to a Mac. So this basically answers the question: How does malware get onto a Mac, how does it infect a Mac. And there are myriad ways that malware does this.
One of these infection vectors is fake updates. I’m sure we’ve all seen this: You browse to a website, there’s a pop-up, and it says, “Hey, your Flash Player is out of date”. And this is more than likely a piece of adware or some other piece of malware that’s attempting to infect your system. Now, the pop-up isn’t really doing anything malicious per se, other than being an annoyance, but if you click on it, and then download and run the “update”, more than likely you’ve just infected yourself. So this isn’t really that sophisticated of an infection vector, because it basically requires the user to infect themselves. But it is fairly common, and it has been abused widely.
Fake applications are another common infection vector. And this is a little more sophisticated. You might be browsing, you might get a link, and you come across a new chat application, or a new video app, or some cool application that you might want to use or try. And this could be completely fake, it could be claiming to be, for example, the desktop version of WhatsApp, but is actually just malware. Or it could be a Trojanized application, which would be something legitimate, but that has been injected with some malicious code. So again if you are tricked into downloading and running one of these things, you are likely going to be infected. We see these being used often in supply chain attacks, where an adversary will actually infect a legitimate third-party website, and then infect or Trojanize the legitimate applications that are being distributed from that website. If users come to that legitimate (albeit now hacked) website, and download and run the Trojanized applications, they will become infected. That’s not very common, but when it does happen, it’s very effective, because users aren’t really doing anything “wrong”: they’re browsing to a legitimate website, and downloading what they believe to be legitimate software…they’re really not participating in any shady or suspicious activity.
And then the last infection vector is pirated applications. A lot of times users like free software, or just don’t like to pay. Ethical reasons aside, from a security point of view, this is really not a good idea, because what hackers will often do is crack the licensing mechanisms for something like Photoshop, or some other expensive but common application, and then also inject some malware into that. So, yes, you will get your free copy of Photoshop, but unfortunately there will be something else built in as well.
Now, the good thing from a user’s point of view is that in macOS Catalina, Apple has introduced something called notarization. This means that Apple will scan and check software before it is allowed to run on the operating system. So if a hacker creates a fake Flash updater, obviously that is not going to be notarized by Apple, and if the user then goes and tries to run that updater, the system will block it.
So what we’re seeing is attackers moving to more sophisticated infection vectors as Apple raises the bar. Two examples are macro-based attacks, where they’re using malicious Office documents, and also exploits, for example browser exploits where more sophisticated actors can infect a user if they just browse to a malicious web page using a vulnerable browser.
Wardle’s discussion of malware capabilities was equally interesting, and while it touched on some malicious features that would likely be familiar to Checklist listeners, it also made mention of malicious behaviors that are perhaps less well known. Wardle expanded on two of these: survey and reconnaissance, and remote shells.
PW: So the question is: Once malware has penetrated the system, what does it do?
Generally that’s going to be tied to what kind of malware it is. But something like survey and reconnaissance is pretty common to all types of Mac malware. One of the first things that malware does when it gets on a system is to kind of survey the environment. Imagine that you just landed on the moon: You’re going to want to look around, check out the oxygen levels, make sure there are no monsters or other aliens. And when malware “lands” on your system, it really doesn’t know where it’s at, so it has to do some similar checks. It’s got to say: Am I compatible with this system? Is there a firewall or antivirus program running that might detect me if I perform certain actions that it’s looking for? And it also just gathers up information about the user, the version of macOS, etc.
There are two main goals here.
The first is to uniquely identify the target. Imagine a piece of malware has infected a ton of Macs. Usually what a piece of malware will do is beacon back to a command-and-control server for more tactics. If thousands of Macs are connecting back, they have to have a way to uniquely identify themselves. That’s often done during the survey phase where they will get, for example, the username. But oftentimes that’s not enough, because obviously there are people with the same usernames. So they’ll often get the serial number or the MAC address, and other unique, identifying information about the operating system and the systems that they’re running. Then they’ll send that back to the command-and-control server so that the attacker can uniquely identify their targets.
And as I mentioned, the other thing that the malware is doing is examining the environment for any incompatibilities. So for example, we’ve seen malware that will actually not infect a system if it sees a firewall product running, because the malware knows that when it tries to beacon out, that firewall will detect that unauthorized network activity and alert the user, which in turn can bring attention to the malware. The attackers would rather lose one or two infection opportunities than bring attention to their malware and potentially compromise the whole attack.
Remote shells, on the other hand, are typically seen in more advanced malware. Remote shells allow a remote attacker to run shell commands on an infected system. The shell is basically the Terminal, the command prompt, where you run commands. If you’re kind of a Mac power user, then maybe you use the Terminal to list files, search for things, look at a process list, etc. It’s really like a console where you can interface directly with your computer. And what a sophisticated piece of malware will do is expose the same functionality, but remotely. This allows a remote attacker complete access to an infected system. It’s as if the attacker is sitting directly in front of that infected system, and can run any command. Now, this is generally interactive, so it’s not going to scale to thousands of computers. But in more advanced and targeted attacks, remote shells really give sophisticated attackers complete control over an infected system — which is often exactly what they’re going for.
The road to publication (and beyond)
As mentioned above, The Art of Mac Malware: Analysis is still a work in progress. We asked Wardle if he had some sense of when the book would be complete, and if he could tell us anything about his ultimate plans for publication and various distribution formats:
PW: The content for the book is basically done. I started earlier this year. It was kind of my quarantine project, where I committed to writing 500 words a day. But by the time I actually announced it a few weeks ago, I had the majority, if not all of the content, done. One of the reasons I wanted to wait to announce it was to make sure that I could actually see this through!
So the way it works right now is that I release a new chapter every week or so. I’m working with a great editor who’s giving me a lot of editorial feedback, you know, more kind of “professional editing” help. So we’re now in this editing stage where we’re dotting the i’s and crossing the t’s for each chapter, and then releasing them one by one (I believe we’re up to chapter 7 of about 12 or 13 chapters). Then I get feedback throughout the week from the community, and at the same time, I’m kind of finalizing the next chapter. The chapters should all be out by the end of the year.
I’m also really excited to announce that I’ve been approached by several publishers. The final plan is to have a free version online, because I’m a big believer in giving back to the community, and also because there has been so much community involvement, so I want this to be free as a resource for the community. That online version will probably be a little more user-friendly than what we have up on the site now, because it will be the final product. I’ve actually already made PDF versions of the chapters available, because that was one of the pieces of feedback I received: People said, “Hey, great, I like the editable format, but I also just want to download it and read it”.
And then as I mentioned, I’ve been talking to some publishers, so there’s also going to be a physical book. I’m a big fan of physical books. It’s kind of neat to have on your bookshelf, to carry around as a resource, etc. And obviously there will be an ebook as well, probably through one of those same publishers. The goal is really to have a professional product for people who like books, or who want to add the book to their collection. I’m trying to figure out pricing; I want to make it very accessible. I’m also looking to raise money for the conference that we put on and some of the charity efforts that are involved. So this is really not a “for-profit” venture. One of my friends told me that you don’t really make a lot of money writing books anyway, which is totally true, but I would really like for it to be something that continually feeds back into the community. So I would say “stay tuned” for an announcement about the physical product, but in the meantime it’s going to be available online for free as well.
In closing, Wardle offered some insights into how he was inspired to write The Art of Mac Malware: Analysis, and to his own background as a writer:
PW: This is my first book. I actually love to write. I’ve written a lot of white papers for conferences. My blog posts sometimes get very long. For example, each year I write an overview of the Mac malware of the year, which I put up as a blog post, and last year I thought, “Eh, I should make a printable PDF as well,” and I did that and it came out to like 50 or 70 pages, something rather obscene. So I was kind of like: “Well, if I can write 50 pages, that’s kind of on the way to becoming a book…” and that was sort of an eye-opening moment for me. I knew I liked to write, but writing a book was sort of this daunting goal, but that’s when I saw, “Oh, this is something I can do”. And I remember reading this quote, I forget who it was, but basically someone asked this novelist, “How do you write all these books”, and they said, “500 words a day”. And I was like, “Oh, I can commit to that!” And so at the beginning of the year, I did commit to that, and now here we are.
The Checklist would like to thank Patrick Wardle for taking the time to talk about his forthcoming book. If you’d like to keep up with Patrick online, please follow him on Twitter. To read publicly available excerpts from The Art of Mac Malware: Analysis, or to help with feedback, comments, and editing, go to https://taomm.org/. If you’d like to support the book project financially, and also receive early access to new chapters of the book as they’re finished, please visit Wardle’s Patreon page.
This brings us to the end of another Checklist, but we’ll be back soon with an all new episode. In the meantime, be sure to check out our archives for past shows and show notes. And as always, if you have a question you’d like answered, or would like to suggest a guest or topic for a future show, please write to let us know!