Knock Knock tool makes a joke of Mac AV

Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em


Security research and development bod Patrick Wardle has released a tool to reveal executables that automatically boot in Mac OS X.

The Knock Knock tool was open source and built on an extensible framework to encourage the community to evolve the platform.

Wardle, of consultancy Synack, said he designed the tool because he was concerned about the lack of insight into the potential for persistent malware to load on his machine, a worry justified he said given Apple's "feeble" anti-virus protection and that a further 33 OS X malware families were discovered last year.

"I was really bothered by the fact that I did not know what was automatically executing on my computer or if there was any persistent malware on my computer that I wouldn't know about it," Wardle said.

"[Knock Knock] should show me everything that is set to automatically execute when my Mac is rebooted.

"I've run it on some friends' computers and actually found a bunch of OS X malware."


Knock Knock

He added that a fully patched Mac was "not that secure" and that the built-in anti-malware mechanisms were "pretty lame".

"There [are] tonnes of ways for malware to persist on OS X and Mac malware is certainly a reality, particularly if you're a Chinese activist or one of my friends who I guess have questionable browsing habits."

In one example it detected the "clipboardd" persistent malware when it listed all binaries unsigned by Apple meaning users needed to have knowledge of OS X malware.

Plugins could be added to scan for new persistence techniques to keep it abreast of threats.

Wardle said writing the plugins was simple and noted the beta-phase command line tool was stable and usable. ®

Broader topics


Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Mega's unbreakable encryption proves to be anything but
    Boffins devise five attacks to expose private files

    Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

    The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

    The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

    Continue reading
  • A miserable work week spent toiling inside 'the metaverse'
    Nausea, eye strain, inability to take notes, migraines are just a few of Metaverse work 'perks'

    Sometimes it takes research to prove what was already suspected, like how utterly uncomfortable it would be to work in the metaverse.

    An international team of researchers conducted a study [PDF] to just such an end, putting participants in VR headsets and taking an inventory of their self-reported physical and mental states throughout a five day, eight-hour-a-day period spent in headsets and a virtual "office".

    Unlike a real job, participants were allowed to set their own work agendas and didn't perform standardized tasks yet even still had trouble undertaking these.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Chinese-sponsored gang Gallium upgrades to sneaky PingPull RAT
    Broadens targets from telecoms to finance and government orgs

    The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan (RAT) that threat hunters say is difficult to detect.

    The deployment of this "PingPull" RAT comes as the gang is broadening the types of organizations in its sights from telecommunications companies to financial services firms and government entities across Asia, Southeast Asia, Europe and Africa, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group.

    The backdoor, once in a compromised system, comes in three variants, each of which can communicate with the command-and-control (C2) system in one of three protocols: ICMP, HTTPS and raw TCP. All three PingPull variants have the same functionality, but each creates a custom string of code that it sends to the C2 server, which will use the unique string to identify the compromised system.

    Continue reading

Biting the hand that feeds IT © 1998–2022