Answer

Mac malware: Evasion techniques, enterprise detection best practices

Security researchers discovered a strain of Mac malware utilizing right-to-left override in somewhat the same way Windows malware does. Can you detail this evasion technique (both for Mac and Windows machines)? How can enterprises spot such malware?

    Requires Free Membership to View

Ask the Expert

Have questions about enterprise threats for expert Nick Lewis? Send them via email today! (All questions are anonymous)

The strain of Mac malware that is similar to Windows malware is named OSX/Janicab.A. It uses right-to-left encoding to trick users into executing malicious applications that appear to be PDF files.

It is important to note that an enterprise can spot new malware using the same tools it always has, regardless of the malware strain. While there might be advanced malware that bypasses security detection tools, it would need to be part of an advanced attack and know exactly which security tools are in use and how to bypass each one.

In the case of OSX/Janicab.A, malware authors are trying to bypass the OS X Gatekeeper, a feature that requires applications to be signed with a valid digital certificate. If the application is not signed, an error warning is displayed.

Due to their success, malware authors are starting to use the same tools and techniques on OS X systems as they have used in the past to bypass Windows antimalware tools. Historically, even in attacks on Linux and UNIX systems, attackers are trying to create directories or executables that are not easily visible when users initiate the attack. By using an alternative encoding scheme on the file name, such as having a significant number of spaces in the name of the file, attackers are obfuscating visibility and improving their success rates.

To successfully detect OSX/Janicab.A and other malware, I suggest that every enterprise check for character sets or language settings that are not standard in its organization, monitor for revoked Apple ID software signing certificates, use standard antimalware tools and leverage behavioral-based detection. Enterprises could also benefit from scanning for file names that are formatted in non-standard ways, then investigating should an anomaly appear.

This was first published in January 2014

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: