
When it comes to sharing malware signatures, Apple is a bit selfish

captain_to_fire

Source: Ars Technica, Objective-See

 

Quote


 

A few things make Windshift stand out among APTs, Karim reported in August. One is how rarely the group infects its targets with malware. Instead, it relies on links inside phishing emails and SMS text messages to track the locations, online habits, and other traits of the targets. Another unusual characteristic: in the extremely rare cases Windshift uses Mac malware to steal documents or take screenshots of targets' desktops, it relies on a novel technique to bypass macOS security defenses.

It's no surprise that malware infections on Macs will just continue to grow. While Windows remains the biggest target for malware authors, I think PC users are less cocky than most Mac users I know because even at school I still hear people saying "Macs don't get viruses" which is not true. This time, it's an advanced persistent threat (APT) that can exfiltrate documents, take screenshots and bypass Apple's built-in antimalware defenses like Gatekeeper. This time, a security researcher picked up the said malware and uploaded it to VirusTotal only to be detected by two engines as shown above.

 


 

It turns out Apple already knew about the malware and automatically updated XProtect, which basically inoculated Macs against the said malware. In fairness to Apple, they managed to detect and block it before other AV engines (except the two above), which means they're really serious about security (e.g. Secure Enclave coprocessor, T2 chip, Face ID, etc.).

Quote

XProtect

macOS includes built-in technology for the signature-based detection of malware. Apple monitors for new malware infections and strains, and updates XProtect signatures automatically—independent from system updates—to help defend Mac systems from malware infections. XProtect automatically detects and blocks the installation of known malware.

 

Malware removal tool

Should malware make its way onto a Mac, macOS also includes technology to remediate infections. In addition to monitoring for malware activity in the ecosystem to be able to revoke Developer IDs (if applicable) and issue XProtect updates, Apple also issues updates to macOS to remove malware from any impacted systems that are configured to receive automatic security updates. Once the malware removal tool receives updated information, malware is removed after the next restart. The malware removal tool doesn’t automatically reboot the Mac. (emphasis is mine)

Unlike the Windows 10 version, which requires a restart for even the simplest updates.

 


Automatic security updates

Apple issues the updates for XProtect and the malware removal tool automatically. By default, macOS checks for these updates daily. For more information on automatic security updates, see the Apple Support article “Mac App Store: Automatic security updates” at support.apple.com/HT204536.

So you might ask, what seems to be the problem? It turns out that it's standard operating procedure for antivirus vendors, including Microsoft, to share malware signatures, especially the ones relating to advanced persistent threats and widespread malware. Apple, on the other hand, managed to know about the said malware, updated XProtect's signatures and revoked the certificate used to bypass Gatekeeper, and others.


 

I can see a few reasons why Apple would want to keep malware signatures to themselves and not share them with others.

  • Apple is aware of the related vulnerabilities of antivirus programs because they run with high privileges, thus increasing the attack surface further. The security researchers of Google Project Zero are notorious for advocating for AV-free systems.
  • Apple is unaware that they need to share signatures with other security companies because it's the SOP.
  • Apple wants to monopolize the security of their own platforms, which is the most likely reason. Unlike Android, Apple doesn't allow AV programs to scan contents, and I think it would be useless too on something like iOS since all apps run in a restricted sandbox environment. Considering that Apple is using their own in-house chips for almost everything and it was rumored that they'll soon use in-house modems, it looks like Apple is heading to a vertical monopoly in the years to come.

So I think it's a bit of a selfish move from Apple, but then again, it proves that when it comes to Mac malware, the majority of AV vendors are inexperienced and it seems they don't have detection algorithms similar to what they have for PC malware. Back in 2009, on Snow Leopard's security page, Apple recommended the use of antivirus. Now that recommendation is gone.


 

Obviously this will potentially hurt the business model of AV vendors but only time will tell on how macOS can withstand more sophisticated targeted attacks in the future by not sharing security intelligence.
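An added example, not from the post or from Apple, of the check a Mac admin would script from the XProtect and automatic-update description quoted above: it reads the XProtect and MRT bundle versions and the SoftwareUpdate preferences with Python's standard plistlib and reports anything below a baseline or switched off. The file paths, the meaning of a missing key (macOS default, on) and the ConfigDataInstall/CriticalUpdateInstall keys are assumptions about current macOS; off a Mac it runs against constructed sample plists.

```python
"""Defender-side check of XProtect / MRT versions and automatic security updates.

Added example, not Apple's code. Everything is parsed with the standard-library
plistlib, which accepts both XML and binary plists.
"""
import plistlib
import sys

# Paths as assumed for macOS 10.15 and later (older releases kept the bundles
# under /System/Library/CoreServices/).
XPROTECT_PLIST = "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
MRT_PLIST = "/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist"
SWUPDATE_PLIST = "/Library/Preferences/com.apple.SoftwareUpdate.plist"

# Constructed sample data so the check runs off-box; the version numbers are made up.
SAMPLE_XPROTECT = plistlib.dumps({"CFBundleIdentifier": "com.apple.XProtect",
                                  "CFBundleShortVersionString": "2103"})
SAMPLE_MRT = plistlib.dumps({"CFBundleIdentifier": "com.apple.MRT",
                             "CFBundleShortVersionString": "1.45"})
SAMPLE_SWUPDATE_ON = plistlib.dumps({"ConfigDataInstall": True,
                                     "CriticalUpdateInstall": True})
SAMPLE_SWUPDATE_OFF = plistlib.dumps({"ConfigDataInstall": False,
                                      "CriticalUpdateInstall": True})


def version_tuple(version):
    """'1.45' -> (1, 45), so dotted versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def bundle_version(plist_bytes):
    """Return CFBundleShortVersionString from a bundle's Info.plist."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


def auto_updates_enabled(plist_bytes):
    """True when XProtect/MRT data can still install unattended.

    Assumption: ConfigDataInstall and CriticalUpdateInstall are the keys that
    matter, and a missing key means the macOS default, which is on.
    """
    prefs = plistlib.loads(plist_bytes)
    return bool(prefs.get("ConfigDataInstall", True)) and \
        bool(prefs.get("CriticalUpdateInstall", True))


def assess(xprotect_plist, mrt_plist, swupdate_plist, min_xprotect, min_mrt):
    """Return a list of findings; an empty list means the host looks healthy."""
    findings = []
    xv, mv = bundle_version(xprotect_plist), bundle_version(mrt_plist)
    if version_tuple(xv) < version_tuple(min_xprotect):
        findings.append(f"XProtect {xv} below baseline {min_xprotect}")
    if version_tuple(mv) < version_tuple(min_mrt):
        findings.append(f"MRT {mv} below baseline {min_mrt}")
    if not auto_updates_enabled(swupdate_plist):
        findings.append("automatic XProtect/MRT updates are disabled")
    return findings


def read(path):
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    if sys.platform == "darwin":
        inputs = (read(XPROTECT_PLIST), read(MRT_PLIST), read(SWUPDATE_PLIST))
    else:
        inputs = (SAMPLE_XPROTECT, SAMPLE_MRT, SAMPLE_SWUPDATE_OFF)
    # Baselines are placeholders; take them from a known-good, freshly updated Mac.
    for finding in assess(*inputs, "2100", "1.40"):
        print("FINDING:", finding)
```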


I think it's been known for a while that Macs get viruses... I have Malwarebytes installed on mine just in case... 


I guess if it becomes a bit more popular Linux too will start picking up more viruses.


19 minutes ago, Humbug said:

I guess if it becomes a bit more popular Linux too will start picking up more viruses.

I'm sure there are Linux servers that get infected by viruses too just because of the fact that anything compiled by man will always have vulnerabilities.


I'm gonna play devil's advocate, if that's the correct phrase for this: do we really want third-party software developers to tool around with the security chips on newer Apple computers? That would most likely blow a door WIDE open for vulnerabilities.

It seems like Apple does this not necessarily out of selfishness but rather, for the security of, well, the dedicated security chips.


1 minute ago, handymanshandle said:

I'm gonna play devil's advocate, if that's the correct phrase for this: do we really want third-party software developers to tool around with the security chips on newer Apple computers? That would most likely blow a door WIDE open for vulnerabilities.

It seems like Apple does this not necessarily out of selfishness but rather, for the security of, well, the dedicated security chips.

But it’s not the dedicated security chips they’d be sharing; what Apple was expected to share is malware definitions, because in Windows land that’s how it’s done. Also, even with antivirus installed, the data stored inside the T1/T2 chip is inaccessible to third-party programs. 


Just now, captain_to_fire said:

But it’s not the dedicated security chips they’d be sharing; what Apple was expected to share is malware definitions, because in Windows land that’s how it’s done. Also, even with antivirus installed, the data stored inside the T1/T2 chip is inaccessible to third-party programs. 

Hmm.

Then I really do wonder why Apple doesn't do it. Is there something a little deeper to it than "Apple wanting to monopolize how they do security"?

This likely is something with many layers we probably can't fully figure out.


3 minutes ago, handymanshandle said:

Hmm.

Then I really do wonder why Apple doesn't do it. Is there something a little deeper to it than "Apple wanting to monopolize how they do security"?

This likely is something with many layers we probably can't fully figure out.

Time will come when Apple will become the first vertical monopoly. 


Just now, captain_to_fire said:

Time will come when Apple will become the first truly vertical monopoly. 

That we will see.

It wouldn't be totally out of place, considering that they developed their own graphics API.


25 minutes ago, captain_to_fire said:

Time will come when Apple will become the first vertical monopoly. 

I honestly don't see the problem of owning everything that goes into your product. I generally don't like Apple, but I always thought it was silly when people make it seem like such a bad thing for a company to build everything that goes into their product. 


37 minutes ago, Brooksie359 said:

I honestly don't see the problem of owning everything that goes into your product. I generally don't like apple but I always thought it was silly when people make it seem like such a bad thing for a company to build everything that goes into their product. 

On the security side things are a bit complicated. On the one hand, all in-house, locked and hidden does increase security because no one outside really knows how everything is built. This does create the problem of what happens if someone busts the doors open: because no one else knows how everything works, no one can help you to at least close the doors a little bit. Like the T2 chip is secure, but if its security were to be compromised, let's say someone finds a way to hack into it and manages to find a ton of weak points and whatever else Apple has mistakenly left in there, and now starts the cat-and-mouse game: the attacker can now easily create more and more malware that uses the weak points, and after letting them loose Apple patches them; problems arise if the attacker starts to sell those weak points, because then Apple needs to fight against multiple malwares using multiple weak points at the same time.

 

The other side is trust. This mostly applies to encryption and firewalls and other things that promise to protect. Encryption is a great example here; there are still a couple of huge reasons why TrueCrypt is held to be outdated but one of the best, and those are open source, audited and known unsuccessful decryption. Open source makes it so anyone anywhere can confirm that there aren't backdoors; audits basically are reviews by professionals trying to find backdoors and vulnerabilities; and for the last one, if the FBI, NSA and others can't get through it, it must be good. VeraCrypt is based on TrueCrypt and fixes many of the problems and found vulnerabilities, but it still lacks the legal part where the three-letter agencies are frustrated and enraged because they have found a storage medium they cannot access. But the main thing is openness: that anyone can see the code and the algorithms shows that they have nothing to hide, while having things closed always keeps the doubt about backdoors and skeleton keys alive, and here only the word of the company or experts paid by the company isn't really enough; even if there was some third party to audit the security and do every possible piece of paperwork to show that they are in no way connected to the company making the product, there still would be doubts. Just as Apple says the T2 chip securely encrypts and controls the SSD, does Apple have a backdoor to the T2 chip? Does Apple have a skeleton key for the T2 chip's encryption? Apple says no, but wouldn't a criminal plead not guilty even if he was caught red-handed?


People are just ignorant though, thinking macOS can't be infected. Windows is the main global OS with very high market usage, and macOS is a small portion in statistics. That's the reason Windows is much more targeted. If macOS overnight became the top OS with market usage like Windows has, it would get targeted severely more with infections. It would crumble to pieces all of a sudden. 


21 hours ago, Thaldor said:

On the security side things are a bit complicated. On the one hand, all in-house, locked and hidden does increase security because no one outside really knows how everything is built. This does create the problem of what happens if someone busts the doors open: because no one else knows how everything works, no one can help you to at least close the doors a little bit. Like the T2 chip is secure, but if its security were to be compromised, let's say someone finds a way to hack into it and manages to find a ton of weak points and whatever else Apple has mistakenly left in there, and now starts the cat-and-mouse game: the attacker can now easily create more and more malware that uses the weak points, and after letting them loose Apple patches them; problems arise if the attacker starts to sell those weak points, because then Apple needs to fight against multiple malwares using multiple weak points at the same time.

 

The other side is trust. This mostly applies to encryption and firewalls and other things that promise to protect. Encryption is a great example here; there are still a couple of huge reasons why TrueCrypt is held to be outdated but one of the best, and those are open source, audited and known unsuccessful decryption. Open source makes it so anyone anywhere can confirm that there aren't backdoors; audits basically are reviews by professionals trying to find backdoors and vulnerabilities; and for the last one, if the FBI, NSA and others can't get through it, it must be good. VeraCrypt is based on TrueCrypt and fixes many of the problems and found vulnerabilities, but it still lacks the legal part where the three-letter agencies are frustrated and enraged because they have found a storage medium they cannot access. But the main thing is openness: that anyone can see the code and the algorithms shows that they have nothing to hide, while having things closed always keeps the doubt about backdoors and skeleton keys alive, and here only the word of the company or experts paid by the company isn't really enough; even if there was some third party to audit the security and do every possible piece of paperwork to show that they are in no way connected to the company making the product, there still would be doubts. Just as Apple says the T2 chip securely encrypts and controls the SSD, does Apple have a backdoor to the T2 chip? Does Apple have a skeleton key for the T2 chip's encryption? Apple says no, but wouldn't a criminal plead not guilty even if he was caught red-handed?

Again it's a business choice and I don't think it is nearly as bad as some make it sound. It isn't the same as an actual monopoly. 


Just enable FileVault, easy fix 


28 minutes ago, RorzNZ said:

Just enable FileVault, easy fix 

FileVault only protects data inside Macs from unauthorized local access via full-disk encryption. Once a Mac is logged in, all data is decrypted and malware can steal login credentials and sensitive data. 


On 12/24/2018 at 5:46 AM, Humbug said:

I guess if it becomes a bit more popular Linux too will start picking up more viruses.

There are gonna be more of them; it's expected as it becomes more and more popular. But I'm not too sure about the part that there are gonna be more infections. For one, getting something nefarious on Linux is quite a bit harder because of how software installation works, especially with the official repos containing everything that could be needed by an average user.


21 minutes ago, valdyrgramr said:

More like this https://arstechnica.com/information-technology/2014/12/powerful-highly-stealthy-linux-trojan-may-have-infected-victims-for-years/

 

Unfortunately, so many people, including a few in this forum, think that Linux distros are somehow the silver bullet against malware because everyone seems to be targeting Windows. 


I've never had a virus on my Mac or PC. I think the best protection is just common sense.

People missing that are most often those who get viruses. And of that subset of people mac users are protected comparatively much better than windows users. So I don't see it as something extremely cocky to say macs don't get viruses. It's false in a binary way, as obviously every system can get some kind of malware on it, but from a consumer standpoint it holds true more or less. Actually, the quick response from Apple themselves further proves this, though I have to agree it's kind of a dick move not to share such info. Then again, Apple has never been known for being overly transparent with software details like this.

 


I got a feeling 9/10 people in this thread don't know what any of this means, or how different OSes function security-wise. It would certainly explain some of the totally irrelevant comments in this thread, such as Apple wanting to keep their code secret to increase security. 

 

Sharing malware signatures does not reveal anything about how software works. All it does is enable others to detect malware better. Not sharing them is a fucking dick move. It's like discovering a deadly disease, creating a vaccine for it, and then not telling anyone that it even exists, just letting people get infected. 


1 hour ago, LAwLz said:

Not sharing them is a fucking dick move. It's like discovering a deadly disease, creating a vaccine for it, and then not telling anyone that it even exists, just letting people get infected. 

I get that, but Apple isn’t in the game of doing security R&D for other companies for free. They have customers that they have to take care of, so they are. It would be nice if they would share their findings after they have already implemented protections for their users, but their users are the priority at the end of the day. 


14 minutes ago, DrMacintosh said:

but their users are the priority at the end of the day.

What about after that day? Nobody is advocating for Apple to not put their customers first here, this is about what they do with that information after the fact. Which Apple's policy is to just sit on the information apparently...


36 minutes ago, imreloadin said:

What about after that day?

Read my post and you’ll find out. 


1 hour ago, DrMacintosh said:

I get that, but Apple isn’t in the game of doing security R&D for other companies for free. They have customers that they have to take care of, so they are. It would be nice if they would share their findings after they have already implemented protections for their users, but their users are the priority at the end of the day. 

So everyone else but Apple are in the game of doing security R&D for free?

 

Your logic doesn't add up. This isn't about handing over business critical information. It's about ensuring a healthy environment for everyone. Even if it doesn't help Apple directly, it'll help them indirectly by creating a herd immunity - in the spirit of the vaccine analogy.

 

It is also in their interest to do their part and maintain a good relationship with other companies whom Apple currently get information from - so there is a tit for tat in some sense. The sharing of information helps keep everyone safe and Apple gains nothing from maintaining secrecy unless Apple intends to exploit the flaws themselves or if they intend to sell the information. Given their position either option would be unethical.

 

Imagine if everyone did the same. Just imagine.


3 minutes ago, Trixanity said:

So everyone else but Apple are in the game of doing security R&D for free?

 

Your logic doesn't add up. This isn't about handing over business critical information. It's about ensuring a healthy environment for everyone. Even if it doesn't help Apple directly, it'll help them indirectly by creating a herd immunity - in the spirit of the vaccine analogy.

 

It is also in their interest to do their part and maintain a good relationship with other companies whom Apple currently get information from - so there is a tit for tat in some sense. The sharing of information helps keep everyone safe and Apple gains nothing from maintaining secrecy unless Apple intends to exploit the flaws themselves or if they intend to sell the information. Given their position either option would be unethical.

 

Imagine if everyone did the same. Just imagine.

I have a feeling that everyone quoting me isn’t reading what I post....


2 hours ago, DrMacintosh said:

I get that, but Apple isn’t in the game of doing security R&D for other companies for free. They have customers that they have to take care of, so they are. It would be nice if they would share their findings after they have already implemented protections for their users, but their users are the priority at the end of the day. 

Even that is a poor excuse, because:

1) It does not cost them anything to share the signature. It takes 10 minutes tops to share it. Just send an email going "hey, this signature is bad. It's associated with this malware", and maybe put an analysis (which they have already made internally, before blocking it in their own program) as an attachment.

2) Sharing the signature with others would in fact protect their users as well, because it prevents the spread and creates herd immunity. Yes, that is a thing in software too.

 

Apple are being selfish fucktards which puts everyone, including their own users, at a greater risk than necessary.

Not sharing the signature actually shows that they do not care about their customers. What it does show is that Apple are, like they always have been, terrible at securing MacOS and that they are selfish bastards who are more than willing to benefit from others work, but so hellbent to not help anyone else that they would rather make the world a worse place than let someone else benefit from their work.

 

 

Edit: And yes I did read your post. You don't have to quote me saying I didn't read it. Your posts were:

1) Apple isn't doing security research for free. But in this case they had already done the research. They just refused to share it with anyone else. Again, they have the "vaccine" developed. They just didn't even tell anyone.

2) That they prioritize their own customers. Well, in this case they aren't doing that, because they are letting the malware spread, which increases the risk of one of their customers getting infected. Like someone who hasn't received the update with the signature included perhaps, someone who has the anti-malware protection turned off, or maybe someone who is running Windows in a VM or the likes.

 

If you mean something else then please elaborate rather than just saying "everyone quoting me are not reading my posts!".
