SANS ISC: InfoSec Handlers Diary Blog
Some Insight into Apple's Anti-Virus Signatures

Published: 2011-06-02
Last Updated: 2011-06-02 21:19:41 UTC
by Johannes Ullrich (Version: 1)

Now that Apple is pushing out its first daily update to combat the latest MacDefender variant, it's a good time to take a closer look at "XProtect", the Snow Leopard anti-malware engine (or, to use the Apple euphemism, the "safe download list").

OS X heavily relies on XML files for configuration. These "plist" files are easy to read. The same is true for the XProtect configuration, which includes the currently valid signatures. Two files are used:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

This file appears to track XProtect versions and when they were applied.

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

This is the actual signature file. For example, one of the MacDefender entries looks like:

    <dict>
        <key>Description</key>
        <string>OSX.MacDefender.B</string>
        <key>LaunchServices</key>
        <dict>
            <key>LSItemContentType</key>
            <string>com.apple.installer-package</string>
        </dict>
        <key>Matches</key>
        <array>
            <dict>
                <key>MatchFile</key>
                <dict>
                    <key>NSURLNameKey</key>
                    <string>Info.plist</string>
                </dict>
                <key>MatchType</key>
                <string>Match</string>
                <key>Pattern</key>
                <string>3C6B65793E43464276B6....F737472696E673E</string>
            </dict>
            [ ... 3 more 'dict' sections deleted ... Also, the Pattern string is abbreviated to fit ]
        </array>
    </dict>
How these signatures work is fairly obvious: for each malware sample, the file holds a set of string matches like the one above, each naming the file inside the download to inspect and the hex-encoded bytes that must be found in it.
 
Using the xpath utility, we can get a list of all malware names currently covered:
 
xpath /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist /plist/array/dict/string
 
Checking the file date will also give you an idea of when the file was last updated.
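The same listing, plus a look at what the signatures actually contain, as an added Python example that is not part of the diary and not Apple's code. It parses a constructed plist in the XProtect.plist layout (hypothetical entries, not real signatures), decodes each hex Pattern to bytes, and assumes that MatchType "Match" means a plain substring match against the named file.

```python
import plistlib
from datetime import datetime, timezone
from pathlib import Path

XPROTECT = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist"

def hexpat(text):
    """Upper-case hex of the literal's bytes, the form XProtect stores a Pattern in."""
    return text.encode().hex().upper()

# Constructed sample in the XProtect.plist layout; names and patterns are hypothetical.
SAMPLE_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict><key>Description</key><string>OSX.Example.A</string>
<key>LaunchServices</key><dict><key>LSItemContentType</key><string>com.apple.installer-package</string></dict>
<key>Matches</key><array><dict>
<key>MatchFile</key><dict><key>NSURLNameKey</key><string>Info.plist</string></dict>
<key>MatchType</key><string>Match</string><key>Pattern</key><string>{p1}</string>
</dict></array></dict>
<dict><key>Description</key><string>OSX.Example.B</string>
<key>Matches</key><array><dict>
<key>MatchFile</key><dict><key>NSURLNameKey</key><string>Info.plist</string></dict>
<key>MatchType</key><string>Match</string><key>Pattern</key><string>{p2}</string>
</dict></array></dict>
</array></plist>""".format(p1=hexpat("<string>com.example.trojan</string>"),
                           p2=hexpat("<string>com.example.dropper</string>")).encode()

def load_signatures(plist_bytes):
    """{description: [(file name, pattern bytes)]}, each hex Pattern decoded to raw bytes."""
    sigs = {}
    for entry in plistlib.loads(plist_bytes):
        sigs[entry["Description"]] = [
            (m.get("MatchFile", {}).get("NSURLNameKey", "*"), bytes.fromhex(m["Pattern"]))
            for m in entry.get("Matches", [])]
    return sigs

def covered_names(plist_bytes):
    """Same list the xpath query /plist/array/dict/string prints: the Description strings."""
    return sorted(load_signatures(plist_bytes))

def hits(sigs, file_name, data):
    """Names whose every pattern for file_name is in data (assumes 'Match' = substring)."""
    return sorted(name for name, pats in sigs.items()
                  if any(f == file_name for f, _ in pats)
                  and all(p in data for f, p in pats if f == file_name))

def last_updated(path=XPROTECT):
    """Modification time of the signature file, i.e. when it was last updated, or None."""
    p = Path(path)
    return datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc) if p.exists() else None
```

On a Snow Leopard machine, pass `Path(XPROTECT).read_bytes()` instead of `SAMPLE_PLIST` to list the real signatures.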
 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: antivirus