When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15.

Published: 2019-10-14
Last Updated: 2019-10-16 22:43:21 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

This post is continuing a series I started in April about network traffic from Windows 10. When dealing with network traffic, it is always good to know what is normal. As part of this series, I will investigate the first few minutes of network traffic from current operating systems. With macOS 10.15 Catalina just being released, I figured this might be an excellent next operating system to investigate.

Lets first start with some basic fingerprinting. TCP SYN packets from MacOS 10.15 look just like SYN packets from earlier macOS versions:

Flags [SEW], seq 4259408247, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 801728007 ecr 0,sackOK,eol], length 0

macOS is one of a few operating systems using ECN by default. It attempts to use the maximum possible window size, but also offers Window Scaling. Like all modern operating systems, macOS uses PMTUD to avoid fragmentation.

1. Catalina Install

For this experiment, I installed Catalina in a virtual machine. The first connections during the install set the time via Apple's "time.apple.com" NTP server. Next, the system connected to "albert.apple.com" via HTTPS, Apple's secure activation server. OCSP is used to verify the certificates. The system also checks if it has internet connectivity via "https://www.apple.com/library/test/success.html" and connects to swscan.apple.com. This server is used to distribute Apple software. The connection uses HTTPS, so it isn't clear what the installer is looking for, but likely supplemental software. In my case, the system connected 18 times and retrieved about 42 MBytes in total.

Interesting: During the install, the system connected 206 times to gspe21-ssl.ls.apple.com, retrieving about 23 MBytes. The system appears to be associated with Apple's mapping service (http://gspe21.ls.apple.com/html/attribution.html), but of course, it may have other functions as well.

Other significant connections retrieve language-specific dictionaries. These are the only significant HTTP connections.

2. First Boot

The first boot started out a lot like the install with a connection to time.apple.com. But unlike during the install, which used connections pretty much exclusively to Apple's own systems, macOS does connect to a few non-Apple networks:

  • apple-finance.query.yahoo.com - Retrieve stock quotes

After starting Safari, a few additional connections popped up to load icons for the start screen:

  • www.yelp.com
  • www.yahoo.com
  • www.weather.com
  • www.tripadvisor.com
  • www.linkedin.com
  • www.facebook.com
  • www.bing.com
  • www.twitter.com

There was a lot of talk about Safari's connection to Tencent for its "Safe Browsing" feature. Apple stated that only systems in China would connect to Tencent, and I did not observe any connections not in line with Apple's statement.

Apple uses various CDNs, so the exact IP addresses will vary based on your location. I ran these experiments while in Chicago, IL. 

Links to PCAP data:


This post has also been cross-posted to our newish SEC503 Blog: Show Me The Packets!

Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

0 comment(s)

YARA's XOR Modifier

Published: 2019-10-14
Last Updated: 2019-10-14 18:21:53 UTC
by Didier Stevens (Version: 1)
1 comment(s)

YARA searches for strings inside files. Strings to search for are defined with YARA rules.

With the release of YARA 3.8.0, support for searching for XOR encoded strings was introduced. By adding the modifier xor to the definition of a string, YARA 3.8.0 would search for strings that were XOR encoded, with a single-byte key, ranging from 1 to 255.

Here is an example of a string with xor modifier.

    rule xor_test {
            $a = "https://isc.sans.edu" xor

This YARA version's xor modifier would not match unencoded strings.

Apparently, that was not the purpose, and this was fixed with version 3.10.0.

The same rule would now also match unencoded strings.

With the latest version of YARA, 3.11.0, a YARA rule developer has now control over which XOR key range is used by modifier xor.

This is done by specifing an optional minimum-key - maximum-key range after the xor modifier, like this: xor(min-max).

The following rule has an xor modifier with key range 0x01-0xFF (minimum/maximum keys can be specified with decimal or hexadecimal values).

    rule xor_test {
            $a = "https://isc.sans.edu" xor(0x01-0xFF)

This rule will not match unencoded strings.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: xor yara
1 comment(s)
ISC Stormcast For Monday, October 14th 2019 https://isc.sans.edu/podcastdetail.html?id=6706


Diary Archives