Checking my devices for malware - Part 1 - OS X

Extract taken from a photo by Skitter.

Christmas is that time of the year where I dismantle, burn and rebuild all my machines.

There are 4 operating systems that I use (as base operating systems):

  1. Mac OS X (Part 1);
  2. Kali Linux (Part 2);
  3. Android (Part 3); &
  4. OpenBSD (Part 4).

In this series of posts I will cover the following topics for each operating system:

  1. The all important - WHY?
  2. Operating system check; &
  3. Checking for persistence.

Important to note, this is not a digital forensics or secure configuration procedure.


The all important - WHY?

If you're wondering if I run endpoint protection - I do. If you're wondering why I still need to perform these manual checks - I'm paranoid. My mantra in this regard,...

Thanks https://imgflip.com/i/3efnbq

Here is a good example of when a little paranoia goes a long way,...

BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild - The Citizen Lab
Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.

If you think that this won't happen to you (or us) - think again,...

Pegasus Project: Ramaphosa among world leaders selected as potential targets of NSO spyware - Amnesty International
New evidence uncovered by the Pegasus Project has revealed that the phone numbers for 14 heads of state, including South African President Cyril Ramaphosa, French President Emmanuel Macron, Pakistan's Imran Khan and as well as hundreds of government officials, were selected as people of interest by clients of spyware company NSO Group. Amnesty International South...

Operating system checks

This is my quick list to detect clear and present danger:

The essential mix

You first have to confirm the basic controls - I won't go into too much detail here:

  1. System update - this includes removing unnecessary services, creepware, etc.
  2. Secure configuration - this includes strong password, encryption, policies, etc.
  3. Security controls - this includes firewall, endpoint security, data backups, etc.

A good resource is the CIS security standard which details the most salient points.

CIS Apple macOS Benchmarks
Download our step-by-step checklist to secure your platform: An objective, consensus-driven security guideline for Apple macOS.

Initialisation check

On the initial boot - I like to check five things:

  1. Active user directory;
  2. Network connections;
  3. Files (active) opened;
  4. Processes running; &
  5. Trace potential issues.

This process (and even some commands) will be the same across any *nix system.

We can use the man page to display online documentation for any of the utilities.

man dscl
dscl man page

Active user directory

We can use dscl (directory service command line utility) to list all accounts:

dscl . list /Users
Example output from dscl command on Mac OS X.

If you're unsure about something (e.g., nobody user account) then check it out:

Checking on the nobody user account from an authoritative source (apple.com).

We can use the w and last utilities to analyse both current and past user behaviour:

w
last
The output for w and last utility on Mac OS X.

Once we have confirmed there are no signs of malicious activity - we can move on.

Processes running

We use ps (process status utility) to analyse all running processes on the system:

ps -axo user,pid,ppid,start,time,command
Example output for ps on Mac OS X.

You can also see the memory and CPU (central processing unit) utilisation using:

ps -axo user,pid,ppid,%cpu,%mem,start,time,command
Output from ps showing memory and CPU usage.

Alternatively, use the top utility to see real-time system memory and CPU usage:

top
The top command line utility

Let's say something catches your eye - like the process below (spidey senses tingle).

Spidey senses have been triggered!

Well let's check it out,... let's check if it's signed and where it launched from,...

sudo launchctl procinfo 346
Spidey senses need some tuning, but now we learnt something new.

We can use ktrace (debugging) to analyse all system calls made by an application.

Network connections

Next, check network services exposed and any potentially malicious connections.

netstat -an | more
Using netstat to analyse network connections to your Mac OS X.

Again, if you see something you're not sure of - just confirm it with a quick check.

host 8.8.8.8
whois 8.8.8.8
Checking an IP address with host and whois command line utilities.

Open files

To map or trace services and processes, use lsof, which lists the open file handles.

lsof
The output for lsof taken from OS X.

Again, if you're unsure what something is - check it (from an authoritative source).

Verify anything out of the ordinary or that you do not understand.

You can also use the -i option to select internet files or sockets.

lsof -i
The lsof utility with -i option.

You can go a step further and filter by protocol, IP address and even port number.

lsof -i :443
The lsof utility showing only port 443 activity.
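The user, process and network checks above are quicker to repeat every boot when the command output is compared against a listing saved on a known-good day and anything new is printed for you. Below is an added example of that approach (my own code, not the post's tooling): every parser takes the text of dscl, ps or lsof -i -P -n output, the live commands are only invoked on macOS, and flagged processes are passed to codesign to answer the "is it signed?" question from the procinfo step. The baseline file name, the temp-path and port allowlist heuristics and the sample outputs are constructed assumptions.

```python
"""Triage helpers for the initialisation check: accounts missing from a
baseline, processes executing from temp or user-writable paths, and sockets
worth a second look.  Parsers take command output as text so they work on
live output (main) or on a listing saved on a known-good day.  Added example,
not the blog post's tooling; heuristics and sample outputs are constructed."""
import re
import subprocess
import sys

# Prefixes a legitimate long-running process rarely executes from (assumption).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

# One line of `ps -axo user,pid,ppid,start,time,command`.  START may contain a
# space on some systems, so the TIME column (always m:ss) is the anchor.
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(.+?)\s+(\S*\d:\d\d\S*)\s+(.*)$")

# Constructed sample outputs, shaped like the real commands' output.
SAMPLE_USERS_BASE = "_www\nalice\nnobody\nroot\n"
SAMPLE_USERS_NOW = "_www\nalice\nnobody\nroot\nsupport\n"
SAMPLE_PS = """USER   PID PPID STARTED    TIME COMMAND
root     1    0  9:41AM 0:03.21 /sbin/launchd
alice  512    1 10:02AM 0:00.41 /Applications/Safari.app/Contents/MacOS/Safari
alice 4412    1 10:02AM 0:00.09 /var/folders/zz/T/.agent --loop
"""
SAMPLE_LSOF = """COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd   1 root  8u IPv6 0xa1 0t0 TCP *:22 (LISTEN)
.agent 4412 alice 3u IPv4 0xa2 0t0 TCP 192.0.2.10:52344->198.51.100.7:443 (ESTABLISHED)
.agent 4412 alice 4u IPv4 0xa3 0t0 TCP 127.0.0.1:5555 (LISTEN)
mDNSResponder 215 _mdnsresponder 10u IPv4 0xa4 0t0 UDP *:5353
"""

def new_accounts(current, baseline):
    """Accounts in the current `dscl . list /Users` output missing from the baseline."""
    cur = {l.strip() for l in current.splitlines() if l.strip()}
    base = {l.strip() for l in baseline.splitlines() if l.strip()}
    return sorted(cur - base)

def suspicious_processes(ps_output):
    """(pid, command) for processes whose executable is under SUSPICIOUS_PREFIXES."""
    hits = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)            # header never matches: PID is not numeric
        if not m:
            continue
        pid, command = int(m.group(2)), m.group(6)
        words = command.split()
        if words and words[0].startswith(SUSPICIOUS_PREFIXES):
            hits.append((pid, command))
    return hits

def listening_sockets(lsof_output, allowed_ports=frozenset()):
    """(command, pid, port) for TCP listeners in `lsof -i -P -n` output not on the allowlist."""
    found = []
    for line in lsof_output.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[-1] != "(LISTEN)":
            continue
        port = int(parts[-2].rsplit(":", 1)[1])     # NAME is e.g. *:22 or [::1]:8080
        if port not in allowed_ports:
            found.append((parts[0], int(parts[1]), port))
    return found

def remote_peers(lsof_output):
    """Distinct remote addresses of ESTABLISHED connections, ready for host/whois."""
    peers = set()
    for line in lsof_output.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[-1] != "(ESTABLISHED)":
            continue
        remote = parts[-2].split("->")[1]           # NAME is local->remote
        peers.add(remote.rsplit(":", 1)[0])
    return sorted(peers)

def demo():
    """Run every parser over the constructed samples; works on any OS."""
    return {
        "new_accounts": new_accounts(SAMPLE_USERS_NOW, SAMPLE_USERS_BASE),
        "suspicious_processes": suspicious_processes(SAMPLE_PS),
        "unexpected_listeners": listening_sockets(SAMPLE_LSOF, allowed_ports={22}),
        "remote_peers": remote_peers(SAMPLE_LSOF),
    }

def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def main(baseline_users="users.baseline"):
    """Live checks: only meaningful on the Mac itself (dscl, lsof, codesign)."""
    try:
        baseline = open(baseline_users).read()
    except OSError:
        baseline = ""                               # first run: everything is new
    print("accounts not in baseline:", new_accounts(run(["dscl", ".", "list", "/Users"]), baseline))
    for pid, command in suspicious_processes(run(["ps", "-axo", "user,pid,ppid,start,time,command"])):
        # codesign exits non-zero when the binary carries no valid signature
        ok = subprocess.run(["codesign", "--verify", command.split()[0]], capture_output=True).returncode == 0
        print(f"pid {pid} runs from a temp path, valid signature={ok}: {command}")
    lsof = run(["lsof", "-i", "-P", "-n"])          # run with sudo to see every process
    print("listeners off the allowlist:", listening_sockets(lsof, allowed_ports={22}))
    print("remote peers to check with host/whois:", remote_peers(lsof))

if __name__ == "__main__":
    main() if sys.platform == "darwin" else print(demo())
```

Save `dscl . list /Users` to the baseline file right after a clean rebuild; from then on only accounts added since that day are printed. The same idea extends to the ps and lsof listings, which is how the "spidey senses" step becomes a diff rather than a memory test.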

Checking for persistence

Persistence is simply how malware ensures it remains active on an operating system.

There is a great resource from the book "The Art of Mac Malware" by Patrick Wardle.

Patrick Wardle's "The Art of Mac Malware" book (cover).

This is Chapter 2 from the book, hosted on Patrick's website, covering persistence:

https://taomm.org/vol1/pdfs/CH%202%20Persistence.pdf

You can then download KnockKnock to help you run these persistence checks.
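The persistence mechanism most worth checking by hand on macOS is launchd: a plist in a LaunchAgents or LaunchDaemons directory names a program, and RunAtLoad/KeepAlive decide whether it starts at login and is restarted when killed. The following is an added example (my own code, not the post's, the book's or KnockKnock's) that walks those directories with the standard plistlib module, reports what each item executes, and flags items whose program lives in a user-writable location or no longer exists on disk. The directory list, the location heuristic and the sample plist are constructed assumptions.

```python
"""Enumerate launchd persistence items (LaunchAgents and LaunchDaemons) and
report what each one executes, flagging the ones a reviewer should open
first.  Added example, not the blog post's, the book's or KnockKnock's code;
directory list, location heuristic and the sample plist are constructed."""
import os
import plistlib

LAUNCH_DIRS = [
    "/Library/LaunchAgents", "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]
# Locations a legitimate launch item rarely executes from (assumption).
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

# Constructed sample with the shape of a real launchd plist, pointing at a
# hidden binary under the world-writable /Users/Shared directory.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.cache/updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

def describe_plist(plist_bytes, path="<memory>"):
    """Summarise one launchd plist: label, the program it runs, whether it starts
    at login/boot (RunAtLoad) and is restarted when killed (KeepAlive)."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    reasons = []
    if not isinstance(program, str):
        reasons.append("no Program/ProgramArguments")
    else:
        if program.startswith(WRITABLE_PREFIXES):
            reasons.append("executes from user-writable location")
        if not os.path.exists(program):
            reasons.append("program not found on disk")
    return {
        "path": path,
        "label": data.get("Label"),
        "program": program if isinstance(program, str) else None,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),   # may be a dict in real plists
        "flagged": bool(reasons),
        "reasons": reasons,
    }

def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """describe_plist() for every .plist in dirs.  Unreadable files are flagged
    rather than skipped: a deliberately malformed plist is itself a finding."""
    items = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    items.append(describe_plist(fh.read(), path))
            except Exception as exc:        # OSError, ExpatError, InvalidFileException
                items.append({"path": path, "label": None, "program": None,
                              "run_at_load": False, "keep_alive": False,
                              "flagged": True, "reasons": [f"unreadable: {exc}"]})
    return items

if __name__ == "__main__":
    # Fall back to the constructed sample when no launch directories exist (non-macOS).
    items = scan_launch_dirs() or [describe_plist(SAMPLE_PLIST)]
    for it in sorted(items, key=lambda i: not i["flagged"]):
        mark = "!!" if it["flagged"] else "  "
        print(f"{mark} {it['label']}: {it['program']} (RunAtLoad={it['run_at_load']}, "
              f"KeepAlive={it['keep_alive']}) {'; '.join(it['reasons'])}")
```

Run it with sudo if you want /Library/LaunchDaemons read in full, and extend LAUNCH_DIRS with /System/Library paths only if you are prepared for a long, mostly benign list. A flagged item is a prompt to read the plist and check the program's signature, not a verdict; a missing program often just means an uninstaller left its plist behind.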


Conclusion

This is the quickest and easiest way that I have to check for any malicious indicators.

I often run tools like Snort, OSquery and Zeek alongside my (commercial) endpoint protection suite. I highly recommend it as a learning exercise, since it never fails to produce interesting results.