• The Art of Mac Malware
    Books about Mac Malware, by P. Wardle
Volume II: Detection

Detecting malware is as vital as analyzing it. This volume explores programmatic approaches to detecting malicious code via behavioral heuristics, equipping you to develop tools and techniques to neutralize macOS threats.



Front Matter

  • The front matter of the book includes a table of contents, acknowledgements, introduction and a forward (by the noted researcher/author Maria Markstedter).

    Read Chapter »




Part I: Data Collection

  • Malware detection begins with data collection. All malicious code performs actions on an infected system that deviate from the norm. Therefore, by collecting sufficient data, you can uncover any infection.

    In the first part of this book, we'll examine running processes, parse binaries, extract and examine code signing information, and much more!

    Read Chapter »


Chapter 1: Examining Processes

  • The overwhelming majority of Mac malware executes as stand-alone processes continuously running on infected systems. As a result, if you generate a list of running processes, it's more than likely to include any malware present on the system. Thus, when you're trying to programmatically detect macOS malware, you should start by examining processes.

    In this chapter, we'll first discuss various methods of enumerating running processes. Then we'll programmatically extract various information and metadata about each running process to uncover anomalies commonly associated with malware.

    Read Chapter »


Chapter 2: Parsing Binaries

  • In the previous chapter, we enumerated running processes and extracted information that could help us heuristically detect malware. However, we didn't cover how to examine the actual binary that backed each process.

    This chapter describes how to programmatically parse and analyze universal and Mach-O, the native executable binary file format of macOS.

    Read Chapter »


Chapter 3: Code Signing

  • In this chapter, we'll write code that can extract code signing information from distribution file formats that malware often abuses, such as disk images and packages. Then we'll turn our attention to the code signing information of on-disk Mach-O binaries and running processes.

    For each, I'll show you how to programmatically validate the code signing information and detect any revocations.

    Read Chapter »




Chapter 4: Network State and Statistics

  • Most Mac malware specimens make extensive use of the network for tasks such as exfiltrating data, downloading additional payloads, or communicating with command-and-control servers. If you can observe these unauthorized network events, you can turn them into a powerful detection heuristic.

    In this chapter, I'll show you exactly how to create a snapshot of network activity, such as established connections and listening sockets, and tie each event to the process responsible for it.

    Read Chapter »




Chapter 5: Persistence

  • Arguably one of the best ways to detect malicious threats on macOS is to focus on persistence. Here, persistence refers to the means by which software, including malware, installs itself on a system to ensure it will automatically re-execute upon startup, user login, or some other deterministic event. Otherwise, it might never run again if the user logs out or the system reboots.

    In this chapter, we focus on enumerating persistent items, that will include persistently installed malware!

    Read Chapter »




Part II: System Monitoring

  • So far, I've covered programmatic methods of collecting data to generate snapshots of the system's state, then analyzed these snapshots to uncover symptoms of malicious activity. This approach limits the analysis to single points in time, however.

    In Part II, I'll explain how to monitor the system log, as well as network, filesystem, and process events, in real time.

    Read Chapter »


Chapter 6: Log Monitoring

  • If you've spent time poking around macOS, you may have encountered the system's unified logging mechanism, a resource that can help you understand macOS internals and, as you'll soon see, uncover malware.

    In this chapter, I'll start by highlighting the various kinds of information that can be extracted from these logs to detect malicious activity. We'll then reverse engineer the macOS log utility and one of its core private frameworks so we can programmatically ingest real-time information directly and efficiently from the logging subsystem.

    Read Chapter »


Chapter 7: Dynamic Analysis Tools

  • In this chapter, I'll describe various approaches for monitoring network activity on macOS systems. I'll start simple, by showing you how to regularly schedule network snapshots to obtain a near-continuous view of a host's network activity.

    Next, you'll dive deep into Apple's NetworkExtension framework and APIs, which provide a means of customizing the operating system's core networking features and building comprehensive network monitoring tools.

    Read Chapter »


Chapter 8: Endpoint Security

  • Introduced in macOS 10.15 (Catalina), Endpoint Security is the first Apple framework designed specifically to help third-party developers build advanced user-mode security tools, such as those focused on detecting malware.

    In this chapter, I'll provide an overview of the framework and discuss how to use its APIs to perform actions such as monitoring file and process events.

    Read Chapter »


Chapter 9: Muting and Authorization Events

  • In the previous chapter, I introduced Apple's Endpoint Security and its notification events.

    In this chapter, I move into more advanced topics, such as muting, mute inversion, and authorization events.

    Read Chapter »




Part III: Tool Development

  • It's time to pull everything together.

    In Part III, I'll cover the design and internals of Objective-See tools that provide powerful heuristic-based malware detection capabilities, based on the approaches we've discussed in part I & II of this book.

    Read Chapter »


Chapter 10: Persistence Enumerator

  • KnockKnock is simple, albeit powerful tool that tells you who is there!

    In this chapter, I'll walk through KnockKnock’s design and implementation to give you an in-depth look at the tool and expand your understanding of the persistence methods that Mac malware often does (or could) abuse.

    Read Chapter »


Chapter 11: Persistence Monitor

  • While KnockKnock, covered in the previous chapter, provides a powerful detection capability, it doesn't protect the system in real time.

    To complement it, I created BlockBlock, which monitors the most important persistence locations enumerated by KnockKnock, alerts the user whenever a new item appears, and gives them the ability to block the activity.

    Read Chapter »


Chapter 12: Mic and Webcam Monitor

  • OverSight, is a tool that monitors a Mac's built-in mic and webcam, as well as any external connected audio and video devices, and alerts the user about any unauthorized access.

    In this chapter, I'll explain how OverSight monitors these devices. I'll also demonstrate how this tool ingests system log messages filtered via custom predicates to identify the process responsible for the device access.

    Read Chapter »


Chapter 13: DNS Monitor

  • Malware often communicates with remote endpoints, whose address is resolved via DNS.

    In this chapter, I'll focus on the practicalities of building a deployable host-based network monitor capable of proxying and blocking DNS traffic from unrecognized processes or destined for untrusted domains.

    Read Chapter »


Chapter 14: Case Studies

  • In this final chapter, I showcase a handful of case studies, ranging from good apps misbehaving to sophisticated nation-state attacks.

    In each case, I'll demonstrate exactly how the heuristic-based detection approaches discussed throughout this book succeed at uncovering the threat, even without prior knowledge of it.

    Read Chapter »




End Matter

  • The book's end matters contains its index, and more.

    Read Chapter »




  • An Objective-See Foundation initiative
  • 