The Art of Mac Malware
The Guide to Analyzing Malicious Software
by Patrick Wardle
THE ART OF MAC MALWARE. Copyright 2022 by Patrick Wardle.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
First printing
26 25 24 23 22 1 2 3 4 5 6 7 8 9
ISBN-13: 978-1-7185-0194-2 (print)
ISBN-13: 978-1-7185-0195-9 (ebook)
Publisher: William Pollock
Production Manager: Rachel Monaghan
Production Editors: Katrina Taylor and Hilary Mansfield
Developmental Editor: Frances Saux
Cover Illustrator: Garry Booth
Interior Design: Octopod Studios
Technical Reviewer: Tom McGuire
Copyeditor: Andy Carroll
Compositor: Jeff Lytle, Happenstance Type-O-Rama
Proofreader: James Fraleigh
Indexer: BIM Creatives, LLC
For information on distribution, bulk sales, corporate sales, or translations, please contact No Starch Press, Inc. directly at info@nostarch.com or:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: Wardle, Patrick, author.
Title: The art of Mac malware : the guide to analyzing malicious software /
Patrick Wardle.
Description: San Francisco : No Starch Press, [2022] | Includes
bibliographical references and index. |
Identifiers: LCCN 2021047239 (print) | LCCN 2021047240 (ebook) | ISBN
9781718501942 (paperback) | ISBN 9781718501959 (epub)
Subjects: LCSH: Macintosh (Computer)--Security measures. | Malware
(Computer software)--Prevention. | Software failures.
Classification: LCC QA76.774.M33 W37 2022 (print) | LCC QA76.774.M33
(ebook) | DDC 005.4/46--dc23/eng/20211105
LC record available at https://lccn.loc.gov/2021047239
LC ebook record available at https://lccn.loc.gov/2021047240
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
This book is dedicated to my parents, Stephen and Norma, who patiently and lovingly provided me both the lessons and tools to thrive.
... and to Andy #UnaMas
About the Author
Patrick Wardle is the founder of Objective-See, a nonprofit that creates open source macOS security tools and trainings, and organizes the Objective by the Sea conference. Having worked at NASA and the NSA and presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to Mac security and spends his time finding Apple zero-days, analyzing Mac malware, and writing free open source security tools to protect Mac users around the world.
About the Technical Reviewer
Tom McGuire has been working in the security industry since the late 90s. He is the CTO of a cybersecurity firm and a lecturer at Johns Hopkins University, where he teaches reverse engineering, operating system security, cryptology, and cyber risk management. He loves his family, all things security, biotech, and the Red Sox.
Foreword
Apple's macOS, Darwin, has evolved considerably in the past two decades. From a relatively niche operating system trailing way behind Microsoft's Windows, macOS has slowly but surely gained acceptance. People all over the world started realizing its powerful capabilities, coupled with the Mac's superior hardware and integration into the Apple ecosystem, spearheaded by the iPhone.
But with widespread adoption came widespread threats. Gone were the days of the Mac versus PC ads, showing the PC as a sniffling, virus-infected system, while the Mac chuckles them away. Viruses, spyware, ransomware, and other malware have dramatically exploded, and by now it seems that every week some new variant emerges. Malware authors found the Mac to be a ripe breeding ground for exploitation and proliferation.
In the face of this new normal, action was needed. Although Apple integrated its own frameworks (XProtect and, more recently, Endpoint Security) and YARA antivirus signatures, there was still a gaping void when it came to intrusion detection and Mac malware detection and prevention tools.
Into this chasm stepped Patrick. That macOS Malware guy started churning out a cornucopia of free and effective security and analytics tools, through the Objective-See website. By now, Pat's GitHub repository sports some two dozen tools, which have managed to level the playing field a little, giving power users the ability to monitor what goes on inside their Mac, detecting (and hopefully preventing) compromises.
The tools are open source, yet it's doubtful how many people pore over sources. This is where this book fills another lacuna: explicating the ins and outs of Malware in a much-needed book. From the basics through infection vectors to the various analysis methods and techniques, Patrick elucidates Mac malware, drawing on the (unfortunately) many real-life examples.
In a perfect world, viruses, both biological and computerized, would be easy to vanquish. Not so in ours. Thus, research into how they work, and how to prevent them, whether proactively and reactively, or a combination of techniques, is paramount.
Jonathan Levin,
Author of the macOS/iOS (*OS) Internals trilogy
Acknowledgments
A computer is made up of countless components, crafted by many discrete craftsmen. I'm pretty sure I'm not a computer, yet I too feel composed of unique individuals and communities. Even though there is a single name on the cover of this book, you would not be holding it in your hands today without them.
First and foremost, I want to acknowledge my parents, who expertly navigated the complexities of raising a child, deftly sublimating my rebellious tendencies into a creative and independent love of learning that has benefited me ever since.
Similarly, I am forever grateful to my older brother Keelian, who always equally challenged and inspired me. Nothing like a never-ending sibling rivalry to bring out the best in us... right?
I also want to thank my many coworkers and colleagues at the NSA and in the larger infosec community, whose guidance and support have been invaluable over the years. Though there are far too many to name in this short section, a few, namely my close friends and colleagues Kasey, Tom, Josh, and Jon, have had a profoundly positive influence on both my personal life and career. Others, such as the brilliant Jonathan Levin and Arnaud Abbati, have always selflessly provided indispensable technical insights and mentorship, giving me both the confidence and expertise to write this book. I am lucky to count both as close friends.