Help protect yourself from signed malware in OS X

Rusli Posts: 1,019 Influencer



With the discovery of malware signed with a valid Apple ID, here are some steps you can take to help prevent the remote chance of any such programs infecting your computer.

Topher Kessler
 May 23, 2013 8:55 AM PDT

There is no question that regardless of the computing platform you use, malware happens. To help prevent these and other unwanted programs from running, Apple includes a data execution prevention routine called GateKeeper, which offers three layers of protection. The first allows everything to run, the second allows only applications signed with a valid Apple Developer ID to run, and the third allows only programs distributed through the Mac App Store to run.

Apple provides the Developer ID option with the assumption that most who use its Developer program create legitimate and trustworthy code, since their works will be easily tracked through the required signature in their programs. Recently, though, this was shown not to be the case.

GateKeeper settings in OS X

Setting GateKeeper to its maximum level will ensure that any untested program will require extra steps before it can execute.

(Credit: Screenshot by Topher Kessler/CNET)

Last week, a new malware program called OSX/KitM.A ("KitM" apparently standing for "Kumar in the Mac"), which attempts to take screenshots and upload them to remote servers, was found. It was able to get past Apple's GateKeeper settings since it was developed under and signed with a valid Apple Developer ID under the name of Rajinder Kumar. According to F-Secure, the developer ID for this individual has since been revoked, but before this news hit, the malware created with his ID was able to infect and run on a few systems, including test systems controlled by a number of security firms.

While Apple's revocation of the ID means that the malware will no longer run without warning (provided you have GateKeeper enabled), this latest development does show that there is the potential for malware to come even from somewhat trusted sources, and when found there might be several days' delay before something can be done about it.

Overall even though it's unlikely that many people will be affected by such nefarious programs, to help protect yourself, there is one step you can take: set GateKeeper's settings even higher to only allow programs from the Mac App Store to run without warning. The programs Apple allows in the App Store are tested by its App Store team before they are permitted to be sold, which means it is highly improbable that any active malware will make it through.

GateKeeper warning in OS X

GateKeeper should issue this warning for any program not currently allowed by its database.

(Credit: Screenshot by Topher Kessler/CNET)

So far, the only malware-based problems in Apple's App Stores have been one occasion in which Windows-based malware (that which will not run in OS X) was found buried in a benign way within one iOS application, and a more recent occasion where there were remnants of malware activity that had affected an embedded MP3 in another program. However, both of these situations were by no means active malware cases, and only showed traces of prior malware activity on systems the developers had used for assembling their programs.

With GateKeeper set to only allow programs from the Mac App Store, if you run a newly downloaded program directly, you will get a warning that claims it cannot be opened because it was not downloaded from the Mac App Store. However, this does not mean you cannot run it. All you have to do is right-click the program (or hold the Control key and click) to bring up the contextual menu, and then choose Open from there. When you do so the warning will now give you an option to open the program, after which it will be added to a permitted GateKeeper group so it will run without interference in the future.

While it's a touch more inconvenient, increasing GateKeeper's security will notify you of any application that attempts to run, be it signed or unsigned, and will allow you to establish a specific set of programs that are permitted to run on your system. Additionally, the added inconvenience will only apply to the first time you run the program or any updates to the program. Once accepted as a legitimate program, you will be able to run it at your leisure.

GateKeeper is intended to be managed behind the scenes, but if you want more control over it, you can adjust its settings and either add or remove allowed programs using the command line.
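Before falling back on right-click > Open, it helps to see what Gatekeeper decided about a download and why. The script below is an added example, not code from the CNET article or the forum post; it uses only spctl, codesign and xattr, which ship with OS X 10.8 and later, and it assumes the output shape of `spctl --assess --verbose` described in its header comment (first line ends in "accepted" or "rejected", second line is "source=<rule>"). The only rejection reason it matches by name is "no usable signature"; everything else is reported as a signed-but-untrusted case for you to inspect with codesign. The quarantine check matters because Gatekeeper only evaluates files that carry the com.apple.quarantine attribute; a program that arrived by scp or curl is never checked at all.

```shell
#!/bin/sh
# Added example, not part of the CNET article: ask Gatekeeper for its verdict on
# a downloaded program before you open it, and show why it decided that way.
# Needs spctl, codesign and xattr (OS X 10.8 and later).
#
# Assumption: `spctl --assess --verbose` prints "<path>: accepted" or
# "<path>: rejected" on its first line and "source=<origin>" on the next.

# gk_verdict TEXT : print accepted / rejected / unknown from spctl's verbose output
gk_verdict() {
    case "$(printf '%s\n' "$1" | head -n 1)" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# gk_source TEXT : print the rule that produced the verdict (e.g. "Developer ID")
gk_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# gk_explain VERDICT SOURCE : one line for a human; exit 0 only when allowed
gk_explain() {
    case "$1" in
        accepted)
            echo "allowed by rule '$2' (no Gatekeeper prompt)"; return 0 ;;
        rejected)
            case "$2" in
                *"no usable signature"*)
                    echo "blocked: unsigned or broken signature" ;;
                *)
                    echo "blocked: signed but not trusted (revoked, expired, or the rule is disabled); check codesign" ;;
            esac
            return 1 ;;
        *)
            echo "could not parse spctl output"; return 2 ;;
    esac
}

# is_quarantined PATH : true when the download carries com.apple.quarantine.
# Gatekeeper only evaluates quarantined files, so a file copied in with scp or
# curl is never checked on open; the verdict below is then only informational.
is_quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# assess_app PATH : run the checks and print a report (macOS only)
assess_app() {
    out=$(spctl --assess --type execute --verbose "$1" 2>&1)
    verdict=$(gk_verdict "$out")
    src=$(gk_source "$out")
    if is_quarantined "$1"; then
        echo "quarantine: yes (Gatekeeper will evaluate this on first open)"
    else
        echo "quarantine: no (Gatekeeper will NOT evaluate this; assess it yourself)"
    fi
    echo "verdict:    $verdict"
    echo "source:     ${src:-n/a}"
    # The signing chain, so the Developer ID name can be compared with the
    # developer you expected; a revoked or expired leaf also fails --verify.
    codesign -dvv "$1" 2>&1 | sed -n 's/^Authority=/chain:      /p'
    codesign --verify --verbose=2 "$1" 2>&1 | tail -n 1
    gk_explain "$verdict" "$src"
}

# Usage: sh gk-assess.sh /path/to/Downloaded.app   (does nothing off macOS)
if [ $# -gt 0 ] && command -v spctl >/dev/null 2>&1; then
    assess_app "$1"
fi
```

Run it against a freshly downloaded .app; an "accepted / Developer ID" verdict together with an Authority line naming a developer you do not recognise is exactly the KitM situation the article describes, and the right-click > Open override should stay unused until you have looked into it.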


    Rusli Posts: 1,019 Influencer


    How to manage OS X Gatekeeper from the command line

    Apple provides three basic settings for Gatekeeper in OS X Mountain Lion, but you can manage this service in finer detail if needed.

    Topher Kessler
     January 11, 2013 10:35 AM PST

    Gatekeeper is a new security measure introduced in OS X Mountain Lion that allows the system to prevent the execution of code that does not meet certain criteria, such as possessing a valid digital signature from Apple's developer community. When setting up Gatekeeper in the Security system preferences, you can set it so that only approved applications from the Mac App Store are allowed to run, additionally allow programs from approved developers to run, or you can set no restrictions and allow everything to run.

    When the restrictions are set, you can still run unapproved programs by right-clicking them and choosing Open from the contextual menu followed by confirming that you would indeed like to execute this file. With this setup, the system ensures that the program cannot be executed on its own without explicit approval from you.

    Gatekeeper settings in OS X

    By default Apple provides these three options for setting up Gatekeeper in OS X (click for larger view).

    (Credit: Screenshot by Topher Kessler/CNET)

    These restrictions by Gatekeeper are implemented through a group-based rule paradigm. By default Gatekeeper will look for a Mac App Store signature in the program and then has a group rule called "Mac App Store" that allows programs with this feature to run. In addition, Gatekeeper has another built-in rule called "Developer ID" that will allow programs with valid developer IDs to run.

    This rule-based approach is how Gatekeeper works, so if you have decided to keep Gatekeeper enabled for security purposes, you can use some fairly simple Terminal commands using the "spctl" utility to manage Gatekeeper, not only to enable or disable it but also to create custom groups of programs and allow or deny them execution rights.

    Enabling and disabling Gatekeeper
    Gatekeeper status in the OS X Terminal

    This system has Gatekeeper enabled (click for larger view).

    (Credit: Screenshot by Topher Kessler/CNET)

    While the easiest way to enable or disable Gatekeeper is through the system preferences, you can also do so from the OS X Terminal with the following commands:

    spctl --master-enable
    spctl --master-disable

    In addition to enabling or disabling, you can check whether Gatekeeper is running using the status option with this command:

    spctl --status

    Determine if an application is allowed

    With Gatekeeper enabled, you can have the system check a specific application package to see whether it has privileges to run. To do so, simply type "spctl -a" in the Terminal followed by a single space, and then drag the application of choice to the Terminal window to complete the full path to the program package so it looks like the following:

    spctl -a /Path/To/

    The program can be an application bundle, a shell script, or any other executable file. When you execute this command on the targeted file, Gatekeeper will assess the file's eligibility to run and output the results to you.

    Adding a rule to allow an application
    Gatekeeper authentication dialog box

    When you add an application to a Gatekeeper rule, the system will require authentication and warn you with this dialog box (click for larger view).

    (Credit: Screenshot by Topher Kessler/CNET)

    If you find one of your installed applications is not allowed to run by Gatekeeper, then you can manually add a rule to allow it to run. This is a two-step process where you first need to create a rule to which you assign one or more applications, followed by enabling this group in Gatekeeper.

    1. Create a rule for the application
      In the following command, we are adding a program (specified by the program path) to the rule called "MyLabel." You can name the rule anything you wish, and as mentioned above you can complete the program's full path by dragging it to the Terminal window.

      spctl --add --label "MyLabel" /Path/To/program

      Think of the label as a group to which you are adding the application, so you can repeat the above command and specify a different program to assign it to the same rule label (or use a different label if you choose). Note that this step will require you to either run the command as administrator or provide your administrator password in the authentication dialog that pops up. Without this step, malicious programs could add their own rules to Gatekeeper and then run without restriction.
    2. Enable or disable the rule
      The next step is to enable the rule so the programs represented in it can run, which can be done by using the following commands:

      spctl --enable --label "MyLabel"
      spctl --disable --label "MyLabel"

    Listing and deleting rules
    Gatekeeper rule member applications list

    In this case the programs MacPyMOL and Calibre are member applications governed by the "MyLabel" rule (click for larger view).

    (Credit: Screenshot by Topher Kessler/CNET)

    With rules created for different applications, you can enable or disable them accordingly, but the "spctl" command also has options for managing them. To see a list of all the rules on the system, simply run the following command in the Terminal.

    spctl --list

    In the output for this list, you will see your custom labels among built-in rules like the "Developer ID" and "Mac App Store" labels. Optionally, you can list just the entries for a specific label by the following command:

    spctl --list --label "MyLabel"

    You can delete any unwanted Gatekeeper rules by issuing the command option to remove them:

    spctl --remove --label "MyLabel"

    The options covered here are basic approaches to managing application execution with Gatekeeper enabled, and can be used to set up groups of programs to enable or disable on a specific system. However, the spctl command has a number of additional options for prioritizing rules, and determining details such as whether or not a package can be installed, or if a program can install other files on the system.

    Managing rules in this manner will not interfere with Gatekeeper's functions, but unless you know exactly what you are doing, be sure to not remove or edit any of the built-in rules that Apple supplies with Gatekeeper. These include the aforementioned "Developer ID" and "Mac App Store" labels, so provided that you only create and modify custom rules in Gatekeeper, then you should be good to go.
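The add / enable / list / remove steps above are easy to get half-done (a label created but never enabled, or a built-in rule removed by a typo), so here is the whole procedure as a set of shell helpers. This is an added example, not code from the article or the post: it refuses to touch the "Apple System", "Mac App Store" and "Developer ID" rules the article says to leave alone, re-assesses every member after enabling the label instead of trusting the exit codes, and parses `spctl --list` so a script can ask whether a label exists and what priority it has. The parser assumes each rule's header line in `spctl --list` looks like `8[Developer ID] P10 allow [execute]` followed by an indented requirement line; the SAMPLE_LIST at the bottom is constructed in that shape for demonstration and is not captured output.

```shell
#!/bin/sh
# Added example, not part of the CNET article: the create-label / enable-label
# procedure wrapped in helpers that protect Apple's built-in rules, verify the
# result with --assess, and parse `spctl --list`. Runs on OS X 10.8 and later;
# the parsers also run anywhere against the constructed sample at the bottom.
#
# Assumption: each rule in `spctl --list` starts with a header line shaped like
#   8[Developer ID] P10 allow [execute]
# followed by an indented requirement line. Treat the parser as a convenience.

BUILTIN_LABELS='Apple System
Mac App Store
Developer ID'

# gk_is_builtin LABEL : true for the rules the article says to leave alone
gk_is_builtin() {
    printf '%s\n' "$BUILTIN_LABELS" | grep -qxF -- "$1"
}

# gk_rule_labels : read `spctl --list` on stdin, print one label per line
gk_rule_labels() {
    sed -n 's/^[0-9][0-9]*\[\([^]]*\)\].*/\1/p'
}

# gk_rule_exists LABEL : read `spctl --list` on stdin, true if LABEL is a rule
gk_rule_exists() {
    gk_rule_labels | grep -qxF -- "$1"
}

# gk_rule_field LABEL priority|action : read `spctl --list` on stdin and print
# the numeric priority or the allow/deny word from LABEL's header line
gk_rule_field() {
    awk -v want="$1" -v field="$2" '
        /^[0-9]+\[/ {
            lb = index($0, "["); rb = index($0, "]")
            label = substr($0, lb + 1, rb - lb - 1)
            if (label != want) next
            split(substr($0, rb + 1), f, " ")   # f[1]="P10", f[2]="allow"
            if (field == "priority") { sub(/^P/, "", f[1]); print f[1] }
            else if (field == "action") print f[2]
            exit
        }'
}

# gk_rule_add LABEL PATH... : steps 1 and 2 above, then prove each member runs
gk_rule_add() {
    label=$1; shift
    [ $# -gt 0 ] || { echo "usage: gk_rule_add LABEL PATH..." >&2; return 2; }
    if gk_is_builtin "$label"; then
        echo "refusing to modify built-in rule '$label'" >&2; return 1
    fi
    for p in "$@"; do
        [ -e "$p" ] || { echo "no such file: $p" >&2; return 1; }
        sudo spctl --add --label "$label" "$p" || return 1   # needs admin rights
    done
    sudo spctl --enable --label "$label" || return 1
    for p in "$@"; do
        if spctl --assess --type execute "$p" 2>/dev/null; then
            echo "accepted: $p"
        else
            echo "still rejected: $p (check priorities with spctl --list)" >&2
        fi
    done
}

# gk_rule_remove LABEL : delete a custom rule, never one of Apple's
gk_rule_remove() {
    if gk_is_builtin "$1"; then
        echo "refusing to remove built-in rule '$1'" >&2; return 1
    fi
    spctl --list 2>/dev/null | gk_rule_exists "$1" || { echo "no rule '$1'" >&2; return 1; }
    sudo spctl --remove --label "$1"
}

# Constructed sample of `spctl --list` in the assumed shape (not real output)
SAMPLE_LIST='6[Apple System] P20 allow [execute, install]
        anchor apple
7[Mac App Store] P10 allow [execute]
        anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists
8[Developer ID] P10 allow [execute]
        anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists
20[MyLabel] P0 allow [execute]
        path "/Applications/Calibre.app"'
```

Typical use on a Mac is `. gk-rules.sh` followed by `gk_rule_add MyLabel /Applications/Calibre.app /Applications/MacPyMOL.app`, then `spctl --list | gk_rule_field MyLabel priority` to see where the new rule sits relative to Apple's P10 and P20 rules; a custom rule that is outranked by a built-in one is the usual reason a member still shows as rejected.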
