Four months after its debut, sneaky Mac malware went undetected by AV providers.


Does Apple give AV providers malware definitions? New analysis indicates no.

A VirusTotal screenshot showing that only two AV providers detected the malware, four weeks after the malware was suppressed.

The macOS malware samples continued to go undetected by the majority of antivirus providers, a security researcher reported on Thursday.

Windshift is what researchers call an APT, short for “advanced persistent threat,” that monitors people in the Middle East. The group worked in the shadows for two years until August, when Taha Karim, a researcher at security firm DarkMatter, presented it at the Hack in the Box conference in Singapore. Slides, a short description and Forbes’ report are here, here and here.

Several things distinguish Windshift from other APTs, Karim reported in August. One is how seldom the group infects its targets with malware. It relies instead on links within phishing emails and text messages to track the locations, online habits and other features of the targets.

Another unusual feature: in extremely rare cases, Windshift uses Mac malware to steal documents or take screenshots of targets’ desktops, and it relies on a new technique to bypass macOS security defenses. (The above-linked Forbes article provides more information on how this technique, known as a custom URL scheme, allows attacker-controlled sites to automatically install their malware on target Macs.)
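As an added defensive illustration of the custom URL scheme technique mentioned above (not code from the article, Karim or Wardle): macOS apps declare the URL schemes they handle under the Info.plist keys CFBundleURLTypes and CFBundleURLSchemes, so an audit can list which bundles claim app-defined schemes. The sample paths, scheme names and the "outside trusted install locations" heuristic are assumptions made for this example.

```python
import plistlib

# Schemes usually owned by the OS or a browser; anything else is app-defined.
COMMON_SCHEMES = {"http", "https", "file", "ftp", "mailto"}
# Assumption for this example: apps outside these prefixes deserve a closer look.
TRUSTED_PREFIXES = ("/Applications/", "/System/")

def declared_url_schemes(info_plist_bytes):
    """Return the lowercase URL schemes an app's Info.plist registers."""
    info = plistlib.loads(info_plist_bytes)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.append(scheme.lower())
    return schemes

def audit(bundles):
    """bundles: iterable of (bundle_path, raw Info.plist bytes).
    Returns (path, schemes, reason) for each bundle worth reviewing."""
    findings = []
    for path, raw in bundles:
        try:
            schemes = declared_url_schemes(raw)
        except Exception:  # malformed or truncated plist
            findings.append((path, [], "unparseable Info.plist"))
            continue
        custom = [s for s in schemes if s not in COMMON_SCHEMES]
        if custom and not path.startswith(TRUSTED_PREFIXES):
            findings.append((path, custom, "custom URL scheme, untrusted path"))
    return findings

def make_plist(schemes):
    """Build a constructed Info.plist declaring the given schemes."""
    return plistlib.dumps({
        "CFBundleIdentifier": "com.example.sample",
        "CFBundleURLTypes": [{"CFBundleURLSchemes": schemes}],
    })

# Constructed sample bundles (paths and scheme names are made up).
SAMPLES = [
    ("/Users/alice/Downloads/Example Agenda.app", make_plist(["ExampleDoc"])),
    ("/Applications/Mail.app", make_plist(["mailto"])),
    ("/Applications/Chat.app", make_plist(["examplechat"])),
    ("/tmp/Broken.app", b"not a plist"),
]

if __name__ == "__main__":
    for path, schemes, reason in audit(SAMPLES):
        print(f"{path}: {reason} {schemes}")
```

On a real Mac the `bundles` input would come from reading each `*.app/Contents/Info.plist` under the directories being reviewed.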

On Thursday, Mac security expert Patrick Wardle published an analysis of Meeting Agenda.zip, a file that Karim had said installed the rare Mac malware. To Wardle’s surprise, VirusTotal’s results showed at the time that only two antivirus providers, Kaspersky and ZoneAlarm, detected the file as malicious. Wardle then used a VirusTotal feature that searches for related malicious files and found four more. Three of them were not detected by any AV provider, while only two providers detected one.

The findings were so surprising because Apple had already revoked the cryptographic certificate the developers used to digitally sign their malware. Apple knew about the malware.

Wardle wrote:

The fact that the signing certificate(s) of all the samples are revoked (CSSMERR_TP_CERT_REVOKED) means that Apple knows about this certificate… and thus surely this malware as well… yet the majority of the samples (3, of 4) are detected by zero anti-virus engines on VirusTotal.

Does this mean Apple isn’t sharing valuable malware/threat-intel with AV-community, preventing the creation of widespread AV signatures that can protect end-users?! 🤔
Narrator: yes

In fairness, the control servers the malware contacts are no longer available on the Internet. This means that infected computers are not at risk of being monitored. Also in fairness, the number of detections has slowly increased in the day since Wardle published his analysis. However, the lack of timely detection is troubling, as it suggests that Apple does not give definitions of known malware to AV providers.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.