Focus on Apple
Security and Leopard (Mac OS X 10.5) Oct 25 2006 08:01PM Todd Woodward (todd_woodward symantec com) (1 reply)
Re: Security and Leopard (Mac OS X 10.5) Oct 26 2006 04:14PM Philippe Devallois (phdevallois intego com) (2 replies)
Re: Security and Leopard (Mac OS X 10.5) Oct 27 2006 12:53PM Simon Slavin (s slavin lancaster ac uk) (1 reply)
>
> On 26 Oct 2006, at 5:14pm, Philippe Devallois wrote:
>
> > As far as I know those binaries are AES encrypted and the key is
> > only known by Apple developers ;-)
>
> It's possible to decrypt them: the operating system needs to do that
> to run them, after all. It would be hard to encrypt something else
> the same way.
>
> > I thought about a hypothetical malware disguising itself in that
> > type of encrypted mach-o segment.
> > Not really easy to detect, without Apple assist.
>
> But extremely hard to actually do, since you'd need to know Apple's
> encryption key to do it. And pointless for your purposes since
> encrypted software doesn't gain special powers just because it's
> encrypted.
I wonder about that - as you pointed out, the OS needs to be able to
decrypt the binaries, so it needs to get the AES key.
Since the point is to make sure this is Apple hardware, the key is
probably loaded from some obfuscated location in firmware. Once that
location is discovered, that AES key will doubtless be rapidly
disseminated in the underground. And I suspect it won't take long for
the key to be discovered - it's in every single Intel Mac after all.
And, I suspect using encrypted binaries might in fact gain you
something - as long as the AES key is only distributed underground,
legitimate researchers mostly won't have access to it. So, any
AES-encrypted binaries would be much more difficult for the good guys
to reverse-engineer, to figure out what the bad guys are up to.
Only researchers who are able to cajole the keys out of Apple would be
able to reverse engineer the malware. I don't even want to speculate
about the spectacular ugliness Apple's lawyers could concoct for such
an NDA...
Knowing that key would also make it much easier to implement antivirus
evasion - your polymorphism method only has to change one bit near the
start of the encrypted segment, if the encryption uses something like
CBC or CFB (or one bit per encrypted block (128 bits for AES) if CTR
mode is used). At that point, every copy of the malware would be
completely unrecognizable from every other.
So far we've been lucky on Macs to escape serious malware incidents.
But I think that, when (not if) we stop slipping under the radar this
way, Apple may find that it has extended a big helping hand to the
opponents...
Regards
Mark
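The ciphertext-propagation behaviour that Mark's polymorphism remark rests on can be measured directly. The following Go program is an added example, not code from the original thread or from Apple: it encrypts a constructed 64-byte buffer (four AES blocks) with AES-128 in CBC, CFB and CTR modes from Go's standard library, flips a single plaintext bit, and counts how many ciphertext blocks and bits change. The key, IV and plaintext are made up for the example and have nothing to do with Apple's actual key material.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/bits"
)

// Constructed sample key and IV (assumed values for the example only;
// not real Apple key material).
var (
	sampleKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
	sampleIV  = []byte("fedcba9876543210") // 16 bytes = one AES block
)

// samplePlaintext builds a constructed 64-byte buffer: exactly four
// AES blocks, so CBC needs no padding.
func samplePlaintext() []byte {
	pt := make([]byte, 4*aes.BlockSize)
	for i := range pt {
		pt[i] = byte(i)
	}
	return pt
}

// encryptCBC encrypts pt (a multiple of 16 bytes) with AES-CBC.
func encryptCBC(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// encryptCFB encrypts pt with AES in full-block CFB mode.
func encryptCFB(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, pt)
	return ct
}

// encryptCTR encrypts pt with AES-CTR; the IV doubles as the initial counter.
func encryptCTR(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct
}

// flipBit returns a copy of data with bit number `bit` inverted
// (bit 0 is the least significant bit of the first byte).
func flipBit(data []byte, bit int) []byte {
	out := append([]byte(nil), data...)
	out[bit/8] ^= 1 << uint(bit%8)
	return out
}

// diffBlocks counts the 16-byte blocks at which a and b differ.
func diffBlocks(a, b []byte) int {
	n := 0
	for i := 0; i < len(a); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			n++
		}
	}
	return n
}

// diffBits counts the individual bits at which a and b differ.
func diffBits(a, b []byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// Spread records how far one flipped plaintext bit spreads into the ciphertext.
type Spread struct {
	Blocks int // ciphertext blocks that changed
	Bits   int // ciphertext bits that changed
}

// measureSpread encrypts the sample plaintext twice, once unchanged and
// once with one bit flipped, and compares the two ciphertexts.
func measureSpread(encrypt func(key, iv, pt []byte) []byte, bit int) Spread {
	pt := samplePlaintext()
	c1 := encrypt(sampleKey, sampleIV, pt)
	c2 := encrypt(sampleKey, sampleIV, flipBit(pt, bit))
	return Spread{Blocks: diffBlocks(c1, c2), Bits: diffBits(c1, c2)}
}

func CBCSpread(bit int) Spread { return measureSpread(encryptCBC, bit) }
func CFBSpread(bit int) Spread { return measureSpread(encryptCFB, bit) }
func CTRSpread(bit int) Spread { return measureSpread(encryptCTR, bit) }

func main() {
	fmt.Printf("CBC, bit 0 flipped:   %+v\n", CBCSpread(0))
	fmt.Printf("CBC, bit 256 flipped: %+v\n", CBCSpread(256)) // first bit of block 2
	fmt.Printf("CFB, bit 0 flipped:   %+v\n", CFBSpread(0))
	fmt.Printf("CTR, bit 0 flipped:   %+v\n", CTRSpread(0))
}
```

Under CBC and CFB a bit flipped in block 0 re-randomizes every block from that point on, so all four ciphertext blocks change; the same flip in block 2 leaves blocks 0 and 1 untouched, which is why the position "near the start" matters. Under CTR exactly one ciphertext bit moves, since the keystream does not depend on the plaintext, so a per-block change is needed to touch every block.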