
OS X/Linker: New Mac malware attempts zero-day Gatekeeper bypass - qndev
https://www.intego.com/mac-security-blog/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass/
======
karlding
HN discussion about the 0-day [0].

[0]
[https://news.ycombinator.com/item?id=20008313](https://news.ycombinator.com/item?id=20008313)

------
viraptor
> it seems reasonable to speculate that all four files may have been uploaded
> by the same person, who forgot to mask his or her IP address until after
> uploading the first sample.

Or turned it off after the first sample. Or switches proxies randomly. It's
good they brought up that the IP can be masked, but they could go one step
further...

------
taf2
so...

sudo vi /etc/auto_master

#/net -hosts -nobrowse,hidefromfinder,nosuid

~~~
obituary_latte
What does that do?

~~~
kekebo
From the article:

 _For home users, unfortunately there isn't a simple solution for preventing
this type of attack, until or unless Apple releases a macOS security update to
mitigate the vulnerability. Cavallarin describes a possible temporary
mitigation (opening /etc/auto_master in a text editor and adding # to the
beginning of the line that starts with /net)._

~~~
jonnycomputer
what are the implications of making this change to auto_master, beyond risk
mitigation (i.e. to everyday use)?

~~~
kekebo
Cavallarin explains it in a bit more detail on his blog[1]:

 _The first legit feature is automount (aka autofs) that allows a user to
automatically mount a network share just by accessing a "special" path, in
this case, any path beginning with "/net/". [..]_

[1] [https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypas...](https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass)

Presumably commenting out the line quoted by gp disables automount for network
shares which start with "/net" in their path.
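
The temporary mitigation discussed in this subthread (commenting out the `/net` entry in auto_master), as an added shell script that is not from the thread or the article; it takes the map file as an argument so it can be tried on a copy first, and assumes `automount -vc` is the reload command on macOS:

```shell
#!/bin/sh
# Added example (not from the thread or the article): comment out the
# "/net -hosts ..." line in an auto_master map so autofs no longer mounts
# remote shares under /net, which is the workaround quoted above.
set -eu

# Returns 0 when FILE still has an active (uncommented) /net automount entry.
net_automount_active() {
    grep -Eq '^[[:space:]]*/net[[:space:]]' "$1"
}

# Comments out every active /net entry in FILE, keeping a .bak copy beside it.
# Returns 0 if the file was changed, 1 if there was nothing to do.
disable_net_automount() {
    file="$1"
    net_automount_active "$file" || return 1
    cp "$file" "$file.bak"
    # Prefix only the matching line(s) with '#'; every other line is copied as-is.
    sed -E 's|^([[:space:]]*)(/net[[:space:]])|\1#\2|' "$file.bak" > "$file"
    # Post-condition: no active /net entry remains.
    ! net_automount_active "$file"
}

# Real run on a Mac (as root): edit /etc/auto_master, then make automount
# re-read the map. Assumption: `automount -vc` flushes and reloads on macOS.
if [ "${1:-}" = "--apply" ]; then
    if disable_net_automount /etc/auto_master; then
        automount -vc
        echo "/net automount disabled; backup in /etc/auto_master.bak"
    else
        echo "/net automount already disabled; nothing changed"
    fi
fi
```

Run it once with `--apply` to change the live map; running it again reports that nothing changed, and restoring the `.bak` copy reverses the mitigation.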

------
saagarjha
> However, because the .app inside the disk images is dynamically linked, it
> could change on the server side at any time—without the disk image needing
> to be modified at all.

Wait, what? This makes no sense: dynamic linking means that it would pull in
different libraries on the user’s machine…

~~~
bodi
It's dynamic in the context of a symlink, not meaning dynamic libraries.

~~~
saagarjha
Oh, that makes more sense. That sentence would be much improved by switching
those words around, because I’m too conditioned to apps being dynamically
linked in the library/framework :)

------
donarb
> The disk images are disguised as Adobe Flash Player installers, which is one
> of the most common ways malware creators trick Mac users into installing
> malware.

Most Mac users know that Flash is a piece of malware itself and would never be
fooled into installing it.

~~~
fortran77
What was the purpose of this statement?

~~~
donarb
It was a tongue in cheek statement about the fact that Mac users have long ago
sworn off using Flash on their systems. It's a bloated CPU-intensive piece of
crapware.

