
Help protect yourself from signed malware in OS X

With the discovery of malware signed with a valid Apple Developer ID, here are some steps you can take to reduce the already small chance of such a program running on your Mac.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

There is no question that regardless of the computing platform you use, malware happens. To help keep such programs from running, Apple includes a code-signing check called Gatekeeper in OS X. When you first launch an application that was downloaded from the Internet (and therefore carries the quarantine attribute set by your browser or mail client), Gatekeeper inspects its signature and applies one of three settings. "Anywhere" allows everything to run, "Mac App Store and identified developers" (the default) allows only applications signed with a valid Apple Developer ID or distributed through the Mac App Store, and "Mac App Store" allows only programs distributed through the Mac App Store.

Apple provides the Developer ID option on the assumption that most who use its Developer program create legitimate and trustworthy code, since the required signature ties each program back to an identifiable developer. Recently, though, a signed program showed that this assumption does not hold in every case.

Gatekeeper settings in OS X
Setting Gatekeeper to its maximum level ensures that any newly downloaded program not from the Mac App Store will require extra steps before it can run. Screenshot by Topher Kessler/CNET

Last week, a new malware program called OSX/KitM.A ("KitM" apparently standing for "Kumar in the Mac"), which attempts to take screenshots and upload them to remote servers, was found. It got past Gatekeeper's default setting because it was developed under and signed with a valid Apple Developer ID issued under the name of Rajinder Kumar. According to F-Secure, the Developer ID for this individual has since been revoked, but before this news hit, the malware created with his ID was able to infect and run on a few systems, including test systems controlled by a number of security firms.

While Apple's revocation of the certificate means that new copies of the malware will no longer run without warning (provided you have Gatekeeper enabled and the Mac can reach Apple to check the certificate's status), this latest development does show that malware can come even from somewhat trusted sources, and that once it is found there may be several days' delay before anything is done about it. Note also that Gatekeeper only checks a download at first launch; a copy that was already approved before the revocation keeps running.

Overall, even though it's unlikely that many people will be affected by such nefarious programs, there is one step you can take to help protect yourself: raise Gatekeeper's setting to "Mac App Store" so that only programs from the Mac App Store run without a warning. Programs sold in the App Store are reviewed by Apple's App Store team before they are permitted to be sold, which makes it much less likely (though not impossible) that active malware will make it through.

Gatekeeper warning in OS X
Gatekeeper should issue this warning for any downloaded program that its current setting does not allow. Screenshot by Topher Kessler/CNET

So far, the only malware-related problems in Apple's App Stores have been one occasion in which Windows malware (which cannot run in OS X) was found buried, inertly, within one iOS application, and a more recent occasion in which an MP3 embedded in another program carried remnants of malware activity. Neither situation was an active malware case; both only showed traces of prior infections on the systems the developers had used to assemble their programs.

With Gatekeeper set to "Mac App Store," if you double-click a newly downloaded program you will get a warning saying it cannot be opened because it was not downloaded from the Mac App Store. This does not mean you cannot run it. Right-click the program (or hold the Control key and click) to bring up the contextual menu, and choose Open from there. The warning will now offer an option to open the program anyway; once you do, OS X marks the download as approved and it will launch without further interference. Keep in mind that this override accepts the program regardless of how it is signed, so only use it on software you have a reason to trust.

While it's a touch more inconvenient, raising Gatekeeper's setting means you will be asked about every downloaded application before it first runs, signed or unsigned, which lets you build up a specific set of programs you have chosen to allow on your system. The inconvenience applies only to the first launch of a downloaded program or of a newly downloaded version of it; once accepted, you can run it at your leisure.

Gatekeeper is intended to be managed behind the scenes, but if you want more control over it, you can check its status, adjust its settings, and add or remove allowed programs from the command line with the spctl tool (see its man page for details).
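The following script, which I have added here and which is not part of the original article or of Apple's tools, shows how to ask Gatekeeper what it thinks of a downloaded application and which of the three settings would let it launch. The commands spctl, codesign and xattr are the real OS X utilities; the helper names, the "source=" values it recognizes, and the sample verdicts are my own, based on the output spctl prints on OS X 10.8. Because spctl's own accepted/rejected verdict reflects whichever setting is currently selected, the would_launch function models the policy for all three settings so you can see what would change before you change it.

```bash
#!/bin/sh
# Added example, not from the original article. Inspect a downloaded app's
# Gatekeeper status on OS X and model which Gatekeeper setting admits it.
# Helper names and the sample verdict strings are this example's own.

# Ask Gatekeeper how it would judge the app under the current setting.
# Typical output:
#   /Applications/Foo.app: accepted
#   source=Developer ID
assess_app() {
  spctl --assess --type execute --verbose "$1" 2>&1
}

# Show the certificate chain that signed the bundle (Authority= lines).
show_signer() {
  codesign --display --verbose=2 "$1" 2>&1 | grep '^Authority='
}

# Gatekeeper only evaluates files carrying the quarantine attribute that
# browsers and mail clients set on downloads; without it there is no prompt.
show_quarantine() {
  xattr -p com.apple.quarantine "$1" 2>/dev/null || echo "not quarantined"
}

# Pull the source= value (the policy rule the app matched) out of spctl output.
source_of() {
  printf '%s\n' "$1" | sed -n 's/^source=//p'
}

# Policy model for the three radio buttons in Security & Privacy:
#   appstore   = "Mac App Store"
#   identified = "Mac App Store and identified developers" (the default)
#   anywhere   = "Anywhere"
# Prints "allow" if the given source would launch without a warning under
# the given setting, "block" otherwise. Unrecognized sources (for example
# "no usable signature" for unsigned apps) are blocked by both strict settings.
would_launch() {
  setting=$1
  source=$2
  case "$setting" in
    anywhere) echo allow ;;
    identified)
      case "$source" in
        "Apple System"|"Mac App Store"|"Developer ID") echo allow ;;
        *) echo block ;;
      esac ;;
    appstore)
      case "$source" in
        "Apple System"|"Mac App Store") echo allow ;;
        *) echo block ;;
      esac ;;
    *) echo "unknown setting: $setting" >&2; return 1 ;;
  esac
}

# Usage (OS X only): sh gatekeeper-check.sh /path/to/Downloaded.app
main() {
  app=$1
  verdict=$(assess_app "$app")
  src=$(source_of "$verdict")
  echo "$verdict"
  show_signer "$app"
  show_quarantine "$app"
  for s in appstore identified anywhere; do
    echo "setting=$s -> $(would_launch "$s" "$src")"
  done
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run against a Developer ID-signed download, the model reports "allow" for the default setting and "block" for "Mac App Store," which is exactly the gap that raising the setting closes for a program such as KitM. To approve a single program permanently without lowering the setting, `sudo spctl --add --label "Approved by me" /path/to/App.app` adds an allow rule, and `sudo spctl --remove --label "Approved by me"` takes it away again.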


