Help protect yourself from signed malware in OS X
With the discovery of malware signed with a valid Apple Developer ID, here are some steps you can take to help prevent the remote chance of any such program infecting your computer.
There is no question that, regardless of the computing platform you use, malware happens. To help prevent these and other unwanted programs from running, Apple includes a signature-checking feature called Gatekeeper, which offers three levels of protection. The first allows everything to run, the second allows only applications signed with a valid Apple Developer ID to run, and the third allows only programs distributed through the Mac App Store to run.
Apple provides the Developer ID option on the assumption that most who use its Developer program create legitimate and trustworthy code, since their work can easily be traced through the signature their programs must carry. Recently, though, this was shown not to be the case.
Last week, a piece of Mac malware called "KitM" ("KitM" apparently standing for "Kumar in the..."), which attempts to take screenshots and upload them to remote servers, was found. It was able to get past Apple's Gatekeeper settings because it was developed under and signed with a valid Apple Developer ID issued in the name of Rajinder Kumar. According to F-Secure, the Developer ID for this individual has since been revoked, but before this news hit, the malware created with his ID was able to infect and run on a few systems, including test systems controlled by a number of security firms.
While Apple's revocation of the ID means that the malware will no longer run without warning (provided you have Gatekeeper enabled), this latest development does show that malware can come even from somewhat trusted sources, and that once it is found there may be several days' delay before something can be done about it.
Overall, even though it's unlikely that many people will be affected by such nefarious programs, there is one step you can take to help protect yourself: raise Gatekeeper's setting so that only programs from the Mac App Store run without warning. The programs Apple allows into the App Store are tested by its App Store team before they are permitted to be sold, which makes it highly improbable that any active malware will make it through.
So far, the only malware-related problems in Apple's App Stores have been one occasion on which Windows-based malware (which will not run in OS X) was found, and a more recent occasion on which remnants of malware activity turned up. Neither situation was an active malware case; both only showed traces of prior malware activity on systems the developers had used for assembling their programs.
With Gatekeeper set to only allow programs from the Mac App Store, if you run a newly downloaded program directly, you will get a warning saying it cannot be opened because it was not downloaded from the Mac App Store. However, this does not mean you cannot run it. All you have to do is right-click the program (or hold the Control key and click) to bring up the contextual menu, and then choose Open from there. When you do so, the warning will give you an option to open the program, after which it will be added to a permitted Gatekeeper group so it will run without interference in the future.
While it's a touch more inconvenient, raising Gatekeeper's security level will notify you of any application that attempts to run, be it signed or unsigned, and will let you establish a specific set of programs that are permitted to run on your system. Additionally, the added inconvenience applies only the first time you run the program or any update to it. Once accepted as a legitimate program, you will be able to run it at your leisure.
Gatekeeper is intended to be managed behind the scenes, but if you want more control over it, you can adjust its settings.
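To make the Gatekeeper levels and the per-application check above concrete, here is an added example script (not code from the original article) that reads the current Gatekeeper status, asks macOS to assess an application bundle, lists the certificate chain that signed it, and reports whether the download still carries the quarantine flag that triggers Gatekeeper on first launch. It uses Apple's spctl, codesign and xattr tools; the helper names, the bundle path, and the sample tool output quoted in the comments are assumptions of this example. The parsing helpers read the tools' text output on stdin so they can be exercised with constructed samples on any POSIX shell; the live audit only runs on macOS.

```sh
#!/bin/sh
# Added example: inspect Gatekeeper state and an app's signing source.
# Parsing helpers take spctl/codesign output on stdin; audit_app runs the
# real tools and therefore only works on macOS.

# Which Gatekeeper rule did the assessment match? Reads the output of
# `spctl --assess --verbose=4 --type execute <app>` (e.g. the two lines
# "/Applications/Foo.app: accepted" and "source=Mac App Store") and prints
# one of: app-store, developer-id, apple-system, unsigned, unknown.
assessment_source() {
    out=$(cat)
    case "$out" in
        *"source=Mac App Store"*)       echo app-store ;;
        *"source=Developer ID"*)        echo developer-id ;;
        *"source=Apple System"*)        echo apple-system ;;
        *"source=no usable signature"*) echo unsigned ;;
        *)                              echo unknown ;;
    esac
}

# Did Gatekeeper accept or reject the bundle under the policy currently set?
assessment_verdict() {
    out=$(cat)
    case "$out" in
        *rejected*) echo rejected ;;
        *accepted*) echo accepted ;;
        *)          echo unknown ;;
    esac
}

# Model of the three levels the article describes: would an app whose
# assessment source is $2 launch without a warning under setting $1?
# Settings: anywhere, developer-id, app-store. Apple's own system software
# is allowed at every level.
runs_without_warning() {
    setting=$1; src=$2
    case "$setting" in
        anywhere)     echo yes ;;
        developer-id) case "$src" in app-store|developer-id|apple-system) echo yes ;; *) echo no ;; esac ;;
        app-store)    case "$src" in app-store|apple-system) echo yes ;; *) echo no ;; esac ;;
        *)            echo no ;;
    esac
}

# Extract the certificate chain from `codesign -dv --verbose=4` output
# (read on stdin): one "Authority=" value per line, leaf certificate first.
# This is where a revoked Developer ID shows up as the signer of a bundle.
signing_authorities() {
    sed -n 's/^Authority=//p'
}

# Live audit (macOS only). Usage: sh gatekeeper_audit.sh /Applications/Foo.app
audit_app() {
    app=$1
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this audit only runs on macOS" >&2
        return 1
    fi
    echo "Gatekeeper: $(spctl --status 2>&1)"
    result=$(spctl --assess --verbose=4 --type execute "$app" 2>&1)
    echo "Verdict:    $(printf '%s\n' "$result" | assessment_verdict)"
    echo "Source:     $(printf '%s\n' "$result" | assessment_source)"
    echo "Signers:"
    codesign -dv --verbose=4 "$app" 2>&1 | signing_authorities | sed 's/^/  /'
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "Quarantine: present (Gatekeeper will assess on first launch)"
    else
        echo "Quarantine: absent"
    fi
}

if [ "$#" -gt 0 ]; then
    audit_app "$1"
fi
```

Run it against a freshly downloaded bundle before opening it: the Source line tells you which of the three levels would have let it through, and the Signers list shows the Developer ID that vouched for it, so that a later revocation notice (as in the case above) can be matched to software already on the machine.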