macOS sandbox detection methods
1. Hardware model detection method
2. Check if hyperthreading is enabled
3. Memory size detection method
4. I/O Kit Registry detection method
5. Boot ROM Version detection method
6. Check if System Integrity Protection is enabled
Signature recommendations
Countermeasures
An open source SSL tunneling proxy solution that is available on multiple operating systems and can be accessed via the macOS Terminal.app Using SSL encryption to secure the connection between a remote client and the server is highly advisable. Jun 20, 2019 Mac-A-Mal anti-environment evasion module using hook and memory patching.
macOS sandbox detection methods
Most macOS-specific methods for sandbox and virtual environment detection are based on using shell commands such as “sysctl” and “ioreg”.Instead of providing code sample blocks, we show the commands and their arguments.Unfortunately, we can’t collect command outputs for various hypervisors due to Apple software licensing policy.Therefore, we compare the command outputs for physical and virtual machines when possible.
1. Hardware model detection method
The command used:
If running on native Apple hardware, the returned value contains the model name of the hardware:
On virtualized hardware, the value may contain the hypervisor name:
This technique was seen in the MacRansom malware.If the command output doesn't contain the 'Mac' substring, the malware considers that it is running in a virtual machine.
2. Check if hyperthreading is enabled
Most Apple hardware (MacBook, Mac mini) released before 2018 came with hyperthreading enabled. This means that the number of physical cores is equal to half the of logical cores.However, some hypervisors don’t provide an ability to change the number of logical cores, which is alwaysequal to the number of physical cores.
The command used:
On physical hardware, the output value of the command must be equal to '2'.This techinique was seen in the MacRansom malware.
We should note that new hardware comes with hyperthreading disabled, for example, Mac mini with 6‑core Intel Core i7 CPU. Therefore, this method should be considered outdated.
3. Memory size detection method
This method is similar to the memory size detection method used for PC. When running several virtual machines, each VM is allocated a small amount of RAM,whereas Apple physical hardware usually have more than 4 Gb RAM.
The command used:
The command returns the RAM size in bytes, for example: 17179869184.
4. I/O Kit Registry detection method
There are several ways in which virtual machine can be detected using the I/O Kit Registry.
Mac Os Download
Checking the 'IOPlatformExpertDevice' registry class
The command used:
The following fields of the IOPlatformExpertDevice class can be checked in order to detect a virtual machine:
Field | Physical hardware example value | Virtual machine example value | VM detection rule |
---|---|---|---|
IOPlatformSerialNumber | 'C07T40BYG1J2' | '0' | Equal to '0' |
board-id | <'Mac-87C4F04823D6BACF'> | <'VirtualBox'> | Contains 'VirtualBox', 'VMware', etc. |
manufacturer | <'Apple Inc.'> | <'innotek GmbH'> | Doesn't contain 'Apple' |
Checking USB device vendor names
The commands used:
Sample output on native Apple hardware:
On virtualized hardware, the value may contain the hypervisor name:
A virtual machine can be detected by checking if the command output contains a hypervisor name, for example 'VirtualBox','VMware', etc.
Another option is to call the ioreg command with the “-l” option which makes it show properties for all objects.The output should be checked against known hypervisor names, for example:
The above command counts the number of occurrences of various hypervisor names in the ioreg output.If the number of occurrences is greater than 0, the system is likely virtualized.
5. Boot ROM Version detection method
The command used:
If running on native Apple hardware, the returned value contains the letter code for the corresponding Apple product,for example, “MM” for Mac mini, “MBP” for MacBook Pro, “MBA” for MacBook Air:
If running on a virtual machine, the returned value may contain the hypervisor name:
This method is implemented in OceanLotus malware, as shown below:
6. Check if System Integrity Protection is enabled
The latest versions of macOS have the System Integrity Protection feature (SIP).If a sandbox uses a non-signed kernel extension for monitoring purposes the, SIP feature must be disabled to load this kind of kernel extension.Malware may check if the SIP is enabled.
The command used:
The command returns the SIP status, for example: “System Integrity Protection status: enabled.”
Signature recommendations
There is a kind of trade-off between the number of detected evasion techniques and the false-positive rate.If we want to detect as many as possible attempts to use the evasion techniques, we should use signatures with a broad scope.If a process is created with one of the following command lines, this indicates an application is trying to use an evasion technique:
However, the commands mentioned above can be used both to perform evasion techniques and for system information gathering.To reduce the rate of false-positive detections, malware-specific signatures can be used, for example:
Evasion Tunnel Mac Os Download
Countermeasures
Apple software licensing policy doesn’t allow emulating macOS on hardware other than the original Apple hardware. It is also doesn’t not allow more than 2 virtual machines to run on one host machine.Therefore, we suggest using solutions such as DeepFreeze instead of virtualization. In addition, signed kernel extensions should be used.
OS X v10.5.1 and later include an application firewall you can use to control connections on a per-application basis (rather than a per-port basis). This makes it easier to gain the benefits of firewall protection, and helps prevent undesirable apps from taking control of network ports open for legitimate apps.
Configuring the application firewall in OS X v10.6 and later
Use these steps to enable the application firewall:
- Choose System Preferences from the Apple menu.
- Click Security or Security & Privacy.
- Click the Firewall tab.
- Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.
- Click 'Turn On Firewall' or 'Start' to enable the firewall.
- Click Advanced to customize the firewall configuration.
Configuring the Application Firewall in Mac OS X v10.5
Make sure you have updated to Mac OS X v10.5.1 or later. Then, use these steps to enable the application firewall:
- Choose System Preferences from the Apple menu.
- Click Security.
- Click the Firewall tab.
- Choose what mode you would like the firewall to use.
Advanced settings
Block all incoming connections
Selecting the option to 'Block all incoming connections' prevents all sharing services, such as File Sharing and Screen Sharing from receiving incoming connections. The system services that are still allowed to receive incoming connections are:
- configd, which implements DHCP and other network configuration services
- mDNSResponder, which implements Bonjour
- racoon, which implements IPSec
To use sharing services, make sure 'Block all incoming connections' is deselected.
Allowing specific applications
To allow a specific app to receive incoming connections, add it using Firewall Options:
- Open System Preferences.
- Click the Security or Security & Privacy icon.
- Select the Firewall tab.
- Click the lock icon in the preference pane, then enter an administrator name and password.
- Click the Firewall Options button
- Click the Add Application (+) button.
- Select the app you want to allow incoming connection privileges for.
- Click Add.
- Click OK.
You can also remove any apps listed here that you no longer want to allow by clicking the Remove App (-) button.
Automatically allow signed software to receive incoming connections
Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in OS X are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall.
If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose Allow, OS X signs the application and automatically adds it to the firewall list. If you choose Deny, OS X adds it to the list but denies incoming connections intended for this app.
If you want to deny a digitally signed application, you should first add it to the list and then explicitly deny it.
Some apps check their own integrity when they are opened without using code signing. If the firewall recognizes such an app it doesn't sign it. Instead, it the 'Allow or Deny' dialog appears every time the app is opened. This can be avoided by upgrading to a version of the app that is signed by its developer.
Enable stealth mode
Enabling stealth mode prevents the computer from responding to probing requests. The computer still answers incoming requests for authorized apps. Unexpected requests, such as ICMP (ping) are ignored.
Evasion Tunnel Mac Os X
Firewall limitations
Mac Os Catalina
The application firewall is designed to work with Internet protocols most commonly used by applications – TCP and UDP. Firewall settings do not affect AppleTalk connections. The firewall may be set to block incoming ICMP 'pings' by enabling Stealth Mode in Advanced Settings. Earlier ipfw technology is still accessible from the command line (in Terminal) and the application firewall does not overrule any rules set using ipfw. If ipfw blocks an incoming packet, the application firewall does not process it.