|Platform||MacOS, OS X|
|Permissions Required||User, Administrator|
|Data Sources||Binary file metadata, Malware reverse engineering, Process Monitoring|
|Defense Bypassed||Application whitelisting, Process whitelisting, Whitelisting by file name or path|
As of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD 1. The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different 2. By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same.
Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.
Determining the original entry point for a binary is difficult, but checksum and signature verification is very possible. Modifying the LC_MAIN entry point or adding in an additional LC_MAIN entry point invalidates the signature for the file and can be detected. Collect running process information and compare against known applications to look for suspicious behavior.