Monday, 1 December 2014

A closer look at Mac OS X executables and iOS apps

Virustotal has always been able to scan and provide verdicts for Mac OS X executables and iOS apps, these are just some examples:
https://www.virustotal.com/en/file/b9fb26c553e793ac4c598a67447f67c85eb9e561a9b7722667f7f45e34e2f71c/analysis/
https://www.virustotal.com/en/file/c5030830203c3bf67ef49af6908cbeb6aa234fe0346d8d9ebf85d4dd5d7482be/analysis/
https://www.virustotal.com/en/file/63149fe9e2efd94d666402d637d921a6ca4dd73dcda318a7fcc82c274175d19a/analysis/
Actually, scanning capabilities regarding certain file types is a common end-user misconception, virustotal will scan any binary content, with independence of its file type, as antivirus vendors will develop signatures for any file type and target OS with independence of the OS that hosts the engines running in virustotal.

This said, two weeks ago we silently introduced a new tool to further characterize Mac OS X executables and iOS apps, extracting interesting static properties from these types of files, similar to what the pefile python module does for Portable Executables.

The new tool will extract file header information (e.g. required architecture and sub-architecture, flags, magic string, etc.), the file segments and its inner sections, any shared libraries that the executable makes use of, load commands and signature information whenever the mach-o happens to be code signed.


In the event that the Mac OS X executable is a universal binary containing mach-o files for several target systems, a characterization of each one of the embedded files will be provided. You may refer to the file details tab of the above reports in order to see an example of this new set of information.

As to iOS apps, the new tool will not only characterize the executable providing the application's main functionality, it will also generate metadata regarding the package itself (property list configuration information and embedded mobile provision data) and iTunes details.


As you may notice, this tool follows the trend of what we recently implemented regarding ELF files, hopefully it will also help in spotting and studying threats targeting Mac OS X and iOS.

No comments:

Post a Comment