{"id":1390,"date":"2025-01-13T15:18:34","date_gmt":"2025-01-13T22:18:34","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=1390"},"modified":"2025-01-23T14:13:52","modified_gmt":"2025-01-23T21:13:52","slug":"is-your-mac-os-free-from-malware","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2025\/01\/13\/is-your-mac-os-free-from-malware\/","title":{"rendered":"Is your Mac OS free from malware?"},"content":{"rendered":"\n<p>Since November 2024 there has been an increase in the number of Mac OS devices infected by the Banshee Stealer malware, affecting many users and companies [1].<\/p>\n\n\n\n<p>Apple invests a lot of resources in protecting its software and hardware; it is well known for XProtect, Notarization and Gatekeeper, anti-malware mechanisms that analyze the programs and the signatures of applications running on Mac devices [3].<\/p>\n\n\n\n<p class=\"has-light-gray-background-color has-background\">We have all heard the saying <em>\u201cMac OS can\u2019t get viruses\u201d<\/em> or something similar. But anyone who works in tech knows that this claim is false.<\/p>\n\n\n\n<p>But even with this technology already installed, there are still different kinds of malware that can successfully infect our devices and wreak havoc on our personal devices or workstations. 
Let\u2019s analyze how the Banshee Stealer malware works and how you can protect yourself against it.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\"><div class=\"wp-block-image is-style-default\">\n<figure class=\"aligncenter\"><img decoding=\"async\" data-src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXem0lc8wWrFyA6f9UtHqe9Va-jC-xam2A8Ax54OZy42qEGflGE3l3djbobVhSnevy4hpGitbvMxszh37ObuzXAZ4puEPs3HQ1juN_wISVSShZJ1h8S_YTOEL2Zy1SbvE9EWPOXA8A?key=fNTU2tHUIBeeug5gOzxho7jn\" alt=\"\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" \/><\/figure>\n<\/div><\/div>\n<\/div>\n\n\n\n<p class=\"has-text-align-center has-small-font-size\"><strong>Even an Apple can be infected with a worm! [5]<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\"><strong>How can this malware affect Mac OS?<\/strong><\/h2>\n\n\n\n<p>Since Mac OS is based on a UNIX kernel, its core system files have read-only permissions. 
So in theory it is protected against modifications, which makes it more complicated for viruses to attack specific parts of the OS and change normal software behavior.\u00a0But there are ways to bypass this &#8220;protection&#8221;.<br><br>Banshee\u2019s source code was recently released; it is C code that modifies kernel permissions and specific modules to allow modification of sensitive parts of the OS.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdvsLkXcEKqCh6gd6zeI4iUmJcAGR2gGnHY8BQ_QnEScaQWH7KzgcChU2OYItAwAvHSeDW13Agg47LKB_VfvvzIigFZtRgENnirKxljfZxaecSEgXAcbWh5yQifbm4J5bRg5asQXw?key=fNTU2tHUIBeeug5gOzxho7jn\" alt=\"\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center has-small-font-size\"><strong>Part of the CPU protection code [4]<\/strong><\/p>\n\n\n\n<p>After gaining write permissions on the kernel, it creates backdoors and escalates privileges to have more control over the computer. To do so, it is necessary to have deep knowledge of how Mac OS operates and which processes are running while the computer is on. 
One piece of code in particular caught my attention:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcc1a1ie8cr2Vjn3vd5vifg7Gcy9qIIUAmr8jKXFjdLpH2SEq7pKCNVrD4XxG4SI9pw_3NABy6gzfOMEUB5xf7EVkAHVc4D1zzrda-oT3qxW-sO-ldoiAUkw5qPoSn5F7w5ikkZ?key=fNTU2tHUIBeeug5gOzxho7jn\" alt=\"\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center has-small-font-size\"><strong>Part of the Banshee Stealer code trying to guess specific memory addresses [4]<\/strong><\/p>\n\n\n\n<p>It shows how certain memory addresses are used for specific OS operations. They are calculated at execution time based on certain well-known parameters.<\/p>\n\n\n\n<p>It is very interesting how they shift bits dynamically to get the correct location depending on certain memory address parameters. It clearly shows good knowledge of how the Mac OS kernel works.<\/p>\n\n\n\n<p>It is no surprise that this malware has become the new trend. It was sold as Malware as a Service, charging over $3,000 for a monthly subscription [2]. Fortunately (though not for Banshee\u2019s creators), the source code was leaked and the service has been canceled. Even so, it is important to be protected against this malware, which can steal data and make the computer unavailable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\"><strong>How can we be protected against these threats?<\/strong><\/h2>\n\n\n\n<p>The best protection is a combination of different measures and tools. Starting with prevention: this virus was spread through GitHub repository links and downloads of uncertified software. 
So safe browsing and awareness campaigns can help you recognize the risk of getting infected by this malware.<\/p>\n\n\n\n<p>Also, keeping the Mac OS version up to date will help protect devices against new malware. Although there is no silver bullet, it is important to stay constantly informed and to keep monitoring your devices to prevent any issues with your cybersecurity.<\/p>\n\n\n\n<p>References:<\/p>\n\n\n\n<p>[1] <a href=\"https:\/\/www.securityweek.com\/source-code-of-3000-a-month-macos-malware-banshee-stealer-leaked\/\">https:\/\/www.securityweek.com\/source-code-of-3000-a-month-macos-malware-banshee-stealer-leaked\/<\/a><\/p>\n\n\n\n<p>[2] <a href=\"https:\/\/www.securityweek.com\/source-code-of-3000-a-month-macos-malware-banshee-stealer-leaked\/\">https:\/\/www.securityweek.com\/source-code-of-3000-a-month-macos-malware-banshee-stealer-leaked\/<\/a><\/p>\n\n\n\n<p>[3] <a href=\"https:\/\/support.apple.com\/en-ca\/guide\/security\/sec469d47bd8\/web\">https:\/\/support.apple.com\/en-ca\/guide\/security\/sec469d47bd8\/web<\/a><\/p>\n\n\n\n<p>[4] <a href=\"https:\/\/github.com\/vxunderground\/MalwareSourceCode\/blob\/main\/MacOS\/MacOS.Rootkit.Inficere.zip\">https:\/\/github.com\/vxunderground\/MalwareSourceCode\/blob\/main\/MacOS\/MacOS.Rootkit.Inficere.zip<\/a><\/p>\n\n\n\n<p>[5] <a href=\"https:\/\/identeco.de\/en\/blog\/protect-macos-from-banshee-leaked-accounts-identeco\/macos-malware-virus-infecting-apple-devices-security-threat.png\">https:\/\/identeco.de\/en\/blog\/protect-macos-from-banshee-leaked-accounts-identeco\/macos-malware-virus-infecting-apple-devices-security-threat.png<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since November 2024 there has been an increase in the number of Mac OS devices infected by the Banshee Stealer malware, affecting many users and companies [1]. 
Apple invests a lot of resources in protecting its software and hardware; it is well known for XProtect, Notarization and Gatekeeper, anti-malware mechanisms that analyze the programs and the signatures &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2025\/01\/13\/is-your-mac-os-free-from-malware\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Is your Mac OS free from malware?&#8221;<\/span><\/a><\/p>\n","protected":false},"author":667,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1390","post","type-post","status-publish","format-standard","hentry","category-uncategorized","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Oscar ACM","author_link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/author\/oscar-alfredo-constantino\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/users\/667"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/comments?post=1390"}],"version-history":[{"count":2,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1390\/revisions"}],"predecessor-version":[{"id":1509,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1390\/revisions\/1509"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/media?parent=1390"}],"wp:term":[{"taxonomy":"catego
ry","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/categories?post=1390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/tags?post=1390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}