Some Insight into Apple's Anti-Virus Signatures
Last Updated: 2011-06-02 21:19:41 UTC
by Johannes Ullrich (Version: 1)
Now with Apple pushing out its first daily update to combat the latest MacDefender variant, its a good time to take a closer look at "XProtect", the Snow Leopard Anti Malware engine (or to use the Apple euphemism: "safe download list").
OS X heavily relies on XML files for configuration. These "plist" files are easy to read. The same is true for the XProtect configuration, which includes the currently valid signatures. Two files are used:
This file appears to track XProtect versions, and when they got applied.
This is the actual signature file. For example, one of the MacDefender entries looks like:
<dict> <key>Description</key> <string>OSX.MacDefender.B</string> <key>LaunchServices</key> <dict> <key>LSItemContentType</key> <string>com.apple.installer-package</string> </dict> <key>Matches</key> <array> <dict> <key>MatchFile</key> <dict> <key>NSURLNameKey</key> <string>Info.plist</string> </dict> <key>MatchType</key> <string>Match</string> <key>Pattern</key> <string>3C6B65793E43464276B6....F737472696E673E</string> </dict> [ ... 3 more 'dict' sections deleted ... Also, the string is appreviated to fit ] </array> </dict>
xpath /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist /plist/array/dict/string
Johannes B. Ullrich, Ph.D.
SANS Technology Institute