VirusTotal Adds Sandbox Execution for OS X Apps

Mac malware is a thing. It’s real. Granted it hasn’t reached the critical mass of malicious code for Windows, but recent encounters with WireLurker, XcodeGhost and YiSpecter among others have elevated the conversation to levels where it’s been legitimized.

Adding further credence, Google-owned online malware scanner VirusTotal this week announced the availability of sandbox execution for Mac OS X apps. Researchers can now upload suspicious Mac OS X Mach-O executables, DMG files or zip files containing Mac apps and get a behavioral report in return from the service.

“This is a a great tool for malware analysts, or even just inquisitive OS X users,” said Patrick Wardle, director of research of security company Synack and a well-known Apple researcher. “Being able to upload an OS X binary, have it scanned by multiple AV engines, and now have an automated behavioral analysis report should definitely expedite OS X malware triage and analysis.”

VT screenshot.

The data contained in the reports can also be integrated into OS X security tools, improve their detection and analysis capabilities.

“For example, now I’ll easily be able to see how a fairly comprehensive set of OS X malware persists (to ensure automatic (re)execution each time an infected computer is restarted),” Wardle said. “This will allow me both validate and improve tools such as KnockKnock and BlockBlock that attempt to detect persistence techniques in order to protect Mac users.”

VirusTotal said in its announcement that users will be able to scan the supported file types on the service’s website, through its OS X Uploader app, via the VirusTotal API.

“This adds an additional layer of detail the person who submitted the sample can use to understand more about the file beyond simple AV detection names,” said Ryan Olson, director of research at Palo Alto Networks, the firm that reported the WireLurker and YiSpecter malware. “From an intelligence collection perspective, behavioral analysis greatly increases the amount of information available for connecting attacks to each other.”

As more OS X machines creep into the enterprise, incident responders also figure to embrace this as a tool to combat possible Mac malware infections. The VirusTotal sandbox, however, doesn’t support document types such as PDFs that are commonly used in exploits against vulnerabilities.

“For researchers that do a lot of OS X malware analysis, I think this will be quite useful,” Wardle said. “However, I think of lot of such researchers do this analysis manually now, since there isn’t a ton of OS X malware (yet!). However as this increases, having such a service as this, will continue to become more and more beneficial.”

Wardle also expects malware writers to respond in turn with attempts at bypassing sandbox detection, something he cautioned during a talk at Black Hat this summer that could happen.

“At the time, VirusTotal was mostly just doing standard AV scanning, so this wasn’t too much of a threat to new malware,” Wardle said. “However, with VirusTotal’s new behavioral analysis, if I was a malware author, I’d be working pretty hard to ensure that if possible, my malware could defend against it being submitted (again, from a infected system that the malware was running on). As a malware analyst – I’m excited to see how the malware writers respond – because they’d be naive not to.”