
About Mac OS X v10.6.4 ‘XProtect’ Update

Pob of SophosLabs found this interesting update; please read the SophosLabs blog post "Updated XProtect protects against OSX.HellRTS".

The Apple Mac OS X Snow Leopard anti-malware signature file 'XProtect.plist' has a new definition detecting "OSX.HellRTS" in the latest Security Update 2010-004 / Mac OS X v10.6.4.

XProtect.plist is stored inside the Resources folder of a bundle called CoreTypes.bundle.

CoreTypes.bundle contains specifications that allow Mac OS X to uniquely identify data types, file formats, associated icons and UTIs (Uniform Type Identifiers), as defined in its Info.plist file.

In this update (Mac OS X v10.6.4), there are two major updates to the Mac OS X detection features (Quarantine and anti-malware):

1) The risk assessment for Safari extensions (.safariextz) is now "unsafe", which triggers the Mac OS X Quarantine feature and displays the warning "...Are you sure you want to open it?".

This assessment is reflected in an XML file called System, which contains risk definitions for certain file types and extensions. The risk assessment has 3 categories:

<key>LSRiskCategorySafe</key>
<key>LSRiskCategoryMayContainUnsafeExecutable</key>
<key>LSRiskCategoryUnsafeExecutable</key>

As shown below, Safari extensions (.safariextz) were added under the LSRiskCategoryUnsafeExecutable key.

Apple recently released Safari 5 with support for browser extensions, and this security update makes sure that nothing gets executed without a warning.

System file location:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System

2) The Mac OS X anti-malware signature file "XProtect.plist" now includes detection for the HellRaiser version 4.2 server application.

There are 3 definitions for OSX.HellRaiser. As highlighted in the screenshot above, they detect 2 components, namely rbframework.dylib and RBShell.rbx_0.129.dylib, and search for defined hex strings matching the HellRaiser server's auto-launch (login item) command.

The latest XProtect.plist time stamp suggests that it was updated on the 24th of April, just a couple of days after the discovery of the HellRaiser 4.2 server in the wild. Unfortunately, it seems that it had to wait for the combo update released on the 15th of June.

XProtect.plist location:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
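To make the two mechanisms described above concrete (the LSRiskCategory lookup in the System file and the file-name plus hex-pattern matching in XProtect.plist), here is an added example that is not part of the original post and not Apple's code. Both plists embedded below are constructed, simplified stand-ins: the three LSRiskCategory key names come from the post, but the LSRiskCategoryExtensions lists, the Description/MatchType/Matches/FileName/Pattern fields and the "Match" (all entries must hit) versus "MatchAny" (one entry suffices) semantics are assumptions made for this example, as are the sample file contents.

```python
"""Constructed example: evaluating Quarantine risk categories and XProtect-style
signature definitions against a set of files.

The plist structures below are simplified stand-ins for the real System and
XProtect.plist files under CoreTypes.bundle; their schemas are assumptions.
"""
import plistlib
from typing import Any, Dict, List, Optional

# Constructed System-style risk definitions (key names from the post; the
# extension lists and the LSRiskCategoryExtensions field are assumed).
SAMPLE_SYSTEM_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LSRiskCategorySafe</key>
  <dict><key>LSRiskCategoryExtensions</key>
        <array><string>txt</string><string>jpg</string></array></dict>
  <key>LSRiskCategoryMayContainUnsafeExecutable</key>
  <dict><key>LSRiskCategoryExtensions</key>
        <array><string>zip</string><string>dmg</string></array></dict>
  <key>LSRiskCategoryUnsafeExecutable</key>
  <dict><key>LSRiskCategoryExtensions</key>
        <array><string>app</string><string>safariextz</string></array></dict>
</dict>
</plist>
"""

RISK_ORDER = [
    "LSRiskCategorySafe",
    "LSRiskCategoryMayContainUnsafeExecutable",
    "LSRiskCategoryUnsafeExecutable",
]

# Constructed XProtect-style definitions. Patterns are hex-encoded bytes:
# 6C6F67696E6974656D = "loginitem", 53797374656D204576656E7473 = "System Events".
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>EXAMPLE.DemoThreat.A</string>
    <key>MatchType</key><string>Match</string>
    <key>Matches</key>
    <array>
      <dict><key>FileName</key><string>demo_framework.dylib</string>
            <key>Pattern</key><string>6C6F67696E6974656D</string></dict>
      <dict><key>FileName</key><string>demo_shell.dylib</string>
            <key>Pattern</key><string>53797374656D204576656E7473</string></dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>EXAMPLE.DemoThreat.B</string>
    <key>MatchType</key><string>MatchAny</string>
    <key>Matches</key>
    <array>
      <dict><key>Pattern</key><string>DEADBEEF</string></dict>
    </array>
  </dict>
</array>
</plist>
"""


def risk_category(filename: str, system_plist: bytes = SAMPLE_SYSTEM_PLIST) -> Optional[str]:
    """Return the LSRiskCategory key whose extension list contains the file's
    extension, or None when the extension is not classified at all."""
    categories = plistlib.loads(system_plist)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for key in RISK_ORDER:
        if ext in categories.get(key, {}).get("LSRiskCategoryExtensions", []):
            return key
    return None


def _entry_hits(entry: Dict[str, Any], files: Dict[str, bytes]) -> bool:
    """One match entry hits when some file (restricted to FileName, if given)
    contains the entry's byte pattern."""
    pattern = bytes.fromhex(entry["Pattern"])
    wanted = entry.get("FileName")
    return any(pattern in data
               for name, data in files.items()
               if wanted is None or name == wanted)


def scan_files(files: Dict[str, bytes], xprotect_plist: bytes = SAMPLE_XPROTECT_PLIST) -> List[str]:
    """Return the Description of every definition that fires against the files.
    'Match' requires every entry to hit; 'MatchAny' requires at least one."""
    detections = []
    for definition in plistlib.loads(xprotect_plist):
        hits = [_entry_hits(e, files) for e in definition["Matches"]]
        combine = any if definition.get("MatchType") == "MatchAny" else all
        if hits and combine(hits):
            detections.append(definition["Description"])
    return detections


# Constructed sample "bundles": file name -> file bytes (Mach-O magic + filler).
SAMPLE_INFECTED = {
    "demo_framework.dylib": b"\xcf\xfa\xed\xfe" + b"\x00" * 8 + b"loginitem" + b"\x00" * 4,
    "demo_shell.dylib": b"\xcf\xfa\xed\xfe" + b"tell application \"System Events\"",
}
SAMPLE_CLEAN = {
    "demo_framework.dylib": b"\xcf\xfa\xed\xfe" + b"\x00" * 16,
    "notes.txt": b"nothing to see here",
}

if __name__ == "__main__":
    for name in ("extension.safariextz", "archive.zip", "photo.jpg", "Makefile"):
        print(f"{name}: {risk_category(name)}")
    print("infected:", scan_files(SAMPLE_INFECTED))
    print("clean:", scan_files(SAMPLE_CLEAN))
```

The scanner, like the real feature the post describes, only examines file contents on disk; a component that is already loaded into a running process is never looked at, which is the limitation noted at the end of the post.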

By the way, it is important to note that this security feature is not capable of detecting the server once it is already running in the background.
Have a nice weekend!