Another Mac-specific malware pops up, but Apple’s Gatekeeper still prevents infection

“A second piece of Mac-specific malware has been discovered this week, one that could expose the passwords stored in the macOS Keychain,” Mike Wuerthele reports for AppleInsider. “But once again, Apple’s Gatekeeper security — when properly configured — will block the attack from succeeding.”

“Researchers at security firm ESET have been examining a new strain of OS X malware from an unknown source, and have published a breakdown of the so-called ‘OSX/Keydnap’ package,” Wuerthele reports. “The revelation of the OSX/Keydnap package is the second Mac malware reveal in a week. On July 6, Backdoor.Mac.Eleanor was exposed, and is also easily preventable with properly configured Apple-provided security software, or by user awareness of the attack vector.”

Wuerthele reports, “AppleInsider was not able to obtain a sample of the malware to see if Apple’s Xprotect has been updated.”

Read more in the full article here.

MacDailyNews Take: The Mac’s Gatekeeper comes through yet again.

What Mac users need to know about ‘Backdoor.MAC.Eleanor’ – July 6, 2016
New Mac malware in the wild: ‘Backdoor.MAC.Eleanor’ can control FaceTime camera, steal data, more – July 6, 2016
Security experts: Apple did OS X Mountain Lion’s Gatekeeper right – February 16, 2012
OS X Mountain Lion’s Gatekeeper slams the door on Mac trojans – February 16, 2012


      1. It doesn’t beg any question. Gatekeeper is properly configured “out of the box”. You must take specific action to allow the malware to be installed. The only thing causing Gatekeeper to “lose its configuration” is you.

      2. Not beating too dead of a horse, but I looked at your comment again because I just can’t believe anyone who has any knowledge of OS X going back as far as Mountain Lion would actually ask that about Gatekeeper. Were you really serious or do you just like the way “Which begs the question” sounds and wanted to see it on the comment page?

        1. The question arises due to the author using “— when properly configured —” (a vague term which does not point at what exactly IS a proper configuration) rather than something like “user has not changed default settings”, which according to your post below is “1-Mac App Store”.

          1. Okay, maybe I shouldn’t have jumped like that, but it was not the essence of what you said, it was the words you chose. Do you always speak in that style? Do you recognize how arrogant it seems and how it comes across like you are talking down to people?

            Aside from that … I don’t think it was particularly vague at all. It was not written as an instructional piece. If you read the full article (which you might have) rather than just the snippet posted here you would be more in touch with what the author was communicating. It does discuss other protections you may add to the mix, but not specific settings. For your benefit and in your defense, it doesn’t specify what settings constitute “properly configured”, but it is “properly configured out of the box.” The default settings afford the highest level of security offered by Gatekeeper.

    1. System Preferences > Security and Privacy tab > General – There are three options for “Allow applications downloaded from”:
      1-Mac App Store
      2-Mac App Store and identified developers
      You choose. Choose stupidly and you pay the price. That’s what “properly configured” means.

  1. If you allow an “anyone” app, because you know the source, then you would have to make a temporary change; it just won’t run. That’s the point behind signed code.

    If you are a novice, I would suggest sticking with the Mac App Store only. There are plenty of good curated programs there.

    Seems silly to me, though, that a file with a trailing space would be treated as an executable. I think there needs to be a better way to tell what a file is. Maybe the problem is not Mac OS, but UNIX in general.

    I work with JPG files for web pages etc. The default app is Preview, which is not what I would typically go for. My habit is to right click and choose Open With, and I would immediately be suspicious that the fake JPG wouldn’t have proper information, such as belonging to Preview/Pixelmator/Photoshop. Of course going the distance and trying to open it would suggest it was corrupt.

    Last statement: don’t open unsolicited files from email, etc. Malware is usually encapsulated in zip or rar files because they are trying to obfuscate detection.

    Having Little Snitch and/or Malwarebytes simply installed is just enough for the malware to abort. Don’t depend on it, but from the stories I have read, they typically give up.

    Know your source.
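As an added example (not code from AppleInsider, ESET, or the commenter above), here is a POSIX shell check a defender can run over a downloads folder for the lure discussed in this thread: a file whose name looks like a document but whose first bytes are a Mach-O executable header, or whose name ends in a trailing space. The extension list and the sample files are my own choices; the magic values are the standard Mach-O and fat-binary constants.

```shell
#!/bin/sh
# Added example, not code from the article, ESET or the commenter: flag files
# that look like documents by extension but start with a Mach-O header, or
# whose names end in whitespace (the trailing-space trick discussed above).
# Assumes only POSIX sh plus od, sed, tr and find.

# Return 0 if the first four bytes of $1 are a Mach-O or fat/universal magic.
is_macho() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "path<TAB>reason" for each suspicious regular file under directory $1.
scan_dir() {
  find "$1" -type f | while IFS= read -r f; do   # IFS= keeps trailing spaces
    name=${f##*/}
    stem=$(printf '%s' "$name" | sed 's/[[:space:]]*$//')  # name minus trailing blanks
    reason=""
    case "$name" in
      *[[:space:]]) reason="trailing whitespace in name" ;;
    esac
    case "$stem" in
      *.jpg|*.jpeg|*.png|*.gif|*.pdf|*.txt|*.doc|*.docx)
        if is_macho "$f"; then
          reason="${reason:+$reason; }Mach-O header under document extension"
        fi ;;
    esac
    if [ -n "$reason" ]; then
      printf '%s\t%s\n' "$f" "$reason"
    fi
  done
  return 0
}
```

Run it as `scan_dir ~/Downloads`; a hit on both counts (fake extension plus trailing space) is exactly the shape of file described in the comment above.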

  2. There’s considerable goofiness around the reporting of OSX.Trojan.Keydnap.A (as it would properly be labeled). I’m waiting for a definitive writeup about the malware, which I’m told should show up Friday. We’ll see!

    1. Oh and the proper label for ‘Backdoor.MAC.Eleanor’ would be OSX.Trojan.Eleanor.A. I’m using the standard naming convention for malware. I can provide a link to the standard for those interested. The fact that few anti-malware companies bother with it points out the general state of the anti-malware community: Chaotic.

  3. Hey MDN:
    Either have your ‘take’ read “PCs not affected” or stop posting articles crowing about android malware or some other bad news for Apple competitors.

    1. Yeah, except Macs really aren’t affected either – that’s the point. You really have to work to be affected by this, unlike Windows, where your PC can get pwned just because a bad ad loads. But I just knew that wouldn’t stop smug Windows and Android using idiots from doing a victory dance.

