Category Archives: malware

How to notarize your software on macOS

Apple now wants you to ‘notarize’ your software. This is a process where you upload your software to Apple’s server so it can be scanned and certified malware free. This will probably become compulsory at some point, even (especially?) if your software isn’t in the Apple app store. Apple says:

Give users even more confidence in your software by submitting it to Apple to be notarized. The service automatically scans your Developer ID-signed software and performs security checks. When it’s ready to export for distribution, a ticket is attached to your software to let Gatekeeper know it’s been notarized.

When users on macOS Mojave first open a notarized app, installer package, or disk image, they’ll see a more streamlined Gatekeeper dialog and have confidence that it is not known malware.

Note that in an upcoming release of macOS, Gatekeeper will require Developer ID signed software to be notarized by Apple.

Documentation on notarization is a bit thin on the ground, especially if you want to notarize software that wasn’t built using XCode (I build my software using QtCreator). So I am writing up my experiences here.

First you need to ensure you have macOS 10.14 and XCode 10 installed (with command line tools) and you need a current Apple developer account.

Codesign your app with ‘hardened runtime’ using --options runtime :

codesign --deep --force --verify --verbose --sign "Developer ID Application:<developer id>" --options runtime <app file>

E.g.:

codesign --deep --force --verify --verbose --sign "Developer ID Application: Acme Ltd" --options runtime myApp.app

A ‘hardened runtime’ limits the data and resourced an application can access. I’m not sure what the exact ramification of this are. But it doesn’t seem to have restrict my software from doing anything it could do previously.

You can check the signing with:

codesign --verify --verbose=4 <app file>

E.g.:

codesign --verify --verbose=4 myApp.app

Now package your app into a .dmg (e.g. using DropDMG). Then upload the .dmg to Apple’s servers:

xcrun altool -t osx -f <dmg file> --primary-bundle-id <bundle id> --notarize-app --username <username>

E.g.:

xcrun altool -t osx -f myApp.dmg --primary-bundle-id com.acme.myapp --notarize-app --username me@acme.com

You will be prompted for your Apple developer password (or you can include it on the command line).

You now have to wait a few minutes. If the upload is successful “No errors uploading ” will be shown and a unique ID will be returned. You then have to use this to request your upload be scanned:

xcrun altool --notarization-info <notarize ID> -u <username>

E.g.:

xcrun altool --notarization-info xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx -u me@acme.com

You will be prompted for your Apple developer password (or you can include it on the command line).

Hopefully you will see “Status Message: Package Approved”. If the notarization fails, you should be sent a link to an online log file describing the issue. If the notarization completes successfully you need to ‘staple’ the results to your .dmg:

xcrun stapler staple -v <dmg file>

E.g.:

xcrun stapler staple -v myApp.dmg

The stapler outputs a log including some odd phrases. Mine included: “Humanity must endure”, “Let’s see how that works out. “, “Adding 1 blobs to superblob. What about Blob?” and “Enjoy”. Weird. Hopefully it will end with “The staple and validate action worked!”.

Finally you can unpack your .dmg into a .app and verify it with:

spctl -a -v <app file>

E.g.

spctl -a -v /Applications/myApp.app

On macOS 10.14 (but not earlier OSs) it should say “source=Notarized Developer ID”. Your software should now run on 10.14 without a warning dialog. Congratulations!

It all seems rather clumsy. As you have to wait asynchronously for the unique ID to be returned from step 1 before you can complete step 2, it is not easy to fully automate in a script. This is a major pain the arse. If anyone works out a way to automate it the whole process, please let me know.

Here are some links to the various posts that I gleaned this information from:

https://cycling74.com/forums/apple-notarizing-for-mojave-10-14-and-beyond
https://www.mbsplugins.de/archive/2018-11-02/Notarize_apps_for_MacOS
https://forum.xojo.com/50655-how-to-codesign-and-notarise-your-app-for-macos-10-14-and-highe
https://forum.xojo.com/49408-10-14-hardened-runtime-and-app-notarization/11
https://stackoverflow.com/questions/53112078/how-to-upload-dmg-file-for-notarization-in-xcode
https://lapcatsoftware.com/articles/debugging-mojave.html

** Update 28-Apr-2023 **

altool is now deprecated. See Moving from altool to notarytool for Mac notarization for an update.

DarkMarket

darkmarketThis book is an interesting and disturbing glimpse into the world of cyber-crime, particularly online credit card fraud (‘carding’). It also touches on related areas, such as cyber-warfare. It is written by a journalist, so don’t expect much in the way of technical details. But, if you can get past the tacky cover artwork and dubious sub-title (‘how hackers became the new Mafia’), it is a fascinating read.

The story mainly centres around the eponymous ‘DarkMarket’, a forum in which cyber-criminals conducted their murky business. For example buying and selling stolen credit card numbers. The story of DarkMarket is known in some detail, as it was infiltrated by various government agencies and some of its key players brought to trial.

There are lots of different characters mentioned in the book, many of whom have non-English names and online aliases. This makes the story quite hard to follow. Perhaps that is inevitable given that it is a story about deception and duplicity involving many people. Nevertheless, it still provides lots of interesting insights into this dark underbelly of the Net.

Online fraud is a cooperative effort. For example, some people specialize in stealing credit card numbers, others in selling credit card skimming devices and still others in employing armies of ‘mules’ to make withdrawals from ATMs (the riskiest part of the operation). But criminals are hardly likely to trust other criminals they have never met. Especially given that some criminals (‘rippers’) specialize in ripping-off other criminals. This is where forums such as DarkMarket come in. They act as a trusted third party, providing escrow and other services to cyber-criminals. The backgrounds and motivations of the cyber-criminals seems to vary considerably. Some start off as curious hackers withot any criminal intent, but turn to the ‘dark side’, often in small increments. Often such people seem to be motivated by status and reputation more than money. Others are simply in it for the easy money.

There are many ways in which your credit card details can be stolen. For example, you hand your card to a petrol station employee. The employee quickly swipes your card through a hidden credit card skimmer before swiping it through the legitimate device (they might pretend they have dropped something behind the counter to disguise this). A small camera hidden in the ceiling records you typing your pin. The criminal has a copy of your credit card and your pin number. These can now be sold on, perhaps through a forum such as DarkMarket, to other criminals who specialize in extracting the money. They will then clone your card and instruct their ‘mules’ to extract the money from an ATM and pay it into another account, keeping a percentage for their trouble. Some of the ‘work from home’ and ‘I made £2000 in a week’ ads you see in spam emails and attached to lampposts may be from cyber-criminals trying to recruit ‘mules’ for this purpose. Sometimes the criminals will withdraw small amounts over a long period as this is less likely to be noticed than one big withdrawal.

Cyber-crime is difficult to prosecute. It is hard to establish the real identity of the criminals and the they are often based in a different legal jurisdiction to the victim. The security services have infiltrated many cyber-criminal forums. The DarkMarket server was eventually being run by an under-cover FBI agent. However even security services from the same country (e.g. the FBI and Secret Service in the US) don’t seem to be able to play nicely together and end up investigating each others agents and informants and generally tripping over each other. The author believes that the Russian security services has infiltrated many of the Russian-speaking cyber-crime forums, but have no interest in shutting them down as long as they are careful never to steal from other Russians. The banks also aren’t keen to cooperate in investigations. You and I are ultimately paying for the fraud through our credit card fees. As long as the banks are making lots of money they don’t want to upset the apple cart by revealing the scale of the fraud. It might affect their bonuses.

So don’t expect cyber-crime to go away any time soon. But do stay away from dodgy websites, keep your credit card in sight at all times, cover the keypad with one hand while you type in your PIN with the other and check your statements!

DarkMarket on amazon.com (affiliate link)

DarkMarket on amazon.co.uk (affiliate link)

“Think you can’t get a virus by visiting a web page? Think again!”

Are you just one click away from disaster? The following post on ASP forums woke me out of my complacency (reproduced with the author’s kind permission):

It happened to me today with FireFox 3.

While searching Google for some information on a movie I watched recently (wasting time, more or less), I clicked on a link that I thought was to IMDB. I only glanced at it in the Google search results before I clicked on it. As soon as the page loaded the browser closed, my desktop background was changed and some sort of fake scanner window showed up. Then I saw desktop icons appear. Then a BSOD, or so I thought.

It turns out it was a pretty common piece of malware called Smitfraud combined with a fake AV malware software called “AntiVirus XP 2008”. They kept asking me to register the software in order to clean the 2700+ virus that it found during its “scan”. The BSOD was a cleverly designed screen saver, I assume designed to make a user reboot without trying any real scanner software.

Luckily I use Acronis TrueImage to do incremental backups every night so restoring to what I had at 4AM this morning only took about an hour but it really woke me up. I had disabled the Avast resident scanner a few days ago thinking that I didn’t need it – I mean, I don’t download random EXE files from the net, I don’t visit “bad” sites and I don’t use any p2p file sharing network so I’m safe – right? WRONG! Talk about a humbling experience. Here I am, an uber nerd, and I just had my entire system hosed in about 4 seconds by visiting a website. If I weren’t obsessed with backups and redundancy I could have lost the source code to all of my software or worse, allowed some cracker kid to install a rootkit and gain access to my desktop on demand. Talk about a nightmare!

I can only assume I ran into a site exploiting some new QuickTime or Flash vulnerability. I definitely didn’t download and run anything from the website – I only clicked the link from Google.

If I could remember the site I would try to return to it in a VM with an anti-virus software enabled to see if it could catch it before bad things happened. I can only hope that my huge mistake of not turning my AV software’s resident scanner was the main thing that allowed the software to be installed.

I’ve since started using OpenDNS.org, set Acronis to do incremental updates twice a day, enabled Avast’s resident scanner and installed the Teatimer program from Spybot Search & Destroy. Oh, and I uninstalled Flash and QuickTime just in case (though I checked and I had the most recent versions of both!).

Mitchell Vincent, www.ksoftware.net

The responses included several suggestions to use the ‘Noscript’ add-on for FireFox. I have been trying it for a few days. It is slightly annoying to keep on having to OK scripts on trusted sites. But that seems a price worth paying. And don’t forget to do your back-ups.

Virus Total

Virus Total is a free service that gives you aggregate results from 36 different malware scanners. Just browse to the file you want to check on your PC and click ‘Send file’. It will quickly return the results of all the scans, hash sizes and a list of Windows system calls that the software makes.

This is a great resource for checking software you are about to install doesn’t contain malware. It is also useful for checking that your own download files haven’t been tampered with and don’t trigger false positives. Note that some software protection systems have been known to trigger false positives from malware scanners.

Thanks to a poster on this BOS thread for bringing it to my attention.