Disabling revoked cert checking for malware research on OS X

Malware research involves running malware samples, typically in VMs. Because developer codesigning certificates are trivial to acquire in the Apple ecosystem, OS X malware samples are very often code signed. When malware is discovered, Apple can and often does revoke the associated cert. While this is a good thing for end-users, it can be a hindrance for malware research.


[Screenshot of the dialog: "This app has a revoked certificate"]

Fortunately, it is easy enough to disable this security feature.

  1. Disable OCSP and CRL checking in Keychain Access.
  2. Remove the CRL cache: sudo rm -rf /var/db/crls/
  3. Disable the ocspd LaunchDaemon: e.g. sudo rm /System/Library/LaunchDaemons/com.apple.ocspd.plist. If you’re running 10.11 of course you’ll need to temporarily disable SIP to do this.
  4. Reboot.

The above works on 10.10. I’m not sure if all of the above is necessary, e.g. maybe it’s sufficient to just disable the OCSPD service. It could be that half of the above isn’t needed, but I don’t know which half, so just do all of it and you’ll be happily running malware in no time.

As an aside, it’s kind of fun to read the CRL:

Bonus: now you can run things signed with compromised codesigning certificates, but another potential hindrance is XProtect, which is the OS X equivalent of Windows Defender. Have a look at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist to see the file signatures for all the evil things. If something you want to run is on this blacklist, you will not be able to run it. Once again this is a beneficial protection layer for end-users, but a potential hindrance for malware researchers. Fortunately this too is easy to circumvent: just delete the plist file and reboot.
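As an added check (not part of the original post), here is a small shell function that audits whether the three on-disk artifacts the steps above and the XProtect bonus remove are still present on a host, so a research VM can be told apart from a host that has quietly lost its revocation checking. It takes an optional root prefix (an assumption added here so it can be pointed at a mounted image or a test tree instead of the live system) and returns the number of missing artifacts as its exit status.

```shell
#!/bin/sh
# Audit the three artifacts this post removes:
#   /System/Library/LaunchDaemons/com.apple.ocspd.plist   (step 3)
#   /var/db/crls/                                         (step 2)
#   .../CoreTypes.bundle/Contents/Resources/XProtect.plist (bonus section)
# Usage: check_osx_protections [ROOT]
#   ROOT is an optional prefix (empty = live system); exit status is the
#   number of artifacts that are missing, so 0 means all three are in place.

check_osx_protections() {
    root="${1:-}"
    missing=0

    # 1. ocspd LaunchDaemon: without it no OCSP responder runs at all.
    if [ -f "$root/System/Library/LaunchDaemons/com.apple.ocspd.plist" ]; then
        echo "ok      ocspd LaunchDaemon present"
    else
        echo "MISSING ocspd LaunchDaemon (revocation checking disabled?)"
        missing=$((missing + 1))
    fi

    # 2. CRL cache directory.
    if [ -d "$root/var/db/crls" ]; then
        echo "ok      CRL cache directory present"
    else
        echo "MISSING CRL cache directory /var/db/crls"
        missing=$((missing + 1))
    fi

    # 3. XProtect signature list.
    xp="$root/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist"
    if [ -f "$xp" ]; then
        echo "ok      XProtect.plist present"
    else
        echo "MISSING XProtect.plist (XProtect blacklist removed?)"
        missing=$((missing + 1))
    fi

    return "$missing"
}

# Only run automatically when AUDIT_ROOT is set (empty string = live system),
# so sourcing this file does not audit anything by itself.
if [ -n "${AUDIT_ROOT+x}" ]; then
    check_osx_protections "$AUDIT_ROOT"
fi
```

Run it as `AUDIT_ROOT= sh check.sh` on a live machine, or pass the mount point of a disk image as the root.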
