“Apple uses this technology to encrypt some of its own core components like “Finder.app” or “Dock.app”. On current OS X systems this mechanism doesn’t provide much of a protection against reverse engineering in the sense that attaching a debugger and dumping the memory is sufficient to retrieve the decrypted executable. However, this mechanism can be abused by encrypting malware which will no longer be detected by the static analysis technologies of current security solutions.”
“The difference compared to a packer is that the decryption code is not present in the executable itself and so the static analysis engine can’t recognize a stub or base itself on other data present in the executable, since all segments can be encrypted. Thus, the scan engine also isn’t able to execute the encrypted code in its own virtual machine for a more dynamic analysis.
Two other important things about the encryption system is that the private key is the same and is shared across different versions of OS X. And it’s not a chained encryption either: but per-page. Which means that changing data in the first encrypted page doesn’t affect the second encrypted page and so on.” wrote the researcher in a post.
Daniel suggests Antivirus producers the following solutions to prevent infection caused Mac malware encrypted with internal mechanisms:
… and remember that no OS is totally secure!
(Security Affairs – Apple, Mac malware)