Testing for the Strawhorse Backdoor in Xcode

In the previous blog post, I highlighted the latest Snowden documents, which reveal a CIA project out of Sandia National Laboratories to author a malicious version of Xcode. This Xcode malware targeted App Store developers by installing a backdoor on their computers to steal their private codesign keys.

Screen Shot 2015-03-10 at 2.09.50 PM

So how do you test for a backdoor you’ve never seen before? By verifying that the security mechanisms it disables are working correctly. Based on the document, the malware apparently infects Apple’s securityd daemon to prevent it from warning the user prior to exporting developer keys:

“… which rewrites securityd so that no prompt appears when exporting a developer’s private key”

A good litmus test to see if securityd has been compromised in this way is to attempt to export your own developer keys and see if you are prompted for permission.

Following these instructions from Apple, you can export your signing identity.

  1. In the Xcode Preferences window, click Accounts
  2. Click the Action button (to the right of the minus button) in the lower-left corner.
  3. Select Export Accounts from the pop-up menu.

When you export your accounts, securityd should pop up a window asking for permission to allow this action.

Screen Shot 2015-03-10 at 3.15.40 PM

If you don’t see this popup, something’s wrong, and it’s possible that your system may have been compromised to prevent the user from knowing their keys were being exported.

Since we have no samples of the malware allegedly developed for CIA, there’s no way to guarantee that this is a sure-fire way to detect compromise. Based on the slides, however, this warning should be removed on compromised systems, at least under certain circumstances.