Booter Boss Busted By Bacon Pizza Buy

A Pennsylvania man who operated one of the Internet’s longest-running online attack-for-hire or “booter” services was sentenced to five years’ probation today. While the young man’s punishment was heavily tempered by his current poor health, the defendant’s dietary choices may have contributed to both his capture and the lenient sentencing: Investigators say the onetime booter boss’s identity became clear after he ordered a bacon and chicken pizza delivered to his home using the same email address he originally used to register his criminal attack service.

David Bukoski, 24, of Hanover Township, Pa., pleaded guilty to running Quantum Stresser, an attack-for-hire business — also known as a “booter” or “stresser” service — that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.

The landing page for the Quantum Stresser attack-for-hire service.

Investigators say Bukoski’s booter service was among the longest running services targeted by the FBI, operating since at least 2012. The government says Quantum Stresser had more than 80,000 customer subscriptions, and that during 2018 the service was used to conduct approximately 50,000 actual or attempted attacks targeting people and networks worldwide.

The Quantum Stresser Web site — quantumstress[.]net — was among 15 booter services that were seized by U.S. and international authorities in December 2018 as part of a coordinated takedown targeting attack-for-hire services.

Federal prosecutors in Alaska said search warrants served on the email accounts Bukoski used in conjunction with Quantum Stresser revealed that he was banned from several companies he used to advertise and accept payments for the booter service.

The government’s sentencing memorandum says Bukoski’s replies demanding to know the reasons for the suspensions were instrumental in discovering his real name. FBI agents were able to zero in on Bukoski’s real-life location after a review of his email account showed a receipt from May 2018 in which he’d gone online and ordered a handmade pan pizza to be delivered to his home address.

When an online pizza delivery order brings FBI agents to raid your home.

While getting busted on account of ordering a pizza online might sound like a bone-headed or rookie mistake for a cybercriminal, it is hardly unprecedented. In 2012 KrebsOnSecurity wrote about the plight of Yuriy “Jtk” Konovalenko, a then 30-year-old Ukrainian man who was rounded up as part of an international crackdown on an organized crime gang that used the ZeuS malware to steal tens of millions of dollars from companies and consumers. In that case, Konovalenko ultimately unmasked himself because he used his Internet connection to order the delivery of a “Veggie Roma” pizza to his apartment in the United Kingdom.

Interestingly, the feds say their examination of Bukoski’s Internet browsing records showed he knew full well that running a booter service was punishable under federal law (despite disclaimers published on Quantum Stresser stating that the site’s owners weren’t responsible for how clients used the service).

“The defendant’s web browsing history was significant to investigators for a number of reasons, including the fact that it shows that the defendant browsed an article written by a prominent security researcher referencing both the defendant’s enterprise along with a competing service, including a link provided by the researcher in the article to an advisory posted by the FBI warning that the operation of booter services was potentially punishable under federal law,” reads the sentencing memo from Assistant U.S. Attorney Adam Alexander.

That’s interesting because the article in question was actually a 2017 KrebsOnSecurity story about a mobile app tied to a competing booter service that happened to share some of the same content as Quantum Stresser.

That 2017 story referenced an FBI advisory that had just been issued warning the use of booter services is punishable under the Computer Fraud and Abuse Act, and may result in arrest and criminal prosecution.

Bukoski was sentenced to five years of probation and six months of “community confinement.” The government suggested a lenient sentence considering the defendant’s ongoing health complications, which include liver failure.

HPE acquires cloud native security startup Scytale

HPE announced today that it has acquired Scytale, a cloud native security startup that is built on the open-source Secure Production Identity Framework for Everyone (SPIFFE) protocol. The companies did not share the acquisition price.

Specifically, Scytale looks at application-to-application identity and access management, something that is increasingly important as more transactions take place between applications without any human intervention. It’s imperative that the application knows it’s OK to share information with the other application.

This is an area that HPE wants to expand into, Dave Husak, HPE fellow and GM of cloudless initiative wrote in a blog post announcing the acquisition. “As HPE progresses into this next chapter, delivering on our differentiated, edge to cloud platform as-a-service strategy, security will continue to play a fundamental role. We recognize that every organization that operates in a hybrid, multi-cloud environment requires 100% secure, zero trust systems, that can dynamically identify and authenticate data and applications in real-time,” Husak wrote.

He also was careful to stress that HPE would continue to be good stewards of the SPIFFE and SPIRE (the SPIFFE Runtime Environment) projects, both of which are under the auspices of the Cloud Native Computing Foundation.

Scytale co-founder Sunil James, writing in a blog post about the deal, indicated that it was important to the founders that HPE respect the startup’s open-source roots. “Scytale’s DNA is security, distributed systems, and open-source. Under HPE, Scytale will continue to help steward SPIFFE. Our ever-growing and vocal community will lead us. We’ll toil to maintain this transparent and vendor-neutral project, which will be fundamental in HPE’s plans to deliver a dynamic, open, and secure edge-to-cloud platform,” he wrote.

Scytale was founded in 2017 and had raised $8 million, according to PitchBook data. The bulk of that was in a $5 million Series A last March led by Bessemer. The deal closed today.

Nomagic, a startup out of Poland, picks up $8.6M for its pick-and-place warehouse robots

Factories and warehouses have been two of the biggest markets for robots in the last several years, with machines taking on mundane, if limited, processes to speed up work and free up humans to do other, more complex tasks. Now, a startup out of Poland that is widening the scope of what those robots can do is announcing funding, a sign not just of how robotic technology has been evolving, but of the growing demand for more automation, specifically in the world of logistics and fulfilment.

Nomagic, which has developed a way for a robotic arm to identify an item from an unordered selection, pick it up and then pack it into a box, is today announcing that it has raised $8.6 million in funding, one of the largest-ever seed rounds for a Polish startup. Co-led by Khosla Ventures and Hoxton Ventures, the round also included participation from DN Capital, Capnamic Ventures and Manta Ray, all previous backers of Nomagic.

There are a number of robotic arms on the market today that can be programmed to pick up and deposit items from Point A to Point B. But we are only starting to see a new wave of companies focus on bringing these to fulfilment environments because of the limitations of those arms: they can only work when the items are already “ordered” in a predictable way, such as on an assembly line, which has meant that fulfilment of, for example, online orders is usually carried out by humans.

Nomagic has incorporated a new degree of computer vision, machine learning and other AI-based technologies to elevate the capabilities of those robotic arms. Robots powered by its tech can successfully select items from an “unstructured” group of objects — that is, not an assembly line, but potentially another box — before picking them up and placing them elsewhere.

Kacper Nowicki, the ex-Googler CEO of Nomagic who co-founded the company with Marek Cygan (an academic) and Tristan d’Orgeval (formerly of Climate Corporation), noted that while there has been some work on the problem of unstructured objects and industrial robots — in the US, there are some live implementations taking shape, with one, Covariant, recently exiting stealth mode — it has been mostly a “missing piece” in terms of the innovation that has been done to make logistics and fulfilment more efficient.

That is to say, there has been little in the way of bigger commercial roll outs of the technology, creating an opportunity in what is a huge market: fulfilment services are projected to be a $56 billion market by 2021 (currently the US is the biggest single region, estimated at between $13.5 billion and $15.5 billion).

“If every product were a tablet or phone, you could automate a regular robotic arm to pick and pack,” Nowicki said. “But if you have something else, say something in plastic, or a really huge diversity of products, then that is where the problems come in.”

Nowicki was a longtime Googler who moved from Silicon Valley back to Poland to build the company’s first engineering team in the country. In his years at Google, Nowicki worked in areas including Google Cloud and search, but also saw the AI developments underway at Google’s DeepMind subsidiary, and decided he wanted to tackle a new problem for his next challenge.

His interest underscores what has been something of a fork in artificial intelligence in recent years. While some of the earliest implementations of the principles of AI were indeed on robots, these days a lot of robotic hardware seems clunky and even outmoded, while much more of the focus of AI has shifted to software and “non-physical” systems aimed at replicating and improving upon human thought. Even the word “robot” is now just as likely to be seen in the phrase “robotic process automation”, which in fact has nothing to do with physical robots, but software.

“A lot of AI applications are not that appealing,” Nowicki simply noted (indeed, while Nowicki didn’t spell it out, DeepMind in particular has faced a lot of controversy over its own work in areas like healthcare). “But improvements in existing robotics systems by applying machine learning and computer vision so that they can operate in unstructured environments caught my attention. There has been so little automation actually in physical systems, and I believe it’s a place where we still will see a lot of change.”

Interestingly, while the company is focusing on hardware, it’s not actually building hardware per se, but is working on software that can run on the most popular robotic arms in the market today to make them “smarter”.

“We believe that most of the intellectual property in AI is in the software stack, not the hardware,” said d’Orgeval. “We look at it as a mechatronics problem, but even there, we believe that this is mainly a software problem.”

Having Khosla as a backer is notable given that a very large part of the VC’s prolific investing has been in North America up to now. Nowicki said he had a connection to the firm by way of his time in the Bay Area, where before Google, Vinod Khosla backed a startup of his (which went bust in one of the dot-com downturns).

While there is an opportunity for Nomagic to take its idea global, for now Khosla is interested because of a closer opportunity at home, where Nomagic is already working with third-party logistics and fulfilment providers, as well as retailers like Cdiscount, a French Amazon-style, soup-to-nuts online marketplace.

“The Nomagic team has made significant strides since its founding in 2017,” says Sven Strohband, Managing Director of Khosla Ventures, in a statement. “There’s a massive opportunity within the European market for warehouse robotics and automation, and NoMagic is well-positioned to capture some of that market share.”

Monday.com 2.0 workflow platform lets companies build custom apps

Monday.com announced version 2.0 of its flexible workflow platform today, making it easier for customers to build custom apps on top of Monday.

Company co-founder and CEO Roy Mann says his product is a multi-purpose and highly flexible workflow tool, aimed mostly at medium-sized businesses. “It’s process management, portfolio management, project management, CRM management, hotel management, R&D management. It’s anything you want because we give you the building blocks to build whatever you want,” he said.

With the release of 2.0, the company is offering a code-free environment to take these building blocks and build custom applications to meet the needs of any organization or team. This can include workflow elements to set up a process inside Monday or integrate with other apps or services.

In fact, the new release includes over a hundred prebuilt automation recipes and code-free custom-automations along with more than 50 integrations with other apps, allowing project managers to build fairly sophisticated workflows without coding.

This example shows a company building a custom app to manage a hotel. Screenshot: Monday.com

The company is also opening up the Monday platform to developers who want to build applications on top of the platform. Mann says this is just the start, and the plan is to eventually add a marketplace for these apps.

“The first step will be we’re opening [the platform to developers] up in beta. [Initially], it will be for their own use and for their customers, and then we will open it up pretty soon for them to offer those apps [in a marketplace]. That’s obviously the direction,” Mann said.

With $120 million in ARR and 100,000 customers, the company has quietly gone about its business. It has 370 employees, mostly based in Israel, and has raised $273 million, according to Mann. Its most recent investment came last July — $150 million on a lofty $1.9 billion valuation.

Neo4j 4.0 graph database platform brings unlimited scaling

Neo4j, the premier graph database development platform, announced the release of version 4.0 today, which features unlimited scaling among other updates.

Graph databases are growing increasingly important as they are used to find connections in data, such as if you bought this, you might like this related item on an e-commerce site; or if you have these friends, you might also know these people on a social site. It’s growing popular in business, and especially among data scientists, who find it useful to find relationships in large collections of data.

Neo4j founder and CEO Emil Eifrem says the company developed the graph database concept, and it has been growing and developing well. “2019 was a really good year for us, generally speaking, but I think more importantly in the graph space. We’ve chosen the category creation and go-to-market strategy when we put the word graph and database together, and we wanted to evangelize that as a concept,” he explained.

As for the new version, Eifrem says it’s a broad new release, but there are a few things he wanted to focus on. For starters is the ability to limitlessly scale. He says this is possible because of new sophisticated horizontal scaling in version 4.0. For previous versions, the company replicated data across the database, a common method for processing data, but it can slow down as the amount of data scales. They wanted to change this in the new version.

“What we’re adding now in 4.0 is partitioning. So this is what’s called ‘sharding’ in the database world. It’s this really ultra powerful feature that allows you to scale both reads and writes and size. Basically, you’re only limited by your budget, how many machines you can add,” he explained.

Another piece in the new release is the addition of role-based access. As graph databases spread from the department or team level across the organization, it becomes increasingly important to restrict certain data to only those who have access based on their role and privileges.

“Today, graph databases in Neo4j are being widely deployed across the enterprise, and now all of a sudden there’s multiple teams across the entire enterprise that wants to access the data. And then you get into security and privacy concerns,” he said. That’s where role based access can protect the data.

The new version has many other features including the ability to run multiple databases on a single Neo4j cluster and support for “Reactive” systems, which gives these kinds of developers “full control over how their applications interact with the database, including robust data pipelines, streaming data, machine learning and more,” according to the company.

Neo4j has been around since 2007 and has raised over $160 million, according to Crunchbase.

Emerge raises $20M to take its digital freight marketplace for truckers up a gear

Trucking is currently the most popular mode of transporting freight in the U.S., accounting for around $12.5 billion of the $17 billion freight market, according to the Bureau of Transportation Statistics. But with thousands of small and single-vehicle operators and legacy (often paper-based) systems underpinning communications, it’s also one of the most inefficient.

Now there are signs that this is changing. A startup out of Phoenix, Ariz. called Emerge, which has built a platform for shippers and brokers to find and allocate truck freight more effectively across the long tail of available truck-based carriers (a little like a Flexport but for trucks), is announcing a round of $20 million, funding it will use to continue building out its technology, as well as to keep expanding business.

The Series A — led by NewRoad Capital Partners, with previous investors Greycroft and 9Yards Capital also participating — comes on the heels of some already strong traction for Emerge. Since being founded in 2018 by brothers Andrew and Michael Leto, the company has processed more than $1 billion in freight with 1,500% year-over-year growth between 2018 and 2019. Emerge has now raised just over $40 million and we understand that its valuation is currently at more than $100 million. 

Some of its traction so far is down to the founders. Both are vets of the trucking industry whose previous company, a multimodal shipment visibility/supply chain solutions platform called 10-4, sold to Trimble in a $400 million deal. And some of that is down to the gap in the market that Emerge is filling.

“Gap” is actually the operative word here. How shipments are booked on trucks today is quite inefficient, with orders often leaving empty spaces on truck beds that could be filled with goods going in the same direction; and in about 20% of all journeys carrying no load at all.

Part of the reason for this is the antiquated way that shippers book space on trucks, and part of the reason is because there is just simply too much fragmentation in the system, with 80% of all shipments today contract-based and the remaining 20% operating as a “spot market” and booked on the fly, and neither of them particularly efficient when it comes to truck occupancy. (Most of the latter spot market is booked through spreadsheets and email, Michael Leto, the CEO, said in an interview.)

Emerge’s solution is something of a stick-and-carrot approach that reminds me a little also of how advertising exchanges work.

A shipper that wants to use the Emerge platform essentially activates/lists its entire inventory of truck providers on the platform to get started. That list and inventory, in turn, become part of a bigger database of other providers: and again, this is a long-tail approach, with typically the trucking companies on the platform having no more than 200 trucks (and often fewer) in their fleets.

Then, when a shipper goes to Emerge to book a shipment, options are provided that might include previous truckers, but might also include others. The idea is that this provides a more efficient picture, and that in turn gets passed on as cost savings to the customers, who can typically reduce shipping costs by as much as 20% using the platform.

If the cost savings and expanded choice are the carrots, the stick comes in the form of the requirement to upload truck data and share it with other shippers: you can’t use the system without doing it.

“But it’s a network effect,” Leto explained when I asked if Emerge ever saw resistance to the model. “We allow these companies to share capacity to drive efficiencies, and to drive and lower costs with less deadhead miles. There are a lot of benefits to capacity sharing.” It doesn’t seem to have deterred too many in any case. There are currently some 30,000 carrier profiles on the platform, and 12,000 transportation entities — including carriers, brokers or other shippers — transacted in Q4 alone, speaking to activity on the platform being strong. 

Emerge is not the only company that has identified the opportunity in providing a better and more updated platform to communicate and book space in the fragmented truck market. Sennder out of Berlin — which last year raised a sizeable round of funding — has also built a platform to centralise communications around booking shipments. It, however, seems to have less of an emphasis on encouraging shippers to take the lead in expanding that network effect that Leto describes.

Others that are tackling the wider shipping and logistics market and trying to improve how it runs include Sendy out of Kenya, which recently also announced a $20 million raise; Flexport, which now has a $3.2 billion valuation; Zencargo, which has also raised $20 million; and FreightHub ($30 million), Bringg ($25 million) and NEXT ($97 million).

But within that, Emerge’s performance so far, coupled with the Leto brothers’ history as founders, is giving the startup some extra mileage as we enter the next phase of what trucking might hold, which could include a critical mass of autonomous and electric vehicles on pre-defined routes.

“Uniquely, Emerge combines an exciting new technology designed to serve existing, unmet market need with experienced industry operators and entrepreneurs,” said Tracy Black of NewRoad in a statement. “Andrew and Michael are building the most innovative marketplace we’ve seen in the freight and digital marketplace industry — bringing contracts and carriers together to create new capacity. We are excited to be leading their Series A and I am thrilled to join the board to support their growth.”

Koch Industries acquires Infor in deal pegged at nearly $13B

Infor announced today that Koch Industries has bought the company in a deal sources peg at close to $13 billion.

Infor, which makes large-scale cloud ERP software, has been around since 2002 and counts Koch as both a customer and an investor, so the deal makes sense on that level. Koch was lead investor last year in a $1.5 billion investment, wherein the company indicated that it was a step before going public.

It’s not clear if that is still the goal, as sources suggested that staying private might provide the company with more capital flexibility in the future. Daniel Newman, founder and principal analyst at Futurum Research, says staying private longer could benefit Infor in the long run.

“There have been thoughts of an IPO, but remaining private should give the company flexibility without the quarterly pressure to refine its strategy, make necessary investments in the platform and achieve the growth rates that would make the company more of an exciting IPO,” he said.

Under the terms of the deal, Koch will be buying out the remaining equity stake held by Golden Gate Capital, a secondary investor in last year’s investment. The company’s management team will remain in place and Infor will act as a standalone subsidiary of Koch.

Company CEO Kevin Samuelson, as you would expect, saw the deal as a positive move that allowed the company to operate with a well capitalized parent behind it. “As a subsidiary of a $110 billion+ revenue company that re-invests 90% of earnings back into its businesses, we will be in the unique position to drive digital transformation in the markets we serve,” he said in a statement.

Jim Hannan, executive vice president and CEO of enterprises for Koch Industries, saw it similarly, with Koch’s deep pockets helping to propel Infor in the future. “As a global organization spanning multiple industries across 60 countries, Koch has the resources, knowledge and relationships to help Infor continue to expand its transformative capabilities,” he said in a statement.

Holger Mueller, an analyst at Constellation Research, says it’s a strange deal on its face, but if Koch leaves Infor alone, it might work out. “When you think you have seen it all, something new comes along: A regular enterprise buys a top-five ERP vendor. Now [we’ll have to see] if Koch can ensure Infor keeps building market leading software, using Koch as showcase, or becomes the Koch software affiliate.

“The latter would be an unfortunate outcome. On the positive side, enterprise software built from real user validation, that can also serve as a reference, can be very powerful,” Mueller told TechCrunch. He said it could work out great, but also has the potential to go very wrong, depending on how Koch manages a software asset.

Infor is a huge company. As we reported last year at the time of its investment:

Infor may be the largest company you never heard of, with more than 17,000 employees and 68,000 customers in more than 100 countries worldwide. All of those customers generated $3 billion in revenue in 2018. That’s a significant presence.

Chargebee offers free subscription billing to Extra Crunch members for up to $100K in revenue

Extra Crunch is excited to announce a new community perk from automated subscription billing startup Chargebee. Starting today, annual and two-year members of Extra Crunch can receive free subscription invoicing until $100,000 in revenue is reached. You must be new to Chargebee to claim this offer.

Chargebee helps you succeed with subscription billing. Chargebee replaces in-house billing systems and spreadsheets by giving teams the ability to set up subscription plans and trials, run pricing experiments at scale, analyze accurate subscription analytics and much more, out of the box. 

Chargebee integrates with payment gateways like Stripe, Braintree and PayPal and business applications such as Xero, QuickBooks and Salesforce. You can learn more about the benefits of Chargebee here.  

You can sign up for Extra Crunch and claim this deal here.

Extra Crunch is a membership program from TechCrunch that features how-tos and interviews on company building, intelligence on the most disruptive opportunities for startups, an experience on TechCrunch.com that’s free of banner ads, discounts on TechCrunch events, and several community perks like the one mentioned in this article. Our goal is to democratize information for startups, and we’d love to have you join our community.

Sign up for Extra Crunch here.

New annual and two-year Extra Crunch members will receive details on how to claim the perk in the welcome email. The welcome email is sent after signing up for Extra Crunch. If you are already an annual or two-year Extra Crunch member, you will receive an email with the offer at some point over the next 24 hours. If you are currently a monthly Extra Crunch subscriber and want to upgrade to annual in order to claim this deal, head over to the “account” section on TechCrunch.com and click the “upgrade” button.  

This is one of several community perks we’ve launched for annual Extra Crunch members. Other community perks include a 20% discount on TechCrunch events, 100,000 Brex rewards points upon credit card sign up and an opportunity to claim $1,000 in AWS credits. For a full list of perks from partners, head here.

If there are other community perks you want to see us add, please let us know by emailing travis@techcrunch.com.

Sign up for an annual Extra Crunch membership today to claim this community perk. You can purchase an annual Extra Crunch membership here.

Disclosure:

This offer is provided as a partnership between TechCrunch and Chargebee, but it is not an endorsement from the TechCrunch editorial team. TechCrunch’s business operations remain separate to ensure editorial integrity.  

Does Asana’s planned direct listing reveal the company’s true value?

Hello and welcome back to our regular morning look at private companies, public markets and the gray space in between.

Asana, a well-known workplace productivity company, announced yesterday it has filed privately to go public. The San Francisco-based company is well-funded, having raised more than $200 million; well-known, due in part to its tech-famous founding duo; and valuable, having last raised at a $1.5 billion valuation.

Each of those factors — plus the fact that Asana is going public — makes the company worth exploring, but its plans to offer a direct listing instead of a traditional initial public offering make it irresistible.

Today, we’ll rewind through Asana’s fundraising and valuation history. Then, we’ll mix in what we know about its financial performance, growth rates and capital efficiency to see how much we can tell about the company as we count down to its public S-1 filing. The Asana flotation is going to be big news, so let’s get all our facts and figures straightened out.

Valuations and revenue

macOS Security Updates Part 3 | Apple’s Whitelists, Blacklists and Yara Rules

In the previous two posts, we looked at how to keep yourself informed when Apple make silent updates to macOS’s built-in security tools and how to run diffs on the MRT.app to get an understanding of what’s new. In this final post on macOS security updates, we’ll take a look at how Apple use whitelisting, blacklisting and Yara rules in XProtect and Gatekeeper and how to see what’s new.

Blacklists in XProtect

The XProtect bundle is located at

/Library/Apple/System/Library/CoreServices/XProtect.bundle

on 10.15 and above. For earlier versions, it’s the same path but without the /Library/Apple at the beginning.

Within the bundle, the items we are interested in are in the Resources folder. Be sure to use a local copy either by downloading from Apple’s sucatalog as described in Part 1, or copying the XProtect bundle inside CoreServices to a working directory in your home folder.

image of files in xprotect

Let’s begin with the XProtect.meta.plist. This file appears to have two functions. The first is to block legitimate plug-ins such as Flash Player that fall below a specified minimum version. These older versions have generally been found to contain known security flaws that could potentially undermine the security of the OS. Whether an update is available or not is also recorded for each entry.

image of plug-in blacklist

The second function of XProtect.meta.plist is to blacklist known malicious extensions. This is done by specifying both the extension’s bundle identifier and the developer ID.

image of extensions blacklist

As the images above show, this file is not obfuscated in any way, and a simple diff will show us the difference from one version to another. This file has burgeoned from a mere 6.5K a year ago to 23K today, with 129 developer IDs added to the blacklist since Dec 2018. However, in general, changes are infrequent, and since Safari extensions are now bundled as part of an Application, we suspect that the function of this file may entirely or partially have been superseded by the gk.db file that began to appear in the Resources folder with macOS 10.15 Catalina. Let’s take a look at that next.

If we dump this database, we can see that it consists of a bunch of entries for blocking certain Apple developer “Team IDs”.

image of gk.db dump

Currently, there are 133 entries, which we can count from a dump of the database:

$ sqlite3 gk.db .dump | grep blocked_teams | wc -l

Note that the grep also matches the CREATE TABLE line in the dump, so the line count is one higher than the number of INSERT rows. This is actually about nine entries fewer than earlier versions, but note that some of the Team IDs match the developer IDs found in the earlier XProtect.meta.plist.

First, let’s extract all the Developer Ids from the meta.plist and dump to a text file:

$ grep -A1 'Developer Identifier' XProtect.meta.plist | grep string | sed 's/<[^>]*>//g; s/^[[:space:]]*//' | sort -u > metaIDs

Now let’s do the same thing with the gk database:

$ sqlite3 gk.db .dump | grep -i values | cut -d"'" -f2 | sort -u > gkIds

Inspection of these files shows that many of the same Team IDs exist in both, but there are also additional entries and omissions in each, too, making it difficult to determine exactly how these two files interrelate. One theory is that the entries in gk.db represent Developer IDs that have failed malware scans after attempting Notarization, but at the moment that remains unconfirmed. The gk.db is a much blunter tool than the meta.plist as it appears to blacklist all products signed by Team ID alone, whereas the meta.plist appears to be specifically focused on products that match both the Team ID and bundle identifier for each entry.
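The same comparison can be done without the grep/sed/cut pipeline, which makes it easier to keep the bundle identifier next to each developer ID and to avoid miscounting on stray quotes. The script below is an added example, not code from the original post or from Apple. It assumes the ExtensionBlacklist layout described above (an array of dicts carrying “CFBundleIdentifier” and “Developer Identifier”), but like the grep it keys on the “Developer Identifier” string wherever it appears, so it does not depend on the exact nesting. The gk.db schema is not documented on the page, so the blocked_teams table here is a constructed stand-in with the Team ID in its first column; the identifiers in both samples are made up.

```python
import plistlib
import sqlite3

# Constructed stand-in for XProtect.meta.plist. The layout follows what the
# text describes; the bundle and developer identifiers are made up.
SAMPLE_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ExtensionBlacklist</key>
    <dict>
        <key>Extensions</key>
        <array>
            <dict>
                <key>CFBundleIdentifier</key>
                <string>com.example.searchbar</string>
                <key>Developer Identifier</key>
                <string>AAAA000001</string>
            </dict>
            <dict>
                <key>CFBundleIdentifier</key>
                <string>com.example.coupons</string>
                <key>Developer Identifier</key>
                <string>BBBB000002</string>
            </dict>
            <dict>
                <key>CFBundleIdentifier</key>
                <string>com.example.coupons-helper</string>
                <key>Developer Identifier</key>
                <string>BBBB000002</string>
            </dict>
        </array>
    </dict>
</dict>
</plist>
"""

# Constructed stand-in for gk.db's blocked_teams rows (assumed schema:
# Team ID in the first column). Inspect the real file with `.schema` first.
SAMPLE_GK_ROWS = [("BBBB000002",), ("CCCC000003",)]


def walk(node):
    """Yield every dict nested anywhere inside a parsed plist."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)


def meta_blacklist(plist_bytes):
    """Return the set of (bundle_id, developer_id) pairs in an XProtect.meta.plist.
    Keyed on the 'Developer Identifier' string, as the grep in the text is."""
    pairs = set()
    for entry in walk(plistlib.loads(plist_bytes)):
        if "Developer Identifier" in entry:
            pairs.add((entry.get("CFBundleIdentifier"), entry["Developer Identifier"]))
    return pairs


def gk_blocked_teams(conn):
    """Return the set of Team IDs in gk.db's blocked_teams table (first column)."""
    return {row[0] for row in conn.execute("SELECT * FROM blocked_teams")}


def compare(meta_pairs, gk_teams):
    """Split the two ID sets into shared, meta.plist-only and gk.db-only."""
    meta_teams = {team for _, team in meta_pairs}
    return {
        "both": meta_teams & gk_teams,
        "meta_only": meta_teams - gk_teams,
        "gk_only": gk_teams - meta_teams,
    }


def build_sample_db():
    """In-memory substitute for sqlite3.connect('gk.db') using the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blocked_teams (team_id TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO blocked_teams VALUES (?)", SAMPLE_GK_ROWS)
    return conn


def demo():
    result = compare(meta_blacklist(SAMPLE_META_PLIST), gk_blocked_teams(build_sample_db()))
    for label, teams in result.items():
        print(f"{label:10s} {sorted(teams)}")
    return result


if __name__ == "__main__":
    demo()
```

To run it against a real bundle, replace the sample data with `plistlib.loads(open(path, 'rb').read())` on a local copy of XProtect.meta.plist and `sqlite3.connect(path)` on a local copy of gk.db; keep working on copies in your home folder rather than the live files in CoreServices.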

Discerning Changes to XProtect’s YARA Rules

The other two files in the XProtect bundle function as detection rules or signatures for the built-in macOS “AV” engine. Both are lightly obfuscated but easily reversed. Of the two, the more important is the XProtect.yara file, an ASCII document containing a list of YARA rules. If you scroll through this document, you’ll see a series of signature definitions like this:

example xprotect yara rules

If you’re not familiar with how YARA rules work, start here. The basic idea is easy to understand: each rule specifies some data that may exist in the file to be scanned, usually strings, and some conditions about how the data should be matched. The strings themselves are hex-encoded ASCII or data bytes taken from a sample of the malware that the rule is intended to match.

Reversing individual strings is simple enough: echo the hex on the command line and pipe it through xxd or radare2’s rax2:

$ echo '6C61756E636863746C206C6F6164207E2F4C6962726172792F4C61756E63684167656E7473' | xxd -r -p

which in this case decodes to launchctl load ~/Library/LaunchAgents, a typical persistence command.

I use a short AppleScript in BBEdit’s Scripts folder to convert individual strings of interest:

tell application "BBEdit"
	-- take the hex string currently selected in the front window
	set t to contents of (selection of its front window)
	-- quoted form keeps the shell from interpreting anything odd in the selection
	set x to (do shell script "echo " & quoted form of t & " | xxd -r -p") as text
	-- replace the selection with the decoded ASCII
	set selection to x
end tell

You could adapt that to convert the entire file instead of a selection, or write a BBEdit text filter in Python instead. For the most part, though, we only want to see the changes since the previous version, so we first run a diff on the old and new versions and pipe the added lines into a new document:

$ diff old_XProtect.yara new_XProtect.yara | grep '^>' > changedXProtect.yara

If we count the lines in that file that begin a rule definition (those starting with “rule ”), we get the number of new rules added. Bear in mind that diff also marks modified lines with “>”, so changed strings inside an existing rule will appear in this file without a rule header. We can then check out what each rule detects by using our script or text filter to reverse the hex back into ASCII.

image of new rules added
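The diff-and-decode steps above can be folded into one script that reports both newly added rules and rules whose body changed, with every hex string rendered as text. This is an added example, not code from the original post or from Apple. It assumes the XProtect.yara layout described above (each rule begins at the start of a line with “rule NAME”, and strings are YARA hex strings between braces); the two sample files are constructed, with made-up rule names and bytes, except for the launchctl string decoded on the command line earlier.

```python
import re

# Constructed "old" version of an XProtect.yara-style file (made-up rule).
OLD_YARA = """
rule XProtect_Sample_Dropper
{
    meta:
        description = "Sample.Dropper"
    strings:
        $a = { 2F 62 69 6E 2F 73 68 }
    condition:
        $a
}
"""

# Constructed "new" version: the old rule plus one added rule. $a is the
# launchctl string from the text; $b shows wildcard (??) and jump ([2-4]) tokens.
NEW_YARA = OLD_YARA + """
rule XProtect_Sample_Persist
{
    meta:
        description = "Sample.Persist"
    strings:
        $a = { 6C 61 75 6E 63 68 63 74 6C 20 6C 6F 61 64 20 7E 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 }
        $b = { 63 75 72 6C 20 ?? ?? [2-4] 68 74 74 70 }
    condition:
        $a and $b
}
"""

RULE_HEADER = re.compile(r"^rule\s+(\w+)", re.M)          # "rule NAME" at column 0
HEX_STRING = re.compile(r"(\$\w+)\s*=\s*\{([^}]*)\}")     # $id = { .. hex .. }


def parse_rules(text):
    """Split a YARA file into {rule_name: rule_body}. Assumes XProtect's layout:
    rule headers start a line, nothing inside a body does."""
    heads = list(RULE_HEADER.finditer(text))
    rules = {}
    for i, match in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        rules[match.group(1)] = text[match.start():end].strip()
    return rules


def decode_hex_string(body):
    """Render a YARA hex string as readable text: ?? becomes '?', jumps such as
    [2-4] are kept literally, non-printable bytes become '.'."""
    out = []
    for tok in body.split():
        if tok == "??":
            out.append("?")
        elif tok.startswith("["):
            out.append(tok)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            value = int(tok, 16)
            out.append(chr(value) if 32 <= value < 127 else ".")
        else:
            out.append(tok)  # alternations and anything else pass through untouched
    return "".join(out)


def decode_rule_strings(rule_body):
    """Return {string_id: decoded_text} for every hex string in one rule."""
    return {name: decode_hex_string(hexbody) for name, hexbody in HEX_STRING.findall(rule_body)}


def new_rules(old_text, new_text):
    """Rules present in the new file but not the old one, strings decoded."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    return {name: decode_rule_strings(body) for name, body in new.items() if name not in old}


def changed_rules(old_text, new_text):
    """Rules whose name exists in both files but whose body differs."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    return {name: decode_rule_strings(body)
            for name, body in new.items() if name in old and old[name] != body}


def report(old_text, new_text):
    """Print and return the added and changed rules between two versions."""
    added, changed = new_rules(old_text, new_text), changed_rules(old_text, new_text)
    for label, rules in (("added", added), ("changed", changed)):
        print(f"{len(rules)} rule(s) {label}")
        for name, strings in rules.items():
            print(f"  {name}")
            for sid, text in strings.items():
                print(f"    {sid}: {text}")
    return added, changed


if __name__ == "__main__":
    report(OLD_YARA, NEW_YARA)
```

Against real files, read the old and new XProtect.yara copies with `open(path).read()` and pass them to `report`. Reporting changed rules as well as new ones matters because Apple sometimes broadens an existing rule’s strings rather than adding a rule, and a count of “rule ” lines alone misses that.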

The remaining file is the XProtect.plist file, which appears to contain much of the same information as the .yara file, but in a different format. This file also does simple hash matching on files as well as string pattern matching.

image of xprotect plist

Although it’s worth keeping an eye on, I haven’t seen any changes to this file in more than 12 months, and I strongly suspect that it’s been abandoned by Apple in favor of the YARA file. This file remains unchanged from at least Dec 2018 (XProtect version 2101 is the oldest one I still have on file) to Feb 2020 (XProtect version 2112). A BBEdit text filter for decoding the patterns is available here.

Whitelisting through Gatekeeper

That pretty much covers inspecting changes in XProtect, but the gk.db we looked at above, despite the initials, is not the same thing as the whitelisting databases used by Gatekeeper, which live at the following path:

/private/var/db/

Herein there are two relevant bundles, gke.bundle and gkopaque.bundle.

image of gatekeeper files

The gkopaque.bundle has been around in some form or another since 10.9 Mavericks. Inside its resources folder we’ll find the gkopaque.db. Let’s look at the schema first:

image of gkopaque

We can examine the .tables to see what kind of data it holds.

image of database tables

There are three tables, but conditions only holds two entries related to Google Chrome, and the merged table is empty. In contrast, if we SELECT everything from the whitelist table, we’ll find over 70,000 entries. Each entry is a pair of SHA1 hash blobs, which the table labels “current” and “opaque”. Other researchers have found that this is either partially or entirely a list of legacy apps that Apple have deemed to be “OK”, but which, due to changes in the code signing format, would not pass Gatekeeper on more modern versions of the operating system. If that’s correct, then the whitelisting in gkopaque is probably of little more than historical interest.

The new-to-Catalina gke.bundle contains two files, gke.auth and gk.db, and its function is not entirely clear. Yes, that’s the same file name as the one we investigated earlier inside the XProtect bundle, but the two are not identical, and it’s more likely that this bundle is involved in whitelisting rather than blacklisting. The gk.db here holds only two tables:

image of gke.bundle

The timestamp_exceptions table is a data file, while the settings table is fairly sparse, with a single entry:

image of settings

The gke.auth file turns out to be an XML property list and is straightforward to read.

image of gke.auth file
image of gke auth plist

Each entry includes a SHA1 cdhash, which is likely the same code directory hash used in code signing (the one codesign -dvvv reports as CDHash for a signed binary). The file currently contains over 30,000 lines with some 2,623 individual entries. A cursory attempt to match any of the cdhashes from signed software in the Applications folder on my own machine did not find any matches, but given what we know of the overall structure of the security tools used in macOS, it seems fair to say that this file is used to allow applications that match an entry to pass Gatekeeper without further hindrance. Precisely why these two thousand or so exceptions need to be hardcoded is a mystery we will save for another day. The end of the file contains a UUID and a version number, which makes it easy to diff and check for updates.

image of gke.auth version

Wrapping Up

As we have seen, macOS uses a combination of whitelisting, blacklisting and simple YARA rules to fight malware through XProtect and Gatekeeper. Earlier in this series we looked at the MRT.app, which Apple uses for post-infection clean up. Keeping an eye on changes to these technologies is useful for security researchers, as it ensures that any threat actors Apple have detected become known to the rest of the security community. This is vital, for while Apple make a brave attempt to block and detect malicious threats, the nature of their tools means that they can be, and regularly are, bypassed.

We hope this series has given you some tools and examples to help you investigate those changes for yourself if you’re interested in doing so. And if you enjoyed this series of posts, sign up to any of our social media feeds or the weekly blog newsletter to find out when we post our next macOS content.

