top | item 37058012

(no title)

I was trying to figure out how long I had possibly been running the infected code. I was certainly in a state today where binaries were running with revoked signatures. What I couldn’t tell is if this state was only for a few minutes or hours, or if it was days or weeks.

If Apple only revoked the dev certificate (and possibly XProtect) today, that would make sense. But if it was revoked a ways back, then it would be concerning that it would require a reboot (with no prompting) for a regular user to fully kill the running background processes.

Actually, thinking about this further, if Apple had revoked the certificates before today, others would probably have noticed it and investigated given the “Move to trash” dialog and the strong assertion of “this is malware” in it.

discuss

No comments yet.