
BlockBlock


Me: "please alert me anytime, anything is persistently installed"
BlockBlock: "you got it 😇"
Malware installs itself persistently, to ensure it's automatically re-executed at reboot. BlockBlock continually monitors common persistence locations and displays an alert whenever a persistent component is added to the OS.
compatibility: OS X 10.9+
current version: 0.9.7 (change log)
zip's sha-1: 6b07d713afd43cb008239906b6b033e3f282a697


BlockBlock is currently still a beta product. This version isn't as fully tested as Objective-See's other software, and thus may contain bugs. If you find any issues while using this beta, please send an email to bugs@objective-see.com and I'll try to fix them ASAP!

To install BlockBlock and gain continual protection, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:


Then, simply double click on 'BlockBlock_Installer.app' and press the 'Install' button.


Because BlockBlock utilizes file- & process-monitoring capabilities that require system privileges, during installation the OS will display an authorization prompt. Once authorized, BlockBlock can complete its installation process, ensuring continual protection.

BlockBlock can also be installed (and uninstalled) via the command line, which may be more conducive to automated or managed installations:
  • -install
    install BlockBlock

  • -uninstall
    uninstall BlockBlock
//install
$ sudo BlockBlock.app/Contents/MacOS/BlockBlock -install
BLOCKBLOCK: install ok!

//uninstall
$ sudo BlockBlock.app/Contents/MacOS/BlockBlock -uninstall
BLOCKBLOCK: uninstall ok!

Once installed, BlockBlock will begin running and will be automatically started any time your computer is restarted, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock will display an informative alert:
This alert contains the name and path of the process that installed the persistent component, as well as details about the actual persistent component. Moreover, it shows if the process (that created the persisted item) is signed by Apple, signed by a 3rd-party, or is unsigned:

  • signed by Apple proper (i.e. core OS X/macOS binary)
  • signed via a developer ID, or ad-hoc
  • not signed ("code object is not signed at all")
Note, malware can (ab)use Apple utilities (such as cp) to persist items - so always check what item was persisted, or look at the process ancestry!
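To show how the three signing categories above can be derived, here is an added Python example (not BlockBlock's own code). It parses constructed samples of 'codesign -dv --verbose=4' output, splits the second bucket into developer ID and ad-hoc, and applies the cp caveat by flagging an Apple-signed process that persists a non-Apple item; the sample executables and team ID are made up.

```python
import re

# Constructed samples of `codesign -dv --verbose=4` output (it is written to stderr),
# one per category the alert distinguishes; not captured from real binaries.
APPLE_PROPER = """Executable=/bin/cp
Identifier=com.apple.cp
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""
DEVELOPER_ID = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
AD_HOC = """Executable=/Users/Shared/.updater
Identifier=updater
Signature=adhoc
"""
UNSIGNED = "/Users/Shared/.dropper: code object is not signed at all\n"

def classify_signer(codesign_output):
    """Map codesign output to the buckets BlockBlock's alert shows."""
    if "code object is not signed at all" in codesign_output:
        return "unsigned"
    authorities = re.findall(r"^Authority=(.*)$", codesign_output, re.M)
    # Apple's own binaries chain through the "Software Signing" certificate.
    if "Software Signing" in authorities and "Apple Root CA" in authorities:
        return "apple"
    if any(a.startswith("Developer ID Application") for a in authorities):
        return "developer-id"
    if re.search(r"^Signature=adhoc$", codesign_output, re.M):
        return "ad-hoc"
    return "unknown"

def triage(process_output, item_output):
    """Combine the signer of the installing process with that of the persisted
    item: an Apple-signed process (e.g. cp) dropping a non-Apple item is the
    case the note above warns about, so it is flagged for ancestry review."""
    proc, item = classify_signer(process_output), classify_signer(item_output)
    if proc == "apple" and item != "apple":
        verdict = "review: Apple utility persisted a non-Apple item; check process ancestry"
    elif "unsigned" in (proc, item) or "ad-hoc" in (proc, item):
        verdict = "review: unsigned or ad-hoc code involved"
    else:
        verdict = "signed process and item; still verify what was persisted"
    return {"process": proc, "item": item, "verdict": verdict}
```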

BlockBlock has the ability to query VirusTotal to see if either the process or the startup item that was persisted is known malware. Clicking on the 'virus total' button will generate a network request, which contains the path, name, and hash of both the process and the startup item. Once the query is complete, the popover will display the name of the items, along with their detection ratios and links to the full reports on VirusTotal.com. If either item is flagged by any of the anti-virus engines on VirusTotal, the detection ratio will be highlighted in red:


To view the ancestry of the process that installed the persistent component, simply click the 'ancestry' button on the right-hand side of the alert popup:


If the process or persisted component is untrusted, simply click the 'Block' button to remove, or block, the installed component. Of course, if the process and component are legitimate (e.g. trusted OS or 3rd-party software), clicking 'Allow' will instruct BlockBlock to take no action. Click the 'remember' button to tell BlockBlock to automatically re-perform the same action (block or allow) for the same event. Allowed actions will be whitelisted, and persistently remembered. They are saved in the /Library/Objective-See/BlockBlock/whitelist.plist file. Blocked actions will, by design, only be remembered until a reboot.

Although BlockBlock runs continually in the background, it has been designed with efficiency in mind. As such, it has minimal impact on the system.


To control BlockBlock, click its status bar icon (found at the top of your screen). This will bring up a menu with options to disable/enable BlockBlock, uninstall it completely, configure preferences, or provide more information (and manually check for updates).


There are several preferences that can control BlockBlock. These can be accessed by clicking on 'Preferences' via BlockBlock's dropdown status bar menu:


The following describes BlockBlock's preferences:
  • 'enable logging'
    When selected, this option will inform BlockBlock to log various events, such as alerts and user actions. The log file is located at: ~/Library/Application Support/com.objectiveSee.BlockBlock/BlockBlock.log

  • 'run in passive mode'
    When selected, this option will configure BlockBlock to run silently. In other words, no alerts will be shown to the user, and all persistence events will be allowed (though logged to BlockBlock.log).

  • 'run in headless mode'
    When selected, this option will remove BlockBlock's icon & menu from the status bar. To restore it, run BlockBlock from the terminal with the -unhide flag:
    $ /Library/Objective-See/BlockBlock/BlockBlock.app/Contents/MacOS/BlockBlock -unhide

  • 'disable update check'
    When selected, this option will tell BlockBlock to never automatically check for new versions. Updates can still be performed manually, by clicking on the 'About Blockblock' option in BlockBlock's dropdown menu, then clicking on the 'update check' button.

Technical Details
Though BlockBlock is conceptually simple, it is a rather complex piece of software. BlockBlock is made up of three main components: a kernel extension, a user-mode daemon running as root, and a user-mode agent running as the logged-in user (there can be multiple such agents if BlockBlock is installed for several users on the same system). The kernel extension tracks process creations, which are consumed by the daemon, which also monitors various persistence locations to detect any new items. Specifically, the daemon (currently) watches for new kexts, launch daemons & agents, and new login items via the fsevents device (/dev/fsevents). Any time a new item is created, the daemon will broadcast a message from the root session to the final component of BlockBlock: the agent that is running within the context of the relevant user's session. The agent will then display an informative UI alert to the user, and convey the user's wishes (e.g. block or allow) back to the daemon.

If the user clicks 'Block', the daemon will attempt to remove, or block, the detected persistent component. The logic for this depends on the type of persistent component that was detected. For kernel extensions it will delete the kext bundle, for launch items (daemons & agents) it will delete the item's binary and plist, while for login items it will delete the binary and remove it from the login item database. BlockBlock will also attempt to kill the persistent process component if it has already been started.
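As an added illustration of the detection and 'Block' handling described above for launch items (example code, not BlockBlock's own): it polls a watched directory instead of reading /dev/fsevents, parses a constructed sample launchd plist to find the binary launchd would run, and produces the unload/remove/kill plan for that item.

```python
import os
import plistlib
import tempfile

# Constructed sample launchd plist standing in for a new file in e.g. /Library/LaunchDaemons.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

def describe_launch_item(plist_bytes):
    """Return what a launchd plist would execute and whether launchd auto-starts it."""
    d = plistlib.loads(plist_bytes)
    # launchd accepts either Program or ProgramArguments (argv[0] is the binary).
    program = d.get("Program") or (d.get("ProgramArguments") or [None])[0]
    return {"label": d.get("Label"), "program": program,
            "run_at_load": bool(d.get("RunAtLoad", False)),
            "keep_alive": bool(d.get("KeepAlive", False))}

def snapshot(watch_dirs):
    """Current set of .plist paths in the watched launch directories."""
    found = set()
    for d in (w for w in watch_dirs if os.path.isdir(w)):
        found.update(os.path.join(d, f) for f in os.listdir(d) if f.endswith(".plist"))
    return found

def new_launch_items(before, watch_dirs):
    """Polling stand-in for the fsevents watch: plists present now but not before."""
    return sorted(snapshot(watch_dirs) - before)

def block_plan(plist_path):
    """Mirror the described 'Block' handling of a launch item: unload the job, then
    remove both the plist and the binary it points at, killing it if running."""
    with open(plist_path, "rb") as f:
        info = describe_launch_item(f.read())
    return {"unload": ["launchctl", "unload", plist_path],
            "remove": [plist_path, info["program"]],
            "kill": ["killall", os.path.basename(info["program"])]}

def demo():
    """Stand-alone run: a plist 'appears' in a temporary watch directory."""
    watch = tempfile.mkdtemp()
    before = snapshot([watch])
    with open(os.path.join(watch, "com.example.updater.plist"), "wb") as f:
        f.write(SAMPLE_PLIST)
    return [(p, block_plan(p)) for p in new_launch_items(before, [watch])]
```

The plan is only computed, not executed; a real blocker would run the unload step as root for items under /Library/LaunchDaemons.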

Although BlockBlock can be completely removed and uninstalled by clicking 'Uninstall' from the drop-down menu in the status bar, or via the command line (with the -uninstall flag), it can be manually uninstalled as well.
//uninstall kext
$ sudo kextunload -b com.objectiveSee.kext.BlockBlock
$ sudo rm -rf /Library/Extensions/BlockBlock.kext

//uninstall launch daemon
$ sudo launchctl unload /Library/LaunchDaemons/com.objectiveSee.blockblock.plist
$ sudo rm -rf /Library/LaunchDaemons/com.objectiveSee.blockblock.plist

//uninstall launch agent
$ launchctl unload ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist
$ rm -rf ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist

//remove application's support directory (log file, etc); the space in the path must be escaped
$ rm -rf ~/Library/Application\ Support/com.objectiveSee.BlockBlock

//remove the install directory (binary, whitelist.plist, etc) & make sure all running tasks are killed
$ sudo rm -rf /Library/Objective-See/BlockBlock
$ sudo killall BlockBlock

Errors
BlockBlock may 'error out' in various situations. For example, if the OS is unsupported (pre-Mavericks) or the installer does not receive the required permissions, an error will be shown:


Due to BlockBlock's various components (launch daemon, agent, & kext), installation and uninstallation are somewhat complex. If either fails, check the system log (via the Console.app) for details. If an uninstall fails, BlockBlock can be fully manually uninstalled (as described above).

Other errors may be displayed at run-time. For example, if BlockBlock detects a new persistent item, but cannot block it (when the user clicks 'Block'), an error popup box will be displayed.

Finally, if BlockBlock encounters an unrecoverable error it should not crash, but rather display an error popup, then exit. This error page describes how such bugs may be reported so that I can try to fix the issue :)

Components/Capabilities/Footprints
The following table briefly summarizes BlockBlock's components, capabilities, and system footprint:

Executable Component: BlockBlock_Installer.app
Capability: Installs or uninstalls BlockBlock
System Footprint/Impact:
  Install:
  a) copies BlockBlock to /Library/Objective-See/BlockBlock
  b) copies the kernel component to /Library/Extensions/BlockBlock.kext
  c) creates plist for the launch daemon in /Library/LaunchDaemons/com.objectiveSee.blockblock.plist
  d) creates plist for the launch agent in ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist
  e) starts the kernel component and both the launch daemon and agent

  Uninstall:
  a) stops the kernel component and both the launch daemon and agent
  b) removes the kernel component, /Library/Extensions/BlockBlock.kext
  c) removes the launch daemon's plist, /Library/LaunchDaemons/com.objectiveSee.blockblock.plist
  d) removes the launch agent's plist, ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist
  e) removes the BlockBlock binary, /Library/Objective-See/BlockBlock

Executable Component: BlockBlock.kext (located in /Library/Extensions)
Capability: Monitors the creation of new processes, in order to correlate them to persistence events
System Footprint/Impact: None

Executable Component: BlockBlock.app (located in /Library/Objective-See/BlockBlock)
Capability: Monitors for persistent file events and notifies the user
System Footprint/Impact:
  Creates /Library/Objective-See/BlockBlock/whitelist.plist if the user whitelists any 'allowed' actions.
  If logging is enabled, creates ~/Library/Application Support/com.objectiveSee.BlockBlock

In terms of networking code, each time BlockBlock starts, it queries https://objective-see.com/products.json to see if there is a new version of the tool. This can be disabled via the 'disable update check' option in BlockBlock's preferences pane. Other than this simple version check and the user-initiated VirusTotal queries described above, it contains no other networking capabilities.

FAQs
Q: Why does the BlockBlock Installer need my password?
A: To monitor the file system for persistence events, as well as to track the creation of new processes, BlockBlock needs to interface with core OS components (the kernel, and 'fs events'). This requires elevated privileges. Also, if the user clicks 'block' when a persistence event is detected, BlockBlock will terminate the process and remove the persistent item. Again, this action (may) require elevated privileges.

Q: BlockBlock alerted me that something was trying to persist, should I be worried?
A: By design BlockBlock doesn't try to determine if something is malware or not; it simply alerts anytime anything tries to persist. So more often than not, the alert is simply due to some legitimate software performing an install. However, it's still wise to examine the item that is persisting. Perhaps google the name and hash of the file, run strings on it, or if you are really concerned about a specific item, email me at patrick@objective-see.com and attach the file :)

Q: Why does BlockBlock access the network?
A: When BlockBlock is started, it connects to Objective-See.com to check if there is a new version of the product. Specifically, it reads the file products.json, which contains the latest version number of BlockBlock. No user or product information is collected nor transmitted. Other than this version check, the only other networking code found in BlockBlock relates to VirusTotal (anti-virus) queries. As described above, when a user clicks the 'virus total' button in the alert window, this will generate a request which contains the file's path, name, and hash. Note that the automated version checking can be disabled via the 'disable update check' option in BlockBlock's preferences.
  • © 2017 objective-see llc