Mac malware running as root is not an uncommon occurrence, Lysa Myers, virus hunter at Mac antivirus vendor Intego, said Thursday via email. "The two most common ways to achieve root access are by way of exploits and social engineering. Social engineering being far and away the most common, as it's often fairly easy to trick someone."
Social engineering in this context consists of the malware program masquerading as a legitimate program and asking the user to grant it administrative access.
"I'm personally worried about how easy it is to gain root on a Mac," Salonen said. "Not because of vulnerabilities, but because you end up doing it all the time in day-to-day use."
"For example, I just browsed my /Applications folder, and noticed that a majority of my apps are owned by root," Salonen said. "Even non-critical stuff like IRC clients, video players, games, tiny helper apps, even the official Twitter client. Each of those installers had root access at some point. I don't remember explicitly giving Twitter root access. I just remember running a typical installer. It's scary."
Mac malware authors have already shown an interest in keychain data. "One threat called DevilRobber discovered last year used a script to harvest passwords," Myers said. "The main trick in that instance was that it would automatically validate the system dialog box that prompts the user to allow their keys to be exported."
There isn't much Apple can do to ultimately stop attackers with root access from stealing credentials stored in a user's keychain. However, there are some methods to make it a bit harder.
Apple could, for example, better obfuscate the keychain master password key in memory and make it harder for a tool like keychaindump to find it and extract it, Arnaud Abbati, a malware analyst at Intego, said Thursday.
Apple did not return a request for comment regarding its keychain design choices or the security implications of Salonen's tool.