A Rotting Security Apple?

Drew Amorosi examines recent malware threats to Apple’s OS X operating system
AppleCare staff were told to deny the existence of the MacDefender malware during an onslaught that saw tens of thousands of users seeking help with the fake AV

Apple has long touted its Mac as the more secure, faster running alternative to the Windows operating system. Remember the Mac vs PC commercials featuring sneezing comedian John Hodgman? He played the part of the infected PC (which we can assume runs Windows), while his counterpart represents a, presumably, virus-free Mac. “Last year there were over 114,000 known viruses for PCs”, Hodgman says, to which his Mac counterpart replies: “For PCs, but not for Macs”.

This ad was from the 2006–07 timeframe, but are its claims still true? It’s a good question, especially in light of all the recent predictions that malware will begin to affect Macs in larger numbers, in addition to some attacks that have already taken place. The recent spate of fake anti-virus specifically targeting the Mac has thrown into question whether or not Apple has a lock on the most secure operating system, and makes us wonder: Has Apple been permanently welcomed to the malware party?

Crying Wolf

Although the Mac OS has largely been spared the malware onslaught of its more ubiquitous Windows counterpart, this has not stopped security researchers and vendors from predicting an impending surge in Mac-focused attacks. Nor have they missed an opportunity to point out when attacks on the Mac and Apple’s applications have occurred, likely because of their infrequent and novel nature.

Intego is one such security vendor that specializes in Mac security – a niche that comprises far fewer players. The firm’s 2009 annual report highlighted several malware strains affecting the Mac throughout the year, noting that far more exploits targeted the OS X operating system and applications meant to run on it than ever before. Among these were the iServices Trojan Horse, which affected pirated versions of Apple’s iWork ’09 productivity suite and was downloaded by more than 20,000 users via BitTorrent sites. In this case, the trojan opened a backdoor on infected Macs, connected them to remote servers to download new code, and enslaved the machines as part of a botnet.

Zombie machines, it appeared, were no longer reserved for those running Windows. Yet Intego made a rather puzzling declaration in its report. While acknowledging that Mac OS X contains a number of flaws, it called the operating system “more secure than Windows”. It is a curious statement, Infosecurity notes, because many other malware researchers would argue the contrary: that Mac OS X is no more secure than Windows, merely targeted by malware writers less often.

"[MacDefender] may have been just a test to see what was possible on the Mac side. It’s the beginning of a wave of trying out new attacks on new platforms"
Andy Hayter, ICSA Labs

Nevertheless, Intego was correct in pointing out that malware for the Mac OS was on the rise when compared to previous years. “Mac market share is increasing”, a company spokesperson told Infosecurity at the time, “and Mac users are less security-savvy than Windows users”. This is presumably because Windows users have a long history with malware threats, and therefore can identify the tell-tale characteristics of an infected machine more easily. When asked if Mac users were no longer immune to the malware threat, the same spokesperson fired off a rather blunt reply: “No, and they haven’t been for years”, adding that malware threats for Mac users are “the norm” from now on.

The increasing market share of desktops and laptops running Mac OS X also led one researcher from Spain-based PandaLabs to predict an increase in threats affecting the operating system in 2011. (According to the most recent data from Gartner, in a declining PC market, Apple’s market share grew from roughly 4% in Q1 2006 to 9.7% in Q4 2010, a significant increase.) Luis Corrons, the technical director of PandaLabs, cited this growing market share as one reason why he expected malware threats to increase for Mac users.

“Of most concern is the number of security holes affecting the Apple operating system”, Corrons wrote in December 2010 when offering up his predictions for the coming year. “Let’s hope they get ‘patching’ as soon as possible, as hackers are well aware of the possibilities that such vulnerabilities offer for propagating malware.”

There May be Trouble Ahead

Then there was the “2011 Threat Predictions” report from McAfee Labs, which foretold an increase in malware attacks on the Mac for the year to come. The report observes that security professionals – via online forums and conferences – have long experimented with targeting the Mac OS, seeking out vulnerabilities that can be potentially exploited.

The report notes that McAfee Labs had seen malware of “increasing sophistication” for the Mac in 2010 and that they “expect this trend to continue in 2011”.

The report’s section on threats it envisioned for Apple in the year to follow concluded with a dire warning: “The lack of user understanding regarding exposure on these platforms and the lack of deployed security solutions make a fertile landscape for cybercriminals. McAfee Labs expects to see botnets and Trojans move from a rare encounter to a more common occurrence on Apple platforms in 2011.”

Just as Intego had highlighted, a user base that is less sophisticated about security than popular belief suggests is a major weakness of the Mac platform, because not everyone is an expert in security. Many buy a Mac because it looks cooler or, perhaps vainly, because it costs more than the average PC, and neither reason brings any familiarity with the social engineering tricks that are the Mac user’s Achilles’ heel. Put another way, just because Macs are more expensive and presumably bought by higher-end users, that does not make those users more security savvy.

Prophecy Fulfilled

It started as a slow trickle. It was even a bit humorous, or attempted to be. What we are speaking of is a Mac OS trojan dubbed BlackHole RAT by security firm Sophos in late February of this year. The malware’s anonymous author released a beta version that, when run, displayed on the Mac user’s screen: “I am a Trojan Horse, so I have infected your Mac Computer. I know most people think Macs can’t be infected, but look, you ARE infected!”

While this is typical of many of the proof-of-concept exploits published for the Mac OS, the author warned that this was new malware, still in development, and that more features, presumably more useful ones, would be added in the future.

Less than a week later, Chet Wisniewski, a researcher with Sophos, was contacted by one malware author when he apparently fingered the wrong creator for the recently discovered BlackHole RAT. “While the BlackHole RAT Trojan seems to be copying the behavior of DarkComet [a trojan for Windows], the lack of functionality and the unsophisticated user interface clearly offended the author, who felt it was necessary to set the record straight”. But what surprised Wisniewski the most about the clarification over attribution was the fact that he learned about two separate Mac trojans being developed within the timeframe of just one week.

"There is nothing about the Mac operating system that makes it inherently safer"
Neil Daswani, Dasient

Then May rolled in, giving reason for the prognosticators to pat themselves firmly on the back. Sparked by the increase in web traffic surrounding the death of Osama bin Laden, numerous research labs began reporting fake anti-virus being delivered via drive-by downloads when Mac users browsed certain sites ranked high on search engine results.

The original malware was dubbed MacDefender, and it had one fatal visual flaw from the perspective of an experienced Mac user: the fake “Windows” pop-up appeared inside the Safari browser window rather than looking like a native Mac dialog. Another shortcoming was that the fake AV required the user to enter an administrator password before installation could begin.

The lesson, however, was learned quickly, as an improved version of the malware began circulating. This time, it mirrored the true appearance of a window on a Mac. It was the dawn of a new era for the relationship between the Mac and malware, as the operating system had finally become a target of the type of fake anti-virus scam that has plagued Windows users for years.

In a revealing examination by ZDNet’s Ed Bott, the reporter noted one AppleCare representative as telling him that the line’s call volume had increased four to five-fold, with “the overwhelming majority of our calls…about this MacDefender and its aliases”.

Bott then obtained a memo, dated May 16, 2011, that instructed the AppleCare support staff to disregard the malware threat. “AppleCare does not provide support for removal of the malware”, the memo said, continuing: “You should not confirm or deny whether the customer’s Mac is infected or not”.

No confirmation, no support, and no response, as Apple failed to reply to the allegations when contacted by Infosecurity for comment. It would not be the last time that America’s tech darling chose to remain silent (except, perhaps, when reporting its financial results).

Apple would finally acknowledge the existence of MacDefender – and its variants MacSecurity and MacProtector – when the company promised OS X updates that would automatically remove the family of fake AVs.

Just days later came MacGuard, a variant that sidestepped the removal approach Apple had just announced. This time the malware writers took advantage of a default Safari setting, “Open ‘safe’ files after downloading”, which launched the downloaded installer package automatically; and because the new variant installed its downloader into the user’s own home folder rather than a system location, no admin password was needed to complete installation of the fake AV. Apple moved more swiftly to plug the gap, and issued a security update on May 31 to resolve the issue.
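As an added example, not from the article or from Apple, here is a small POSIX shell audit of the Safari preference behind that default. The key `AutoOpenSafeDownloads` in the `com.apple.Safari` domain is the real preference name that the checkbox writes; the WEAK/OK classification, the treatment of an absent key, and the `--audit`/`--fix` flags are this example’s own.

```shell
#!/bin/sh
# Added example (not from the article): audit and remediate Safari's
# "Open 'safe' files after downloading" option, the default that auto-launched
# MacGuard's installer. Safari of that era shipped with the option enabled, so an
# absent key means the weak default is in effect, not that the setting is unknown.

# classify_auto_open VALUE -> prints WEAK, OK or UNKNOWN.
# VALUE is what `defaults read com.apple.Safari AutoOpenSafeDownloads` printed
# (1 or 0 for a boolean), or the empty string when the key does not exist.
classify_auto_open() {
  case "$1" in
    0|false|NO)    echo OK ;;
    ''|1|true|YES) echo WEAK ;;   # unset falls back to Safari's enabled default
    *)             echo UNKNOWN ;;
  esac
}

# read_auto_open -> prints the live preference value, or '' if unset or if the
# `defaults` tool is unavailable (it exists only on macOS; the "does not exist"
# error goes to stderr, which is discarded here).
read_auto_open() {
  defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true
}

# disable_auto_open -> same effect as unticking the box in Safari > Preferences > General.
disable_auto_open() {
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Command-line entry point; nothing runs unless --audit is given, so the functions
# above can also be sourced from another script.
if [ "${1:-}" = "--audit" ]; then
  state=$(classify_auto_open "$(read_auto_open)")
  echo "Safari AutoOpenSafeDownloads: $state"
  if [ "$state" = WEAK ] && [ "${2:-}" = "--fix" ]; then
    disable_auto_open
    echo "AutoOpenSafeDownloads set to false; restart Safari for it to take effect"
  fi
fi
```

Save it as a script and run it with `--audit` on the Mac itself; add `--fix` to turn the option off. The classification deliberately reports an absent key as WEAK rather than UNKNOWN, because the shipped default, not an explicit setting, is exactly what MacGuard relied on.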

All told, the damage was not that severe, but compared with what preceded it, the MacDefender episode was a relative bloodbath. More than 100,000 Macs, perhaps far more, were feared infected, and McAfee called the month of May “A Mac malware monsoon”.

Craig Schmugar, a researcher with McAfee Labs, revealed statistics that demonstrated an explosion in detected malicious binaries for the Mac OS X during the month of May. The results were off the charts and dwarfed anything the firm’s lab had seen all year.

“Sadly, many Windows users have grown accustomed to the tactics of those who seek to gain control over their PCs”, he warned in a blog post. “But even sadder will be the non-Windows users who have lived in ignorant bliss.”

The Cupertino Shuffle

Apple failed to respond to repeated requests for comment on this story, or to explain its approach to security. But that did not stop us from enlisting the opinions of a few experts in the security field. Those we did consult seemed united in their interpretation of why MacDefender was so effective in infecting so many Macs, so quickly. The social engineering aspect of the dire warnings presented in fake AV pop-up boxes was to blame, and there were multiple reasons why they were so effective.

“I think malware affecting both the Mac platform, and mobile platforms, will continue to rise”, says Neil Daswani, CTO and co-founder of internet security firm Dasient. “There is nothing about the Mac operating system that makes it inherently safer”, he adds, noting that the only reason Mac users have survived the malware threat relatively unscathed thus far is Mac’s far smaller market share.

“There is nothing that protects Mac users from social engineering more than Windows users”, Daswani reminds us.

“It was a social engineering attack”, agrees Andy Hayter, anti-malcode program manager at ICSA Labs, the independent security product testing arm of Verizon. The malware researcher says, “The opportunity to take advantage of Mac users that heretofore had not seen fake AV programs running on their computers took them by surprise, which is why many people fell victim to this.”

While MacDefender was primarily encountered via what he calls socially engineered drive-by downloads, “Mac users were not used to seeing something that comes up on their computer that says ‘you’re infected’”.

"MacDefender is a perfect example of a social engineering threat"
David Harley, Mac Virus

Hayter says this recent malware attack on Macs should be viewed in the broader industry context of slumping PC sales in favor of devices running mobile operating systems.

“I think you will slowly see an increase over time in attacks on the Mac and an increase in sophistication of the attacks”, he acknowledges. “On the other hand, you have other platforms that are growing faster. The Mac platform is popular and growing, but it’s not growing in leaps and bounds like iOS and Android are. The odds will be better attacking Android and iOS devices, and this may have been just a test to see what was possible on the Mac side. It’s the beginning of a wave of trying out new attacks on new platforms”, Hayter says.

David Harley, security researcher and author/editor of the Mac Virus blog, concurs with Daswani and Hayter. “MacDefender is a perfect example of a social engineering threat”, he agrees.

“There were isolated incidents of fake AV that was Mac-specific a year or two ago, but they didn’t really attract much attention. [MacDefender] is easily the most successful attack we have seen target the Mac.

“I think this was more a case of seeing what the victim market was like, rather than testing Apple or the security industry particularly”, he adds.

Still, Harley was critical of the Apple approach to security and combating malware. “Their rather stealth approach to dealing with occasional malware is probably not the best they could take”, he believes. “Apple have painted themselves into a bit of a corner as they have started trying to update [the operating system] to meet each variant as it occurs – and it’s not their strength. My opinion is that they feel they have to do something to maintain the idea that anti-virus in the Mac context is not really necessary. They are basically their own mini-AV solution, and they can get away with this approach at the moment because there is not an enormous population being hit by these threats.”

For now, at least, no large population has been affected along the lines of a Windows user base. This may not always be the case, however, moving forward.

Dawn of a New Day

So, will the industry see more attacks on the Mac OS going forward? “I would suspect an upward trend, rather than a downward trend – but a lot of Apple’s market is not the Mac OS but the i-gadgets, and that’s a different market altogether”, says Harley, reminding us that the future of computing is not on top of the desk, but rather in our pockets.

“Most of this stuff is really the bad guys testing the water, rather than a sustained attack”, he asserts. Harley, who describes Apple’s approach to security as “aloof”, says that the creators of MacDefender were likely surprised that Apple reacted to the outbreak at all – as he certainly was.

Hayter, who characterized Apple’s initial response to MacDefender as “laissez faire”, does believe that Apple is improving its approach to vulnerability disclosure by releasing more patches and making them more public. “Going forward, on the support side”, he adds, “you may see a more sympathetic response from Apple than occurred with the MacDefender fake AV, where they basically denied it for a while.”

He also predicts more malware for the Mac along the lines of what we witnessed with MacDefender. Hayter says the toolkit used to create the malware looks very much like a Windows toolkit. “Somebody will take the opportunity to use a Windows-based toolkit, modify it to run on an OS platform, and try to do this again”, he warns.

“They may take a different approach, but fake AV is fake AV, and just as many people fall for it in the PC world, you will see the same percentage of people fall for it in the Mac world”.

David Harley would likely fall into this same line of thinking. He believes the operating system is mostly irrelevant, as none of them have the market cornered on a more secure architecture. “But some of the security measures Apple have put into the operating system have been less timely and less complete”, he contends. “The main problem on any platform is socially engineered threats, not vulnerabilities.”

It underlines the fact that, regardless of which nifty device you may have purchased from the man in the mock turtleneck, security is more often a people problem rather than a technology one.
