Mac-focused malware is big and getting bigger

Hardy gave a presentation during this year’s SecTor Conference in Toronto, Canada, noting that a new development for 2012 is APTs that now often include malware specifically designed to compromise Macs.

“Mac users have long thought they’re safe, for a variety of reasons including: ‘nobody ever targets us’ (not anymore!), ‘Macs are based on Unix so have additional security’ (not if new vulnerabilities are found, or you choose to run the program), and ‘we’re not using Internet Explorer or Outlook so most threats don’t work’ (other software can be just as buggy),” noted Lidija Sabados, Citizen Lab researcher, in introducing the talk.

Aside from the well-documented Flashback botnet, which Kaspersky believed at one point controlled 700,000 machines, malware families such as the one that includes SabPab (related to the known LuckyCat campaign), Lamadai and MacControl are becoming more prevalent, Hardy cautioned.

Hardy offered some forensics in his talk, according to Forbes: the Olyx/Lamadai/SabPab Mac APT family is directly related to CVE-2011-3544, an Oracle Java vulnerability, he explained. SabPab offers victims a link that directs the user to Web pages hosting Java .jar files. "SabPab is seen by organizations that are regularly targeted," Hardy said. "We'll probably see more of this one in the future."

The MacControl APT attack, meanwhile, is bundled into a zip file with a hardcoded link to the APT author's command and control server. Hardy said MacControl is still an ongoing threat, with multiple generators sending out material.

But Apple itself may be too complacent in its belief that Macs are inherently more secure: It took four months to patch the SabPab flaw after Oracle provided a public update. And the Flashback malware, which began seriously infecting Macs in February and March 2012, was not patched until May.

Thus, end users should remain vigilant, Hardy noted. "This is a new space, people are building up their tools and authors, and just getting started," he said. "Targeted groups will not stop being targeted."

A recent report by Sophos found that one in five Macs harbor malware. That was out of an analysis of 100,000 Mac computers running its anti-virus software.

Hardy suggested that aside from avoiding clicking on unknown links, Mac users should use a trusted service like Google Drive to open and share items online, and only with known companions.
