Malware set to take a big bite out of Apple in 2013

While to date it has been much more profitable to attack Windows than to learn the new skills needed to target the smaller OS X user community, that is set to change in 2013, security firm Sophos predicts, as Apple penetration increases and smarter Mac malware like Morcut begins to make the rounds.

According to Forrester Research analyst Frank Gillett, “almost half of enterprises (1,000 employees or more) are issuing Macs to at least some employees – and they plan a 52% increase in the number of Macs they issue in 2012.” That doesn’t even count the number of Macs, iPads and iPhones that are brought into enterprise environments on a bring-your-own-device (BYOD) basis.

Accordingly, Sophos said in its 2013 outlook that it is seeing a big uptick in Mac infections: In a typical week, it detects 4,900 pieces of OS X malware on Mac computers, it said.

“Growing Mac usage means many IT organizations must objectively assess, mitigate and anticipate Mac-related malware threats for the first time,” said Sophos. “And the risks are clearly increasing.”

In 2012, Macs were in the spotlight thanks to the Mac OS X Trojan Flashback/Flashfake epidemic that peaked in April 2012. Flashback infected more than 700,000 Macs, making it the biggest known Mac OS X infection to date and, as Kaspersky pointed out in its year-end analysis, it destroyed the myth that non-Windows platforms are immune to large-scale outbreaks. At the infection’s peak, Sophos’ free Mac anti-virus product identified Flashback-related malware on approximately 2.1% of the Macs it protected.

Between Flashback and 2011’s sustained Mac attack by the fake anti-virus MacDefender, a pattern is emerging that security teams should eye going into 2013: Mac malware is often a rehash of what has already been unleashed in the Windows world. Developers aren’t spending the time to reinvent the wheel for the new platform.

“[MacDefender] was the first significant Mac attack to be distributed via search result pages that attracted users to legitimate sites that had been poisoned with malware,” said Sophos, noting that this is a well-known trick in the Microsoft world. “MacDefender is worth discussing today because it shows how Mac malware often follows in the footsteps of older Windows attacks. One sensible way to anticipate the future of Mac malware is to see what’s happening now to Windows users.”

For instance, Mac administrators might reasonably expect new customized attacks relying on server-side polymorphism. “While both MacDefender and Flashback have been beaten back, they each show Mac malware authors becoming more agile,” Sophos said. “We’ve seen the authors changing the delivery mechanisms of existing malware and pursuing new zero-day exploits.”

One such new threat in the wild is the Morcut/Crisis family of fake anti-virus software, discovered in July 2012. These gambits generally work by convincing users to provide personal credit card information for software they don’t need, and present a relatively low risk to enterprises. Morcut/Crisis, however, is different.

“Designed for spying, Morcut can remotely monitor virtually every way a user communicates: mouse coordinates, IM, Skype call data, location information, the Mac’s webcam and microphone, clipboard contents, keystrokes, running apps, web URLs, screenshots, calendar and address book contents, alerts, device information and even file system metadata,” Sophos noted.

Morcut appears as a Java Archive file (JAR) claiming to be digitally signed by VeriSign. If installed by the user, Morcut deploys kernel driver components to hide and run without the administrator’s authentication; a backdoor component that opens the Mac to other network users; command and control to accept remote instructions and adapt its behavior; and, most importantly, code for stealing user data.

“If Morcut spreads, it will represent a serious threat to internal corporate security and compliance,” said Sophos. “Its capabilities especially lend themselves to targeted attacks aimed at capturing information about specific known Mac users in pivotal organizational roles. In contrast to most earlier Mac malware, it also reflects an extremely thorough understanding of Mac programming techniques, capabilities and potential weaknesses.”

Worryingly, similar backdoor techniques are already appearing elsewhere, and have been embedded in an exploit kit for the first time.

“The kit, OSX/NetWrdRC-A, is primitive, flawed and easily halted,” said Sophos. “But it’s a harbinger of more sophisticated and dangerous attacks to come.”

Researchers also found that Mac users can be a danger to others as well. A common source of Windows malware on Macs today is fake Windows Media movie or TV files. These files contain auto-forwarding web links promising the codec needed to view the video, but deliver zero-day malware instead. “Windows Media files generally won’t run on Macs, but Mac users often torrent these files to improve their ‘ratios’ on private tracker sites, without realizing the contents are malicious,” Sophos noted. “Windows users then attempt to play the videos and become infected.”

The creep of Apple into the workplace is not likely to abate anytime soon. Forrester’s Gillett pointed out at the beginning of the year that 21% of information workers are using one or more Apple products for work, but that culturally, there is a push for there to be many, many more. “I started seeing a few employees at large established tech vendors using Macs, where corporate IT usually doesn’t support them, and seeing a disproportionate number of Macs among Starbucks loungers,” he said in a blog. “The clincher was the behavior of CTOs at two large infrastructure software companies that have a group of CTOs that work across the company. In both cases, almost all of them were using Macs – and they were making fun of the remaining Windows holdout for using a ‘typewriter.’ Of course, the iPad added to this phenomenon, which is visible when you walk down the aisle of long-haul flights in the US – there are lots of iPads, especially in first class.”

Sophos noted that IT departments should take note of this phenomenon and take action now to get ready for the Mac onslaught ahead for 2013. “Since Macs are often used by senior executives and creative teams who need maximum control over their computers, you may need to accept that some Macs will be untrusted,” researchers explained. “But untrusted should not mean unprotected. You should still offer users whatever protection is practical. And organizations can’t forget legal requirements associated with security and breach notification. These requirements may be especially important to enforce where senior executives are involved.”