Mac Threats in time
2004
- Amphimix (MP3Concept)
- Opener (Renepo)
2005
2006
- Leap
- Inqtana
2007
- Jahlav (RSPlug)
2008
- MacSweep
- iMunizator
2009
- Tored
2010
- Hovdy
- HellRTS (HellRaiser)
- OpinionSpy
- Boonana
2011
- BlackHole (darkComet, MusMinim)
- MacDefender
- Olyx
- Flashback
- Revir and Imuler
- Devilrobber (Miner)
- Tsunami (Kaiten)
2012
- Lamadai
- Sabpab
- Morcut (Crisis)
Amphimix (MP3Concept)
The first acknowledged OS X malware (a proof of concept, not seen in the wild)
This is a Proof of Concept (PoC) Mac Trojan seen early in 2004 that masqueraded as an MP3 file using an .MP3 icon. Its main importance is in the timing – it is generally regarded as the first acknowledged piece of OS X malware – rather than its impact: it was not seen “in the wild” and subsequent changes to the Finder effectively countered the vulnerability it exploited.
Its only payload was to display a dialogue box saying “Yep this is an application. (So what is your iTunes playing right now?)” At the same time it launched iTunes and tried to play a 4-second MP3 audio clip of “wild laughter” (apparently a man laughing).
Opener (Renepo)
Shell script with backdoor and spyware functionality
This was a (bash) shell script. The installation required either admin access or physical access to the target machine and write access to system areas and utilities.
Once installed as a Startup Item it was intended to run as root without the need to invoke sudo (a utility mostly found in Unix-like or Unix-derived operating systems that allows a user account to run system programs at a higher privilege level).
By version 2.3.8, the version usually reported, it was installing a variety of backdoor and spyware functions, stealing a range of configuration and application information, and also included password-cracking and other decryption functionality.
Author DimBulb is credited “for inspiration” by the author of the osxrk rootkit, from September 2004.
The header comment of the opener 2.3.5a script reads:

```bash
########################################################################
# opener 2.3.5a - a startup script to turn on services and gather user info & hashes for Mac OS X
########################################################################
# Originally written by DimBulb
# Additional code: hard-mac, JawnDoh!, Dr_Springfield, g@pple
# Additional ideas and advice: Zo, BSDOSX
# This script runs in bash (as is noted by the very first line of this script)
# To install this script you need admin access or
# physical access (boot from a CD or firewire/usb, ignore permissions on the internal drive) or
# write access to either /Library/StartupItems /System/Library/StartupItems or
# write access to any existing StartupItem (which you can then replace with this script) or
# write access to the rc, crontab, or periodic files (and have them run or install the script) or
# you could trick someone who has an admin account into installing it.
# It should go in /System/Library/StartupItems or /Library/StartupItems (when it is executed it
# will move itself to /System/Library/StartupItems)
# Since it is a StartupItem it will run as root - thus no "sudo" commands are needed. If you run
# it as any other user most of the commands will generate errors! (You could sudo ./opener)
# Save start time and date for performance testing
```
Leap
The first true OS X worm
It appeared at the beginning of 2006 and attracted a great deal of media attention. It carried the icon of a JPG image so that a Unix executable passed for a picture, and claimed to be screenshots of the latest Leopard (Mac OS X 10.5) in order to entice users to click on it. Leap spread through the iChat messenger client as a file called latestpics.tgz.
The malware required user interaction in order to spread, and used Spotlight to locate the files it then infected on disk.
Inqtana
Proof of Concept worm exploiting a Bluetooth vulnerability
This was a Proof of Concept worm targeting OS X systems. It was written in Java and spread through a directory traversal vulnerability in Apple’s Bluetooth system, which was subsequently fixed by the vendor (2005-2006).
It modified the setting of launchd to make sure its code was executed at boot time, thus ensuring persistence (that is, it continued to load at every system reboot).
It attempted to spread by sending OBEX Push requests to other Bluetooth devices, though its spread was limited by the use of a time-limited library version, meaning that it could not spread after February 24, 2006. Inqtana.D significantly developed the attack in that it didn’t require any user interaction in order to install, and once installed the backdoor access was available through Ethernet or AirPort, not just Bluetooth.
Jahlav (RSPlug)
DNS Changer
The family of DNS changing malware includes binaries identified as OSX/Jahlav, OSX/DNSchanger, OSX/Puper, OSX/RSPlug (and sundry variations according to individual vendor naming conventions). Some vendors regard it as consisting of more than one family originating with the same author, but such distinctions are not maintained consistently across the vendor community.
This group is also closely related to the Zlob family, associated with similar malicious functionality on Windows platforms. This type of malware was found in great numbers in the wild. It is predominantly found as a DMG file containing an installation package named install.pkg.
It has been distributed using various schemes such as fake codecs, an approach commonly used by malware on other platforms. The ultimate purpose of this malware is to change DNS settings of an infected host, potentially enabling the attacker to alter Internet content accessed from an infected system. A script named preinstall, executed at the beginning of the installer process, performs these malicious actions. A set of shell commands is launched to write the script to disk and execute it. An interesting point relating to OSX/Jahlav is that this threat uses server side polymorphism to generate new copies of its binaries, probably in an effort to evade detection by intrusion detection systems and antivirus software. Script files are also obfuscated using various shell tools such as uuencode, sed, and tail to conceal, vary or reverse the order of the commands and hamper analysis.
ESET threat descriptions:
- OSX/TrojanDownloader.Jahlav.NAL
- OSX/TrojanDownloader.Jahlav.NAN
- OSX/TrojanDownloader.Jahlav.NAK
- OSX/TrojanDownloader.Jahlav.NAM
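The two traits described above for this family, an installer script that rewrites DNS settings and shell-level obfuscation that hides the commands doing it, are the things an analyst triaging a .pkg wants flagged before running anything. The scanner below is an added example (not ESET's code and not the real Jahlav preinstall script): its indicator patterns are heuristics written from the behaviour the text describes, and all three sample scripts are constructed for the demo, with the DNS-changing one using the RFC 5737 documentation range.

```python
"""Triage helper: flag DNS-changer behaviour and shell obfuscation in an
installer script (e.g. a .pkg preinstall script).

Added example, not ESET's code or the real Jahlav preinstall script. The
indicator patterns are heuristics built from the behaviour described in the
text (uuencode/uudecode, sed and tail used to hide or reverse commands,
decoded data handed to a shell, DNS settings rewritten). All sample scripts
below are constructed for the demo.
"""
import re

# (label, pattern). Broad on purpose: these are triage signals for a human
# or a sandbox to follow up, not a verdict.
INDICATORS = [
    ("uuencode/uudecode used",
     re.compile(r"\buu(?:en|de)code\b")),
    ("base64 decoding",
     re.compile(r"\bbase64\b[^\n|]*(?:-d|-D|--decode)\b")),
    ("payload read back from the script's own file ($0)",
     re.compile(r"\b(?:tail|sed|head)\b[^\n]*\$0\b")),
    ("line order reversed (tail -r / sed tac idiom)",
     re.compile(r"\btail\s+-r\b|\bsed\s+(?:-n\s+)?'1!G;h;\$p'")),
    ("decoded data piped into a shell",
     re.compile(r"\|\s*(?:/bin/)?(?:ba|z|k)?sh\b")),
    ("DNS resolver settings rewritten",
     re.compile(r"networksetup\s+-setdnsservers|/etc/resolv\.conf|\bscutil\b")),
    ("file dropped under /tmp then executed",
     re.compile(r"\b(?:sh|bash)\s+/tmp/\S+|chmod\s+\+?x\s+/tmp/")),
]

SAMPLE_OBFUSCATED = r"""#!/bin/sh
# Constructed demo: the shape of a staged installer, not the real Jahlav script.
# The uuencoded body is a placeholder; nothing useful decodes from it.
tail -n 3 "$0" | uudecode -o /tmp/.tmp_s
sh /tmp/.tmp_s
exit 0
begin 644 payload
<placeholder uuencoded lines omitted>
end
"""

SAMPLE_PLAIN_DNS = """#!/bin/sh
# Constructed demo: an unobfuscated resolver rewrite (192.0.2.0/24 is the
# RFC 5737 documentation range, so these addresses point nowhere).
/usr/sbin/networksetup -setdnsservers Ethernet 192.0.2.53 192.0.2.54
exit 0
"""

SAMPLE_BENIGN = """#!/bin/sh
# Constructed demo: a harmless pre-install step.
rm -rf "/Library/Caches/com.example.app"
exit 0
"""


def scan_installer_script(text):
    """Return the labels of every indicator matching the script, in table order."""
    return [label for label, rx in INDICATORS if rx.search(text)]


def is_suspicious(text):
    """Crude verdict: any resolver rewrite, or two or more obfuscation signals."""
    hits = scan_installer_script(text)
    return "DNS resolver settings rewritten" in hits or len(hits) >= 2


if __name__ == "__main__":
    for name, script in (("obfuscated", SAMPLE_OBFUSCATED),
                         ("plain DNS", SAMPLE_PLAIN_DNS),
                         ("benign", SAMPLE_BENIGN)):
        print(f"{name}: suspicious={is_suspicious(script)} "
              f"hits={scan_installer_script(script)}")
```

The obfuscated sample trips three indicators without containing a single DNS-related token, which is the point: server-side polymorphism changes the bytes of the payload, but the staging pattern (read own file, decode, drop to /tmp, execute) is what survives across variants, so that is what a static triage rule should key on.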
MacSweep
First OS X scareware
Also known as Troj/MacSwp-A, OSX_MACSWEEP, MacSweeper, this threat was first reported in January 2008 and is sometimes described as the first OS X scareware (or fake security application).
Most of the descriptive material applying to OSX/MacSweep also applies to iMunizator: in fact, some vendors flag iMunizator as OSX/MacSweep.B, and some sources reported an almost identical screen for both “products” saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC”. The program flags a number of perfectly legitimate applications as privacy violations, malware, bad cookies, “compromising files” and so on, and anyone trying to remove them is told they need to buy the MacSweep software.
iMunizator
Rogue AV application
Also known as OSX/Imunisator, Troj/MacSwp-B, OSX_MACSWEEP.B, OSX/AngeloScan, this was first reported in late March, 2008. iMunizator was essentially a retread of OSX/MacSweep (MacSweeper), or “another Rogue AV.”
The “call to action” in this case was again a screen saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC”. Wouldn’t it be nice if you could get an application to clean the Internet?
The program flags a number of perfectly legitimate applications as “trash”, and any victim naive enough to try to remove them is told they need to buy the iMunizator software. Amusingly (in a black sort of way), iMunizator tries to tell you that the apps it flags may compromise the victim’s credit card.
Tored
Proof of Concept worm spread via email
This Proof of Concept malware was discovered in 2009 and called Mac/Tored.AA. The name is a modification of the original name found in the binary file, which was OSX.Raedbot. This worm was able to spread through email using its own SMTP engine.
It could also contact a command and control server on the Internet to receive additional commands. Functionally, it therefore closely resembles certain classic Windows mass-mailers as well as many bots. However, we have not seen any instance of Mac/Tored.AA in the wild.
Hovdy
Information-gathering spyware
The OSX/Hovdy malware family is a set of scripts designed to gather as much information as possible from a host and send it back to a potential attacker.
In some variants, the information is sent back in an email with the subject Howdy, hence the name. Some variants were programmed as a bash script while other variants are programmed using AppleScript. We saw around a dozen different variants of the OSX/Hovdy script malware.
HellRTS (HellRaiser)
Information-stealing backdoor trojan with remote control capability
This is a backdoor trojan that can be controlled remotely. It attempts to send captured information (including files and screenshots) to a remote machine, using HTTP, FTP, and SMTP.
In order to get sensitive information it displays the following dialog box:
The trojan acquires data and commands from a remote computer or the Internet. It may also:
- run executable files
- execute shell commands
- shut down/restart the computer
- log off the current user
- send data to the printer
- open a specific URL address
- change the sound volume
- open the CD/DVD drive
- play sound/video
- open web page using user’s default browser
- watch the user’s screen content
OpinionSpy
Spyware with backdoor and remote control capability
This program was first reported around the beginning of June 2010 and was associated with software calling itself PermissionResearch or PremierOpinion.
This spyware masking itself as a market research utility was offered as part of the installation process for a number of screensavers. It also acted as a backdoor and could be controlled remotely.
Boonana
Multi-platform social engineering trojan
This Java-based Trojan that attacks Macs, Linux and Windows systems became notorious in October 2010 when it spread through social networking sites, passing itself off as a video and using the well-worn “Is this you in this video?” trick reminiscent of Windows malware.
Boonana is a trojan downloader (a Java applet) that executed an installer, which, in turn, modified system files so that an outside attacker did not need passwords in order to access the system. Moreover, the trojan periodically checked in with a Command-and-Control (C&C) server for updated instructions. There were also reports of the malware being spammed out through email.
When the potential victim runs the "video", a message is generated suggesting that the video can’t be watched without installing special software.
If the user falls for the trick, the Java applet runs on their Windows, OS X or Linux computer. For Windows systems, however, a registry entry is added, while for OS X files are copied to /Library/StartupItems and a script called OSX updates is created.
This is very much social engineering-focused malware: its initial attack is on the user, not on the platform, and it isn’t self-launching in the first instance. In other words, the malware requires user consent to be installed. While the intended functionality is similar to the notorious Koobface worm, the actual code in Boonana doesn’t resemble Koobface’s, which is why ESET hasn’t used that name as an identifier, though some vendors have done so.
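Opener, Inqtana and Boonana all survive reboot the same way: a file dropped into a StartupItems or launchd directory that is then executed as root at boot. The audit below is an added example (not ESET's code) of the check a defender would run over those directories: it reports any entry that is not on a known-good baseline, is not owned by the expected user, is a symlink, or contains a world-writable file. The baseline names and the fixture tree built by build_fixture() are constructed for the demo; on a live system you would pass "/" as the root and keep expected_uid at 0.

```python
"""Audit the persistence locations used by Opener, Inqtana and Boonana.

Added example, not ESET's code. Opener and Boonana installed into
StartupItems so that they ran as root at boot; Inqtana used launchd. This
audit walks those directories under a given filesystem root and reports any
entry that is not on a known-good baseline, is not owned by the expected
user, is a symlink, or contains a world-writable file. The baseline and the
fixture tree built by build_fixture() are constructed for the demo.
"""
import os
import stat
import tempfile

# Relative to the filesystem root ("/" on a live system).
PERSISTENCE_DIRS = (
    "System/Library/StartupItems",
    "Library/StartupItems",
    "Library/LaunchDaemons",
    "Library/LaunchAgents",
)


def _world_writable_files(path):
    """Yield files under path (or path itself) whose mode grants o+w."""
    if not os.path.isdir(path):
        candidates = [path]
    else:
        candidates = [os.path.join(d, f)
                      for d, _, files in os.walk(path) for f in files]
    for candidate in candidates:
        if os.lstat(candidate).st_mode & stat.S_IWOTH:
            yield candidate


def audit_persistence(root, baseline, expected_uid=0):
    """Return findings for entries in the persistence directories under root.

    baseline     -- set of "relative/dir/name" strings considered known-good
    expected_uid -- owner every entry should have (root on a real system)
    Each finding is {"path": ..., "reasons": [...]}; an empty list is clean.
    """
    findings = []
    for rel_dir in PERSISTENCE_DIRS:
        full_dir = os.path.join(root, rel_dir)
        if not os.path.isdir(full_dir):
            continue
        for name in sorted(os.listdir(full_dir)):
            path = os.path.join(full_dir, name)
            st = os.lstat(path)
            reasons = []
            if f"{rel_dir}/{name}" not in baseline:
                reasons.append("not in baseline")
            if st.st_uid != expected_uid:
                reasons.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
            if stat.S_ISLNK(st.st_mode):
                reasons.append("symlink")
            for wfile in _world_writable_files(path):
                reasons.append(f"world-writable: {os.path.relpath(wfile, full_dir)}")
            if reasons:
                findings.append({"path": path, "reasons": reasons})
    return findings


def build_fixture():
    """Construct a throwaway tree: one baseline plist, one rogue StartupItem."""
    root = tempfile.mkdtemp(prefix="persist-audit-")
    for rel_dir in PERSISTENCE_DIRS:
        os.makedirs(os.path.join(root, rel_dir))
    good = os.path.join(root, "Library/LaunchDaemons/com.example.backup.plist")
    with open(good, "w") as fh:
        fh.write('<plist version="1.0"/>\n')
    os.chmod(good, 0o644)
    # A StartupItem directory whose script anyone can edit: the shape a
    # dropped shell script such as Opener takes if left world-writable.
    rogue_dir = os.path.join(root, "Library/StartupItems/opener")
    os.makedirs(rogue_dir)
    rogue = os.path.join(rogue_dir, "opener")
    with open(rogue, "w") as fh:
        fh.write("#!/bin/bash\n# constructed placeholder, does nothing\n")
    os.chmod(rogue, 0o777)
    return root


def demo():
    """Audit the fixture, using the fixture's own owner as the expected uid."""
    root = build_fixture()
    baseline = {"Library/LaunchDaemons/com.example.backup.plist"}
    return audit_persistence(root, baseline, expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

The baseline is the important input: a StartupItem that is root-owned and mode 755 looks perfectly healthy by permissions alone, which is exactly how a correctly installed Opener or Boonana item would present, so only comparison against a recorded known-good set catches the new entry.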
BlackHole (darkComet, MusMinim)
Multi-function backdoor trojan
This RAT (Remote Access Tool) came to light early in 2011. It was described as a beta version by its author:
“Welcome to BlackHole RAT. Now this is the Beta Version, and there are funktions (sic). Have Fun;)”
The user interface also includes some German words such as Ablage and Bearbeiten, though the messages are in (more or less) English.
“…I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can’t be infected, but look, you ARE Infected!”
According to comments in the code, there was intended to be a more stable version in due course.
“So, Im a very new Virus, under Development, so there will be much more functions when im finished.”
However, the darkComet RAT project was declared terminated in June 2012.
BlackHole’s abilities included the following:
- Execute shell commands remotely.
- Direct the user’s browser to its own choice of web page.
- Create a text file on the desktop.
- Perform shutdown, restart and sleep operations: in fact, it may put up a window from which the user can only escape by letting it reboot the machine as a demonstration of its capabilities.
- Pop up a fake Finder message asking the victim to enter the administrator password.
The name notwithstanding, there is no obvious connection between this Blackhole and the Black Hole exploit kit.
MacDefender
The first major Mac malware
This fake AV has also been reported as calling itself MacProtector, MacDetector, MacSecurity, Apple Security Center, MacGuard, and MacShield. Appearing in May 2011, it is probably the most widespread rogue anti-virus on the Mac to date.
The infection was spread via poisoned search engine results on image searches. When a bad link was followed in a search, the user was presented with an alert that trojans or other threats have been detected on the system.
At the start of the attack, either a simple dialog box over the browser window or a fake Finder window is displayed. The malware was updated over time to present a user interface more like a native OS X application and less like a Windows application. Subsequent variants were also deployed that were capable of installing through a fake Finder window requiring the user to enter administrator credentials. If the victim clicked on the "Cancel" or "Remove All" buttons instead of closing the browser normally (or if necessary, with Force Quit), it was able to install the software anyway. It also took advantage of Safari’s default setting ‘Open “safe” files after downloading’ to download and open the malware automatically.
Once the malware was installed and launched, the victim was told that the software was an Unregistered Copy, and given the option of registering and paying for it.
Olyx
A malware-downloading backdoor
A backdoor that allows the infected machine to be controlled remotely by receiving data and instructions for its operation over the Internet via a remote Command-and-Control (C&C) server in a botnet.
It may use known Java exploits to gain access to the victim’s system. The trojan contains an IP address to which it tries to connect over port 80 using TCP.
It may execute the following operations:
- download files from a remote computer and/or the Internet
- send files to a remote computer
- various file system operations
- execute shell commands
- send the list of files on a specific drive to a remote computer
Flashback
The largest Mac botnet to date
OSX/Flashback.A is a trojan downloader that tries to download other malware from the Internet, and at the same time the Flashback botnet is the largest Mac botnet to date. The Flashback attack uses social engineering to entice the user to download and install the malware.
The malware presents a standard, professional-looking installer screen to create a backdoor via a dynamic library called Preferences.dylib. Once installed, it uses RC4 encryption to communicate with a remote server, and transmits data such as the user’s MAC address, OS version, UUID, and more. The malware could also potentially be used to allow the malware author to inject code into the target Mac.
A later variant of OSX/Flashback included exploit code for CVE-2012-0507, a Java exploit also used by the Blackhole exploit kit. This meant that the trojan was able to infect computers without user interaction. Oracle released a Java update that addressed the problem, as did Apple, later on.
The malware collects information about the infected computer, its operating system, and system settings, and tries to send the information on to a remote machine. It receives data and instructions from a Command & Control server via HTTP. It quits immediately if Little Snitch is detected on the system and removes itself from the computer.
ESET recommends disabling Java in Safari and OS X, if it is not needed most of the time.
The trojan displays the following picture:
In September 2012, ESET released a comprehensive technical analysis of the Flashback threat.
Revir and Imuler
Dropper/ downloader backdoor with spyware capability
These two examples of malware are usually referred to as distinct threats, even though Revir is the dropper and downloader and Imuler.A is the backdoor that carries the sting.
The malicious application poses as a PDF file, and even displays a PDF embedded in its own body. This payload displays some politically contentious Chinese text while the app extracts a downloader that fetches and installs a backdoor Trojan (Imuler). The backdoor is intended to communicate with a C&C (Command and Control) server.
The most striking similarity between this and the techniques used by Windows malware is in the use of a phased infection process using several components. The PDF is not booby-trapped with some kind of 0-day threat, as is so often the case with targeted malware, but is simply a component of the malware, which must be executed before the PDF can be displayed. The Imuler Trojan acquires data and commands from a remote computer whose URL is embedded within it, or over the Internet using HTTP.
The malware can execute the following operations:
- capture screenshots
- send files to a remote computer
- send various information about the infected computer
- download files from a remote computer and/or the Internet
- run executable files
- extract ZIP archive
Devilrobber (Miner)
Bitcoin-generating spyware using Torrents to spread
The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as The Pirate Bay. Like a number of Mac trojans, the program will terminate on infection if it finds Little Snitch installed: otherwise, it will be launched at every reboot.
Devilrobber performs the following malicious activities:
- Opens ports and listens for C&C servers
- Steals GPU (Graphics Processing Unit) cycles to generate Bitcoins in order to defraud the Bitcoin service, and if it finds a Bitcoin wallet on the infected machine, steals that too
- Acts as spyware, forwarding usernames and passwords to a remote server
- Noses around looking for other stuff like the keychain file, bash history file, Safari history file, and takes and forwards screenshots
- It may also be looking for files that contain child abuse material
Tsunami (Kaiten)
IRC-controlled backdoor
This is an IRC-controlled backdoor that enables the infected machine to become a bot for Distributed Denial of Service (DDoS) attacks. It contains a hardcoded list of IRC servers and channels that it attempts to connect to for targeting instructions.
The malware is a version of the elderly Linux/Tsunami malware (also known as Kaiten), recompiled as a Mach-O binary to run under OS X. Of low risk, but apparently a work in progress: a second version shows some “improvements.”
First detected in 2002 for Linux-based systems, once installed, this backdoor Trojan intended to listen for instructions transmitted over IRC. Its command set is focused on various attacks, but its ability to execute shell commands has the potential for many other types of actions. The list of accepted commands is taken from the comment block in the Linux C source code.
In addition to enabling DDoS attacks, the backdoor can also enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the capability to essentially take control of the affected machine.
Lamadai
A Backdoor targeting Tibetan NGOs
This was a malware attack targeting Tibetan NGOs (Non-Governmental Organizations). The attack consisted of luring the victim into visiting a malicious website, which then would drop a malicious payload on the target’s computer using Java CVE-2011-3544 vulnerability and execute it.
The webserver would serve a platform-specific JAR (Java Archive) dropper based on the browser’s UserAgent String in order to infect Windows and OS X systems.
OSX/Lamadai.A has built-in features typical of a backdoor: namely the download and execution of an arbitrary file, uploading of local files to the operator’s Command-and-Control (C&C) server, and spawning of a command-line shell. It is the Mac OS X payload of a multi-platform attack exploiting the Java vulnerability (CVE-2011-3544) to infect its victims.
The OS X-specific dropper was also served to Linux clients. However, since the dropped payload is designed for OS X only, Linux clients will not be infected. OS X uses the Mach-O file format for its executable files. For OSX/Lamadai.A, the Mach-O executable was compiled for 64-bit only, which is unusual since Mach-O binaries normally contain both the 32-bit and 64-bit versions of the executable.
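The observation that the Lamadai payload was compiled for 64-bit only, where a normal Mach-O of the period is a fat binary carrying both 32-bit and 64-bit slices, is cheap to check during triage. The parser below is an added example (not ESET's code): it reads only the fat header and the Mach-O header, using the public constants from mach-o/loader.h and mach/machine.h, and reports whether a file is fat and which architectures it contains. The sample images are constructed in memory by build_thin() and build_fat(); they are headers only, with no load commands or code, so they are not runnable binaries.

```python
"""Inspect the architecture layout of a Mach-O file.

Added example, not ESET's code. The Lamadai section notes that its payload
was a 64-bit-only Mach-O rather than the usual fat (universal) binary, a
useful triage signal. This parser reads just enough of the fat header and
the Mach-O header to report whether a file is fat and which architectures
it carries. Sample images are constructed by build_thin()/build_fat() and
contain headers only, no load commands or code.
"""
import struct

FAT_MAGIC = 0xCAFEBABE                               # fat header, big-endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit, as read / swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit, as read / swapped
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_POWERPC = 18
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
    CPU_TYPE_POWERPC: "ppc", CPU_TYPE_POWERPC | CPU_ARCH_ABI64: "ppc64",
    CPU_TYPE_ARM: "arm", CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}
MH_EXECUTE = 2


def parse_thin_header(data):
    """Decode one Mach-O header: cputype, arch name, word size, file type."""
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = "<"          # on disk an Intel slice starts CE FA ED FE
    else:
        raise ValueError(f"not a Mach-O header: {magic:#010x}")
    bits = 64 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 32
    _, cputype, _, filetype, ncmds, _, _ = struct.unpack(endian + "7I", data[:28])
    return {"cputype": cputype,
            "arch": CPU_NAMES.get(cputype, f"cputype {cputype:#x}"),
            "bits": bits, "filetype": filetype, "ncmds": ncmds}


def describe_binary(data):
    """Return {"fat": bool, "archs": [thin header dicts]} for a file image."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O image")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java .class files share this magic; there the next field is a
        # version number, so an implausible slice count is a red flag.
        if not 1 <= nfat <= 16:
            raise ValueError(f"implausible fat_arch count {nfat}")
        archs = []
        for i in range(nfat):
            cputype, _, offset, size, _ = struct.unpack(">5I", data[8 + 20 * i: 28 + 20 * i])
            thin = parse_thin_header(data[offset: offset + size])
            if thin["cputype"] != cputype:
                raise ValueError("fat_arch cputype disagrees with slice header")
            archs.append(thin)
        return {"fat": True, "archs": archs}
    return {"fat": False, "archs": [parse_thin_header(data)]}


def is_64bit_only(data):
    """True for a thin 64-bit Mach-O, the layout noted for OSX/Lamadai.A."""
    info = describe_binary(data)
    return not info["fat"] and info["archs"][0]["bits"] == 64


def build_thin(cputype):
    """Construct a header-only Mach-O image (little-endian, as for Intel)."""
    magic = MH_MAGIC_64 if cputype & CPU_ARCH_ABI64 else MH_MAGIC
    header = struct.pack("<7I", magic, cputype, 3, MH_EXECUTE, 0, 0, 0)
    if cputype & CPU_ARCH_ABI64:
        header += struct.pack("<I", 0)   # reserved field of mach_header_64
    return header


def build_fat(cputypes, page=4096):
    """Construct a fat image whose slices sit on page boundaries."""
    slices = [build_thin(ct) for ct in cputypes]
    offsets = [page * (i + 1) for i in range(len(slices))]
    image = struct.pack(">II", FAT_MAGIC, len(slices))
    for ct, blob, off in zip(cputypes, slices, offsets):
        image += struct.pack(">5I", ct, 3, off, len(blob), 12)   # align = 2**12
    for blob, off in zip(slices, offsets):
        image += b"\0" * (off - len(image)) + blob
    return image


if __name__ == "__main__":
    for label, image in (("universal", build_fat([CPU_TYPE_X86, CPU_TYPE_X86_64])),
                         ("64-bit only", build_thin(CPU_TYPE_X86_64))):
        info = describe_binary(image)
        print(label, [a["arch"] for a in info["archs"]], "64-bit only:", is_64bit_only(image))
```

A single-architecture build is not evidence of malice on its own (plenty of legitimate tools ship thin), but combined with the delivery described above (a JAR dropper selecting its payload by User-Agent) it narrows the set of machines the attacker expected to reach, which is worth recording in the analysis.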
Sabpab
Backdoor Trojan with remote control capability
The trojan serves as a backdoor. It can be controlled remotely and acquires data and commands from a remote computer or the Internet, using HTTP to contact a URL embedded in its own body. This malware, like the highly prevalent Flashback variant, exploits the CVE-2012-0507 vulnerability.
It can execute the following operations:
- send the list of files on a specific drive to a remote computer
- download files from a remote computer and/or the Internet
- send files to a remote computer
- run executable files
- capture screenshots
It seems to have originated on 16th March 2012 or even a little earlier. Reports indicate a link between SabPab (or SabPub – vendor detection names vary) and APT attacks labeled Luckycat. There may even be a link with attacks on Tibetan activists. Later attacks have used Word documents exploiting the CVE-2009-0563 buffer overflow vulnerability in Microsoft Office. A later variant of this malware does not use Java exploit CVE-2012-0507, so Apple’s updates do not provide protection for this elderly Office vulnerability.
Morcut (Crisis)
Multi-platform spyware trojan
Morcut is an OS X Trojan specific to Snow Leopard and Lion (some reports suggest that it can run on Leopard, but tends to crash): it can install without any action on the part of the user, is persistent (survives reboot), and has rootkit capabilities that are activated if the infected system is running under root.
Morcut hasn’t been seen in the wild to date: the initial samples were uploaded directly to the VirusTotal multi-scanning engine site. The malicious JAR file includes a Java class file misleadingly called WebEnhancer that checks the Java Virtual Machine (JVM) it is running under to see if the operating system is Windows or OS X. If the JVM is running under Windows, it installs a version of Win32/Swizzor; if it’s OS X, it installs OSX/Crisis.
Crisis is neither the first nor the only attempt at hardware-independent malware, but the significance of the fact that the attempt is being made should not be underestimated, even though there are more technically-interesting aspects to the whole malware package: in particular, the range of activity and data the malware is meant to monitor put it right in the spyware category. The sensitive data it can compromise includes IM transactions, location, keystrokes and mouse movement, contents of the clipboard, running processes, and an assortment of other device and environment information that is tracked.