Posted by: David Harley | May 13, 2010

Apple Security: snapshots from 1997 and 2010

I got back yesterday from the iAWACS and EICAR conferences in Paris, where Andrew Lee (now with K7 Computing), Pierre-Marc Bureau (a colleague at ESET) and I presented on “Perception, Security, and Worms in the Apple”. Our paper is now available here, by kind permission of EICAR.

Apple’s customer-base seems to be rejoining the rest of the user community on the firing line. In recent years, criminals have shown increasing interest in the potential of Mac users as a source of illicit income, using a wide range of malware types, while issues with jailbroken iPhones have highlighted weaknesses in Apple’s reliance on a white-listing security model.

A recent survey carried out on behalf of the “Securing our eCity” community initiative, however, suggested that Mac users (and, come to that, PC users) continue to see the Mac – or at any rate OS X – as a safe haven, while Apple seems wedded to the idea that it has no security problem.

However, analysis of hundreds of samples received by our virus labs tells a different story. While the general decline of old-school viral malware is reflected in the Macintosh statistics, we are seeing no shortage of other malicious code including rootkits such as WeaponX, fake codec Trojans, malicious code with Mac-specific DNS changing functionality, Trojan downloading and installation capability, server-side polymorphism, fake/rogue anti-malware, keyloggers, and adware (which is often regarded as a minor nuisance, but can sometimes have serious impact on affected systems).

Nor is this just a matter of Mach-O (Mach Object File) format binaries: scripts (bash, perl, AppleScript), disk image files, Java bytecode and so on are also causes for concern. While neither the possibility nor the actual existence of a threat always equates to the probability of its having measurable impact, we take the position that the tiny proportion of compromised machines reflects, at least in part, the still limited market penetration of Apple products. The surprisingly swift escalation of exploits of a single iPhone vulnerability from PoC code to multi-platform hacker tool to functional botnet has perhaps been given more exposure than its impact in terms of affected machines might deserve, yet it demonstrates how closely criminal elements are watching for any weakness that might be turned to advantage.

A security model based on white-listing and restricted privilege, implemented on the presumption of the user’s conformance with licence agreements, can fail dramatically where there is an incentive to circumvent security for convenience or entertainment. Some types of attack (phishing is an obvious example) are completely platform agnostic because the “infected object” is the user rather than something on the system. Security reliant on the inability of a user to gain privileged access may lead to disaster if it fails to anticipate the ingenuity of hobby hackers and criminals alike, or the possibility of a conjunction of social engineering and technical vulnerability.

This paper will compare the view from Apple and the community as a whole with the view from the anti-virus labs of the actual threat landscape, examining:

  • The ways in which the Apple-using community is receiving increasing attention as a potential source of illegitimate profit
  • The directions likely to be taken by malware over the next year or two
  • The likely impact of attacks against Apple users
  • The implications for business and for the security industry in an age of interconnectivity, interoperability, and the paradox of accelerated computing power on ever-shrinking devices.

Surprisingly, some of the people I talked to were also interested in the paper I presented at Virus Bulletin in 1997, so I’ve also made that available again here, mainly for its historical interest.

Abstract:

The Apple Macintosh has received little recent attention from virus writers or, indeed, anti-virus researchers. Though the number of native Mac viruses has stayed virtually static for several years, the recent upsurge of macro viruses has not left the Macintosh community unscathed. Many viruses which infect Microsoft Office applications will do so as happily on a Macintosh as on a PC. Even Mac users who don’t use vulnerable applications or application versions may, without appropriate anti-virus software, unknowingly pass on infected files. Many Mac sites, however, are only just waking up to these facts, belatedly and expensively. This paper briefly reviews the shared history of viruses and the Mac, summarizes the current situation and considers future possibilities and strategies.

David Harley FBCS CITP CISSP
Mac Virus Administrator
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
http://amtso.wordpress.com


Responses

  1. [...] You can get more information and both papers here. [...]

  2. [...] You can get more information and both papers here. [...]

  3. It’s interesting that you keep referring back to jailbroken iphones as an example of the “risks” to Apple users. Yes, if users go to the effort of jailbreaking their phones then they are at increased risk (although in truth the real risk and enabler of botnets etc is the use of an unsecured SSH client, not jailbreaking itself), but that’s down to the user, and entirely the responsibility of the user. An iPhone in its native state, with firmware that hasn’t been deliberately circumvented and corrupted by the user, is absolutely secure.

    As for Macs, the question – as it must have been in 1997 when your first paper was published – is show me the money. Where is all this malware? Why isn’t it spreading across the “orchard” like Dutch Apple Disease?

    Apple are now (by market capitalisation) bigger than Microsoft, and higher profile than ever before, and yet we’re still waiting on that first virus or fast-spreading bit of malware to really make any impact on the Mac world. Is it really going to come any day now, or is it actually much harder for any hacker to achieve than you suggest?

  4. Tim:

    An iPhone that hasn’t been jailbroken is not absolutely secure. It isn’t susceptible to the SSH issue, but it can be and has been compromised in other ways. But the point isn’t clear and present danger to all iPhone users right now, it’s what it tells us about Apple’s “my way or the highway” security model. Clearly you don’t have a problem with that (and I’ve heard the argument that “if the user does something silly, it’s entirely his own fault” many times over the years from Apple users, so you’re not alone). I do. Perhaps because I come from a support background, and I’m painfully aware of how one user’s action can cause massive disruption to others. Since I don’t have your faith in the absolute security of the iPhone, I have no difficulty envisaging such a possibility. I make no claims about when or even if: I do say that there is no guarantee that it won’t happen, and if it does, Apple will still be saying it isn’t their problem.

    That first paper was written at a time when Mac users were a serious problem in the enterprise, because they believed that there was no need for them to think about security, and they were dispersing malware to all and sundry. It took me years to get funding for Mac AV for the organization I worked at, but it came through rather quickly after I cleaned several hundred files infected with three different viruses off a VIP’s Powerbook. Soon after that paper came out, the Autostart worm damaged Mac data all over the world.

    Are we going to see problems like those on OS X systems? I seem to have left my crystal ball at home. But there is no absolute reason why we shouldn’t. And you sure as eggs can’t tell me it didn’t happen in the 90s, because I spent a lot of time cleaning up some of those messes…

  5. [...] now. But as I’ve been talking quite a lot about Mac threats in the past month or two (see http://macviruscom.wordpress.com/2010/05/13/apple-security-snapshots-from-1997-and-2010/ for example), there’s been curiosity about what we’ve been seeing in the way of OS X [...]

    • Hi, Ryan.

      I hadn’t come across that. Interesting comment thread. Abandoned notwithstanding, I’ll put a link on my resources page.

      Cheers!
