Mac Virus

As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only.

David Harley, 15th April 2020

[While I’m not maintaining this page – or, come to that, this site – currently, I should flag the pretty good MacOS Malware Pedia implemented by Checkpoint. Hat tip to Virus Bulletin, who drew my attention to that page in their March 11th newsletter.  DH, 11th March 2019.]

[TL:DR; Yes, this is way out of date, for those of you who’ve commented: it’s unlikely that I’ll add anything to this page now. While most Mac malware is comparatively low in impact, there’s too much of it to keep tending this page at the expense of other work. DH, June 2017]

[Updated 12th April 2016, quoting this article.]

Once upon a time (back when I wrote an FAQ document on ‘Viruses and the Macintosh’ (which is still around in cobwebby bits of the internet, but hopelessly outdated), it was actually feasible to list all the Macintosh malware known at that time. In fact, the ‘Pre-OS X malware‘ page on this site is founded on the last version of that document, updated when I still had some control over where it resided.

And for quite a while, the same applied to OS X malware. Not any more. I haven’t actually looked at Bit9’s report 2015 – The Most Prolific Year in History for OS X Malware because it requires registration, but John Leyden’s article for The Register  tells us in summary that ‘This year, there have been 948 OS X malware samples, compared with 180 in the years 2011-14 inclusive.” There’s no need to panic: 90% of 2015 samples analysed by Bit9 and Carbon Black use the version of the Load command superseded in 2012 with the release of OS X 10.8 (Mountain Lion).

Anyway, I didn’t deliberately abandon the list of OS X malware on this page in 2011, I don’t think it would be particularly useful to try to catch up now in the hope of listing all current OS X malware. I’m not at present planning to update this Timeline page either, though that’s more a matter of time management. While OS X isn’t exactly a hotbed of malware – especially when compared to Windows – there is a lot more Mac malware than there used to be, and I don’t think it would be useful or practical to go on trying to list it all here.

[Updated 7th November 2011]

Added links to some further information from F-Secure about OSX/Devilrobber to the appropriate section below.

[Updated 4th November 2011]

I’ve just been reminded of a threat descriptions database I should have added to this list: PC Tools’ iAntivirus page includes a threat descriptions page here. Brief descriptions, but plenty of them.

[Updated 1st November 2011]

OSX/Devilrobber (a.k.a. OSX/Miner)

• It opens ports and listens for C&C servers
• It steals GPU (Graphics Processing Unit) cycles to generate Bitcoins in order to defraud the Bitcoin service, and if it finds a Bitcoin wallet on the infected machine, steals that too
• It acts as spyware, forwarding usernames and passwords to a remote server
• It noses around looking for other stuff like the keychain file, bash history file, Safari history file, and takes and forwards screenshots
• It may also be looking for files that contain child abuse materia

The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as PirateBay. Interestingly, the program will terminate on infection if it finds Little Snitch installed: otherwise, it will be launched at every reboot.

• Devilrobber: Bitcoin Miner preys on Snow White
• New Malware DevilRobber Grabs Files and Bitcoins, Performs Bitcoin Mining, and More
• DevilRobber Mac OS X Trojan horse spies on you, uses GPU for Bitcoin mining
• Backdoor:OSX/DevilRobber.A [Added 7th November 2011]
• F-Secure description [Also added 7th November 2011]

OSX/Tsunami.A

A version of the elderly Linux/Tsunami malware (also known as Kaiten), recompiled as a Mach-O binary to run on OS X. Low risk, but apparently a work in progress: a second version shows some “improvements”. More info:

• OSX/Tsunami: flooding new markets
• OSX/Tsunami: a little more water with that
• OSX/Tsunami.A: old code, new platform
• Updates on OSX/Tsunami.A, a Mac OS X Trojan
• Linux Tsunami hits OS X
• Tsunami backdoor for Mac OS X discovered
• http://blog.intego.com/tsunami-backdoor-can-be-used-for-denial-of-service-attacks/
• Backdoor:OSX/Tsunami.A (blog)
• Backdoor:OSX/Tsunami.A (description)

[Updated 28th October 2011]

Sophos Mac Malware Descriptions

You may notice that this page is nowhere near keeping up with the flood – ok, trickle – of Apple-targeting malware that we’ve seen this year. No, that doesn’t mean there wasn’t any: it means that this page is a low priority. I should, however, certainly have mentioned before Graham Cluley’s excellent article “The short history of Mac malware: 1982 – 2011” – in fact, I did mention it, but only in the main Mac Virus blog, not as a resource to check on for malware descriptions. It’s not encyclopaedic, but it’s certainly an excellent summary.

[Updated 26th February 2011]

Blackhole RAT (darkComet, MusMinim):

Updated 1st April (no, I don’t think it’s a joke)

SecureMac describes a later variant it’s labelled BlackHole RAT 2.0a, which is said to be distinctly different to the variant described by Intego.

• https://macviruscom.wordpress.com/2011/04/01/if-you-knows-of-a-better-black-ole/
• http://www.securemac.com/blackholerat2-bulletin.php
• http://blog.intego.com/2011/03/30/intego-discovers-new-improved-blackhole-rat-variant/
• https://macviruscom.wordpress.com/2011/03/30/superrat-non-event-horizon/

Updated 30th March (info on later variants)

• http://www.securemac.com/blackholerat-bulletin.php
• http://blog.intego.com/2011/03/30/intego-discovers-new-improved-blackhole-rat-variant/
• BlackHole RAT is Really No Big Deal
• https://macviruscom.wordpress.com/2011/02/26/macrat-blackhole/
• http://ithreats.net/2011/02/25/rat-blackhole/
• http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/

RAT (Remote Access Tool) which targets both Windows and Mac users. Described as a beta version by its author, but already includes an interesting range of functions. The user interface includes some German words/command options.  The author refers to it as Blackhole ( but Sophos analysis indicates that it’s a variant of the Windows malware commonly referred to as darkComet: however, the apparent author of darkComet has denied it and says he’s developing his own – oh joy…). Sophos detects it as OSX/MusMinim-A: other AV researchers have samples, so other products will detect it too (contact your vendor if in doubt).

[Updated 22nd January 2011]

Symantec blog on the high proportion of Macs recruited into the Boonana botnet.

[Updated 21st January 2011]

I can’t believe I forgot to mention that Graham had updated his blog post to include Autostart! But he did.

Meanwhile, I came across a description of the Top 5 malicious programs that affect OS X, according to malwarecity.com, which is a BitDefender initiative. It includes short but to-the-point descriptions of:

• Jahlav
• RSPlug
• HellRTS
• OpinionSpy
• Boonana

[Updated 24th November 2010]

No, this is not the week I get on with adding some more descriptions to this page. In the New Year, maybe. In the meantime, though, I notice that Graham Cluley has put up a blog including the highlights of Apple-targeted malware to date. While it’s not particularly detailed or comprehensive (surprisingly, it doesn’t mention 1998’s AutoStart worm), it’s accurate (as I’d expect), and you may find it of some interest.

Apple Mac malware: A short history

[Updated 22nd September 2010]

Predictably, my virtual ear has just been bent by someone assuming that because there are only a couple of descriptions here, that’s all the OS X malware there is. Sorry, but it isn’t. I simply don’t have time to put into this project right now: going back over descriptions for earlier malware simply isn’t a priority, and right now I’m up to my ears in conferences and can’t find time even to detail more recent malware.

Perhaps Old Mac can find some time for this, but I wouldn’t bet on it. As I remarked in a comment below, ESET’s OS X sample collection is now well into the thousands. There’s some information on the most common malware types and families in the EICAR paper on Apple security on the resources page at https://macviruscom.wordpress.com/mac-malware-resources/papers/ though that paper is now quite a few months old.

Ryan Russell’s blog at http://ryanlrussell.blogspot.com/2006/10/os-x-malware.html is not up-to-date (he didn’t have time to update either) but includes more individual items than I’ve managed so far.

David Harley

[Updated 14th June 2010]

This is an embryonic information resource with information (or links to information) about specific Mac threats. This may not be the biggest project in the world (Mac threats tend to be counted in hundreds, not tens of millions, as is the case with PC threats), but it will take a finite amount of time, which I’m a little short of, so in the first instance, at least, I’m likely to add descriptions as they’re asked for, rather than chronologically or in order of importance. Descriptions may also be modified as I find time to work on them, and the format is likely to become a little less rough-and-ready.

 OSX/OpinionSpy

Also Known As:

Associated with software calling itself PermissionResearch or PremierOpinion

First reported

1st June 2010

Discussion on Mac Virus:

• https://macviruscom.wordpress.com/2010/06/02/mac-spyware-osxopinionspy/
• https://macviruscom.wordpress.com/2010/06/05/osxopinionspy-7art-screensavers/
• https://macviruscom.wordpress.com/2010/06/12/premieropinion-revisited-again/

Information from Intego, including initial alert:

• http://blog.intego.com/2010/06/01/intego-security-alert-osxopinionspy-spyware-installed-by-freely-distributed-mac-applications/
• http://blog.intego.com/2010/06/02/further-information-about-the-osxopinionspy-spyware/
• http://blog.intego.com/2010/06/04/spyware-is-back-in-tainted-screensavers/

Discussion on the ESET blog:

• http://www.eset.com/blog/2010/06/02/mac-malware-osxopinionspy
• http://www.eset.com/blog/2010/06/05/osxopinionspy-revisited
• http://www.eset.com/blog/2010/06/14/more-on-osxopinionspy

Analysis by Methusela Cebrian Ferrer: http://ithreats.net/2010/06/02/premieropinion-spyware-now-in-mac-os-x/

Discussion by Paul Ducklin: http://www.sophos.com/blogs/duck/g/2010/06/02/mac-osx-monitorware/

Description by McAfee: http://vil.nai.com/vil/content/v_267638.htm

OSX/MacSweep

Also Known As

Troj/MacSwp-A, OSX_MACSWEEP, MacSweeper

First reported

January, 2008

Description

The first OSX scareware (or fake security application), or at any rate the first widely-recognized as such. Published by “KiVVi Software”, who covered themselves with glory by stealing most of the text from their self-description from Symantec’s web site, changing only the company name.

Most of the descriptive material applying to OSX/iMunizator also applies to MacSweep: in fact, some sources reported an almost identical screen for both “products” saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC” The program flags a number of perfectly legitimate applications as privacy violations, malware, bad cookies (Down, Cookie! Down, boy! Naughty Cookie!), compromising files and so on , and anyone trying to remove them is told they need to buy the MacSweep software.

Perhaps the most interesting thing about these early Mac-specific ventures into the rogue application market is that they were also early examples of rogue security software that presents itself as something other than straightforward fake anti-virus or fake anti-spyware. Presumably the authors were taking into account that most Apple-users don’t believe that there is any Apple malware.

Further information

http://www.f-secure.com/weblog/archives/00001362.html

http://blog.intego.com/2008/01/15/scareware-tries-to-trick-mac-users-into-buying-worthless-software/

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmacswpa.html

http://vil.nai.com/vil/content/v_143952.htm

http://en.wikipedia.org/wiki/MacSweeper

OSX/Imunizator

Also Known As

OSX/iMunizator, OSX/Imunisator, Troj/MacSwp-B, OSX_MACSWEEP.B, OSX/AngeloScan

First reported

Late March, 2008

Description

As the fact that some vendors call it MacSweep.B indicators, Imunizator was essentially a retread of OSX/MacSweep (MacSweeper), the first OSX scareware (or fake security application), or at any rate the first widely-recognized as such.

The “call to action” in this case was a screen saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC” (that’s the capitalization offered by the product’s screen, not mine: I know the difference between a raincoat, an Apple computer, and a Media Access Control address…).

Wouldn’t it be  nice if you could get an application to clean the Internet?

The program flags a number of perfectly legitimate applications as “trash”, and any victim naive enough to try to remove them is told they need to buy the Imunizator software. Amusingly (in a black sort of way), Imunizator tries to tell you that the apps it flags may compromise the victim’s credit card.

Pot, kettle….

Perhaps the most interesting thing about these early Mac-specific ventures into the rogue application market is that they were also early examples of rogue security software that presents itself as something other than straightforward fake anti-virus or fake anti-spyware. Presumably the authors were taking into account that most Apple-users don’t believe that there is any Apple malware. (Yes, I said that about MacSweep, too.)

Further information

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmacswpb.html

http://vil.nai.com/vil/content/v_144297.htm

http://blog.trendmicro.com/scareware-software-makes-its-second-round-on-mac-os/

http://www.h-online.com/…/More-fake-anti-spyware-for-the-Mac-734693.html

http://www.intego.com/news/ism0801.asp

http://blog.intego.com/2008/03/28/new-scareware-targets-mac/

David Harley CITP FBCS CISSP
Mac Virus Administrator