I got back yesterday from the iAWACS and EICAR conferences in Paris, where Andrew Lee (now with K7 Computing), Pierre-Marc Bureau (a colleague at ESET) and I presented on “Perception, Security, and Worms in the Apple”. Our paper is now available here, by kind permission of EICAR.
Apple’s customer-base seems to be rejoining the rest of the user community on the firing line. In recent years, criminals have shown increasing interest in the potential of Mac users as a source of illicit income, using a wide range of malware types, while issues with jailbroken iPhones have highlighted weaknesses in Apple’s reliance on a white-listing security model.
A recent survey carried out on behalf of the “Securing our eCity” community initiative, however, suggested that Mac (and, come to that, PC) users continue to see the Mac – or at any rate OS X – as a safe haven, while Apple seems wedded to the idea that it has no security problem.
However, analysis of hundreds of samples received by our virus labs tells a different story. While the general decline of old-school viral malware is reflected in the Macintosh statistics, we are seeing no shortage of other malicious code including rootkits such as WeaponX, fake codec Trojans, malicious code with Mac-specific DNS changing functionality, Trojan downloading and installation capability, server-side polymorphism, fake/rogue anti-malware, keyloggers, and adware (which is often regarded as a minor nuisance, but can sometimes have serious impact on affected systems).
Nor is this just a matter of Mach-O (Mach Object File) format binaries: scripts (bash, Perl, AppleScript), disk image files, Java bytecode and so on are also causes for concern. While neither the possibility nor the actual existence of a threat always equates to the probability of its having measurable impact, we take the position that the tiny proportion of compromised machines reflects, at least in part, the still limited market penetration of Apple products. The surprisingly swift escalation of exploits of a single iPhone vulnerability from PoC code to multi-platform hacker tool to functional botnet has perhaps been given more exposure than its impact in terms of affected machines might deserve, yet it demonstrates how closely criminal elements are watching for any weakness that might be turned to advantage.
A security model based on white-listing and restricted privilege, implemented on the presumption of the user’s conformance with licence agreements, can fail dramatically where there is an incentive to circumvent security for convenience or entertainment. Some types of attack (phishing is an obvious example) are completely platform agnostic because the “infected object” is the user rather than something on the system. Security reliant on the inability of a user to gain privileged access may lead to disaster if it fails to anticipate the ingenuity of hobby hackers and criminals alike, or the possibility of a conjunction of social engineering and technical vulnerability.
This paper will compare the view from Apple and the community as a whole with the view from the anti-virus labs of the actual threat landscape, examining:
The ways in which the Apple-using community is receiving increasing attention as a potential source of illegitimate profit
The directions likely to be taken by malware over the next year or two
The likely impact of attacks against Apple users
The implications for business and for the security industry in an age of interconnectivity, interoperability, and the paradox of accelerated computing power on ever-shrinking devices.
Surprisingly, some of the people I talked to were also interested in the paper I presented at Virus Bulletin in 1997, so I’ve also made that available again here, mainly for its historical interest.
The Apple Macintosh has received little recent attention from virus writers or, indeed, anti-virus researchers. Though the number of native Mac viruses has stayed virtually static for several years, the recent upsurge of macro viruses has not left the Macintosh community unscathed. Many viruses which infect Microsoft Office applications will do so as happily on a Macintosh as on a PC. Even Mac users who don’t use vulnerable applications or application versions may, without appropriate anti-virus software, unknowingly pass on infected files. Many Mac sites, however, are only just waking up to these facts, belatedly and expensively. This paper briefly reviews the shared history of viruses and the Mac, summarizes the current situation and considers future possibilities and strategies.
David Harley FBCS CITP CISSP
Mac Virus Administrator
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence