Apple Malware Timeline

24th October 2016: In case you hadn’t noticed, I haven’t been trying for some years to keep this page updated with all significant Apple malware. In fact, since I’m now semi-retired, it may not be updated at all. This doesn’t mean, as one misguided fanboi tried to make out a couple of years ago, that there is no significant OS X or iOS malware. It means that there’s only one of me, and I have other priorities.

[Updated 12th April 2016, quoting this article.]

Once upon a time (back when I wrote an FAQ document on ‘Viruses and the Macintosh’, which is still around in cobwebby bits of the internet, but hopelessly outdated), it was actually feasible to list all the Macintosh malware known at that time. In fact, the ‘Pre-OS X malware’ page on this site is founded on the last version of that document, updated when I still had some control over where it resided.

And for quite a while, the same applied to OS X malware. Not any more. I haven’t actually looked at Bit9’s report 2015 – The Most Prolific Year in History for OS X Malware because it requires registration, but John Leyden’s article for The Register tells us in summary that ‘This year, there have been 948 OS X malware samples, compared with 180 in the years 2011-14 inclusive.’ There’s no need to panic: 90% of 2015 samples analysed by Bit9 and Carbon Black use the version of the Load command superseded in 2012 with the release of OS X 10.8 (Mountain Lion).

Anyway, while I didn’t deliberately abandon the list of OS X malware on this page in 2011, I don’t think it would be particularly useful to try to catch up now in the hope of listing all current OS X malware. I’m not at present planning to update this Timeline page either, though that’s more a matter of time management. While OS X isn’t exactly a hotbed of malware – especially when compared to Windows – there is a lot more Mac malware than there used to be, and I don’t think it would be useful or practical to go on trying to list it all here.

[As a commenter has pointed out, I haven’t been updating this since 2013. Sorry, but it hasn’t been a priority. It certainly doesn’t mean there hasn’t been anything worth noting since early 2013, but I’ve no particular incentive to keep it updated currently. It’s still up here for purely historical reasons.]

[Version 1.02 5th February 2013: added 2nd paragraph with links to ESET’s timeline, which is rather more polished (and in some aspects more complete) than this one.]

[Version 1.01 21st September 2012: added Graham Cluley’s timelines to the resources list and removed some redundant text.]

Introduction

While there is already information on some Apple malware on the Malware Descriptions page, this will present a more chronological view of the Mac threatscape, though some items will be covered in more detail than others. This is very much a work in progress and I make no claim to be all-inclusive, but it seems to be something people want.

By the way, if you’ve seen ESET’s recently published page Straight Facts about Mac Malware, you may notice some resemblance to the descriptions in this timeline and on the Mac Virus Malware Descriptions page: that’s because I had quite a lot of input into ESET’s page, not because one site is ripping off the other’s content. 🙂 ESET’s page is well worth a look, as it’s rather a neat infographic presentation and in some aspects more complete than this timeline, though I expect I’ll do some more work on it one of these days.

We (Rob Slade and I) included a little information on pre-Mac malware in ‘Viruses Revealed’: I’ll summarize here in due course, though it’s hardly a priority. It’s amazing how few Apple II and Lisa users I’m in touch with, these days. In fact, I may be one of the last users of Mac OS 9.2…

Pre-OS X Mac malware is listed here, though not in chronological order: that page is extracted from the Virus and the Macintosh FAQ, version 2.

Because of the nature of the malware problem, I can’t always guarantee that the order and dating is strictly correct. In fact, I was only maintaining Mac Virus very sporadically in the early noughties, so am indebted to Ryan Russell for filling in some of the gaps on malware I didn’t write about at the time.

But let’s start here, around 2004.

2004

Amphimix/MP3Concept

This is a Proof of Concept (PoC) Mac Trojan that masqueraded as an MP3, using an .MP3 icon. Its main importance is timing – it’s sometimes regarded as the first acknowledged OS X malware – rather than its impact. It displayed a dialogue box saying “Yep this is an application. (So what is your iTunes playing right now?)”, launched iTunes and tried to play a 4-second MP3 audio clip of ‘wild laughter’ (a man laughing).

Opener (Renepo)

This was a (bash) shell script. The script header gives a good idea of what it was supposed to do.

########################################################################
# opener 2.3.5a - a startup script to turn on services and gather user info & hashes for Mac OS X
########################################################################
# Originally written by DimBulb
# Additional code: hard-mac, JawnDoh!, Dr_Springfield, g@pple
# Additional ideas and advice: Zo, BSDOSX
# This script runs in bash (as is noted by the very first line of this script)
# To install this script you need admin access or
# physical access (boot from a CD or firewire/usb, ignore permissions on the internal drive) or
# write access to either /Library/StartupItems /System/Library/StartupItems or
# write access to any existing StartupItem (which you can then replace with this script) or
# write access to the rc, crontab, or periodic files (and have them run or install the script) or
# you could trick someone who has an admin account into installing it.
# It should go in /System/Library/StartupItems or /Library/StartupItems (when it is executed it
# will move itself to /System/Library/StartupItems)
# Since it is a StartupItem it will run as root - thus no "sudo" commands are needed. If you run
# it as any other user most of the commands will generate errors! (You could sudo ./opener)
# Save start time and date for performance testing

Installation required either admin access or physical access to the target machine and write access to system areas and utilities. Once installed as a StartupItem it was intended to run as root, without any need to invoke sudo. Sudo is a utility mostly found in Unix-like or Unix-derived operating systems that allows a user account to run system programs at a higher privilege level without necessarily having super-user privileges – unlike su, which requires the user to know the super-user password.

By version 2.3.8, according to Macintouch reports, it was installing a variety of backdoor and spyware functionality, stealing a range of configuration/application information and including password cracking and other decryption functionality. AV descriptions tend to focus on this version.

I’d be reluctant to classify it as a rootkit in its own right, but it seems to have been associated with the osxrk rootkit (September 2004). (That blogger casts doubt on some of the commentary at Macintouch.)
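The header above lists the places an installer needs write access to (StartupItems, rc, crontab, periodic files). As an added example that is not from the page or from Opener’s authors, here is a small POSIX shell audit that flags entries in such persistence locations that a non-root account could modify; the directory tree it walks is constructed inside the script so it runs anywhere, and the real paths to check are assumed from the header.

```shell
#!/bin/sh
# Added example (not from the original page): audit persistence locations
# for entries an ordinary account could replace. On a real system the
# paths named in Opener's header would be passed in, e.g.
#   audit_startup_dirs /Library/StartupItems /System/Library/StartupItems /etc/periodic
# Files as well as directories may be passed (rc, crontab, periodic files).

# Print one line per risky entry: "<reason> <path>". A StartupItem, or any
# script inside it, that is world- or group-writable or not owned by root
# can be swapped for something else by a non-admin user, which is exactly
# the installation route the header describes ("write access to any
# existing StartupItem"). Octal masks keep the test portable to BSD find.
audit_startup_dirs() {
    for dir in "$@"; do
        [ -e "$dir" ] || continue
        find "$dir" -perm -0002 -print | while IFS= read -r path; do
            printf 'world-writable %s\n' "$path"
        done
        find "$dir" -perm -0020 -print | while IFS= read -r path; do
            printf 'group-writable %s\n' "$path"
        done
        find "$dir" ! -user root -print | while IFS= read -r path; do
            printf 'not-root-owned %s\n' "$path"
        done
    done
}

# Constructed sample tree: one sane StartupItem, one whose script is
# world-writable, and one whose directory is group-writable.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/StartupItems/SafeItem" \
             "$tmp/StartupItems/WritableItem" \
             "$tmp/StartupItems/GroupItem"
    printf '#!/bin/sh\necho safe\n' > "$tmp/StartupItems/SafeItem/SafeItem"
    printf '#!/bin/sh\necho writable\n' > "$tmp/StartupItems/WritableItem/WritableItem"
    printf '#!/bin/sh\necho group\n' > "$tmp/StartupItems/GroupItem/GroupItem"
    chmod 755 "$tmp/StartupItems" "$tmp/StartupItems/SafeItem" \
              "$tmp/StartupItems/SafeItem/SafeItem" \
              "$tmp/StartupItems/WritableItem" \
              "$tmp/StartupItems/GroupItem/GroupItem"
    chmod 777 "$tmp/StartupItems/WritableItem/WritableItem"
    chmod 775 "$tmp/StartupItems/GroupItem"
    printf '%s\n' "$tmp"
}

# Stand-alone demonstration against the constructed tree.
demo=$(make_demo_tree)
audit_startup_dirs "$demo/StartupItems"
rm -rf "$demo"
```

The not-root-owned lines are only meaningful when the audited path is a real system location; in the constructed tree every entry is owned by whoever runs the script.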

OS X rootkits

As rootkits were originally a (mostly) Unix-specific attack and OS X is based on BSD Unix, it’s unsurprising that OS X-specific rootkits started to appear after Apple support for OS 9.x ended and OS X was becoming the only option for Apple’s expanding user-base. By 2004-2005, a number of rootkits were known to be in existence, though their impact on the user community as a whole was low. However, more recent threats have frequently included a measure of rootkit/stealth functionality, even if they weren’t classified as OS X rootkits. Some threats aimed at jailbroken iOS devices also have rootkit functionality.

osxrk Rootkit

###################################
# osxrk : OS X – Rookit
#
# the burning man – Public Release 0.2.1
# Sept. 2004
#
# by g@pple
#
# greets and thanks to Dim Bulb, Dr. Springfield, Jawn Doh!, B-r00t!,
# the fbsdrk & fbsdrootkit teams for inspiration.

The header indicates a conceptual link with the development of Renepo. It comes with its own version of netcat, which wasn’t originally supplied with OS X.

Togroot rootkit (2004)

This basic rootkit has to be installed by an account with root privileges. That is, it’s for maintaining control rather than for ‘rooting’ (i.e. getting itself installed in the first place using privilege escalation). Once installed, however, the attacker can get root access using “/givemeroot” and “su”.

Ryan Russell dates it to 8th September 2004 and cites an interesting thread at O’Reilly. It included netcat, which wasn’t originally supplied with OS X, as a component.

WeaponX rootkit (2004)

Rather less basic than Togroot, though it still needs to be manually installed. It hooks the setuid, kill, chmod and write APIs, conceals network communications and the identity of the logged-in user, and can change/escalate the privileges of a running process. Over time, we have seen compiled versions of the WeaponX rootkit (which contains a number of subverted programs and source code) submitted for analysis, suggesting that some attackers have made active use of the Proof of Concept code in an attempt to hide the presence of their malware on a system.

ESET considered the threat real enough to compile a description: OSX/Rootkit.Weapox.A.

2005

Sony rootkit

The Mac rootkit built for Sony was somewhat overshadowed by the fuss over their PC rootkit, of course, but has some significance in that rootkit/stealth functionality is often on the borderline between legitimate and malicious irrespective of platform. Some would say, however, that Sony crossed that line, but that isn’t a judgement we feel compelled to make here. Hat tip to Ryan Russell for reminding me about it.

2006

Mac/Leap.A

Leap is often considered to be the first true OS X virus (or worm), though not according to some elements of the Mac fanboi community, generally notorious for attempting to redefine threat definitions in order to deny or minimize the importance of Mac malware.

It appeared at the beginning of 2006 and attracted a great deal of media attention. It used a graphic icon to pass off a Unix executable as a JPG image, claimed to be the latest Leopard Mac OS X 10.5 screenshots, and was spread through the iChat messenger client, using a file called latestpics.tgz. It required user interaction in order to spread, and used Spotlight to infect all the files it found on disk. (Listed in CME, 2006; Van Oers, 2006; Harley, Bureau & Lee, 2010)

More references:

OSX/Inqtana

Kevin Finisterre’s code for a Proof-of-Concept worm targeting OS X systems was released in February. It was written in Java and spreads through a directory traversal vulnerability in Apple’s Bluetooth system which was subsequently fixed by the vendor (2005-2006). It modified the settings of launchd to make sure its code was executed at boot time, thus ensuring persistence (that is, it continued to load at every system reboot). It attempted to spread by sending OBEX Push requests to other Bluetooth devices, though its spread was limited by the use of a time-limited library version, meaning that it couldn’t spread after 24th February 2006. Inqtana.D significantly developed the attack in that it didn’t require any user interaction in order to install, and once installed the backdoor access was available through ethernet or Airport, not just Bluetooth.

Variant report dating by Ryan Russell as February 22nd: Inqtana.A, Inqtana.B, Inqtana.C, Inqtana.D.

OSX.Macarena

Dated by Ryan Russell as 2 November, 2006 (hat tip to Ryan Russell).

Not malware but something of a milestone:

How to install without the admin password. (another hat tip to Ryan Russell)

2007

Badbunny

Sophos report.

RSPlug – DNSChanger

The family of DNS changing malware includes binaries identified as OSX/Jahlav, OSX/DNSchanger, OSX/Puper, OSX/RSPlug (and sundry variations according to individual vendor naming conventions). Some vendors regard it as consisting of more than one family originating with the same author (Ferrer, M., 2009), but such distinctions are not maintained consistently across the vendor community. This group is also closely related to the Zlob family, associated with similar malicious functionality on Windows platforms. This type of malware is the one for which we have found by far the most files in the wild. It is predominantly found as a DMG file containing an installation package named install.pkg.

It has been distributed using various schemes such as fake codecs, an approach commonly used by malware on other platforms. The ultimate purpose of this malware is to change DNS settings of an infected host, potentially enabling the attacker to alter content accessed from an infected system. The malicious actions are taken by a script named preinstall executed at the beginning of the installer process. This script launches a set of shell commands to write its script to disk and execute it. An interesting point relating to OSX/Jahlav is that this threat uses server side polymorphism to generate new copies of its binaries, probably in an effort to evade detection by intrusion detection systems and antivirus software. Script files are also obfuscated using various shell tools such as uuencode, sed, and tail to conceal, vary or reverse the order of the commands and hamper analysis.

As Pierre-Marc Bureau summarized it for a presentation we did at EICAR (this description is from the actual paper):

  • Your typical malware operation
  • Poses as fake codec
  • Server side polymorphism
  • Use the preinstall script from installation packages
  • Changes DNS settings on infected hosts
  • We have seen hundreds of variants in the wild

Note that some vendors make more of a distinction between these families than I’ve done here, as the reference to a paper by Methusela Cebrian Ferrer indicates. (See the Sources and Resources section below).
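As an added example (not code from the page, from ESET or from the malware itself), here is a POSIX shell scanner that inspects the installer scripts of an expanded .pkg for the two traits the passage describes: decode-and-run obfuscation (uuencode, sed, tail) and changes to DNS settings. The package tree, the script contents and the DNS addresses are constructed for the demonstration, and the indicator patterns are my assumptions about what such a preinstall script would contain.

```shell
#!/bin/sh
# Added example (not the page's own code): look inside the scripts of an
# expanded OS X installer package for a preinstall/postinstall script that
# decodes hidden content at run time and touches DNS configuration.
#
# On a real Mac the package is expanded first, e.g.
#   pkgutil --expand install.pkg /tmp/expanded
# Here a constructed package tree is written instead, so the script runs
# anywhere. Installer scripts run as root during installation, so they
# deserve a look before any package from an untrusted source is installed.

# Indicator patterns (assumed): legitimate installers also use sed or tail,
# so a single match is a hint, and only the combination is rated HIGH.
DECODE_PATTERNS='uudecode|uuencode|base64|openssl enc|tail -c|tail -n|eval '
DNS_PATTERNS='scutil|networksetup.*dns|resolv\.conf|ServerAddresses'

# Print "<script> <finding>" lines for every installer script found.
scan_pkg_scripts() {
    pkgdir=$1
    find "$pkgdir" -type f \( -name preinstall -o -name postinstall \
         -o -name preflight -o -name postflight \) -print |
    while IFS= read -r script; do
        decode=0; dns=0
        if grep -Eq "$DECODE_PATTERNS" "$script"; then
            decode=1; printf '%s decode-or-eval\n' "$script"
        fi
        if grep -Eq "$DNS_PATTERNS" "$script"; then
            dns=1; printf '%s dns-change\n' "$script"
        fi
        # Decoding hidden content and changing DNS in one installer script
        # is the behaviour the RSPlug/Jahlav family is described as having.
        if [ "$decode" -eq 1 ] && [ "$dns" -eq 1 ]; then
            printf '%s HIGH\n' "$script"
        fi
    done
}

# Constructed sample: one package with a suspicious preinstall and one with
# an ordinary postinstall. Addresses are documentation-range (RFC 5737).
make_sample_pkg() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/install.pkg/Scripts" "$tmp/benign.pkg/Scripts"
    cat > "$tmp/install.pkg/Scripts/preinstall" <<'EOF'
#!/bin/sh
# constructed sample: content hidden after a marker is decoded at run time
tail -n +8 "$0" | uudecode -p > /tmp/hidden
/usr/sbin/scutil <<EOT
d.init
d.add ServerAddresses * 192.0.2.53 192.0.2.54
EOT
EOF
    cat > "$tmp/benign.pkg/Scripts/postinstall" <<'EOF'
#!/bin/sh
# constructed sample: an ordinary postinstall that only fixes permissions
chmod 755 /Applications/Example.app/Contents/MacOS/Example
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone demonstration against the constructed packages.
sample=$(make_sample_pkg)
scan_pkg_scripts "$sample"
rm -rf "$sample"
```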

Some ESET threat descriptions:

2008

MacSweep/Immunizator

OS X users are not immune to scareware (fake security software and so on), and in fact the number of such nuisances/threats has shown signs of escalating in 2012. Scareware isn’t just fake AV: we have seen many rogue applications pretending to clean or optimize Apple computers that were in fact fraudulent and of no use on any computer. These are (with some editing) the descriptions from the Malware Descriptions page.

OSX/MacSweep

Also known as Troj/MacSwp-A, OSX_MACSWEEP, MacSweeper, this was first reported in January 2008. It is sometimes described as the first OSX scareware (or fake security application), though it probably wasn’t. Published by “KiVVi Software”, who covered themselves with glory by stealing most of the text of their self-description from Symantec’s web site, changing only the company name.

Most of the descriptive material applying to OSX/MacSweep also applies to iMunizator: in fact, some vendors flag iMunizator as OSX/MacSweep.B, and some sources reported an almost identical screen for both “products” saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC”. The program flags a number of perfectly legitimate applications as privacy violations, malware, bad cookies (Down, Cookie! Down, boy! Naughty Cookie!), compromising files and so on, and anyone trying to remove them is told they need to buy the MacSweep software.

OSX/Imunizator

Also known as OSX/iMunizator, OSX/Imunisator, Troj/MacSwp-B, OSX_MACSWEEP.B, OSX/AngeloScan, this was first reported in late March, 2008. Imunizator was essentially a retread of OSX/MacSweep (MacSweeper).

The “call to action” in this case was again a screen saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC” (that’s the capitalization offered by the product’s screen, not mine: I know the difference between a raincoat, an Apple computer, and a Media Access Control address…).

And wouldn’t it be nice if you could get an application to clean the Internet?

The program flags a number of perfectly legitimate applications as “trash”, and any victim naive enough to try to remove them is told they need to buy the Imunizator software. Amusingly (in a black sort of way), Imunizator tries to tell you that the apps it flags may compromise the victim’s credit card.

Pot, kettle….

Perhaps the most interesting thing about these early Mac-specific ventures into the rogue application market is that they were also early examples of rogue security software that presents itself as something other than straightforward fake anti-virus or fake anti-spyware. Presumably the authors were taking into account that most Apple-users don’t believe that there is any Apple malware (though this is probably less the case since Flashback), but may be concerned about privacy issues.

Further information

Yet more information:

Mac/PokerPlay

  • Poses as a Poker game
  • Asks the user to enter his username and password until it matches the system’s credentials
  • Sends the username and password to a remote host
  • Enables SSH to let the attacker connect and control the machine

More info:

2009

OSX/Tored.AA

This Proof of Concept malware, probably of French origin, was discovered in 2009 and called Mac/Tored.AA. The name is a modification of the original name found in the binary file, which was OSX.Raedbot: by convention, security companies avoid using the names of malware chosen by the malware author. This worm was able to spread through email using its own SMTP engine. It could also contact a command and control server on the Internet to receive additional commands. Functionally, it therefore closely resembles certain classic Windows massmailers as well as many bots. However, we have not seen any instance of Mac/Tored.AA in the wild.

2010

Mac/Hovdy.A

The Mac/Hovdy malware family is a set of scripts designed to gather as much information as possible from a host and send it back to a potential attacker. In some variants, the information is sent back in an email with the subject Howdy, hence the name. Some variants were programmed as a bash script while other variants are programmed using AppleScript. We have seen just under a dozen different variants of the Mac/Hovdy script malware.

April 2010 – HellRTS – a.k.a. HellRaiser

This is the description furnished by Pierre-Marc Bureau for our EICAR presentation:

  • Trojan construction kit
  • Publicly available on the Internet
  • Uses Mach-O binaries with lots of embedded libraries
  • Gives complete control of an infected computer to the attacker
  • A bit like SubSeven that was available for Windows a few years ago.

ESET’s threat description: OSX/HellRTS.AA

OSX/OpinionSpy

Associated with software calling itself PermissionResearch or PremierOpinion.

First reported: 1st June 2010

Discussion on Mac Virus:

Information from Intego, including initial alert:

Discussion on the ESET blog:

Analysis by Methusela Cebrian Ferrer

Discussion by Paul Ducklin:

Description by McAfee:

Summary by Pierre-Marc Bureau (www.eicar.org/files/apple_security_eicar.pdf)

October 2010 – OSX/Boonana

Lots of comment in the Mac Virus blog.

March 2011: Blackhole RAT (darkComet, MusMinim):

(From the Mac Virus Threat Descriptions page with a little editing.)

This is a RAT (Remote Access Tool) which targets both Windows and Mac users. Described as a beta version by its author, it already included an interesting range of functions. The user interface includes some German words/command options. The author referred to it as Blackhole. Sophos analysis indicated that it’s a variant of the Windows malware commonly referred to as darkComet: however, the apparent author of darkComet denied it and claimed to be developing his own.

SecureMac describes a later variant that it labels BlackHole RAT 2.0a, which is said to be distinctly different from the variant described by Intego.

Info on later variants:

2011

May 2011 – MacDefender

[watch this space]

July 2011 – Olyx

September 2011 – Flashback

Commentary on Mac Virus.

September 2011 – Revir

Commentary on Mac Virus.

September 2011 – Imuler

Commentary on Mac Virus.

OSX/Devilrobber (a.k.a. OSX/Miner) [October 2011]

  • It opens ports and listens for C&C servers
  • It steals GPU (Graphics Processing Unit) cycles to generate Bitcoins in order to defraud the Bitcoin service, and if it finds a Bitcoin wallet on the infected machine, steals that too
  • It acts as spyware, forwarding usernames and passwords to a remote server
  • It noses around looking for other stuff like the keychain file, bash history file, Safari history file, and takes and forwards screenshots
  • It may also be looking for files that contain child abuse material

The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as PirateBay. Interestingly, the program will terminate on infection if it finds Little Snitch installed: otherwise, it will be launched at every reboot.

OSX/Tsunami.A [October 2011]

This is a version of the elderly Linux/Tsunami malware (also known as Kaiten), recompiled as a Mach-O binary to run on OS X. Low risk, but apparently a work in progress: a second version shows some “improvements”.

The Linux backdoor Trojan from 2002 was intended, once it managed to install itself, to listen for instructions transmitted over IRC. Its command set is focused on various DDoS (Distributed Denial of Service) attacks, but its ability to execute shell commands has potential for many other types of attack. The list of accepted commands is from the comment block in the Linux C source code.

The OS X version was recompiled as a 64-bit Mach-O binary, rather than the original ELF format native to Linux. That version resembled the Linux version but the IRC channel, server and password had been changed.

Unlike the first sample, later versions will survive a reboot, making it “persistent” in a technical sense, but not really an APT (Advanced Persistent Threat): no 0-days or leading-edge techniques here. The C&C (command and control) server and IRC channel being used had also changed. These builds work on 32-bit Intel x86-driven and Motorola PowerPC-driven Macs, not just x64. A blog by ESET’s Robert Lipovsky noted that:

“In addition to enabling DDoS attacks, the backdoor can enable a remote user to download files, such as additional malware or updates to the Tsunami code.  The malware can also execute shell commands, giving it the ability to essentially take control of the affected machine.”

More info:

[Updated 28th October 2011]

March 2012 – Lamadai

Commentary on Mac Virus

ESET blogs on Lamadai by Alexis Dorai-Joncas:

April 2012 – Sabpab

Commentary on Mac Virus

ESET Description OSX/Sabpab.A

May 2012 – FileCoder

[placeholder]

July 2012 – Morcut – a.k.a Crisis

OSX/Crisis is a Trojan specific to Snow Leopard and Lion: it doesn’t require user action to install, is persistent (survives reboot) and has rootkit capabilities that are activated if the infected system is running under root. However, it hasn’t been found in the wild to date: samples were found on VirusTotal. This poses the interesting question as to what ‘in the wild’ really means in the 21st century.

The malicious JAR file includes a Java class file (misleadingly called WebEnhancer). This checks whether the Java Virtual Machine in which it finds itself is running under Windows or OS X. If the JVM is running under Windows, it installs a version of Swizzor; if it’s OS X, it installs OSX/Crisis. The malware gathers a variety of device and environmental information, including by monitoring IM transactions, location, and keypresses.

OSX/Crisis, Mountain Lion security, Safari vulnerabilities and a BIOS blast from the past

PoC EFI rootkit:

July 2012 at Black Hat: EFI rootkit for Macs demonstrated

Sources and resources:


Responses

  1. Nothing since 2012? What about the Bash bug? That affected Linux, Unix, Mac. Great info, keep up the good work!

    • I’m afraid this page and site aren’t so much a priority for me these days. Still, two years is a long time. I’ll try and find some time to update this in the next month or so. No promises!

