Is Mac malware dead or just resting?
Bigfoot, the Loch Ness Monster, aliens with anal probes, and Mac malware: long-rumored, but short on confirmed sightings. Until recently.
In May we had our first genuine Mac malware outbreak with Mac Guard a.k.a. MacDefender and a bunch of other names. It followed the tried-and-true Windows malware method of fake anti-malware software. Once installed, it caused a lot of problems and then demanded money to solve them. Apple created a signature check system that can't really work in the long run, but within a few weeks the attacks ran their course. They weren't followed up, at least not in a big way.
Few have followed the MacDefender phenomenon as closely as Ed Bott on ZDNet. Ed's take on where it all went and where it will go is that bigger and badder things await Mac users, and I have to agree with him. There are signs of sophisticated research going on, such as the dual-platform keylogger identified by Microsoft a week ago.
The Mac version is named Olyx: "The Mach-O binary file targets Mac OS X users. It installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named 'google' in the /Library/Application Support directory, where the backdoor installs as 'startp'. It also keeps a copy in the temporary folder as 'google.tmp'.
"It creates 'www.google.com.tstart.plist' in the /Library/LaunchAgents, to ensure that it launches the backdoor only once when the user logs in - this applies to all accounts on the system. The backdoor initiates a remote connection request to IP address 184.108.40.206, where it continues to make attempts until established".
This was a rather sophisticated attack. The Windows version had a legitimate code signature using a certificate from Chinese CA WoSign which has since been revoked.
Malware researcher Mila Parkour says that Olyx was used in targeted attacks and speculates, based on other content in the attack, that Chinese human rights activists were the intended victims.
And yesterday F-Secure found a new Mac Trojan masquerading as a Flash installer. Once installed it makes changes to the HOSTS file in order to change web pages the user visits. F-Secure lists www.google.com.tw (Google in Taiwan) as an example. The user sees malicious Google pages instead of the real one and search results are poisoned.
What MacDefender proved was that attacks such as these can get through, that few users have 3rd party security and that Apple does not have an effective way to address the problem.
My prediction, and this is mostly just a wild guess, is that the real bad news comes in about a month when the kids get back to school and start having fun with the new Macbooks and iMacs they got. That would be a good time to launch such an attack.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.