There’s a belief that Mac users are not susceptible to malicious software. Well, there WAS a belief… A vast research on Mac malware reveals that 2015 has been the worst so far in terms of security. The brand new report on the subject was recently published by the IT security company Bit9 + Carbon Black Threat Research team.
It took the team 10 weeks to gather and analyze the data, necessary for such a paper. During that period, the researchers analyzed more than 1,400 unique OS X malware samples. The conclusion only came naturally – in 2015, the malware current towards Macs is quite strong and devastating. Their report is dubbed ‘2015: The Most Prolific Year in History for OS X Malware’. The team’s research efforts may have just cracked the illusion that Macs are immune to hacks in comparison with PCs running the Windows OS.
What Does the Research Emphasize on?
The team has closely observed the vulnerabilities in OS X, and the malware pieces that took advantage of them. They also collected samples. One good example here is the XcodeGhost. The XcodeGhost tools implement malicious components into applications created with Xcode. Furthermore, it was recently reported that OS X El Capitan – the twelfth major release of OS X, launched in September – contains serious security flaws in the Gatekeeper and Keychain features. To prove their point, the team has created a timeline of Mac malware, which looks like that:
2004 – 2006
- Renepo – The 1st Mac OS X clear-cut malware.
- Leap – a Mac worm that was spread via iChat.
2007 – 2009
- Jahlav – a Trojan that infected the DNS settings, similarly to Windows malware.
- MacSweep – a malware known as scareware that tricked users into buying rogue products.
2010 – 2012
- Boonana – the JavaScript Trojan that also affected Linux and Windows.
- MacDefender – a scareware piece generating fake security alerts.
- FlashBack – a malware that exploits a security bug in Java, the most spread Mac malware so far.
2012 – 2014
- Lamadai – a backdoor that exploits a Java vulnerability.
- Kitm – a malware performing targeted attacks.
- Hackback – similar to the one mentioned above.
- LaoShu – a Trojan hat spreads spam via undelivered mail parcels.
- Appetite – a Trojan that targets government organizations.
- Coin Thief – malware that steals BitCoin logins via cracked Angry Birds apps.
How do researchers explain the uptake in Mac Malware? Here’s one pretty good justification:
“This rise in Mac OS X malware comes after several years of rapid OS X market share gains, with 16.4 percent of the market now running OS X, including expanding deployment in the enterprise. This represents a growing attack surface for sensitive data, as 45 percent of companies now offer Macs as an option to their employees.”
Mac Malware Behavior Explained
As we already said, the analysis was based on over 1,400 samples, open sources, and incident response engagements. To evaluate the Mac threats, researchers can’t use common Windows malware analysis tools. To skip over this obstacle, the Bit9 + Carbon team used a number of custom and prebuilt tools such as fs_usage, dtrace, and opensnoop.
They utilized the tools and created special machines for dynamic analysis, that were run along with the custom-built Carbon Black sandbox. Thanks to these approaches, the team successfully identified common actions performed by Mac malware like file creations and network communications, observe command & control infrastructure and artifacts that were part of the malware execution.
OS X Malware Utilizes Features Such as LauchDaemons/LaunchAgents
Other leveraged features include login items and browser plugins. Another discovery that was made is that Mac malware resides in ‘userland’ and supported persistence mechanisms, instead of attempting to reside in ‘kernel-land’ by writing custom kernel extensions.
Another curious revelation made by the researchers was that adapting Unix/Lunux malware to OS X wasn’t observed, not to the point they expected. It was only logical to suspect such adaptions due to OS X’s roots in FreeBSD. Unix-style malware brought to OS X wasn’t monitored in the 10-week analysis.
Have a look at the whole Bit9 + Carbon Black report .