Apple Computer took a bold step recently in its battle against malicious software that runs on its Mac operating system. The Cupertino company pushed out a software update that disabled Java applet for web browsers that run on the Mac OS X platform - instructing users who want to use the applet to download it directly from Oracle, the company that manages Java.
The small act was seen as an effort to distance Apple and OS X from the troubled Java platform, which has been the source of a string of critical, 'zero day' security holes in recent weeks. It was also belated recognition that Apple had been caught flat-footed back in April, when a wave of Mac infections caused by the Flashback Trojan was attributed to Apple's delay in pushing out an Oracle fix for Java to its own version of Java for OS X. The infection hit hundreds of thousands of systems globally in February and March, enrolling more than 600,000 Mac systems in a global botnet - the first major malware outbreak targeting Apple systems in more than a decade.
But, behind the griping about Java is a slowly dawning awareness that Mac malware may be the "new normal," as online attacks that target the OSX operating system are on the rise. Malware for the Mac OS X operating system is still rare. But a researcher who works with prominent human rights groups says that sophisticated, targeted attacks against OS X are more and more common.
Seth Hardy, a senior security analyst at The University of Toronto's Citizen Lab says that his team has seen a sharp increase in malware specifically targeting Macs in the last year, and that Mac-based attacks have made the leap to automated exploit packs, increasing the likelihood that unprotected Mac users could be the victim of an attack.
Hardy presented the findings of Citizen Lab's research on Mac-focused advanced persistent threat (APT) attacks at the recent SecTor security conference in Toronto. Citizen Lab works on a volunteer basis with human rights organizations. They have been called in to help with a number of sophisticated attacks, many against organizations directly or indirectly involved with human rights and the promotion of democracy. Most famously, they uncovered a sophisticated campaign of cyber espionage, dubbed "GhostNet," directed at the Dalai Llama and the Tibetan government in exile.
Sophisticated attacks against Mac systems aren't new. Kaspersky Lab noted a wave of targeted, APT-style attacks using a piece of malware dubbed "MacControl" back in June. The company speculated that a prevalence of high profile Mac users might be the cause. The Dalai Lama, for example, was famously photographed using a 17" MacBook Pro (with the Retina display, no less!). Hardy said that investigations in the last eighteen months reveal a pattern of "deeply targeted attacks" against human rights organizations and non-governmental organizations (NGOs), including many Mac-specific attacks.
In his presentation at SecTor, Hardy presented data from one advanced attack first detected in May, 2011. The attacks combined spear phishing e-mail sent to individuals within the target organizations. The e-mails appeared to come from the accounts of real people, and contained content relevant to the recipients. Each contained URLs pointing to legitimate organizations, and a ZIP archive attachment that contained the Mac-specific malware payload. Mac users who opened the attachment were infected with a version of two malicious programs: Revir and iMuler, which are capable of downloading other malicious programs and monitoring activity on infected systems.
Citizen Lab is now tracking at least four separate families of Mac-focused malware that are being used in targeted attacks against human rights organizations, with names like Sabpab, Lamadai, MacControl. Many of those malware families are actively being developed, with new variants appearing at regular intervals, Hardy said. At least one family, dubbed Davinci, appears to be a gray ware Mac surveillance software package developed for the law enforcement community.
Organizations or individuals who believe that the Mac platform is a barrier to attacks - particularly targeted attacks - need to wake up, Hardy said. "If the target is there and valuable enough and they use Mac, the tools (to compromise the target) exist and will be used," he said.