Targeted attacks against Mac users continue to climb
Mac OS X users are at more risk from advanced persistent threats, according to one researcher
Seth Hardy, a senior security analyst at The University of Toronto's Citizen Lab
Apple Computer took a bold step recently in its battle against malicious software that runs on its Mac operating system. The Cupertino company pushed out a software update that disabled the Java applet for web browsers that run on the Mac OS X platform - instructing users who want to use the applet to download it directly from Oracle, the company that maintains Java.
The small act was seen as an effort to distance Apple and OS X from the troubled Java platform, which has been the source of a string of critical 'zero day' security holes in recent weeks. It was also belated recognition that Apple had been caught flat-footed back in April, when a wave of Mac infections caused by the Flashback Trojan was attributed to Apple's delay in porting Oracle's Java fix to its own version of Java for OS X. The infection hit hundreds of thousands of systems globally in February and March, enrolling more than 600,000 Mac systems in a global botnet - the first major malware outbreak targeting Apple systems in more than a decade.
But, behind the griping about Java is a slowly dawning awareness that Mac malware may be the "new normal," as online attacks that target the OS X operating system are on the rise. Malware for the Mac OS X operating system is still rare. But a researcher who works with prominent human rights groups says that sophisticated, targeted attacks against OS X are more and more common.
Seth Hardy, a senior security analyst at The University of Toronto's Citizen Lab says that his team has seen a sharp increase in malware specifically targeting Macs in the last year, and that Mac-based attacks have made the leap to automated exploit packs, increasing the likelihood that unprotected Mac users could be the victim of an attack.
Hardy presented the findings of Citizen Lab's research on Mac-focused advanced persistent threat (APT) attacks at the recent SecTor security conference in Toronto. Citizen Lab works on a volunteer basis with human rights organizations. It has been called in to help with a number of sophisticated attacks, many against organizations directly or indirectly involved with human rights and the promotion of democracy. Most famously, it uncovered a sophisticated campaign of cyber espionage, dubbed "GhostNet," directed at the Dalai Lama and the Tibetan government in exile.
Sophisticated attacks against Mac systems aren't new. Kaspersky Lab noted a wave of targeted, APT-style attacks using a piece of malware dubbed "MacControl" back in June. The company speculated that a prevalence of high profile Mac users might be the cause. The Dalai Lama, for example, was famously photographed using a 17" MacBook Pro (with the Retina display, no less!). Hardy said that investigations in the last eighteen months reveal a pattern of "deeply targeted attacks" against human rights organizations and non-governmental organizations (NGOs), including many Mac-specific attacks.
In his presentation at SecTor, Hardy presented data from one advanced attack first detected in May 2011. The attack used spear-phishing e-mail sent to individuals within the target organizations. The e-mails appeared to come from the accounts of real people, and contained content relevant to the recipients. Each contained URLs pointing to legitimate organizations, and a ZIP archive attachment that carried the Mac-specific malware payload. Mac users who opened the attachment were infected with versions of two malicious programs, Revir and iMuler, which are capable of downloading other malicious programs and monitoring activity on infected systems.
Citizen Lab is now tracking at least four separate families of Mac-focused malware that are being used in targeted attacks against human rights organizations, with names like Sabpab, Lamadai and MacControl. Many of those malware families are actively being developed, with new variants appearing at regular intervals, Hardy said. At least one family, dubbed Davinci, appears to be a grayware Mac surveillance software package developed for the law enforcement community.
Organizations or individuals who believe that the Mac platform is a barrier to attacks - particularly targeted attacks - need to wake up, Hardy said. "If the target is there and valuable enough and they use Mac, the tools (to compromise the target) exist and will be used," he said.
"Mac users have long thought themselves safe, but that's never been the case," Hardy said. The unfounded belief in Macs' invulnerability is a huge asset to attackers, he said. Most successful malware attacks still rely on some degree of human interaction. Mac users, accustomed to clicking web links and opening e-mail file attachments without fear of infection, are more compliant victims.
Apple itself bears some of the blame. The company has carried over a long tradition of intense privacy and insularity to its security operation - a marked contrast to Microsoft's efforts over the last decade to be open about security issues and engage the security community. "Apple is pretty much the opposite. They're still closed. They're still more likely to respond with hostility to security researchers. You're more likely to talk to a lawyer than an engineer," he said.
Other security firms have also documented a rise in malware for Mac systems, in parallel with increased consumer and business adoption of Mac OS X.
Graham Cluley at the anti-malware firm Sophos said his company has only anecdotal evidence of APT attacks against Mac systems, but notes that researchers there have seen Mac malware become more sophisticated as malware authors have warmed to the prospect of targeting the growing global population of Mac users.
The security firm McAfee reported in May that it saw a steady increase in Mac malware in the first part of 2012 - a trend that it expects to continue through the end of the year. However, some perspective is in order: McAfee identified some eight million new malware samples in the first quarter of 2012. Of those, just 400 - 0.005% - were Mac-focused malware or fake antivirus programs, the company said.
No surprise: though many companies (including Sophos) now offer anti-malware products for the Mac OS X operating system, use of them is far less common than on Windows systems. For now, most Apple users rely on Apple itself to provide them with the means of looking for and removing malware infections, using operating system updates that include malware signatures for newly identified malware. It's a model that works well enough as long as the number of Mac threats remains low and slow moving, and as long as the population of new threats is small. But Cluley said that the top-down model gives malware authors plenty of time to modify their malware to evade Apple's signatures, while a sharp increase in malware for Mac may well overwhelm Cupertino and leave Mac users unprotected.
For now, the options for Mac users are about the same as for Windows users, said Hardy, Cluley and others. Organizations that have employees on Macs should employ a "defense in depth" strategy. Organizations need to be aware of what Mac-specific threats are out there and how to identify them. Finally, user education is key, said Hardy.
"Your users should know what a malicious e-mail attachment or link might look like. They should be trained to refrain from opening unexpected or strange e-mail attachments, or from clicking on links in e-mail messages," he said.
Related: Mac malware stats
Sophos surveyed 100,000 Mac systems for 7 days running the company's free anti-malware software for Mac. They found 2.7% of the Macs carried OS X malware, and 20% carried Windows malware. The breakdown is as follows:
Top Mac malware found (% based on 2,700 infected Macs)
Top Windows malware found (% based on 20,000 infected Macs)