Guest Editorial by Gadi Evron
"The Mac is going main-stream" is just one of the catch-phrases that we've seen in the past two weeks when reading about the Trojan horse infecting Apple Mac OS X users. This attack has created a lot of controversy in the security realm. What's so special about this Trojan horse that everybody is so jazzed up about it? What risk are Apple users facing and is the world going to end?
Today, most Trojan horses allow an attacker to control the infected computer remotely (over the Internet) and do whatever he or she pleases, as if it was their own, from stealing web site credentials and identities to popping the CD tray open or using the now compromised computer for more attacks. They "own" that computer.
While in the past Trojan horses were considered few, mostly used in targeted attacks if at all (anti-virus experts refused to even acknowledge the need for their software to detect these), in the past decade they became widespread. In fact, the vast majority of all malware seen today is, at least in part, a Trojan horse.
This Trojan horse attacking Apple users is far from special. It hijacks DNS -- when you access domain name for known sites such as Google, it will redirect you instead to a malicious web site where further exploitation or fraud can be done. It accomplishes infection by what security experts call Social Engineering. When going to a pornographic web page, the user will be asked to download a codec in order to view a video. In turn, he or she will be asked to approve its installation using their administrator password. Then (and only then) will they be infected.
This method of infection isn't sophisticated and it makes us think only complete fools would fall for it. Isn't downloading a new codec to be able to view a video of any sort sound very reasonable? It is something most of us would immediately approve of without a thought? We have to remember most computer users are not technically savvy or aware of security risks. Also, let's be honest, when it comes to porn we are all fools.
User infections happen in many different ways, but the three main ones are a malicious attachment in e-mail, a fake or compromised infectious web site and network scanning. Of these, we can reach a relatively high level of security in e-mail by not opening attachments and using spam filtering and an (updated) anti virus, we can avoid being attached via network scanning by using a firewall and making sure our operating system (say, Windows as an example) is up to date with all updates and patches installed.
Surfing the web is a problem as although exploits are used to infect us through the web browser (some of which we can defend against by using an up-to-date browser with a fully patched operating system), a lot of these attacks are done -- successfully -- by the very same social engineering trick.
The bad guys, or more to the point, the cyber-criminals, use rings of thousands of web sites to infect as many people as they can. They collect statistics on what operating systems and browsers site visitors are using, what exploit was successful in attacking them (if one is used), what language were their browsers set to, etc. This way they can maximize their revenue by being as in touch with their target victim population as they can be.
In the past, although constantly under attack by security experts for their lax security policies, Apple OS X users were far more secure than Microsoft users using Windows. Although OS X has security features Windows (up to Vista) did not have, such as users not running as administrator, this supposed immunity is mainly due to past public attacks against the Mac being mostly theoretical, a proof-of-concept of sorts. Times have changed, and Apple now uses x86 CPUs (same as Windows), which makes writing malicious software for its OS X operating system that much simpler. Obscurity can no longer protect Mac users.
In this new Trojan horse attack, although no inherent software vulnerability was exploited, it was committed by a cyber-criminal group that simply added the Mac to their victim pool. If we were to enter the same malicious web sites from a Windows computer (using a Windows browser User-Agent) we would be served with a Windows Trojan horse instead of an OS X one.
People are falling for social engineering schemes, daily, hourly, if not by the minute, no matter what operating system they use.
But, that is not what's significant about this attack. What's significant is that criminal elements now target Mac users, and once that flood-gate is open, there is no going back.
Apple has a history of unpatched software vulnerabilities that if the history of Windows tells us anything, can potentially later on be utilized to attack its clients. Most Mac users do not run anti-virus software. Without going into the tech-religious debate whether Mac users are smarter than the average user (which I believe to be silly) it is clear that they will be targeted from now on as these criminal elements have revenue goals to meet.
At the very least many of Apple's users have a sense of security with the operating system they use, false or otherwise, they do not expect attacks. In this regard I'd go as far as to compare OS X to Windows 98: "OS X is the new Windows 98". OS X has better security and doesn't let users run as Admin -- it is a superior operating system. Why then do I make such a crude comparison? The eco-system of unpatched vulnerabilities, criminal elements targeting an unwitting user population are comparable to what used to happen with Microsoft users back when Windows 98 came out. The one main difference is the backlog of unpatched vulnerabilities Apple needs to cope with.
Security for a corporation is a business process with business decisions. Although, stuck in my niche, I am far from happy with some of Apple's choices in regard to security in the past; I can't ignore the business validity of these same choices. Investing in security when there is no commercial incentive is not financially smart. That being said, the lesson Apple is now going to learn is that not investing in security ahead of time means the losses are much higher than they could have been.
From a technical security perspective this Trojan horse attack is nothing special. From a business perspective it means upcoming losses and from an operation security perspective it means it's now Apple season.
The world is not going to end; the Sun will in fact rise tomorrow. That does not mean Apple's day has not come -- as far as the underground economy is concerned. The next two years are going to be interesting.
* Gadi Evron is Security Architect for Afilias global registry services and recognized globally for his work and leadership in Internet security operations. He is the founder of the Zero-Day Emergency Response Team (ZERT), organizes and chairs worldwide conferences, working groups and task forces. He is considered an expert on corporate security and counterespionage, botnets, e-fraud and phishing.