Anatomy of a malware attack: the complete Mac Defender timeline

Summary: Over the past two months, I have written extensively about Mac Defender, a nasty bit of malware that plagued Apple and its customers in May and June. This is a confusing story, one that evolved rapidly. If you're trying to make sense of it all, this timeline should help.

Over the past two months, I have written extensively about the sustained malware attack that OS X users had to deal with throughout the month of May, until the criminal gang behind it suddenly shut down on June 23.

Update: One possible explanation for the sudden shutdown? The head of the gang that processed payments for the rogue outfit was arrested on June 23.

Anyone who tries to argue that this was no big deal has simply not been paying attention. It was enough to thoroughly disrupt Apple's normally smooth-running support operation, and Apple responded in unprecedented fashion by publicly adding significant new malware detection and removal features in an update to Snow Leopard that was also incorporated into the new Lion update. Making that sort of system-level change is neither easy nor cheap.

This is a confusing story, one that evolved significantly over time. If you're trying to make sense of it all, this timeline should help. It includes a link to each post I published on the subject, with the date/time stamp and an excerpt. (I've also included a link to one excellent third-party post.)

Just scanning this chronology should give you a better understanding of how this attack evolved. Click any link to dig a little deeper.

Coming soon to a Mac near you: serious malware

May 2, 2011, 9:42am PDT

[N]ow that Macs have achieved a critical mass of success in the marketplace, they’ve attracted the attention of malware authors. According to a report from a Danish IT security company, an underground group has completed work on a fully operational kit specifically designed to build malware aimed at the Mac OS platform.

Why malware for Macs is on its way

May 5, 2011, 12:02pm PDT

The guys who run these operations are not master hackers—they are thugs who use point-and-click malware construction kits that they buy from rogue programmers. It’s a thriving business. And so far that software category, like so many legitimate software businesses, has been built on Windows. Its overwhelming market share meant that’s where the money was.

[…]

A gain of a few percentage points in the Mac market might not seem like a lot, but in a universe with a billion Internet-connected devices, each percentage point equals a potential 10 million victims. A market with 60 million, 80 million, or even a hundred million Mac users is big enough for the bad guys.

[…]

My prediction is that the bad guys are still “testing market conditions,” and waiting for the right time for their grand opening. I think we’ll see a few more of these tentative probes—beta tests, if you will—before anyone unleashes a truly widespread attack. The trouble is, in this market, Mac users aren’t the customers—they’re the product.

Photo gallery: Mac malware in the wild

May 6, 2011, 12:39pm PDT

What a Mac malware attack looks like

May 6, 2011, 1:09pm PDT

It is easy to dismiss this as a crude attempt, and indeed, I don’t think many people are likely to fall for this attack. But dismissing this sample because it’s not particularly well done is like dismissing an entire computing platform because of a single poorly written app.

[…]

And note that the bad guys get better over time. This attack might be crude, but that doesn’t mean the next one will be. I have seen some remarkably effective phishing attempts. In the hands of a skilled gang of thieves, this approach could cull out the weaker members of the Mac herd and create some genuine headaches for the friends or co-workers who have to provide emergency technical support.

An AppleCare support rep talks: Mac malware is "getting worse"

May 18, 2011, 5:21am PDT

Over the weekend, I got an e-mail from an AppleCare support rep, who was responding to my recent reports of Mac malware being found in the wild. At least one prominent voice in the Mac community dismisses these reports as “crying wolf.” The view from inside an Apple call center says it’s for real: “I can tell you for a fact, many, many people are falling for this attack.”

A May 19 post by Jacqui Cheng at Ars Technica, "Malware on the Mac: is there cause for concern?", confirms many details of the scale of this problem:

A support specialist who we'll call Carl works at an Apple Authorized Campus Store and threw in his two cents as well. "I have never had to remove a virus or malware from a Mac until this month," Carl told Ars. "Now we have had a handful of people come in with MAC Defender on their computer."

[...]

It gets worse as the stores scale up. We spoke to another Apple Store Genius, who we'll refer to as Andy, whose store services a couple thousand Macs per week. "There's been a very real uptick in the number of malware instances we've seen," Andy said, adding that in the past, 0.2 percent of the Macs brought into Andy's store might have a malware problem—"most always DNS trojans."

That has changed in the last three weeks. Nowadays, something like 5.8 percent of machines Andy's store sees have a malware-related issue, almost entirely made up of MAC Defender or some variant.

Crying wolf? Apple support forums confirm malware explosion

May 18, 2011, 11:00am PDT

Yesterday I spent several hours going through discussions.apple.com and collecting requests for help from Mac users who have been affected by this issue. I found more than 200 separate discussion threads, many of them from people who have been tricked into installing this software and are desperately trying to remove it. It started with four posts on April 30; this past weekend there were 42 unique, new discussion threads on this subject.

I am not unfamiliar with Apple’s forums. I’ve done similar searches in the past, especially after reading some of those same posts that Gruber called out from 2008. I have never found more than one or two in-the-wild reports. This time, the volume is truly exceptional.

Apple to support reps: "Do not attempt to remove malware"

May 19, 2011, 5:00am PDT

Apple is actively conducting an internal investigation into the Mac Defender malware attack I wrote about yesterday ... An internal document with a Last Modified date of Monday, May 16, 2011 notes that this is an “Issue/Investigation In Progress.”

The document (shown below) provides specific instructions for support personnel to follow when dealing with a customer who has called AppleCare to request help with this specific attack.

[…]

  • Do not confirm or deny that any such software has been installed.
  • Do not attempt to remove or uninstall any malware software.
  • Do not send any escalations or contact Tier 2 for support about removing the software, or provide impact data.
  • Do not refer customers to the Apple Retail Store. The ARS does not provide any additional support for malware.


Apple continues to tell support reps: do not help with Mac malware

May 23, 2011, 11:49pm PDT

So how big is the problem? Apple’s silence makes it impossible to know for sure. However, I’m told that the division that handles Mac support calls receives between 10,000 and 20,000 calls a day. If 25% of those calls are related to this issue, which has been going on for 25 days, the total number of customers affected could be between 60,000 and 125,000, and growing.

Update May 24, 4:30PM PDT: Apple has now posted a support article on its website: How to avoid or remove Mac Defender malware. A note at the top of the article says:

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.

Mac malware authors release a new, more dangerous version

May 25, 2011, 12:05pm PDT

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.

[…]

The new architecture seems to be a specific response to Apple’s instructions in the Mac Defender security note: “In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password.”

In this new variation, no password is required as long as you’re logged in using an administrator account. That might lull a potential victim into thinking they’re safe.

New Apple antivirus signatures bypassed within hours by malware authors

May 31, 2011, 1:59pm PDT

After a month-long Mac Defender/Mac Guard malware attack, Apple has finally released the security update it promised last week. The update takes Apple one step closer to turning an obscure security feature into something very close to full-fledged antivirus software.

Security Update 2011-003 includes changes to the File Quarantine feature, which beginning with Snow Leopard also includes antimalware checks for files downloaded through web browsers, e-mail, and other common paths. This update includes definitions for Mac Defender and its known variants, as well as an automated removal tool. It works only with the most recent version of Snow Leopard, 10.6.7. Earlier versions of OS X are apparently not included.

[...]

Here's a start-to-finish, unedited "before" video that shows how the Mac Guard fake AV program goes from a seemingly innocent Google search result to a full install in just three clicks, with no password required. This demo uses the latest version of OS X 10.6 and the default browser, Safari, with its default settings.

Why Windows users should care about malware on Macs

June 6, 2011, 5:17am PDT

As I noted last week, Apple has begun playing a frustrating game of cat and mouse with the bad guys. They have released a new set of malware definitions for the XProtect feature in OS X 10.6.7 every day since they released Security Update 2011-003 last week. Six days, six updates so far. And each time the criminals behind the Mac Defender family have revised their product within a few hours so that it bypasses those signatures.

[…]

As a result, new victims are showing up on Apple’s support forums every day looking for help. In a cursory search yesterday, I found more than a dozen fresh reports of infections by the latest Mac Shield variant.

[…]

The trouble is, there are a billion PCs and nearly 50 million Macs in the world. Even that seemingly tiny success rate of 0.01%—1 in 10,000—means the bad guys will divvy up more than $5 million in revenue over the course of a month. And that doesn’t count whatever they’re able to pilfer if they steal and reuse the credit card numbers they harvest.

Has Apple done enough to fight malware on Macs?

June 19, 2011, 4:36pm PDT

The anti-malware feature in Security Update 2011-003 is clearly a stopgap solution designed to disrupt a single threat—Mac Defender. Until Apple addresses the glaring insecurity in Safari, it’s hard to take their response seriously.

I still believe the Mac Defender attack was a successful proof of concept for the bad guys. The social engineering was excellent, and I am certain it brought in enough ill-gotten gains to bankroll the next phase of development.

Remember, this was done via a malware toolkit—the first one ever released for the Mac platform. The next version of this toolkit is being written with full knowledge of how Security Update 2011-003 works. The bad guys are counting on Apple taking weeks to work up its response. That could make Mac Defender version 2.0 very nasty indeed.

Where did all the Mac malware go?

August 1, 2011, 3:00am PDT

Based on my observations, I think this malware campaign simply ran its course. Apple’s response made a small dent in its impact. More importantly, Google got much better at detecting the poisoned search results and blocking them, which lowered the rate of return on Mac Defender installation attempts. In my June 19 analysis of Apple’s response, I referred to the attack in the past tense and speculated that it was about to end.

[…]

And indeed, there is now some sketchy evidence to suggest what the next wave of Mac malware will look like.

On June 16, someone uploaded a compressed file to VirusTotal.com for analysis. It was detected by 4 of 42 antivirus engines as a generic Windows Trojan that steals passwords and performs keystroke logging. But the interesting detail didn’t emerge until a few weeks later, when security researchers at the Microsoft Malware Protection Center (MMPC) took a closer look at the file and determined that it actually included two packages—one for Windows, and one for OS X.

Topics: Malware, Apple, Hardware, Security

Talkback

17 comments
  • RE: Anatomy of a malware attack: the complete Mac Defender timeline

    -->Anyone who tries to argue that this was no big deal has simply not been paying attention.

    C'mon Ed, surely you jest. Mac users are OK. They've not had the inconvenience or expense of installing anti-malware software. They're fine. You've raised a false alarm and now you're in denial. Please do the decent thing and admit it.
    davesmall
    • But Ed wrote so many articles about Mac malware.

      @davesmall

      Surely, where there's smoke there's fire.


      Either that, or Ed was repeatedly wrong and can't admit it, so in order to save face he pumps out even more nonsense.
      RationalGuy
      • RE: Anatomy of a malware attack: the complete Mac Defender timeline

        @RationalGuy That's not true. OS X has historically been considerably more secure than Windows. It wasn't until Windows 7 where Windows pulled ahead in some areas such as full ASLR implementation. Apple had a weaker implementation until Lion. Lion is universally considered more secure than Windows 7 due to the deeper sand boxing implementation, not to mention things like process separation (PDF rendering, Web Rendering, etc.) from their host programs. Add to that, digital signatures on programs installed from the app store, etc. and the security pendulum has swung decidedly back in Apple's favor. If you care to challenge these facts, I welcome your response.
        alasiri5
  • Article 11 ...

    The malware invasion on Mac OS X must be devastating. Good luck;-)
    Richard Flude
  • RE: Anatomy of a malware attack: the complete Mac Defender timeline

    Gone are the days you could bite into an Apple and not fear about finding half a worm.
    Greycoat
  • Ed, you are shameless

    You wrote 13 articles on this subject finally opining that the malware had "run its course". How convenient. Despite the fact that there is absolutely nothing more to write on the subject, you squeeze out a 14th article by reviewing the previous 13.

    Shameless.
    Falkirk
  • It's all a ploy

    Ed is really a plant by Steve Jobs. He's succeeding in making the Microsmurfs seem even more ridiculous and thus boosting sales of Apple's wares.
    ego.sum.stig
    • RE: Anatomy of a malware attack: the complete Mac Defender timeline

      @ego.sum.stig@... I don't understand how after all the problems people are still defending the mac OS X lion. I mean look at all the hype it is getting: http://radiomobiletech.com/news/news-news/mac-os-x-lion-ready-for-download-at-mac-app-store.html
      Bonchucin
      • What problems?

        Lion isn't perfect but what issues do you believe your link is apologizing for?

        Personally I'm not a fan of the appearance of address book and calendar, nor of the no-save document model (getting old). But overall the upgraded systems are all performing well.
        Richard Flude
      • I'm not defending

        I'm mocking Bott's Apple vendetta, which has been going on for a very long time.
        ego.sum.stig
  • The Malware Record

    Ed needs to acknowledge what all his articles say in aggregate, not just the Mac malware.

    The litany of PC malware is pretty well documented. There have been billions in lost revenue. The first 10 years of OSX, by contrast, has been essentially free from the effects and consequences of malware. The user experience has had its differences as a result. I don't say this to be inflammatory, but these are issues of record. Tell the Mac user that their good experience wasn't actually good. Explain that this is true because it stems from the unpopularity of the platform and therefore is "the wrong reason". See where that gets you in a market driven by consumers.

    So what? It's payback time now? We are to believe that guileless Mac users have shown their complacency by having had 10+ years of trouble and paranoia free computing. What rubes eh? These are the folks who have not been "hardened" sufficiently, and are due for a rude awakening.

    Don't doubt it. But it will be a "rude awakening" that is divided by 2, reduced by 10 years, and further diminished by the vigilance of users and vendors. Ed seems to forget that all too many Mac users were Windows users themselves. Those same hardened soldiers he's trained so well. Substantially less rude I'd say.

    The fact is that Ed's other recent article regarding the ascendency of OSX and iOS relative to Windows, points to a bit of a sea change. The Microsoft monopoly is over. Malware authors now have to do ports. 2 Vendors now help defend against threats. Malware profitability is diluted by competition and OS diversity. Attack vectors have been closed over the years. Closed architecture has a bigger legal stick, and in this case, more cash than the US treasury to pursue violators.

    The simple fact of the matter, is that a Microsoft monopoly and monoculture made the virus plague untenable for years. Law breakers can't call the cops. Advocacy on behalf of Microsoft and by extension, their borderline crimes, and years of sloppy, second rate code, exacerbated the problem. Ed's singular focus on the virtues of Windows, stemmed from a glassy-eyed admiration of the Windows economy. He deliberately ignored viable and technically capable alternatives. They were not part of the gravy train. This "discovery" of Apple and some malware issues in 2011, is cynical and opportunistic. It speaks to a focus on market share and false economies, not on technology in the abstract.

    Ed shows tremendous vigilance in sourcing problems. He's a valuable asset the minute he removes his head. However, some recognition of past imbalance is in order. Real criticism of any platform comes from peered comparison. Ed's criticism of Apple will benefit from his Windows experience. Too bad it had not worked both ways.
    norgate
    • RE: Anatomy of a malware attack: the complete Mac Defender timeline

      @norgate
      There is a reason why programs are called software: they are malleable and easy to change, for good or bad. To believe that any o/s is immune to attack is inviting disaster. Remember Oracle, when, for hubris or as a marketing gimmick, it announced to the world that the Oracle product is unbreakable? Guess what: ever since, they have had a handful of patches to mitigate attacks against their unbreakable product. You can proselytize forever about the merits of the Apple o/s, but the sad truth is that your beloved o/s is as vulnerable as any SOFTWARE can be in the wild.
      kc63092@...
      • No Argument

        @kc63092@...

        I don't disagree. I do think all software is vulnerable. My point is, that for 10 years Apple was not attacked. To the consumer, it doesn't matter why this was the case. It is simply a matter of record that the Apple user experience was free of paranoia for a good long time. Apple users are complacent? Yet they were trouble free. PC users were virtuous battle hardened soldiers. Yet they suffered literally all of the 10 years worth of malware. 3 years into this adventure people like Ed could have acknowledged it. They did not.

        People like you on the other hand, can counter forever with the vulnerability of software. As if this is a revelation to any computer user. Your focus is on threats. It's noble I suppose. Yet you all seem to be oblivious to the record of consequences. You are clearly and wantonly ignoring the real issues that contribute to and detract from malware proliferation.

        I extend my logic and posit that the Mac malware market will be diluted greatly by open platform competition and that a more diverse set of targets is tougher to hit. Yes Macs will be targeted. Will they suffer a 10 year spate of consequence measured in billions? My guess is no. It simply stands to reason.

        You extend your logic and continue to focus on threats to the exclusion of consequence. A massive and obvious record of consequence is ignored because it doesn't match your world view. It's simply cognitive dissonance.
        norgate
  • Deny, Deny, Deny

    Consider this article a prognostication of events to come with Apple OSes. It truly is astonishing how the Apple fan base continues to live in this fantasy world where Apple computers are immune to malware, and think any talk of such is pure rubbish. The day will come as Ed says. So Apple fans, climb down from your ivory towers and start looking at how to protect yourselves.
    jpr75_z
    • RE: Anatomy of a malware attack: the complete Mac Defender timeline

      @jpr75_z You're right and when (if) OS X gets a relatively large installed base Apple will become the new target for malware of every kind. Windows has been shown repeatedly to be more secure than mac but who will listen to facts when confronted with Apple's mighty marketing campaigns?
      xplorer1959
    • Just an observation

      But I rather suspect your average rabid, polo-necked, smug (and dare I say it) arrogant Apple fans are busy choking on their beer (or light zinfandel whatever that is) laughing at all the sad little people who somehow think that they know it all or, worse, know better.

      Mind you, it is possible that all their Macs will be taken over while they are incapacitated in, and recovering from, their fits of laughing and choking. Or more likely the universe will keep on and Bott will write more and more vociferously against Apple regardless.
      ego.sum.stig
    • RE: Anatomy of a malware attack: the complete Mac Defender timeline

      @jpr75_z

      I have Macs and PCs. I have antivirus software running on my PCs, but not on my Macs. Why? Because I NEED to on my Windows machines and I don't NEED to on my Macs. There is no "fantasy world" about this, it's simply a matter of statistical and empirical evidence which dictates what I need to do. No Mac user that I'm aware of believes their machine is absolutely invulnerable. They simply know it's not something they need to care about right now. If at some point it becomes an issue, they will adapt as needed. It should also be noted that key security researchers have acknowledged that Mac users don't need to install anti-malware software at this point.

      @xplorer1959:

      "Windows has been shown repeatedly to be more secure than mac but who will listen to facts when confronted with Apple's might marketing campaigns?"

      That's not true. OS X has historically been considerably more secure than Windows. It wasn't until Windows 7 where Windows pulled ahead in some areas such as full ASLR implementation. Apple had a weaker implementation until Lion. Lion is universally considered more secure than Windows 7 due to the deeper sand boxing implementation, not to mention things like process separation (PDF rendering, Web Rendering, etc.) from their host programs. Add to that, digital signatures on programs installed from the app store, etc. and the security pendulum has swung decidedly back in Apple's favor. If you care to challenge these facts, I welcome your response.

      @ego.sum.stig@...:

      Yes, you and Ed Bott should have some fun hoping for that day when Macs are attacked from the impending avalanche of malware. Considering that's been the "any day now" prediction for the past 10 years, I wouldn't hold my breath waiting too long. Ed just looks more foolish with each post he makes on this topic. He's been the laughing stock amongst the technical blogosphere for constantly crying Wolf. Maybe that Wolf will come someday, but I can assure you, until that happens, nobody is listening to advice from Ed.
      techconc