Coming soon to a Mac near you: serious malware

Summary: Last week I showed you how malware authors are targeting Google Chrome. Now there's evidence that the next target is Apple. According to a Danish IT security company, an underground group has completed work on a fully operational kit specifically designed to build malware aimed at the Mac. And all the pieces are in place for a devastating attack. I've got the details.

Welcome, Daring Fireball visitors! You really should read the much longer and more detailed follow-up post here: Why Mac malware is on its way.

Follow-up: Malware attempts that use Apple-focused social engineering are now in the wild. I just found one via Google Image search. See for yourself: What a Mac malware attack looks like.

Last week I showed you how malware authors have begun using social engineering to target Google Chrome, with convincing replicas of Chrome’s bright-red security screens to trick victims into installing a package of malware.

Now I am seeing evidence that the next target is OS X. That’s potentially very bad news for Mac owners who have abandoned their PCs in the belief that switching to a Mac somehow immunizes them from malware.

Security experts know, of course, that there’s nothing magical about Macs when it comes to security. They simply haven’t been targeted much, because Windows, with its far larger installed base, has been the bigger and more profitable target for so long.

But now that Macs have achieved a critical mass of success in the marketplace, they’ve attracted the attention of malware authors. According to a report from CSIS, a Danish IT security company, an underground group has completed work on a fully operational kit specifically designed to build malware aimed at the Mac OS platform:

The first advanced DIY (Do-It-Yourself) crimeware kit aimed at the Mac OS X platform has just been announced on a few closed underground forums. … The kit is being sold under the name Weyland-Yutani BOT and it is the first of its kind to hit the Mac OS platform. Apparently, a dedicated iPad and Linux release are under preparation as well.

[…]

The Weyland-Yutani BOT supports web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow. The webinject templates are identical to the ones used in Zeus and SpyEye.

CSIS eCrime Unit is in possession of videos documenting both the admin panel and its functionality as well as the builder itself. Both video clips prove this kit to be fully operational already.

This is not a proof-of-concept attack written by a researcher or someone trying to score a prize in a security contest like Pwn2Own. This is the real deal.
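To make "web injects" concrete: the report says the kit's templates are identical to the ones used in Zeus and SpyEye, whose rule syntax is publicly documented. The following is an added example written for this page, not code from the post, from CSIS or from the kit. It parses a constructed rule file in that syntax (a `set_url` line followed by `data_before`, `data_inject` and `data_after` blocks, each closed by `data_end`, with `*` as a wildcard), applies it to a constructed bank login page the way the bot rewrites a server response inside the victim's browser, and then shows the defender's check: which form fields the victim sees that the server never sent. The hostname `bank.example` and the page are hypothetical.

```python
"""Parse and apply a Zeus/SpyEye-style webinject rule (added example,
not code from the page, from CSIS, or from the kit; rule and page constructed)."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List


@dataclass
class InjectRule:
    url_mask: str        # glob matched against the URL the victim is loading
    flags: str           # which requests the rule applies to: G = GET, P = POST
    before: str = ""     # page text that must precede the injection point
    inject: str = ""     # HTML the bot inserts; empty means "delete only"
    after: str = ""      # page text that must follow the injection point


SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text: str) -> List[InjectRule]:
    """Turn the block-structured config into a list of rules."""
    rules: List[InjectRule] = []
    current = None   # rule being filled in
    section = None   # which data_* block we are inside, if any
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            current = InjectRule(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "GP")
            rules.append(current)
        elif line in SECTIONS and current is not None:
            section, buf = line, []
        elif line == "data_end" and section is not None:
            setattr(current, section[len("data_"):], "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return rules


def _marker_to_regex(marker: str) -> str:
    """Only '*' is a wildcard in the before/after markers; the rest is literal."""
    return ".*?".join(re.escape(piece) for piece in marker.split("*"))


def apply_webinjects(url: str, method: str, html: str, rules: List[InjectRule]) -> str:
    """Rewrite the response the way the bot does: whatever lies between the
    data_before and data_after markers is replaced by data_inject, so one rule
    can add fields, remove a warning, or both."""
    for rule in rules:
        if method[:1].upper() not in rule.flags or not fnmatch.fnmatchcase(url, rule.url_mask):
            continue
        if not rule.before and not rule.after:
            continue  # no anchor point, nothing sensible to do
        pattern = "(%s)(.*?)(%s)" % (_marker_to_regex(rule.before), _marker_to_regex(rule.after))
        m = re.search(pattern, html, re.S)
        if m:
            html = html[:m.end(1)] + rule.inject + html[m.start(3):]
    return html


def injected_form_fields(original: str, rewritten: str) -> List[str]:
    """Defender's view: input names the victim sees that the server never sent."""
    def names(page: str) -> List[str]:
        return re.findall(r'<input[^>]*\bname="([^"]+)"', page, re.I)
    sent = set(names(original))
    return [n for n in names(rewritten) if n not in sent]


# Constructed rule file (hypothetical host): add an ATM PIN box after the
# password field, and blank out the bank's warning that it never asks for one.
WEBINJECT_CONFIG = """
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<label>ATM PIN</label><input type="text" name="atm_pin">
data_end
data_after
data_end

set_url https://bank.example/login* GP
data_before
<p class="notice">
data_end
data_inject
data_end
data_after
</p>
data_end
"""

# Constructed login page, as the server actually sends it.
LOGIN_PAGE = """<html><body>
<p class="notice">We will never ask for your ATM PIN online.</p>
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password">
<button>Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    rules = parse_webinjects(WEBINJECT_CONFIG)
    victim_view = apply_webinjects("https://bank.example/login", "GET", LOGIN_PAGE, rules)
    print(victim_view)
    print("fields the bank never sent:", injected_form_fields(LOGIN_PAGE, victim_view))
```

The point for a defender is that nothing about the injected page is visible on the wire or in the bank's logs: the TLS session is genuine and the server's HTML is untouched until it reaches the infected browser. The only places the extra field exists are the victim's screen and the bot's form-grabber output, which is why this class of malware is caught on the endpoint rather than at the bank.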

Photo credit: CSIS

CSIS partner Peter Kruse told me that the builder runs on Windows, “and based upon the configuration added by the user it will create a Mac binary which obviously can be used to steal data from infected Mac hosts.” I’ve had an opportunity to observe the videos of this program in operation, and it works as advertised. Building the malware package took literally a couple of clicks and less than five seconds. With the Trojan installed on a Mac, a remote host was able to log keystrokes in Safari and capture passwords for a Gmail account—it was even able to detect and log the victim’s attempt to change the compromised password.

The widespread attack that I watched unfold in late April already has all the ingredients in place to make an attack like this possible. Here, for example, is a snippet of the script that I saved from one of the Google-targeted sites:

This particular attack, which I saw over and over again in Google search results, customizes what it serves based on the visitor’s browser and operating system (typically read from the browser’s User-Agent string). When I used Chrome, I saw an attack that duplicated the security screens from Chrome. When I used Internet Explorer, I saw screens that mimicked Windows Explorer in Windows 7. When I used Firefox, the attack looked like a series of Windows XP screens.

And when I visited a poisoned site using a Mac, the script detected my OS, skipped the fake malware screens, and redirected me instead to a phishing site.
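The behaviour described in the last two paragraphs (one URL, a different payload per browser and OS, and an off-site redirect for Mac visitors) is the easiest thing for an analyst to check for, and the check is simple: fetch the same URL with several User-Agent strings and compare what comes back. The following is an added example written for this page, not the script saved from the poisoned site (that snippet is not reproduced above). `fetch_with_ua` does a real request; `_simulated_poisoned_site` is a constructed stand-in that mimics the targeting the post describes, so the check runs offline. The hostnames and the shortened user agents are hypothetical.

```python
"""Detect user-agent cloaking on a suspect landing page (added example; the
poisoned site and the user-agent strings below are constructed)."""
import hashlib
import re
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed, shortened user agents; the substrings the script keys on
# ("Macintosh", "Chrome", "MSIE", "Firefox") are the real ones.
USER_AGENTS = {
    "chrome-win": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534 Chrome/11.0 Safari/534",
    "ie-win7":    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "firefox-xp": "Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0",
    "safari-mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533 Safari/533",
}

FetchResult = Tuple[str, str]                 # (final URL after redirects, body)
Fetcher = Callable[[str, str], FetchResult]   # (url, user_agent) -> FetchResult


def fetch_with_ua(url: str, user_agent: str, timeout: float = 10.0) -> FetchResult:
    """Real fetch: GET the URL with the given User-Agent, following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read().decode("utf-8", errors="replace")


def _host(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/]+)", url, re.I)
    return m.group(1).lower() if m else ""


def detect_cloaking(url: str, fetch: Fetcher, agents: Dict[str, str] = USER_AGENTS) -> dict:
    """Fetch the URL once per user agent; report whether the site serves
    different bodies or different redirect targets to different visitors."""
    observations = {}
    for name, ua in agents.items():
        final_url, body = fetch(url, ua)
        observations[name] = {
            "final_url": final_url,
            "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest()[:16],
            "off_site_redirect": _host(final_url) != _host(url),
        }
    bodies = {o["body_sha256"] for o in observations.values()}
    targets = {o["final_url"] for o in observations.values()}
    return {
        "cloaked": len(bodies) > 1 or len(targets) > 1,
        "redirected_agents": sorted(n for n, o in observations.items() if o["off_site_redirect"]),
        "observations": observations,
    }


def _simulated_poisoned_site(url: str, user_agent: str) -> FetchResult:
    """Constructed stand-in for the poisoned page: Mac visitors are bounced to
    a phishing host, Windows visitors get a fake scanner matching their browser."""
    if "Macintosh" in user_agent:
        return "http://phish.example/login", "<html>Sign in to your account</html>"
    if "Chrome" in user_agent:
        return url, "<html>Chrome security warning: download the fix</html>"
    if "MSIE" in user_agent:
        return url, "<html>Windows 7 Explorer: threats found</html>"
    return url, "<html>Windows XP Security Center</html>"


if __name__ == "__main__":
    report = detect_cloaking("http://poisoned.example/page", _simulated_poisoned_site)
    print("cloaked:", report["cloaked"], "redirected:", report["redirected_agents"])
    for name, obs in report["observations"].items():
        print(f"  {name:11s} -> {obs['final_url']}  body={obs['body_sha256']}")
```

Against a live site, swap `_simulated_poisoned_site` for `fetch_with_ua` and run it from a throwaway network; four different body hashes from one URL, with only the Mac agent leaving the original host, is exactly the pattern the post describes. Note that the check only sees server-side or redirect-based targeting; a page that picks its payload purely in client-side JavaScript will hash the same for every agent, so the HTML itself still has to be read.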

So why didn’t the authors of this malware deliver a booby-trapped OS X installer package? Maybe it’s on their to-do list.

If a malware author can detect that you’re visiting a “poisoned” site using OS X, it is trivial to serve up a native Mac executable built to steal passwords, log keystrokes, send spam, or deliver pop-ups instead of the Windows one. The author can bundle exploits for unpatched vulnerabilities in OS X or in programs like iTunes or Adobe Flash to install the software silently as a drive-by download. Or they can use the same tactics that have worked so well against Windows users: social engineering. If a Mac owner is told that there’s an important update for Flash or iTunes and they need to install it immediately, will they do so? Some significant percentage certainly will. A Trojan installed that way doesn’t need to exploit anything, and if it is content to run inside the user’s own account it never has to ask for an administrator password.

An even more sobering thought for Mac owners is the possibility that attackers will create targeted packages aimed at businesses that have switched to Macs. If you can send a booby-trapped PDF file that appears to come from your HR department, the chances that it will be opened go sky-high.

If a group decides to deploy an attack like this on a wide scale, the impact on Mac users could be devastating. Only a tiny percentage of Macs run antivirus software, and Mac users have been conditioned to believe they’re immune from Internet threats. That’s a deadly combination.

Update: H/T Rob VandenBrink at SANS, who mentioned this in a post this morning that sent me to the original source.

Topics: Apple, Hardware, Malware, Security


Talkback

404 comments
  • RE: Coming soon to a Mac near you: serious malware

    Pause this for just a moment. I need to go grab some popcorn. I'll BRB.
    The one and only, Cylon Centurion
    • RE: Coming soon to a Mac near you: serious malware

      @Cylon Centurion 0005 Same.
      Z3R0D4Y
    • RE: Coming soon to a Mac near you: serious malware

      @Cylon Centurion 0005, Slow reader? You may be dyslexic. If you're in full time education, which I presume you are, you may qualify for a free Mac. Worth checking out. Good luck little fellow.
      Graham Ellison
      • RE: Coming soon to a Mac near you: serious malware

        @Graham Ellison Don't shoot the messenger. :-)
        statuskwo5
      • Message has been deleted.

        Narg
    • RE: Coming soon to a Mac near you: serious malware

      @Cylon Centurion 0005

      Absolutely, this should be an interesting year for malware and how secure various platforms really are (or aren't).
      CobraA1
      • RE: Coming soon to a Mac near you: serious malware

        @CobraA1
        Of course this very story is repeated here every few months or so: "Mac is finally popular enough for malware writers to care, here comes the flood of malware." And then nothing happens. This cycle has been repeated for decades.
        Tigertank
      • RE: Coming soon to a Mac near you: serious malware

        @Tigertank,

        There are Mac bot nets out there.
        voska1
      • No, this isn't the same old story.

        @Tigertank Read it again. It's an actual, not hypothetical, product targeting OSX.
        Lester Young
      • You're a FUDster

        @CobraA1 No, there aren't any Mac bot nets.

        Links? Proof? You are making this up.
        Info-Dave
      • Actually, infoDave, there is one...

        ... consisting of about 60,000 machines compromised when their users downloaded cracked versions of legitimate, but expensive, software. Yup; people who wanted something for nothing got exactly what they paid for.

        By the way, that 60,000 machines totaled out to 0.02% of the Macs in use at the time.
        Vulpinemac
      • Waiting...

        @vulpine Links? Identification of the expensive software? Proof? Anything?
        Info-Dave
      • An internet search is your friend.

        @Info-Dave

        If you want to find out, you will. If you don't you won't.
        Lester Young
      • RE: Coming soon to a Mac near you: serious malware

        @CobraA1 Yes. Malware will be adapted to go after other platforms. Most likely mobile OSs. All you need is a user less than knowledgeable.
        The one and only, Cylon Centurion
      • @Info-Dave

        "Links? Proof? You are making this up."

        That's true and they are.
        ScorpioBlue
      • RE: Coming soon to a Mac near you: serious malware

        @info-Dave
        http://lmgtfy.com/?q=mac+botnet

        Note there is an article which places Mac Botnets as far back as 2006, but 2009 was the first one real media types reported on.

        Why don't you search for/against proof instead of throwing a tantrum?
        pk 7
      • RE: Coming soon to a Mac near you: serious malware

        @Tigertank "Mac is finally popular enough for malware writers to care, here comes the flood of malware. And then nothing happens..." to you in particular; you're not as important as businesses are to a malware author just yet.

        So long as you remain non-self-aware of your online security, in one way or another, you will be out of noob luck and indeed get infected; so, suggest you take this post as a warning and quit being a hard-headed noobish Apple fanboy :p

        Psst, being a fanboy is no problem, but being a noobish fanboy is a big issue
        MrElectrifyer
      • RE: Coming soon to a Mac near you: serious malware

        A 1,000-Mac botnet was shown to exist in the news about a year ago. I think the article on it was even on this site.

        Not that it's hard to compromise a Mac. All you need to do is target the users' desires. Get them to download the malware and run it for you. Offer porn, software, and movies with a "special codec". It happens. 1,000 Macs worldwide isn't a large number though compared to Windows botnets.
        voska1
      • Malware, Trojans, Viruses

        @All: There's nothing magical about Mac OS that prevents Trojans. If the user decides to download something and PROVIDE a password to install it at the admin level (or root level) or NOT PROVIDE one to install at the user level, there's nothing in the OS that protects from such a Trojan. However, that's not a virus in the true sense but is malware.

        If you give the keys to the house by downloading something that could be evil, you are asking for criminals to walk/sneak into your house and set up shop! The ONLY thing that protects against social engineering (or downloading "free" software) is education.

        As for social engineering, I think it is MUCH easier to determine where a window came from on a Mac vs on Windows. All you have to do is hide the browser and anything suspect goes away. If it's coming from the browser, don't believe it. Windows doesn't have the same layering of applications.
        pecosbill
      • RE: Coming soon to a Mac near you: serious malware

        @voska1, Lester Young, Cylon, etc.

        There is a reason Ed Bott has a "Welcome Daringfireball visitors" at the top of this web page. Ed is trolling and he's been caught. Plain and simple.

        Ed was careful to use generic terms like malware instead of viruses, etc. because malware also includes Trojans. There is no protection on any system against Trojans. If you're dumb enough to download software illegally from bit torrent sites and you are dumb enough to supply these programs with your administrative password, then you get what you deserve. This is not a security issue, this is a social issue and certainly nothing an ounce of common sense couldn't help you avoid.

        I have both PCs and Macs. Since the initial Mac OS X release, the only piece of malware I've ever had on that system were Windows Office macro viruses. Nothing that affected the Mac, only something that could be passed on. On the other hand, I've had PCs infected, even with anti-virus software running. It happens. Sure, the Mac is becoming more of a target. However, as Gruber points out, this is the same old rhetoric that we've been hearing about for years. Sorry Ed, you were caught.
        http://daringfireball.net/2011/05/wolf
        techconc