The slow and steady evolution of cross-platform malware

Summary: Malware isn't just for Windows anymore. As the number of Macs rises, so does the economic incentive for criminals to build cross-platform attacks. And so do the stakes.


The rise of the global Internet in the early to mid-2000s made online crime possible and profitable. The sheer size of Microsoft’s monopoly made Windows the only target that mattered for malware authors. And so for years virtually all malware was Windows malware, which led some people to conclude that it would always be so.

But a funny thing happened over the past decade, as Microsoft was smacked down hard in antitrust suits in the United States and the European Union: Its monopoly began to erode, and alternative platforms began to succeed. At the same time, Microsoft became much more effective at responding to security threats.

One year ago this week, I wrote a post titled Why malware for Macs is on its way. In it, I laid out the economic reasons why Mac malware was almost certain to begin appearing in greater numbers. In that post, I quoted a 2008 paper by security researcher Adam J. O’Donnell, who said:

I expect relatively wide-spread, monetized Mac malware when we see around 5-10% of the Internet population using Macs.

We reached that tipping point more than a year ago. In April 2011, NetMarketShare stats showed Mac usage at 5.67%. A year later, in April 2012, those numbers have risen sharply, with Mac usage now up to 6.53% worldwide.

And now, with Flashback, we have the first example of widespread, monetized malware aimed exclusively at Macs. According to a report by Symantec researchers, the Flashback business model involved redirecting clicks from infected Macs and stealing the ad revenue:

Ad-clicking Trojans are nothing new and in an analysis of W32.Xpaj.B last August a botnet measuring in the region of 25,000 infections could generate the author up to $450 per day. Considering the Flashback Trojan measures in the hundreds of thousands, this figure could sharply rise to the order of $10,000 per day.

(My ZDNet colleague Ryan Naraine has more details.)

In that same post a year ago, I made this prediction:

Upcoming versions of crimeware kits will probably be cross-platform, with the capability to build and deliver Windows and OS X packages using as many vulnerabilities and social engineering tricks as possible. On every poisoned web page, visitors get sorted by OS: Windows users this way, OS X users over there. Each group gets its own custom, toxic blend. If all it takes is a tick of a check box, the gangs using these kits can jump into the Mac market literally overnight.

Many of the poisoned web sites that delivered the Mac Defender rogue antivirus product last year were set up to handle both Windows and Mac-based victims. And now, in the wake of Flashback, guess what showed up in the news today?

Cross-platform malware exploits Java to attack PCs and Macs

Security vendors have discovered a new piece of malware that attacks both PCs and Macs. It uses the same Java security vulnerability exploited by the Flashback malware that infected hundreds of thousands of Macs. While the attack vector is the same as in Flashback, this Java Applet checks which OS it is running on and downloads suitable malware for it.


Both droppers result in a Trojan that opens a back door on the compromised computer, allowing remote hackers to secretly send commands, upload code to the victim’s computer, steal files, and run commands without the user’s knowledge. The two Trojans are downloaded from the same server.

The Trojan only checks whether it is running on Windows once, but the downloaded Python dropper checks again whether it is running on a Mac or not. If it is running on Linux or some other operating system, the threat does nothing. Python is not often used to write malware, but in this case it works fine on Macs since Python is installed by default.

The diagram accompanying that report, which documents the workings of the newly discovered threat, is almost a perfect representation of what I predicted last year.

It would be trivial to add that OS-sorting applet to the widely used Blackhole exploit kit, which already contains a malicious Java applet targeting the same vulnerability.

Economic conditions are ripe for malicious activity to increase, slowly and steadily. Malware is a numbers game. As Mac sales continue to grow faster than Windows PC sales, especially in wealthy countries, the target gets more and more attractive to criminals.

Here’s what I wrote last year:

A gain of a few percentage points in the Mac market might not seem like a lot, but in a universe with a billion Internet-connected devices, each percentage point equals a potential 10 million victims. A market with 60 million, 80 million, or even a hundred million Mac users is big enough for the bad guys.

In the 12 months ending March 2012, Apple sold more than 17 million Macs, and Mac sales continue to rise every quarter. By the end of this year there will be more than 80 million Macs in use, probably half of them running versions of OS X for which Apple no longer supplies security updates. Among those running supported OS X versions, recent data shows that 20% or more are at least one update behind.

As the share of Macs online rises, so does interest from criminals. They will do to the Mac platform (albeit on a smaller scale) what they’ve been doing to the Windows platform for years: pick away at vulnerabilities in the OS, in related code, and in third-party apps, change their tactics regularly, and step up their social engineering efforts. Malware on Macs is likely to continue as a persistent low-level threat.

As part of that slow, steady evolution, you’re likely to see the stakes and the intensity level rise.

Windows users at small businesses have been targeted for the last six years by banking Trojans that steal online-banking credentials. Brian Krebs has documented case after case of small businesses that were attacked by gangs that then drained their bank accounts, like this one from just a few weeks ago:

[C]yber crooks struck Alta East, a wholesale gasoline dealer in Middletown, N.Y. According to the firm’s comptroller Debbie Weeden, the thieves initiated 30 separate fraudulent transfers totaling more than $121,000. Half of those transfers went to prepaid cards issued by Metabank, a large prepaid card provider.

This attack was not random. It was planned like a bank job:

Sometime on March 13, four different employees of Alta East received emails that appeared to have been sent from a current client. The messages inquired about a recent transaction, and cited an invoice number. According to Weeden, all four Alta East employees opened the attached Adobe PDF file, which contained a hidden JavaScript element that infected their Windows XP systems with a variant of the ZeuS Trojan.

Six days later, the thieves set up a batch of fraudulent payroll payments....

“The emails came from a legitimate customer, and we thought he was questioning an invoice,” Weeden said. “There were four of us who hit that attachment. Afterwards, we asked the customer about the email, but he said he hadn’t sent it.”

A mere two years ago, Krebs advised readers to use a Mac instead of a Windows PC for any online banking, citing the example of a similar near-six-figure ripoff. That doesn't seem like such a bulletproof option now.

How long until a banking/keylogger Trojan is available in a cross-platform package? I know a lot of successful high-end art dealers and antique shops that run on Macs. Think they'd be good targets?

How long before exploits take aim at vulnerabilities disclosed and patched in recent OS X updates? Each security update amounts to a public list of what the previous version gets wrong, and with so many Mac users updating slowly, that's a tremendous untapped opportunity.

How long until web-based Mac malware adds packers and server-side polymorphism like its Windows counterparts? With those techniques, malicious code can mutate and re-obfuscate itself with each new delivery, so that every copy looks new to Apple’s XProtect, which only recognizes what is already on its signature list.

I don’t know the answers to any of those specific questions. But the smart money is betting on “sooner, not later.”
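The last of those questions is about a mechanism, so here is an added example (written for this edit, not code from the original post or from any real kit) that shows why per-delivery mutation beats a fixed signature list and what a scanner has to do about it. The PK01 container, the one-byte XOR "packer" and the harmless marker payload are all assumptions chosen so the mechanism is visible; real kits vary the unpacking stub as well as the key, which is what makes the unpack-then-match step harder in practice than it is here.

```python
"""Added example: why per-delivery polymorphism beats a fixed signature list.

Not code from the original post or from any real kit. The PK01 container, the
one-byte XOR "packer" and the benign marker payload are assumptions chosen so
the mechanism is visible; a real packer would also vary the unpacking stub.
"""
import hashlib
import os

# Constructed, harmless stand-in for a dropper body. Anything that looks for
# the marker string below is playing the role of a content signature.
PAYLOAD = b"BENIGN-TEST-PAYLOAD: if you can read this, the unpacker ran\n"
CONTENT_SIGNATURE = b"BENIGN-TEST-PAYLOAD"

MAGIC = b"PK01"  # assumed header of the toy packed container


def pack(payload: bytes) -> bytes:
    """Produce one delivery: fresh XOR key and fresh junk bytes every call."""
    key = os.urandom(1)[0] or 1   # never 0, or the body would be unchanged
    junk = os.urandom(8)          # per-delivery padding, also randomises the hash
    body = bytes(b ^ key for b in payload)
    return MAGIC + bytes([key, len(junk)]) + junk + body


def unpack(blob: bytes) -> bytes:
    """Reverse pack(); raises ValueError for anything that is not a PK01 blob."""
    if len(blob) < 6 or not blob.startswith(MAGIC):
        raise ValueError("not a PK01 blob")
    key, junk_len = blob[4], blob[5]
    return bytes(b ^ key for b in blob[6 + junk_len:])


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def hash_signature_matches(blob: bytes, blocklist: set) -> bool:
    """What a hash-only signature sees: the file exactly as delivered."""
    return sha1(blob) in blocklist


def raw_pattern_matches(blob: bytes) -> bool:
    """A fixed byte pattern applied to the delivered file, without unpacking."""
    return CONTENT_SIGNATURE in blob


def content_signature_matches(blob: bytes) -> bool:
    """Unpack first if the file looks packed, then apply the same pattern."""
    try:
        data = unpack(blob)
    except ValueError:
        data = blob
    return CONTENT_SIGNATURE in data


def simulate(deliveries: int = 5) -> dict:
    """Serve the same payload `deliveries` times, as a polymorphic server
    would, and count what each kind of signature catches."""
    samples = [pack(PAYLOAD) for _ in range(deliveries)]
    # The vendor captured the first sample and shipped its hash.
    blocklist = {sha1(samples[0])}
    return {
        "deliveries": deliveries,
        "distinct_hashes": len({sha1(s) for s in samples}),
        "hash_signature_hits": sum(hash_signature_matches(s, blocklist) for s in samples),
        "raw_pattern_hits": sum(raw_pattern_matches(s) for s in samples),
        "content_signature_hits": sum(content_signature_matches(s) for s in samples),
    }


if __name__ == "__main__":
    print(simulate())
```

Running it gives {'deliveries': 5, 'distinct_hashes': 5, 'hash_signature_hits': 1, 'raw_pattern_hits': 0, 'content_signature_hits': 5}: the shipped hash catches the one sample it was taken from, the raw byte pattern catches nothing, and only the scanner that unpacks before matching catches every delivery. The defender's problem is that unpack step. Here the container format is fixed, so unpack() is a handful of lines; a kit that rewrites the decoding stub on every delivery forces the scanner to emulate or actually run the sample rather than parse it, which is why signature lists like XProtect's lag behind.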

  • Krebs' advice was good for about 2 years

    Not bad in the security market:-)

    The rise of Mac malware is a real problem; its effects are devastating on Windows.

    Apple needs to improve its relatively poor security infrastructure, but as the latest cross-platform attack shows, it isn't alone.

    Apple users certainly need education about applying patches (the easiest attack vector).

    Kudos to Ed for his accurate prediction.
    Richard Flude
    • Apple needs to address their security issues on a number of fronts

      Apple needs to get more involved in the security industry as a whole. Apple needs a dedicated CISO. Apple needs to acknowledge that any popular operating system will be a target for malfeasance and educate their customers accordingly. Apple is not BeOS or some other fringe OS. Their footprint is too large and a tempting target for organized criminals.
      Your Non Advocate
    • That leaves using a Linux Live CD for online banking

      Although, one would think that an OS X system dedicated to online banking would be as good as a Windows PC dedicated to online banking (that's what many security experts have been recommending). However, an OS X system dedicated to online banking would cost a lot more money than a basic Windows PC used for the same purpose. And by 'dedicated', I mean that these systems are used for one purpose and only one purpose: online banking. No email, web surfing, media streaming, etc.
      Rabid Howler Monkey
      • RE:Linux Live CD for Online Banking


        It's quite hard for malware to infect your hard drive when the system doesn't think it even has a hard drive. The CD also has the advantage of not allowing any write activity.

        On the minus side, I find that Linux Live CDs are quite slow at starting applications. That might not be a problem if it's just for some dedicated uses.
      • You can also mount it on a USB stick

        Or use a VM. Both methods are a lot faster.

        Live CDs are really for demonstration purposes.
        Cylon Centurion
  • One thing is for sure

    As new platforms emerge, their more tightly-closed (and tightly-controlled) nature will become a more secure model for software distribution over legacy open systems like Java and allowing software to launch from a browser. Windows 8 is starting to go this route, but Windows RT and Mountain Lion are going the whole way. iOS is already mostly there, but Apple needs to update it (and OS X) in a more timely manner. You can literally tell how quickly security flaws are found in iOS by watching how fast jailbreak patches get released, since they all take advantage of security flaws in the OS. Will Windows RT notice the same level of jailbreaking? We may not know for a while, although there is a lot of hardware security required for Windows RT that will likely just be plain incompatible with other OSes.
    • re:One Thing

      By nature, any system that can start up a program without the operator is vulnerable. That means that Java, Visual anything, or others are all easily compromised. Even JavaScript can be the basis of attacks. If the browser can run a program without your input, then you can be attacked.

      In Linux, I can turn off any autorun capability, and usually do. I can only run updates when I choose, and from where I choose. But the browser is still one route for infection. My answer for that is to turn off JavaScript in Firefox, disable updating, and then go. If a site requires JS, I will turn it on for that visit. It does leave a vulnerability, but it's a very short window.

      I've already had a family member's W7 computer hosed. I had to reinstall from backup disks to factory settings. They were using Microsoft's antivirus.

      On the modern Internet, only the paranoid survive.
      • Windows 7 Security Essentials?

        I have tried Security Essentials with Windows Defender and the Windows Firewall setup. The amount of protection is laughable. Just take such a computer to a website that audits your PC over the internet and you will see. I finally just reformatted my hard drive and installed Kubuntu. Been using it without a problem for 2 years now (and it looks far cooler). I think I reinstalled W7 4 or 5 times before I just gave up on it.
  • Please try to be just a little bit impartial...

    "Knowing that so many Mac users update slowly, that's a tremendous untapped opportunity."

    For cryin' out loud, Ed! How many Windows XP systems are still in use today? Talk about slow to update or upgrade and the Windows community comes to the forefront of my mind. We all agree that both the Mac and Windows camps have a huge fraction of clueless users, but you seem to focus all your attention on just one.

    Way to dodge the fact that the very phenomenon that you rant about in the Mac world still happens in the Windows world. Good job trying to make the PC version of Flashback into another diatribe about Macs.

    Oh, and how many times do we have to hear you say "I told you so"? Almost half of your words are self-congratulatory. What hubris you have.
    • Rating system or censorship?

      My points are quite valid. Windows users don't all (as in 100%) keep their machines patched and up to date. Even if Oracle updated Java (three times by my count on my XP installs) before Apple applied their customized patch, Windows PCs will be infected by Flashback. It's a fact. But one Ed goes to great lengths to minimize this bit while still ranting about how Apple let its customers down.

      Where's the outrage at Oracle?

      Where's the discussion that this is a platform agnostic problem and we all should learn from it?

      I see that all the Ed Bott groupies don't like my request that Ed try to be impartial or even a little bit humble. Too bad folks. If you don't like what I post, then man up and reply as to why. Otherwise, you're just lurking cowards with a clear agenda.
      • Both

        And I replied as to why I personally voted your post down. It's easy to attack the messenger as it appears you are doing. It's harder to admit there may be an issue and take corrective steps to ensure that you are not affected by it. If you've already taken those steps then good for you.

        It is an unfortunate fact that people here will vote down and flag a post due to who wrote it rather than the content of that post.
      • "...users don't all (as in 100%) keep ..." Huh?

        What are you smoking today? 100%? Pinch yourself, dude.
    • You are doing the same.

      Changing a report about the Mac into a Windows bashing opportunity - and compounding the error by being off topic too!
    • It's not the clueless ones

      but the ones who still claim their Macs are invulnerable that are the problem. The clueless ones can be taught; the ones who are unwilling to admit that their Mac can possibly be vulnerable to malware will gripe about how everyone is attacking Macs and Mac users. Personally I have no issue with what tech you use - I use Windows because I'm into online gaming... otherwise I'd be using a Mac. But I would take issues like malware seriously rather than the joke some Mac users see the issue as.
    • XP Systems

      There are a lot of XP systems that have not been updated; a lot of them are pirated copies of Windows or have a problem that keeps those computers from being updated.

      What the author is trying to explain is that state-of-the-art malware is being adapted to attack both Windows and Mac computers. This is no longer a theoretical attack but a series of attacks. The author is also trying to get information to everyone to at least be alerted that there may be a problem; the idea is that being forewarned is the first step.
      • XP Can be Protected

        XP systems can be protected. Doing so does result in being unable to use automatic updates. That will only be a problem for a short time, though, as Microsoft is set to discontinue XP support.

        Macs also can be protected. But it similarly impacts some of the system functions.

        Both Mac OS X and Windows 8 have already been broken.

        Security is still more an attitude than a product. You protect your system, not Microsoft or Apple or McAfee or ...
      • @anotherbob

        XP can be protected and use automatic updates. The XP computers I am referring to are those that Microsoft will not allow to be updated because they are not legitimate copies of XP. There are other XP computers that do not update for other problems. XP is getting near the end of support by Microsoft which has lasted more than a decade.

        The information people need to know is that they should keep their OS updated as well as the applications, use malware protection and practice safe computing. It also helps to stay informed about ongoing issues and be prepared.
    • Agreed

      I should just stop reading Ed's crap. Much better to go on a real security forum with real security experts.
      beau parisi
    • To all...

      In Ed's piece I find the word "Mac" occurs 32 times.

      "Windows" occurs 13 times. PC(s) occurs 7 times.

      So Ed's focus was obviously set on the Mac platform when this article was written because Flashback now targets Windows as well. I guess you all find that to be impartial. And yes, Ed did spend many words regarding the accuracy of his ability to foretell the future. I guess you all couldn't grasp that either. Idiots - all of you that censor anyone. Don't like it? Too bad.

      So Flashback is now cross-platform and malware is platform agnostic. These facts were in both my posts. Nowhere in either of those posts did I once "bash" or disparage Windows. I guess most of you have no reading comprehension either.

      What Ed should have been writing about is that malware is platform agnostic and what should be done about it. Instead we got another of his continuing diatribes about how Macs and their users are a blight on the planet. But that puts the bread in Ed's pocket and you people pile on like clowns in a clown car.

      Now you can flag me too. Idiots....
      • What you fail to see - again - is the point.

        Windows malware by itself is not the point. Nor is Mac malware by itself. It's a sad thing that you actually counted how many times Ed used "Mac", "Windows", and "PC" in his article.

        The POINT is that malware is being written for Macs and now there are cross platform variants and both Mac and Windows users need to protect themselves. Any issues you have with Ed attacking your precious are just that - YOUR issues.