Where did all the Mac malware go?

The last time I saw Mac Defender in the wild was on June 23rd. This nasty bit of Mac malware made life miserable for Apple and its support technicians for the entire month of May, before fading away in mid-June.

The Mac Defender gang is laying low, but I’m convinced they’ll be back. And I’ve seen evidence that suggests the next round of Mac malware could be significantly worse.

I monitored the progress of Mac Defender and its variants from the beginning of May, shortly after it first appeared in the wild, until the end of June. The gang distributing this malware had virtually no obstacles on OS X for its first month of operation, and they made a tremendous impact. Leaked documents confirmed that Apple was conducting an internal investigation as of May 16, but the company didn’t publicly acknowledge the problem until May 24. On May 31, Apple released its first-ever security update specifically aimed at malware.

That led to a lengthy cat-and-mouse game between Apple and the Mac Defender crew, with Apple releasing updated signatures every day and the bad guys tweaking their code within hours to evade detection.

Confused about what Mac Defender and its variants are all about? See Anatomy of a malware attack: the complete Mac Defender timeline for a full chronology.

On June 23, all of the servers that had been dispensing this threat simply disappeared. In a series of Google searches today I found dozens of poisoned results. I confirmed that the compromised web sites they lead to are still running. But the scripts on those hijacked sites that had been so effective in redirecting ordinary Mac users and making their lives miserable now lead to a dead end.

The sudden drop in activity convinced Nick Clayton of the Wall Street Journal to declare: “Apple Users Still Entitled to Be Smug.” Richard Gaywood of TUAW, after looking at Apple’s malware-detection scripts, was more cautious, sprinkling his conclusion with qualifiers: “Still, for now, I think Mac users who were worried about MacDefender can partly relax. The wolf is still not at our door.” [emphasis added]

So, what happened? And what’s next?

I don’t think the Mac Defender gang quit primarily because of Apple’s efforts. Their campaign targeted both Macs and PCs. If you visited a poisoned search result using a PC, you were redirected to a site that served up fake antivirus software for Windows; if you were using a Mac, the script sent you to a site that tried to install Mac Defender or one of its variants. The Windows attacks stopped on June 23, the same time as the Mac Defender servers went offline.

Based on my observations, I think this malware campaign simply ran its course. Apple’s response made a small dent in its impact. More importantly, Google got much better at detecting the poisoned search results and blocking them, which lowered the rate of return on Mac Defender installation attempts. In my June 19 analysis of Apple’s response, I referred to the attack in the past tense and speculated that it was about to end:

I still believe the Mac Defender attack was a successful proof of concept for the bad guys. The social engineering was excellent, and I am certain it brought in enough ill-gotten gains to bankroll the next phase of development.

Remember, this was done via a malware toolkit—the first one ever released for the Mac platform. The next version of this toolkit is being written with full knowledge of how Security Update 2011-003 works. The bad guys are counting on Apple taking weeks to work up its response. That could make Mac Defender version 2.0 very nasty indeed.

And indeed, there is now some sketchy evidence to suggest what the next wave of Mac malware will look like.

On June 16, someone uploaded a compressed file to VirusTotal.com for analysis. It was detected by 4 of 42 antivirus engines as a generic Windows Trojan that steals passwords and performs keystroke logging. But the interesting detail didn’t emerge until a few weeks later, when security researchers at the Microsoft Malware Protection Center (MMPC) took a closer look at the file and determined that it actually included two packages—one for Windows, and one for OS X:

The content folder includes photos from events on June 15th 2011. Alongside are two malicious binary executable files:

• Video-Current events 2009 July 5.exe (205,480 bytes) PE EXE
• Current events 2009 July 5 (50,956 bytes) Mach-O I386

A July 27 post from noted security researcher Mila Parkour confirms the contents of the compressed package. She suggests that it was used for “targeted attacks” that would be effective against victims regardless of whether they’re using using PCs or Macs.

Interestingly, the two files are variants of the same backdoor malware: the Windows version is called Wolyx, the Mac version is dubbed Olyx. Here’s a description of how Olyx works:

The Mach-O binary file targets Mac OS X users. It installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named “google” in the /Library/Application Support directory, where the backdoor installs as “startp”. It also keeps a copy in the temporary folder as "google.tmp".  It creates “www.google.com.tstart.plist” in the/Library/LaunchAgents, to ensure that it launches the backdoor only once when the user logs in - this applies to all accounts on the system.

[…]

Once connected, the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download and navigate through files and directory.

It’s entirely possible that a package like this is being distributed right now in very small numbers, under the radar. The most recent XProtect.plist definitions file for OS X does not include a definition for this piece of malware, although third-party Mac antivirus programs do.

And even if Apple does add a definition for that piece of malware, I suspect that the next iteration of the Mac malware authoring kit will include a feature to bring it up to parity with its Windows counterparts. These days, malware attacks on the Windows side typically use polymorphic code that makes every sample unique. The technique makes signature-based malware detection systems, like Apple’s XProtect, essentially useless.

The bad guys have lots of ways to distribute malware: booby-trapped porn sites, bogus audio and video codecs, pirated copies of software that come with “a little something extra,” even fake security updates. The increasing success of the Mac platform and its relatively weak security ecosystem means easy pickings for enterprising crooks.