Where did all the Mac malware go?

Where did all the Mac malware go?

Summary: Mac Defender made life miserable for Apple and its support technicians for the entire month of May, before fading away in mid-June. The Mac Defender gang is laying low, but I'm convinced they'll be back. And I've seen evidence that suggests the next round of Mac malware could be significantly worse.


The last time I saw Mac Defender in the wild was on June 23rd. This nasty bit of Mac malware made life miserable for Apple and its support technicians for the entire month of May, before fading away in mid-June.

The Mac Defender gang is laying low, but I’m convinced they’ll be back. And I’ve seen evidence that suggests the next round of Mac malware could be significantly worse.

I monitored the progress of Mac Defender and its variants from the beginning of May, shortly after it first appeared in the wild, until the end of June. The gang distributing this malware had virtually no obstacles on OS X for its first month of operation, and they made a tremendous impact. Leaked documents confirmed that Apple was conducting an internal investigation as of May 16, but the company didn’t publicly acknowledge the problem until May 24. On May 31, Apple released its first-ever security update specifically aimed at malware.

That led to a lengthy cat-and-mouse game between Apple and the Mac Defender crew, with Apple releasing updated signatures every day and the bad guys tweaking their code within hours to evade detection.

Confused about what Mac Defender and its variants are all about? See Anatomy of a malware attack: the complete Mac Defender timeline for a full chronology.

On June 23, all of the servers that had been dispensing this threat simply disappeared. In a series of Google searches today I found dozens of poisoned results. I confirmed that the compromised web sites they lead to are still running. But the scripts on those hijacked sites that had been so effective in redirecting ordinary Mac users and making their lives miserable now lead to a dead end.

The sudden drop in activity convinced Nick Clayton of the Wall Street Journal to declare: “Apple Users Still Entitled to Be Smug.” Richard Gaywood of TUAW, after looking at Apple’s malware-detection scripts, was more cautious, sprinkling his conclusion with qualifiers: “Still, for now, I think Mac users who were worried about MacDefender can partly relax. The wolf is still not at our door.” [emphasis added]

So, what happened? And what’s next?

I don’t think the Mac Defender gang quit primarily because of Apple’s efforts. Their campaign targeted both Macs and PCs. If you visited a poisoned search result using a PC, you were redirected to a site that served up fake antivirus software for Windows; if you were using a Mac, the script sent you to a site that tried to install Mac Defender or one of its variants. The Windows attacks stopped on June 23, the same time as the Mac Defender servers went offline.

Based on my observations, I think this malware campaign simply ran its course. Apple’s response made a small dent in its impact. More importantly, Google got much better at detecting the poisoned search results and blocking them, which lowered the rate of return on Mac Defender installation attempts. In my June 19 analysis of Apple’s response, I referred to the attack in the past tense and speculated that it was about to end:

I still believe the Mac Defender attack was a successful proof of concept for the bad guys. The social engineering was excellent, and I am certain it brought in enough ill-gotten gains to bankroll the next phase of development.

Remember, this was done via a malware toolkit—the first one ever released for the Mac platform. The next version of this toolkit is being written with full knowledge of how Security Update 2011-003 works. The bad guys are counting on Apple taking weeks to work up its response. That could make Mac Defender version 2.0 very nasty indeed.

And indeed, there is now some sketchy evidence to suggest what the next wave of Mac malware will look like.

On June 16, someone uploaded a compressed file to VirusTotal.com for analysis. It was detected by 4 of 42 antivirus engines as a generic Windows Trojan that steals passwords and performs keystroke logging. But the interesting detail didn’t emerge until a few weeks later, when security researchers at the Microsoft Malware Protection Center (MMPC) took a closer look at the file and determined that it actually included two packages—one for Windows, and one for OS X:

The content folder includes photos from events on June 15th 2011. Alongside are two malicious binary executable files:

  • Video-Current events 2009 July 5.exe (205,480 bytes) PE EXE
  • Current events 2009 July 5 (50,956 bytes) Mach-O I386

A July 27 post from noted security researcher Mila Parkour confirms the contents of the compressed package. She suggests that it was used for “targeted attacks” that would be effective against victims regardless of whether they’re using using PCs or Macs.

Interestingly, the two files are variants of the same backdoor malware: the Windows version is called Wolyx, the Mac version is dubbed Olyx. Here’s a description of how Olyx works:

The Mach-O binary file targets Mac OS X users. It installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named “google” in the /Library/Application Support directory, where the backdoor installs as “startp”. It also keeps a copy in the temporary folder as "google.tmp".  It creates “www.google.com.tstart.plist” in the/Library/LaunchAgents, to ensure that it launches the backdoor only once when the user logs in - this applies to all accounts on the system.


Once connected, the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download and navigate through files and directory.

It’s entirely possible that a package like this is being distributed right now in very small numbers, under the radar. The most recent XProtect.plist definitions file for OS X does not include a definition for this piece of malware, although third-party Mac antivirus programs do.

And even if Apple does add a definition for that piece of malware, I suspect that the next iteration of the Mac malware authoring kit will include a feature to bring it up to parity with its Windows counterparts. These days, malware attacks on the Windows side typically use polymorphic code that makes every sample unique. The technique makes signature-based malware detection systems, like Apple’s XProtect, essentially useless.

The bad guys have lots of ways to distribute malware: booby-trapped porn sites, bogus audio and video codecs, pirated copies of software that come with “a little something extra,” even fake security updates. The increasing success of the Mac platform and its relatively weak security ecosystem means easy pickings for enterprising crooks.

Topics: Security, Apple, Hardware, Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Article what 10 for the one piece of Mac malware

    Lucky Ed doesn't have to do the same for windows;-)
    Richard Flude
    • Message has been deleted.

      • In defense of Ed

        @bannedfromzdnetagainandagain ... (did I just say that?) - the column formerly known as 'Ed Bott's Microsoft Report' (now 'Ed's Report About What's Wrong With Apple') certainly delights in emphasizing Apple's problems.<br><br>However, it does present factual information without a lot of opinion and hype. I will confess to its being my primary source of information about Mac malware issues and what Apple support is or isn't doing about them.<br><br>His reporting has been thorough and accurate and has put pressure on weak points at Apple support.<br><br>Ok, now I need to go wash my hands.
      • RE: Where did all the Mac malware go?


        Haven't you been reading the articles on the Mac malware? One at least one of the articles it clearly stated that some versions of the Mac Defender malware were able to install themselves and get root access without you having to type in your admin password. It did not have to be manually downloaded in these versions. It did not have to be installed by typing in your admin password. This version was not dependent on all that. This is why it's looking like such a threat for the future. This nastier version could be coming soon en masse.
      • RE: Where did all the Mac malware go?

        Correction: The 2nd iteration bypassed the need to enter an administrative password.
      • no, josh

        ed is either a liar or doesn't know what he is talking about. (both, i guess) he is even admitting it in another post. here is what he was writing a few weeks ago:
        "The Mac Defender gang already proved they can sidestep the requirement to enter an Administrator password. They already convinced tens of thousands of victims to install a small program that then downloads and installs additional malware without any user interaction."


        1. this "small program" has to be installed first. and that"small programm" is the mac defender by the way. that is only possible if a user types in his administrator password. after that of course the software "downloads and installs additional malware without any user interaction", it can do whatever it wants. that's why it is called a trojan.

        so even ed unvoluntarily admits that this mac defender works exactly as any other trojan before it: a user has to manually download it to his computer and manually install it by giving his password.

        2. the "tens of thousands" of affected user exist only in ed's twisted and apple-hating imagination.
      • RE: Where did all the Mac malware go?


        It seems that you're also the one who hasn't been reading carefully. While it is true that some versions of MacDefender could install without a password, it is not true that it could succeed in doing this without user interaction. Nor is it true that it gained root access. So, it still fell into the category of a malware attack that can be defended against through simple education.
      • RE: Where did all the Mac malware go?


        I don't think the 10s of thousands are made up because a few people I know (who are morons, but that's besides the point) managed to get it. I used Ed's original advice to clean it up. YOU may not get it, but other people do.
      • RE: Where did all the Mac malware go?

        @bannedfromzdnetagainandagain you got the quote of the day, ...microsoft shill and spin doctor ed comes out of the woodwork hoping and praying for a next wave of malware for mac users... Ed is shamelessly transparent.
      • RE: Where did all the Mac malware go?

        @bannedfromzdnetagainandagain Ah yes, yet another mac user with a case of headinthesanditis... come one dude, if this was not an issue that could potentially affect all mac users, if this was a made up issue as you claim then WHY would Apple go to the trouble of creating and maintaining a mac antimalware program?

        It's already been proven that the trojan does NOT have to be manually downloaded - do your research! And Also Ed is not claiming that the quantity of the malware issues with windows is the same as any other platform - that is FUD you and other haters have come up with as some sort of strawman to make yourself feel better.

        But by all means go and do whatever it is you want to do, believe whatever you want to believe... just take one thing away from this: When your mac becomes infected - and it will, it's just a matter of time now - Ed will be here to help you get it right again. And me - I'll be laughing my ass off at you for not accepting the simple truth that macs are not invulnerable.
      • save

        no one ever said the mac is 100% safe from malware. there is the occasional trojan (mac defender is nothing new or doesn't behave in another way as any mac trojan before it) and the occasional exploit through software security holes (safari for instance). yes, even a mac user shouldn't download and install software from a source he or she doesn't trust. social scams do occur.

        it is just a 1000 times safer than the windows platform with hundreds of thousands of viruses, worms, trojans and the exploit of the month. ed is desperately trying to paint the picture that the mac has the same security nightmare as windows or at least will have soon, now that worldwide market share has increased form 4.5% to 5.2% (really, i am not kidding, this is his argument: the mac is now sooooo much more popular than three years ago). which of course is total bs.
      • mac defender or macguard does not auto-install without interaction

        @josh92 wrote "downloads and installs additional malware without any user interaction."

        Have to agree with the consensus, this is completely false.

        @josh92 wrote "some versions of the Mac Defender malware were able to install themselves and get root access without you having to type in your admin password"

        That is "macguard" - it will not "auto-install" but it does "auto-run", and it is still interactive where you will have a installer program that has to be run. If the account is an admin account (which is default user type) yes you will not need the admin PW.

        For non-security-conscience people, I am not sure if needing the admin PW is even an issue since they would have just clicked through the install windows-style, no matter what program it was.

        Preventative efforts:

        - install "Security Update 2011-003" from apple (already pushed out to users via auto-update)
        - run as non-admin user
        - disable Safari's "auto-open safe files" (or use Firefox, which will force manual download/install for all applications)
      • RE: Where did all the Mac malware go?

        All of this malware has just started it's installation routine, and only fools click through and install it.

        If you are using your computer and suddenly an installer appears, do you click through several steps and install a program that you didn't download or look for or want? If so, you will never be safe no matter what platform you use. That's what we are talking about here.

        THERE IS NO mac malware in the wild that just suddenly infects your machine without any interaction. There are no viruses, no payloads. Please, never use a Mac.

        Ed Bott, I don't think you are qualified to make the statement that the Mac's "relatively weak security ecosystem means easy pickings for enterprising crooks."

        And judging by the comments here, you haven't enlightened many people, you just made them woefully misinformed.
      • RE: Where did all the Mac malware go?

        @bannedfromzdnetagainandagain I'm afraid that the jury is still out...way out...on that one. While it may be true that Android activa<a href="http://www.tran33m.com/vb/">t</a>ion numbers seem to dwarf iPhone activation numbers (something we're not seeing in the tablet market yet, and may never see), there are a nu<a href="http://vb.maas1.com/">m</a>ber of other sources that point to the fact that it seems that the majority of Android users are significantly not using their phones for data purposes. When Android phones seem to be significantly dominating the market, but web statistics show a dominance from the iPhone, it has to bring up some significant questions...
      • RE: Where did all the Mac malware go?

        @bannedfromzdnetagainandagain <a href="http://www.facebook.com/notes/black-friday-deals/nikon-lens-black-friday-sale-2011-black-friday-nikon-lens-deals-2011/253684421351007">black friday nikon lens</a>
        <a href="http://www.facebook.com/notes/black-friday-camera/black-friday-camcorder-sale-camcorder-black-friday-deals-black-friday-camcorder-/250683621650695">black friday canon lens</a>
        <a href="http://www.facebook.com/notes/black-friday-camera/black-friday-canon-lens-sale-canon-lens-black-friday-deals-black-friday-canon-le/250682674984123">black friday camcorder</a>
        <a href="http://www.facebook.com/notes/black-friday-camera/black-friday-camcorder-sale-camcorder-black-friday-deals-black-friday-camcorder-/250683621650695">camcorder black friday</a>
        <a href="http://www.facebook.com/notes/black-friday-camera/black-friday-canon-lens-sale-canon-lens-black-friday-deals-black-friday-canon-le/250682674984123">canon lens black friday</a>
        <a href="http://www.facebook.com/notes/black-friday-camera/nikon-d5100-black-friday-sale-black-friday-nikon-d5100-2011-nikon-d5100-black-fr/250710044981386">Nikon D5100 Black Friday</a>
        <a href="http://www.facebook.com/notes/black-friday-camera/black-friday-nikon-d7000-sale-nikon-d7000-black-friday-2011-black-friday-nikon-d/250717538313970">Black Friday Nikon D7000</a>
        <a href="http://www.facebook.com/notes/black-friday-camera/black-friday-nikon-d3100-sale-nikon-d3100-black-friday-deals-black-friday-nikon-/250723248313399">Black Friday Nikon D3100</a>
    • RE: Where did all the Mac malware go?

      @josh92: "Haven't you been reading the articles on the Mac malware? One at least one of the articles it clearly stated that some versions of the Mac Defender malware were able to install themselves and get root access without you having to type in your admin password."

      There has NEVER been any such version of Mac Defender!!!

      Mac Defender is a Trojan, plain and simple. It is an application that must be downloaded and then purposely installed by the duped user onto his/her own computer.

      What you are describing is known as a "virus". Although there have been literally THOUSANDS of Windows viruses... there has NEVER been a single virus for Mac OS X!

      It's telling that the only way that some Windows users can feel a bit better about being stuck with Windows' "Swiss Cheese" security, is to make up ridiculous false claims about Mac OS X.

      If you are feeling that insecure about the operating system that you use, perhaps it's time to try another one. ;-)
      Harvey Lubin
      • Message has been deleted.

      • RE: Where did all the Mac malware go?

        @Harvey Lubin [b]It's telling that the only way that some Windows users can feel a bit better about being stuck with Windows' "Swiss Cheese" security, is to make up ridiculous false claims about Mac OS X.[/b]

        Careful your bias is showing. This "swiss cheese" security may have been present in XP and definitely in ME and below but - much like any other platform - Windows is secure as long as the user takes a few simple common sense precautions. I've run Windows from 98 up to 7 and I've had 2 viruses - one with ME, 1 with XP... I've never had one with Vista (perhaps I didn't use it long enough as IMHO it sucked out loud) nor with 7 (which I use on a daily basis).

        No OS insecurities here.

        [b]There has NEVER been any such version of Mac Defender!!![/b]

        Oh and BTW there HAS been a version of the Mac Defender that does not require the use of an administrator password - it basically piggybacks onto another benign program and once THAT program is installed (using the administrator password BTW) the mac defender can get to work.
      • RE: Where did all the Mac malware go?

        @sinephase: Would you please list--with references--all the true viruses that have attacked OS X successfully? I don't mean trojans, I mean worms and other viruses that don't require any form of user interaction whatsoever.
      • RE: Where did all the Mac malware go?


        So basically, you're going to deny there was ever a problem because Mac Defender/Guard wasn't a true virus?

        Are you really going to play that dumb definition game?

        Mac Defender/Guard might not have been a "virus" by definition, but it was still malware. And as far as Joe User is concerned, it was a virus.
        The one and only, Cylon Centurion