Old Mac malware uncovered

Summary: Icefog, a Mac version of Windows malware, is a year old but was only recently discovered by Kaspersky. It was used experimentally in the Far East, bundled with the legitimate program Img2icns.

TOPICS: Security, Apple

In a report on the Icefog APT (Advanced Persistent Threat), Kaspersky Lab reveals that the authors created a Mac program to connect to their botnet. It was used in limited, experimental attacks in the Far East, primarily in South Korea and Japan.

The Windows versions of the threat date back at least to 2011. The Mac version presents very differently: it is hidden in a bundle with the legitimate graphics program Img2icns, which converts images to icons and vice versa. When the user installs and then loads Img2icns, they also load the Icefog trojan.

The poisoned Img2icns appeared in Chinese BBS forums in late 2012. Kaspersky believes the program was an experiment as parts of it are incomplete.

A BBS posting of the Mac Icefog trojan, bundled with the graphics program Img2icns

The backdoor portions of the program are similar to their Windows counterparts: they collect information about the host system, report it back to the command and control server and then request commands to execute.

The program is a 64-bit binary and compatible only with OS X 10.7 and 10.8. Since it is not code-signed, OS X 10.8 systems on which the Gatekeeper feature is set to block unsigned programs will not be vulnerable.

Mac antimalware company Intego notes that this threat is similar to OSX/Leverage in that it "...inhibits the Dock icon and Command-Tab application switching when the backdoor is launched, making it more difficult for a user to spot."
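The two traits the article attributes to the Mac sample, no code signature (so a Gatekeeper policy of blocking unsigned programs stops it) and hiding itself from the Dock and Command-Tab, can both be triaged from a bundle's files without launching it. The script below is an added example, not Kaspersky's, Intego's, or the Img2icns project's code. It assumes the Dock/Command-Tab hiding is done with the standard LSUIElement or LSBackgroundOnly Info.plist keys (the article does not say how Icefog does it), and it treats the absence of Contents/_CodeSignature/CodeResources as a cheap offline hint of an unsigned bundle; on a Mac, `codesign --verify --deep` and `spctl --assess` remain the authoritative checks. The sample bundles it builds are constructed in a temporary directory.

```python
"""Offline triage of an .app bundle for two traits described in the article:
no code signature and an Info.plist that hides the app from the Dock and
Command-Tab switcher. Added example; the bundles it inspects are constructed."""
import os
import plistlib
import tempfile


def bundle_findings(app_path):
    """Return a list of human-readable findings for one .app bundle."""
    findings = []
    info_path = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(info_path, "rb") as fh:
            info = plistlib.load(fh)
    except (FileNotFoundError, plistlib.InvalidFileException):
        findings.append("missing or unreadable Info.plist")
        info = {}

    # Assumption: LSUIElement / LSBackgroundOnly are the usual way to run an
    # app as an agent with no Dock icon and no Command-Tab entry. The article
    # does not state which mechanism Icefog uses; an icon converter should not
    # need either key, so its presence is worth a closer look.
    for key in ("LSUIElement", "LSBackgroundOnly"):
        if info.get(key) in (True, 1, "1"):
            findings.append(f"{key} set: app hidden from Dock/Command-Tab")

    # A signed bundle carries a resource manifest under _CodeSignature.
    # Its absence is only an offline hint; `codesign --verify --deep` and
    # `spctl --assess --type execute` are the authoritative checks on a Mac.
    sig = os.path.join(app_path, "Contents", "_CodeSignature", "CodeResources")
    if not os.path.isfile(sig):
        findings.append("no code signature (Gatekeeper set to block unsigned apps would refuse it)")
    return findings


def make_sample_bundle(root, name, hidden, signed):
    """Construct a minimal fake .app for demonstration (constructed data)."""
    app = os.path.join(root, name)
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    info = {
        "CFBundleExecutable": name.rsplit(".", 1)[0],
        "CFBundleIdentifier": "example.constructed." + name.rsplit(".", 1)[0].lower(),
    }
    if hidden:
        info["LSUIElement"] = True
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    if signed:
        sigdir = os.path.join(app, "Contents", "_CodeSignature")
        os.makedirs(sigdir)
        with open(os.path.join(sigdir, "CodeResources"), "wb") as fh:
            fh.write(b"placeholder: a real bundle holds a signed resource manifest here")
    return app


def demo():
    """Build one suspect and one benign bundle and triage both."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = make_sample_bundle(tmp, "Suspect.app", hidden=True, signed=False)
        benign = make_sample_bundle(tmp, "Signed.app", hidden=False, signed=True)
        return bundle_findings(suspect), bundle_findings(benign)


if __name__ == "__main__":
    suspect_findings, benign_findings = demo()
    print("Suspect.app:", suspect_findings)
    print("Signed.app:", benign_findings)
```

Run it as-is to see the constructed suspect bundle produce two findings and the signed, visible bundle produce none; point `bundle_findings()` at a real `.app` path to triage a download before it is opened.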

Kaspersky says that a few hundred users were infected with the Mac Icefog, although they haven't identified any specific infected systems. They speculate that this version was a trial (beta) run for a program to be used later in targeted attacks.

Antimalware companies are slowly catching up to Icefog. According to VirusTotal's most recent analysis of the components (performed at 16:21:39 UTC on 9-29-2013), it was detected by 10 of the 44 products they tested. There's no real hurry, as the threat does not seem to be active in the wild.

As detection spreads we may find out if derivative attacks were in fact committed more recently.

Hat tip: The Safe Mac

  • This seems to be the bigger issue with malware

    The undetected malware may be present and minimally active, allowing untold actions and harm. How many unknown vulnerabilities are being exploited but not noticed by anyone?
  • Repeat the Apple Creed...

    There are no viruses, worms or other malware that can afflict Apple software, because the holy spirit of Steve Jobs is infallible.

    Seriously, as long as Apple held a distant second place in market share, especially in computers used frequently for financially significant internet applications, malware writers focused on Windows. In the last few years they have ALSO focused on Apple systems. It is no more rational to believe Apple is immune to viruses than to believe Microsoft is. They are both "good" products in their own ways, but hopefully everyone today understands the first paragraph of this post as humor.

    Incidentally, I see a parallel with education. Apple systems have, at least until recently, been like the private schools that could SELECT their students, and EJECT them easily for bad grades or bad behavior, while Microsoft, running on many hardware platforms made by many manufacturers, with open access to devices and drivers from many sources, is like the public schools who have to take ALL students (except those who are bad enough to go into juvenile detention) and try to educate them all the best they can. Thus, public schools, like computers on Windows, have more frequent "failures" (bad test scores; OS crashes or malware), and private schools, like Mac computers, have very few, and cost quite a bit more to the end user.
  • Re: Repeat the Apple Creed...

    HA! I think that's a pretty good analogy, though I'd always prefer public school in this example. As an IT Pro it can do so much more for me.