Why malware for Macs is on its way

This isn't about Mac-versus-Windows. It's about engineering and (shady) economics. I see convincing evidence that the tipping point is here, or will be soon. Read on and make up your own mind.
Written by Ed Bott, Senior Contributing Editor

Follow-up: Malware attempts that use Apple-focused social engineering are now in the wild. I just found one via Google Image search. See for yourself: What a Mac malware attack looks like.

Oh, the rationalizations people come up with to explain away what they don’t want to hear.

Last week, when I wrote Coming soon to a Mac near you: serious malware, I expected to get an earful from Mac partisans telling me how wrong I was. They didn’t disappoint.

In this post, I want to respond, in detail, to the arguments that I heard in response to that post. They’re the same ones that come up over and over again when the topic turns to Macs and malware.

First, there’s the contention that OS X is architecturally superior to other operating systems, that its very design confers immunity from infection. Second, there’s the perfectly reasonable question of numbers: if Macs and Windows PCs are equally vulnerable to attack, how come there are hundreds of thousands of Windows viruses and only a handful of specimens of Mac malware?

Those are reasonable arguments, and I want to address them fully, with enough evidence to help you make your own conclusions. This isn’t about Mac-versus-Windows religion. It’s about engineering and economics.

I’ve got my flak jacket fastened, so let’s dive in.

Is OS X architecturally superior to Windows?

That’s the argument several commenters made in response to my post. Here’s one example, complete with obligatory homage to Steve Jobs:

The architecture and methodology are different at Apple, which is why so many developers (and hackers) hate Macs and iPhones; they can't get in to do anything really serious. Not to deny anything is possible, but I still feel left out when I use PCs that get infected regularly. And thank Steve for that feeling!

Sorry, but that’s not true. Sensible third parties have acknowledged this for years. In a 2008 post at the Mac-centric Tidbits.com, Security Editor Rich Mogull wrote:

It's not that Mac OS X is inherently more secure against viruses than current versions of Windows (although it was clearly more secure than Windows prior to XP SP2); the numerous vulnerabilities reported and patched in recent years are just as exploitable as their Windows equivalents. But most security experts agree that malicious software these days is driven by financial incentives, and it's far more profitable to target the dominant platform. […] At some point, assuming Apple continues to make appealing products, we Mac users will become bigger targets and face a higher level of risk. [emphasis added]

As I’ve documented in a series of recent posts, social engineering has become the dominant technique that malware authors use to spread their poison. If you can convince someone that your hostile program is useful or necessary, they will happily (or fearfully) click through all necessary prompts and enter their administrative credentials where required.

This is true in Windows, where User Account Control has been a default since 2006. It is equally true in OS X.

But, the argument goes, Windows users are victimized by drive-by downloads, and Macs are immune from those!

Sorry, but that’s not true either. Like any modern operating system, OS X contains flaws that can be attacked fairly easily. That is why Apple updates it so regularly. Let's take just one recent example…

In Apple’s security bulletin for the April 22, 2011 release of OS X 10.6.7, I counted 23 separate fixes for vulnerabilities that allow “arbitrary code execution” in the current shipping version of OS X. At least three of those vulnerabilities are new in Snow Leopard and did not exist in previous versions of OS X.

For those who aren’t familiar with security terminology, “arbitrary code execution” means “no user interaction required.” It is the nightmare scenario of online security: The attacker sets up a web page containing hostile code or creates an ordinary looking document, image, or movie file. When you visit that web page or open that document or look at that picture or play that video clip—or even if you just download a file—the attacker’s code runs, potentially giving him complete control over your machine.

No permission dialog boxes pop up, and no password prompts are required.

But don’t just take my word for it. I’ve gone through that April document, line by line, and pulled out the details.

23 flaws, no user interaction required

Here’s a breakdown of what was in that single April 2011 OS X 10.6.7 update package. The text is taken directly from Apple’s security bulletin:

  • Nine separate flaws (buffer overflows, integer overflows, and memory corruption) in QuickTime, Image RAW, libTIFF, and ImageIO could allow arbitrary execution of code when viewing a maliciously crafted image or movie file.
  • Five buffer overflow and memory corruption issues in font-handling components could allow execution of arbitrary code when viewing or downloading a document containing a maliciously crafted embedded font.
  • Three issues (memory corruption, double free issue, and heap buffer overflow) could result in arbitrary execution of code when visiting a maliciously crafted website.
  • Two memory corruption issues in QuickLook allow arbitrary code execution when downloading a maliciously crafted Excel or Office file. (Note that this flaw is in Apple’s QuickLook viewer, and doesn’t require that the user have Office installed or even open the document using QuickLook.)
  • Multiple vulnerabilities in PHP and FreeType are patched, the most serious of which may lead to arbitrary code execution when running script or processing a font.
  • "A privilege checking issue in the i386_set_ldt system can result in a local user being allowed to execute arbitrary code with system privileges." The bad guys love privilege-escalation exploits, which even non-admins can execute.
  • And the one I found most interesting of all: “URL processing issue in Install Helper may lead to the installation of an agent that contacts an arbitrary server when the user logs in. The dialog resulting from a connection failure may lead the user to believe that the connection was attempted with Apple.” That certainly would make social engineering easier.
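To make the "integer overflow" entries in that list concrete, here is an added example that is not from Apple's bulletin or from any of the components named above: the unchecked pixel-buffer size computation that underlies many image-decoder fixes of this kind, beside a hardened version that rejects the crafted header. The 256 MiB cap and the header values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy cap on decoded pixel data (256 MiB), constructed for
 * this example; real decoders pick their own limit. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Vulnerable pattern behind many "integer overflow in image parser" fixes:
 * width * height * bytes_per_pixel is computed in 32 bits, so a crafted
 * header wraps the product to a small value. The decoder then allocates a
 * tiny buffer and copies far more pixel data into it: a heap overflow. */
uint32_t unsafe_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp; /* wraps silently for large fields */
}

/* Hardened version: reject zero fields, check each multiplication against
 * SIZE_MAX before performing it, then apply the policy cap. Returns the
 * byte count, or 0 when the header must be rejected (0 is never valid). */
size_t safe_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)
        return 0;
    size_t area = (size_t)width * height;
    if (area > SIZE_MAX / bpp)
        return 0;
    size_t total = area * bpp;
    return total > MAX_IMAGE_BYTES ? 0 : total;
}

int main(void)
{
    /* Constructed crafted header: 65536 x 65536 x 1 wraps to 0 in 32 bits,
     * so the unsafe decoder would allocate nothing and then write 4 GiB. */
    printf("crafted: unsafe=%u safe=%zu\n",
           unsafe_pixel_bytes(65536, 65536, 1), safe_pixel_bytes(65536, 65536, 1));
    /* Constructed benign header: 640 x 480 x 4 = 1228800 bytes, accepted. */
    printf("benign:  unsafe=%u safe=%zu\n",
           unsafe_pixel_bytes(640, 480, 4), safe_pixel_bytes(640, 480, 4));
    return 0;
}
```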

Keep in mind that this giant bundle of patches was a single update. Other, equally serious vulnerabilities had been patched in earlier major updates to Snow Leopard. (The 10.6.5 update in November 2010, for example, contained more than 30 patches for issues that involved a risk of arbitrary code execution.) And that doesn’t include the security fixes in new releases of Safari, QuickTime, and commonly used third-party browsers and apps.

Every one of the vulnerabilities in the April update had existed in OS X for a minimum of 18 months before being patched. Every entry on that list was capable of executing hostile code on an unpatched system with little or no user interaction. If an attacker develops a successful exploit of one of those vulnerabilities, your system can be compromised, silently and with deadly effect, if you simply download a document, view a movie or image, or visit a website.

This isn’t just a theoretical issue, either. At this year’s Pwn2Own contest, the first successful attack was against a MacBook running a fully patched copy of OS X:

A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple’s Safari browser to win this year’s Pwn2Own hacker challenge.

[The] winning exploit … bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X.

“The victim visits a web page, he gets owned. No other interaction is needed.”

A few days before the contest, Apple had delivered a massive security update to Safari, fixing “a total of 62 documented vulnerabilities, most serious enough to allow code execution attacks if a user simply surfs to a booby-trapped web site.” It wasn’t enough to prevent this attack from succeeding.

The same thing happened in 2009 and 2010. Charlie Miller summarized his Pwn2Own-winning performance in 2009 as follows: “It took a couple of seconds. They clicked on the link and I took control of the machine.”

Update: Apps can be a vector for this type of attack as well. An Australian researcher, Gordon Maddern, disclosed today that he has found a zero-day vulnerability in the Skype Mac client (not in the Windows or Linux clients) that allows an attacker to get root access to a Mac by sending a text message over Skype. Maddern calls it "extremely wormable and dangerous." A Skype spokesperson confirmed the vulnerability to Dan Goodin of the Register and said a fix will be available next week.

If you think Macs are immune from drive-by attacks or social engineering, you need to think different. A sufficiently motivated attacker who is aware of an unpatched vulnerability can take over any system, including a Mac. But that raises a much more interesting question.


It hasn’t happened before, so why are things different now?

The thrust of this argument is simple. If today’s Macs and PCs are equally vulnerable, how come there are so few Mac-oriented Trojans and viruses in the wild? This question is usually accompanied by figures: an insanely high number of Windows viruses contrasted with some very low number of Mac viruses.

That’s a reasonable point. Why is there such a big difference between Mac and Windows malware counts? And why would that balance suddenly change?

For the answer, you have to summon your inner Woodward and Bernstein and follow the money.

When Windows went through its big malware crisis in the early 2000s, viruses and worms were frequently exercises in pure vandalism. Today, they are exercises in pure capitalism. Widespread attacks on Windows machines like the one I documented last month are typically run by gangs of organized criminals in loosely policed countries like those in the former Soviet Bloc.

The guys who run these operations are not master hackers—they are thugs who use point-and-click malware construction kits that they buy from rogue programmers. It’s a thriving business. And so far that software category, like so many legitimate software businesses, has been built on Windows. Its overwhelming market share meant that's where the money was.

In an interview, John Harrison, Symantec's Group Product Manager, Security Technology and Response, called these crimeware organizations "financially motivated." They're like the evil twins of legitimate software companies: "They have developers, QA people, pyramid sales structures, and pay-per-install models. The web attack toolkits might include 20 vulnerabilities, but if you buy the support plan you get new vulnerabilities as they become available."

Gunter Ollmann, vice president of research for security consulting firm Damballa, described the most popular crime kit of last year:

Zeus is an interesting DIY malware construction kit. Over the years it has added to its versatility and developed into an open platform for third-party tool integration – depending upon the type of fraud or cybercrime the botnet master is most interested in. Along the way, many malware developers have tweaked the Zeus kit and offer specialized (and competing) major versions of the DIY suite (for sale).

Jerome Segura at Pareto Logic offered an excellent behind-the-scenes look at the Spy Eye crime kit last year. Here, for example, is the point-and-click main screen:

Main screen for Spy Eye point-and-click malware generator

And here’s the console that the bot herder uses to manage his network of compromised PCs. Looks pretty easy to use, doesn't it?

Admin console for kit-generated malware

Zeus and Spy Eye… Hmmm, where have I heard those names before? Oh yes, just last week:

The first advanced DIY (Do-It-Yourself) crimeware kit aimed at the Mac OS X platform has just been announced on a few closed underground forums. … The webinjects templates are identical to the ones used in Zeus and Spyeye.

Independent security researcher Brian Krebs looked more closely at the business model for these kits and found a fairly sophisticated modular pricing structure, with kit authors charging $2,000 for a Firefox form grabber, another $1,500 for a Backconnect module the buyer can use to make bank transactions through a compromised PC, and so on. How much do you think an OS X compatibility module would go for?

Is this the tipping point?

Seeing the first DIY malware kit for the OS X platform is a big deal. It marks a tipping point, one in which online criminals are embracing the slow decline of the Windows monopoly and the steady rise of alternative platforms.

Interestingly, a prominent security researcher predicted exactly this tipping point in a paper published in March 2008 in IEEE Security and Privacy. [Unfortunately, “When Malware Attacks (Anything but Windows)” is behind a paywall, but you might be able to locate it if you search in the right place.]

In that paper, Adam J. O’Donnell, PhD, presented “a new model based on game theory for predicting if, and when, Mac malware will arise based on a reasonable number of measurable parameters.”

In that three-year-old paper, O’Donnell described the assumptions behind his analysis as well as “factors outside our model that could hasten or postpone the arrival of Mac malware.” At the time, he concluded:

Malware authors will continually test the market conditions and look for the right time to begin exploiting the new platform. We must also be mindful of targeted attacks, as the value of the data contained on an individual system to an attacker might far exceed the value of the machine as a platform for sending spam.

In a keynote address to the MIT Spam Conference in March 2008 (PDF copy here), O’Donnell first makes the familiar comparison I described at the beginning of this section:

  • Windows malware: around 250k samples by the end of 2006, 500k by the end of 2007
  • Macintosh Malware: under 100, including pre-OSX

And so O’Donnell asks the perfectly reasonable question: If not now, when? His answer:

I expect relatively wide-spread, monetized Mac malware when we see around 5-10% of the Internet population using Macs.

Are we there yet? Macs have been wildly successful in the past three years. So successful, in fact, that their share of actual web traffic has nearly doubled during that time. At the end of 2008, a few months after O’Donnell’s paper was published, StatCounter measured OS X usage on the Web at roughly 3.8%. In the first half of 2011, those numbers have risen to 6.5% and show no sign of slowing that steady increase. [source: StatCounter global stats, 2008-2011] Net Market Share shows a similar trend, with OS X usage rising from 3.45% in April 2008 to 5.4% today.

Chart: OS X share of web usage, data provided by Net Market Share

The other significant trend worth noting is the steady decline of Windows XP. The bad guys love XP, because it’s so much easier to attack than newer Windows versions. As XP’s share among Windows users drops (it’s now hovering just above 50%) the conversion rates for online attacks drop too. That means the bad guys need fresh blood.

A gain of a few percentage points in the Mac market might not seem like a lot, but in a universe with a billion Internet-connected devices, each percentage point equals a potential 10 million victims. A market with 60 million, 80 million, or even a hundred million Mac users is big enough for the bad guys.

Upcoming versions of crimeware kits will probably be cross-platform, with the capability to build and deliver Windows and OS X packages using as many vulnerabilities and social engineering tricks as possible. On every poisoned web page, visitors get sorted by OS: Windows users this way, OS X users over there. Each group gets its own custom, toxic blend. If all it takes is a tick of a check box, the gangs using these kits can jump into the Mac market literally overnight.

So now the question is when will that day come? This year? Next year?

Apple has shown signs lately that it's trying to prepare for the onset of hostilities. This year, for the first time ever, it has invited outside security experts to look at an upcoming release of OS X.

My prediction is that the bad guys are still “testing market conditions,” and waiting for the right time for their grand opening. I think we’ll see a few more of these tentative probes—beta tests, if you will—before anyone unleashes a truly widespread attack. The trouble is, in this market, Mac users aren’t the customers—they’re the product.
