Human Rights Groups Report A Surge In Highly Targeted Malware For Macs


The security world has long cautioned Mac users that the scarcity of malware targeting their machines was a function of cybercriminals' focus on Windows' larger market share, not of Apple's superior security. Now that espionage-focused hackers are setting out to infect networks in highly targeted attacks, one human-rights research group is warning that the illusion of security Mac users once enjoyed is a thing of the past.

At the SecTor conference in Toronto last week, security researcher Seth Hardy of the University of Toronto's Citizen Lab research center warned that 2012 has seen a significant increase in new variants of targeted, Mac-focused malware reported to the group by the human rights organizations it seeks to aid. Over the year so far, it's seen five new types of espionage malware for Apple's operating system appear, compared with just one in 2011 and none in prior years.

"This was a very rare anomaly in 2011. This year it’s part of the new normal," says Hardy. "[Attackers] have noticed that a lot of organizations are using Macs. If they want to target these organizations, they need a wider range of tools to get into these systems."

The most prominent example of Mac malware to appear in 2012 was Flashback, a cybercriminal botnet seemingly intent on hijacking machines for click fraud that used a Java vulnerability to infect more than 600,000 Macs at its peak. But that kind of fraud-focused mass malware doesn't concern Citizen Lab as much as the more targeted and less widely-known samples that activists find on their networks and anonymously pass on to Citizen Lab's researchers.

Here are the targeted Mac malware samples Hardy mentioned in his talk:

  • Revir/IMuler: Citizen Lab first spotted Revir in May of 2011, but it has reappeared in infections throughout 2012, carried in spoofed emails with content crafted to appeal to specific recipients. The malware is capable of stealing files or sending screenshots of the target machine to a remote server. According to the antivirus firm F-Secure, the latest versions of Revir are also capable of evading detection by shutting down when they see analysis tools running.
  • Sabpab: Also known as Sabpub, Olyx, Lamadai, Lasyr, and other names, Sabpab was initially delivered using a vulnerability in Java to infect target machines. Like Revir/IMuler, it's capable of sending files or screenshots to its controllers, and Hardy says it's still being used in ongoing attacks.
  • Maccontrol: The program, first spotted by the security firms AlienVault and Trend Micro, is often delivered in a .zip file and is capable of taking full control of an infected machine. Citizen Lab traced its command-and-control servers and matched them with a Windows-based attack on the same group.
  • Davinci: Also known as Morcut and Crisis, Davinci is a piece of commercially available spyware built by the Italian security firm Hacking Team. Despite Hacking Team's claims that it's only been used by law enforcement, it's also been found targeting Moroccan journalists.
  • Netweird: A low-grade, commercially sold spyware targeting Macs that was first discovered by the antivirus firm Intego when it was uploaded for testing to VirusTotal, the online multi-engine malware-scanning service. Hardy says that despite seeing advertisements for the program in hacking forums, it hasn't yet been seen on real-world networks.

Hardy says that Citizen Lab can't reveal the source of its malware samples due to agreements it's established with the human rights groups it deals with, although he will say that many of the groups are in the Tibetan activist community. And given the difficult nature of tracing cyberattacks, Citizen Lab hasn't tried to identify the malware variants' sources or whether they were used by government or private hacker groups, either. "The subtleties of saying whether something is state-supported is very difficult," he says. "And it’s something you really don’t want to get wrong, so we're not making any accusations."

Five examples of Mac malware still represents a tiny fraction of the many thousands of variants researchers at antivirus companies spot on a regular basis, most of which focus on profit rather than espionage. But even the shift from zero known Apple-focused targeted malware samples to a handful shows that determined attackers with a specific victim in mind are now capable of compromising Macs when it suits their purposes.

A year ago, Hardy says, he would have recommended that organizations with few IT staffers use Macs or Linux instead of Windows, alongside other security precautions. Today he still believes that Apple's code base is marginally more secure than Windows, but the rising motivation of skilled attackers to target Macs means any sense of immunity has disappeared. "Rather than hit a wall if they see a number of Macs on the network, they’re hitting those targets, too," Hardy says.

Hardy believes that Mac-focused, targeted malware is just beginning to grow in volume and sophistication, and he suggests Apple users take the same precautions as other organizations, like teaching staffers to take a skeptical approach to attachments or external links in emails that might run a software exploit on their machine or route them to an infected web page, as well as running antivirus as a secondary layer of defense.

Though Mac-focused malware is a relatively new phenomenon, it's no surprise that Apple's software is exploitable by hackers. Despite the company's hints in its advertising that its machines have been immune to viruses, researchers have been demonstrating chinks in its defenses for years. In 2010, for instance, security researcher Charlie Miller demonstrated that by running a simple "fuzzing" program that throws random data at Apple's Safari browser to see which inputs cause it to crash, he was able to find 20 exploitable bugs in the program that would let him take over a user's machine.
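As an added illustration of the fuzzing approach described above (this is example code written for this page, not Miller's tooling or anything from Citizen Lab), the block below runs a minimal mutation fuzzer. A real fuzzer would launch a target such as Safari as a separate process and watch for crash signals; here the target is a constructed, deliberately fragile length-prefixed parser, and an uncaught Python exception stands in for a crash. The fuzzer mutates seed inputs, buckets crashes by exception type and source line so the same bug isn't reported thousands of times, and then shrinks one crashing input to the smallest case that still triggers it, which is what a researcher triaging fuzz results actually wants to look at.

```python
import random

# Constructed target: repeated [1-byte length][payload of that length].
# Deliberately buggy: it trusts the declared length and indexes past a
# truncated payload, raising IndexError (our stand-in for a crash).
def parse_chunks(data: bytes) -> list:
    out = []
    i = 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]
        checksum = payload[n - 1] if n else 0   # IndexError when payload is short
        out.append((n, bytes(payload), checksum))
        i += 1 + n
    return out


# Well-formed seed inputs (constructed) for the mutator to start from.
SEEDS = [b"\x03abc\x02de", b"\x01x\x00\x04wxyz", b"\x00\x00\x00"]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations: bit flip, boundary byte,
    insertion, or truncation. Dumb mutation, no grammar knowledge."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:                     # flip one bit
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == 1 and data:                   # overwrite with an edge-case byte
            i = rng.randrange(len(data))
            data[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
        elif op == 2:                            # insert a random byte
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif op == 3 and len(data) > 1:          # truncate at a random point
            del data[rng.randrange(len(data)):]
    return bytes(data)


def crash_key(exc: BaseException) -> tuple:
    """Bucket a crash by exception type and the innermost line that raised it."""
    tb = exc.__traceback__
    while tb is not None and tb.tb_next is not None:
        tb = tb.tb_next
    return (type(exc).__name__, tb.tb_lineno if tb else -1)


def fuzz(target, seeds, iterations=2000, rng_seed=1) -> dict:
    """Run `iterations` mutated cases through `target`; return one example
    input per distinct crash bucket. Deterministic for a given rng_seed."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except Exception as exc:                 # noqa: BLE001 - any exception is a "crash"
            crashes.setdefault(crash_key(exc), case)
    return crashes


def minimize(target, case: bytes, key: tuple) -> bytes:
    """Greedy delta reduction: drop single bytes while the same crash persists."""
    def still_crashes(candidate: bytes) -> bool:
        try:
            target(candidate)
        except Exception as exc:                 # noqa: BLE001
            return crash_key(exc) == key
        return False

    changed = True
    while changed:
        changed = False
        for i in range(len(case)):
            candidate = case[:i] + case[i + 1:]
            if candidate and still_crashes(candidate):
                case = candidate
                changed = True
                break
    return case


if __name__ == "__main__":
    found = fuzz(parse_chunks, SEEDS)
    for key, sample in found.items():
        print(key, sample, "->", minimize(parse_chunks, sample, key))
```

Even this crude loop finds the truncated-length bug within a few hundred cases, and the minimizer reduces it to a single nonzero length byte with no payload, which is exactly the kind of one-line reproducer that separates a real finding from fuzzer noise.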

Last spring, when I interviewed sources in the "exploit sales" industry--the underground marketplace for information used to hack certain software--I learned that working exploits for Apple's Safari or for the underlying Mac operating system can sell for tens of thousands of dollars. A single exploit that takes apart the defenses of an iPhone or iPad can cost as much as $250,000.

In June, even Apple itself tacitly admitted that its machines are being increasingly targeted by malware when it deleted a long-standing claim on its website stating that Macs "don't get PC viruses"--as clear a sign as any that the sense of security Mac users borrowed from Windows' greater attractiveness to hackers no longer offers them real protection.

"People ask me, 'Are Mac users no longer safe?'," Hardy says. "Despite that smug feeling of superiority and increased security, Mac users have never been safe. They just weren't as vulnerable as Windows users."

Follow me on Twitter, and check out my new book, This Machine Kills Secrets: How WikiLeakers, Cypherpunks and Hacktivists Aim To Free The World’s Information.