Mac malware and missing the point

And so, with Flashback, Mac users finally have a significant piece of malware to worry about. From the tech news sites, you’d think that the sky is falling for users of Apple’s OS X. And, as usual, they’ve completely missed a more significant point - about how malware is changing.

I’ve seen one estimate that puts the number of Flashback infections at 1% of the Macs in use. That’s pretty paltry by PC standards where the proportion of infected machines is way up in double digits, even reaching 90%-plus in some parts of the world (largely due to the widespread use of pirated versions of Windows).

The most recent estimate I’ve read from Kaspersky, which has sinkholed a number of the Command & Control (C&C) server domains, is 660,000 machines. Again, that’s small beer compared to the Windows world. On the other hand, it’s a pretty impressive performance for a single trojan. After all, when it comes to malware, the Windows world has millions of samples to choose from, and new ones are appearing every few seconds.

Flashback is fairly trivial to detect and remove. F-Secure has published instructions for detection and removal; Kaspersky has its own, and is also offering an online check at http://flashbackcheck.com that tells you whether your Mac’s Universally Unique Identifier (UUID) has been seen communicating with the C&C servers and whether you have a vulnerable version of Java. Apple has announced it is working both on a removal tool and with ISPs to disable the botnet’s C&C servers.

The people who’ve been shouting the loudest about Flashback are, predictably, the anti-malware vendors. Of course, they’re not entirely disinterested parties. Sophos has been banging on about Mac malware for some time now, even though, when it talked about the subject last year, it was able to enumerate every piece of Mac malware ever known, in detail, in a single blog post. It also goes to great pains to point out that its Mac anti-malware package is free to individual users. Of course, it’s not free to corporate and organisational users, and we all know what inroads Apple is making there.

According to a story from Computerworld, sales/downloads of Mac anti-malware packages have really taken off since the Flashback story broke.

But let’s not be too cynical. Does Flashback herald a new era for Mac users? Probably. Some would say that Apple is now so successful that it’s worthwhile for malware writers to target the platform. But that’s where the whole ‘missing the point’ thing comes in.

Flashback doesn’t target OS X, per se. It targets Java.

What is significant about this outbreak is that it’s the best example we’ve had so far of how malware has moved up the software stack. By targeting third-party frameworks or applications rather than the OS itself, the malware writers get the best bang for their buck: one exploit for a cross-platform runtime like Java works on every OS that runs it (which is why Linux users should also stop looking so smug).

The take-away here isn’t that complacent Mac users are finally getting their come-uppance. It’s that we all need to pay more attention to what software is on our machines. Apple’s advice to ditch Java if you don’t need it looks sensible to me. But it doesn’t go far enough. Even those end users who’ve got the message about regular and timely patching often think it just refers to the OS.

We need to get into the habit of regularly reviewing what’s on our computers. Delete what you don’t use, and make sure the rest is fully patched.
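Here is an added example (not from the editorial, and not F-Secure’s or Kaspersky’s tool) of the two habits above in one script for OS X: an inventory of what’s in /Applications with each bundle’s identifier and version, and a check of each app’s Info.plist and the per-user environment.plist for a DYLD_INSERT_LIBRARIES entry. That library-injection persistence is what public write-ups, including F-Secure’s removal instructions, attribute to Flashback; the editorial itself doesn’t describe the indicator, so treat it, the two paths, and the sample plist contents as assumptions made here.

```python
import os
import plistlib
from typing import Dict, Iterable, Iterator, List, Tuple

# Assumed locations on a stock OS X install (not stated in the editorial).
APPLICATIONS_DIR = "/Applications"
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")

# Constructed sample Info.plist contents so the checks can be exercised
# without a Mac. The injected library path is made up for illustration.
SAMPLE_CLEAN = {
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleShortVersionString": "5.1.5",
}
SAMPLE_INJECTED = {
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleShortVersionString": "5.1.5",
    "LSEnvironment": {
        "DYLD_INSERT_LIBRARIES": "/Applications/Safari.app/Contents/Resources/.constructed.dylib"
    },
}


def injected_libraries(info: dict) -> List[str]:
    """Libraries an Info.plist asks dyld to inject when the app launches.

    LSEnvironment is a documented Info.plist key holding environment variables
    that LaunchServices sets for the app; DYLD_INSERT_LIBRARIES is dyld's
    colon-separated list of dylibs to load before anything else. A legitimate
    app bundle has no business carrying one."""
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    return [p for p in str(env.get("DYLD_INSERT_LIBRARIES", "")).split(":") if p]


def describe_bundle(info: dict) -> Tuple[str, str]:
    """(bundle identifier, version) for the inventory listing."""
    bundle_id = str(info.get("CFBundleIdentifier", "<no bundle id>"))
    version = str(info.get("CFBundleShortVersionString") or info.get("CFBundleVersion") or "<no version>")
    return bundle_id, version


def iter_bundles(apps_dir: str) -> Iterator[Tuple[str, dict]]:
    """Yield (app name, parsed Info.plist) for every app bundle under apps_dir."""
    try:
        names = sorted(os.listdir(apps_dir))
    except OSError:
        return
    for name in names:
        plist_path = os.path.join(apps_dir, name, "Contents", "Info.plist")
        try:
            with open(plist_path, "rb") as fh:
                yield name, plistlib.load(fh)  # handles both XML and binary plists
        except (OSError, plistlib.InvalidFileException, ValueError):
            continue  # not an app bundle, or unreadable


def audit(bundles: Iterable[Tuple[str, dict]]) -> Dict[str, List[str]]:
    """Map app name -> injected libraries, for every bundle that injects any."""
    findings: Dict[str, List[str]] = {}
    for name, info in bundles:
        libs = injected_libraries(info)
        if libs:
            findings[name] = libs
    return findings


def user_environment_injections(path: str = USER_ENV_PLIST) -> List[str]:
    """Same check against the per-user environment.plist, the second place
    public write-ups say Flashback variants set DYLD_INSERT_LIBRARIES
    (assumption made here, not something the editorial states)."""
    try:
        with open(path, "rb") as fh:
            env = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return []
    if not isinstance(env, dict):
        return []
    return [p for p in str(env.get("DYLD_INSERT_LIBRARIES", "")).split(":") if p]


if __name__ == "__main__":
    # Self-check on the constructed samples, then the real /Applications if present.
    print("sample clean   :", injected_libraries(SAMPLE_CLEAN))
    print("sample injected:", injected_libraries(SAMPLE_INJECTED))
    bundles = list(iter_bundles(APPLICATIONS_DIR))
    for name, info in bundles:
        bundle_id, version = describe_bundle(info)
        print(f"{name:<40} {bundle_id:<40} {version}")
    for name, libs in audit(bundles).items():
        print(f"!! {name} injects {', '.join(libs)}")
    for lib in user_environment_injections():
        print(f"!! {USER_ENV_PLIST} injects {lib}")
```

The inventory half is the bit worth running regularly: anything in the listing you don’t recognise or don’t use is a candidate for deletion, and the version column is what you compare against the vendor’s current release. The injection half is a narrow indicator for one persistence trick; a clean result from it says nothing about other malware.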

Personally, I don’t think I’ll be bothering with anti-malware software on this MacBook Pro for the foreseeable future. (I’m even a little dubious about its value on my Win7 laptop, frankly.) But then I’m obsessive about patching…

Apple: not so obscure any more

It’s long been claimed that Apple platforms have been free of malware mainly because they represent such a small niche of the market that it wasn’t worth the effort creating viruses and trojans for them.

Not any more.

In fact, Apple has had such a significant share of the market for so long that it’s a wonder we haven’t seen more malware. What’s more, given the high price of Apple kit, and therefore the high income levels of Mac owners, there’s a case for arguing that they represent a strong target for ID thieves and banking trojans. ;)

Now that Apple has surpassed Microsoft in market cap, revenue and earnings, that ‘not worth bothering’ argument is looking weaker by the second. What’s more, Apple platforms tend to be somewhat more homogenised than Windows (or even Android) ones, as Apple sells both the hardware and software and systems have a greater tendency to be updated to recent versions.

And there’s another stat, rather less well known, that makes me think that Apple has now come out of obscurity and should be in the crosshairs of malware writers.

I was talking recently to Bradford Networks, a vendor of networking software that provides auto-discovery of attached devices. The firm is especially strong in the education market - mainly universities. And I was told that, particularly in the US, up to 95% of the devices being attached are Apple kit.

That’s not a misprint. And remember that the remaining 5% isn’t just Windows laptops - it’s Wiis, PlayStations and Android devices.

I expect that proportion to change, with Android taking a rapidly larger share (which it probably has already - remember, the figure was up to 95%). Nonetheless, it means that the next generation of business people is one habituated to Apple.

Now, Apple fans will claim that the lack of malware on their platform of choice is down to greater inherent security, with none of that nonsense with autorun, ActiveX or {insert the 10 top malware-friendly Microsoft technologies of your choice}. *nix fans will say that Apple’s decision to base OS X on BSD is the reason it’s so sound.

Hmmm.

The fact is, OS X has its vulnerabilities. Apple keeps patching them, although rather slowly at times.

All the malware tools, from Sub7 and Zeus/SpyEye through cryptors to delivery mechanisms, are Windows-based and Windows-oriented, so one possible reason for Apple’s relative immunity is the effort needed for the bad guys to re-tool. And why would they when they can still make millions from Windows users?

And there’s another reason for Apple users to feel less smug. Exploits have wound their way up through the stack, less frequently targeting the OS and working increasingly at the application layer. Many attacks are browser-based or are mounted through services like Facebook. Add to that the prevalence of social engineering-based tactics - many of which are effectively platform independent - and you have a computing landscape rich in threats for Apple users.

This really is the time for Mac and iPhone users to wake up. Me? I’m heading over to Sophos to download its free AV package for Macs. It won’t make any difference but I’ll feel better.

The year ahead

At the turn of the year, it’s practically a tradition that security and anti-malware vendors make their prognostications for what lies ahead for us over the next 12 months. Most of the predictions are, as it were, predictable. More malware, more Stuxnet-like cyberwar disguised as malware, more targeted phishing and a greater focus on mobile and Apple platforms as they become increasingly pervasive.

Don’t ask anyone to put numbers against these predictions – that would be too hard. But it seems they are on fairly safe ground.

The Apple angle is interesting in light of the firm’s newly launched Mac App Store for OS X and the immediate backlash it seems to have provoked. More than one security researcher has warned that the Digital Rights Management (DRM) capabilities of the App Store are flawed, and a group calling itself Hackulous claims to have a tool – Kickback – that breaks the DRM protections.

In theory, when you obtain a program from the new App Store, it is registered to the machine you used to download it. You can run it on other machines, but only by registering those machines for the app through your App Store account. But some developers haven’t implemented these ‘receipt’ checks properly, Apple seems not to have applied them to some apps at all, and on others they can be subverted. This means apps can be pirated – which returns us to the situation that existed before the advent of the App Store. I mean, pirated software isn’t exactly new, is it? One researcher warned that such pirated software might contain malware, which is true. In fact, this has happened in the past with software shared via BitTorrent. So that’s not exactly new, either.
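To make the ‘registered to the machine’ mechanism concrete, here is an added model of the receipt check (written for this page; it is not Apple’s code and not from the editorial). A real Mac App Store receipt is a PKCS#7-signed DER blob whose payload carries the bundle identifier, version, an opaque value and a SHA-1 hash binding it to the downloading machine’s GUID, which Apple derives from the MAC address of the primary network interface; the app is expected to verify the signature and then those fields at launch. This model keeps only the binding, so the dataclass layout, the six-byte GUID, the bundle identifier and all sample values are assumptions for illustration, and the signature verification is omitted.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Receipt:
    """The receipt attributes that matter for the machine binding (assumed layout)."""
    bundle_id: str
    version: str
    opaque: bytes      # per-purchase random value the store puts in the receipt
    guid_hash: bytes   # SHA-1 over machine GUID || opaque || bundle id


def guid_hash(machine_guid: bytes, opaque: bytes, bundle_id: str) -> bytes:
    """The binding hash. Apple's documented GUID is the primary interface's
    MAC address; here it is simply six bytes handed in by the caller."""
    h = hashlib.sha1()
    h.update(machine_guid)
    h.update(opaque)
    h.update(bundle_id.encode("utf-8"))
    return h.digest()


def issue_receipt(bundle_id: str, version: str, machine_guid: bytes, opaque: bytes) -> Receipt:
    """What the store does at download time: commit the receipt to this machine."""
    return Receipt(bundle_id, version, opaque, guid_hash(machine_guid, opaque, bundle_id))


def validate_receipt(receipt: Receipt, expected_bundle_id: str,
                     expected_version: str, machine_guid: bytes) -> Optional[str]:
    """What a properly protected app does at launch. Returns None when the
    receipt is good, otherwise the reason the app should refuse to run. In
    the real check these steps come after verifying the PKCS#7 signature
    against Apple's root certificate, which this model leaves out."""
    if receipt.bundle_id != expected_bundle_id:
        return "bundle identifier does not match this app"
    if receipt.version != expected_version:
        return "receipt is for a different version of this app"
    expected = guid_hash(machine_guid, receipt.opaque, receipt.bundle_id)
    if not hmac.compare_digest(receipt.guid_hash, expected):
        return "receipt was issued to a different machine"
    return None


def app_will_run(receipt: Receipt, expected_bundle_id: str, expected_version: str,
                 machine_guid: bytes, checks_receipt: bool = True) -> bool:
    """An app that never calls the check (checks_receipt=False) runs on any
    machine the receipt file is copied to, which is the gap the editorial
    describes: the binding only bites if the developer enforces it."""
    if not checks_receipt:
        return True
    return validate_receipt(receipt, expected_bundle_id, expected_version, machine_guid) is None


# Constructed sample data: two machines with different primary MAC addresses
# and one purchase made on machine A. All values are made up.
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
OPAQUE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4")
BUNDLE_ID = "com.example.demoapp"   # hypothetical bundle identifier
VERSION = "1.0"

RECEIPT_A = issue_receipt(BUNDLE_ID, VERSION, MAC_A, OPAQUE)

if __name__ == "__main__":
    print("on the original machine :", validate_receipt(RECEIPT_A, BUNDLE_ID, VERSION, MAC_A))
    print("receipt copied to B     :", validate_receipt(RECEIPT_A, BUNDLE_ID, VERSION, MAC_B))
    print("app without the check, B:", app_will_run(RECEIPT_A, BUNDLE_ID, VERSION, MAC_B, checks_receipt=False))
```

The point of the hash is that the receipt file is useless when copied: machine B cannot reproduce the digest because its GUID differs, and it cannot forge a new one without Apple’s signing key. None of that matters for an app that ships without the check, which is why the weakness is in individual apps rather than in the store.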

At least Apple is making some effort to ensure that the software people buy is trustworthy. The new App Store is modelled on the one that Apple uses for distributing iPhone and iPad apps. All apps in that store must be digitally signed by the developer and Apple. On iOS platforms, the only simple way to be infected with a rogue app is to jailbreak your device.

Apple is often criticised for its tight (some say oppressive) control over what gets distributed through the iOS App Store. But compare this with what’s happening on Android. Even before it overtook iOS in the smartphone popularity stakes, it was being hit with more malware threats and vulnerabilities than ever plagued the iPhone. Part of the reason is lack of control over software distribution. There are devices out there from multiple vendors, with several versions of the OS in use at any one time and numerous sources of software. Amazon is just the latest entry into the Android app store market.

Android malware is becoming sophisticated, too. The Geinimi trojan – found in some Chinese games – not only steals personal data but also takes instructions over a command and control channel. This botnet-like behaviour could be used, for example, to download more malware on to the device.

It seems that 2011 will be the year of the tablet wars. The iPad has created a market that most pundits said didn’t exist. Now every electronic device vendor in the world, it seems, is pushing a tablet device on to the market. A minority will be Windows-based but the vast majority will be built around mobile platforms – iOS and Android. And with the smartphone market so huge now, it seems a given that malware writers will have these platforms in their sights over the coming year. You don’t need to be clairvoyant to see that.

[This is the editorial from the January 2011 issue of Computer Fraud & Security]