
For Malware Developers, Mac Moves From Safe Zone To Target Zone

Growth of mobile devices, shortage of strong defenses make Apple look appetizing to authors of malicious code

Security experts weren't all that surprised when they discovered Mac Defender, a fake antivirus package that actually carries malware, on the Macintosh platform last month. After all, the MacOS platform is becoming a lot more popular, particularly in the mobile world.

But when a new version of Mac Defender appeared last week -- just a few weeks after the first version had appeared -- many experts turned their heads. The rapid evolution of new malicious code, long a mainstay of Windows malware, apparently is now becoming a reality in the Mac world as well.

Over the Memorial Day weekend, Apple issued a security update that promises to remove all versions of Mac Defender. But experts say the race between malware developers and Apple system defenders has only just begun.

"For a long time, Apple users have had a false sense of security that the Mac couldn't get malware," notes Andy Hayter, anti-malcode manager at ICSA Labs, which does security product testing and certification. "The antivirus vendors haven't been focused on it, because there wasn't much activity. But apparently, the Mac has now reached critical mass."

With the growing use of Apple devices such as the iPhone and the iPad in the mobile world -- and with the growing diversity of browsers and applications in the Windows world -- the Mac is beginning to look like just another fertile target for malware authors, experts say.

"We have certainly seen the exploit kit scripts become more complex as the Windows world has begun serious fragmentation on the browser side," says Chris Larsen, senior malware researcher at Blue Coat Systems, which makes network security and anti-malware tools.

Malware authors are finding that with the evolution of browsers such as Chrome, Opera, and Firefox, writing a new exploit is no longer a Windows-based, one-size-fits-all proposition, Larsen observes. "The bad guys are in a mode where they need to manage a wide variety of exploits anyway, so adding Mac and Linux attacks isn't as big a leap as it used to be."

In fact, from a malware writer's perspective, there might actually be more commonality among some Mac and mobile application environments than there is currently in Windows, notes Neil Daswani, CTO of Dasient Inc., an anti-malware service provider. The open source browser engine WebKit, which has become increasingly popular in the last year or two, provides a common point of attack on multiple environments, including the Mac.

"WebKit is the engine behind Safari, and it's used on the iPhone as well," Daswani observes. "It's also the engine for Chrome and Android, which makes it a great starting point [for writing malware]."

In a blog post last week, McAfee researcher Craig Schmugar published a chart showing dozens of new and unique Mac OS X malicious binaries appearing during the month of May, outnumbering all of the Mac-based malware detected in the previous four months of the year.

"Is this merely a short-term blip on the radar or the beginnings of a trend for Mac threats? Time will tell," Schmugar writes. "However, rogue security programs in general are generating revenues of hundreds of millions of dollars a year for the bad guys, a powerful incentive. Furthermore, ZDNet estimates that 60,000-125,000 customers have called Apple support this month about such malware. Of course, only a fraction of those infected would actually pick up the phone, so the problem is likely much larger."

Phil Blank, a security analyst at Javelin Strategy & Research, says the growth of Mac-based malware is just one example of the multi-dimensional approach that attackers are adopting toward new exploits.

"We see cybercriminals gathering knowledge and then using it to create new and better attacks," Blank says. "The Sony attacks were a good example -- the bad guys got in and stole the login and password information, then they went back and used that data to launch more exploits. You can expect more attacks that are multidimensional, and the Mac will be one part of that."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
