Security Woes: Apple Hits the Big Time

Malware, as Microsoft could have told Apple, comes with the territory. Last year saw a surge in Mac-related malware; 2012 has sustained that trend in a big way.

In a recent report, Forrester Research projected that Apple would sell $19 billion worth of Macs and iPads to enterprise customers in 2012, a 58 percent jump over 2011. In a posting on its Threat Research blog, F-Secure indicated that the number of Mac-related security threats spiked in 2011 relative to prior years. It's a sobering reminder: as Apple's platforms enjoy increasing uptake among users, they'll likewise become ever more attractive targets for cybercriminals and hackers.

Last spring, users of Apple Inc.'s Mac OS X platform got a rude awakening in the form of Mac Defender, a Trojan malware variant that masqueraded as a legitimate Mac security offering. It took Apple several weeks to clean that mess up.

Now, a new Mac malware variant is making headlines. It's BackDoor.Flashback.32, a Trojan that targets several long-known vulnerabilities. Microsoft Corp. issued a patch for the vulnerability (CVE-2012-0507) targeted by BackDoor.Flashback.32 in mid-February. Apple issued its patch on April 4.

According to Russian anti-virus specialist Dr. Web, BackDoor.Flashback is actually tied to a functioning botnet of some 550,000 compromised Mac systems, more than three-quarters of which are located in the U.S. and Canada. These systems comprise just a portion of the overall BackDoor.Flashback botnet, but they're a testament to a technology truism: the higher a company's profile in terms of market share or penetration, the higher its attack profile, too. Apple's profile in both respects is set to explode.

"From April to December 2011, there have been several dozen new Mac threats," according to a member of the F-Secure Labs Threat Research team. "[T]hat's nothing when compared to Windows malware -- but it's definitely something when compared to the number of Mac threats seen prior to 2011."

All told, F-Secure Labs tallied 58 "new" Mac-related malware variants, including 18 backdoor programs, 7 Trojans, 26 Trojan downloads, and 7 "rogue" programs. F-Secure's list doesn't offer a raw count of all of the malware variants it tallied between April and December. Instead, F-Secure Labs counted only unique variants.

Malware Breakout

Malware-wise, 2011 was a break-out year for Mac users. First, back in May, Mac Defender -- a rogue Trojan downloader -- was billed as the first major malware attack on the Mac OS X platform. It didn't help that Apple bungled its response to the Mac Defender imbroglio. The rogue Trojan ravaged Mac users for nearly four weeks before Apple published a technical support note that instructed users how to remove it.

Then, one month later, security specialist AppRiver announced the discovery of a new malware variant, dubbed Weyland-Yutani, designed to target both PC and Mac platforms.

"Weyland is an equal opportunity bot that has built-in capabilities to infect both PC and Mac based platforms with more in the works," AppRiver researchers cautioned. "[It] has ... the ability to automatically create scripts designed to infect both PC and Mac machines. Mac malware has been around for a while, though it has [not] yet until now been available as a kit," they explained.

Kits make it easier for even "minimally technical" malware-makers to create custom malware, AppRiver observed. "The kit is selling for 1000 credits [in] WebMoney[,] which exchanges to about $1,065 US, and the authors have guaranteed the addition of iPad and Linux scripts in the very near future."

This isn't the first time Mac users have been rocked by a Flashback: late last year, a fake Flash Trojan -- dubbed (you guessed it) "Flashback" -- wrought havoc of its own. That Flashback actually came in two variants: the original sent information about a compromised system to a remote server; its successor -- which F-Secure dubbed Flashback.C -- disables the security definition updating scheme that Apple released last May (with Security Update 2011-003) to safeguard against Mac Defender-like malware.

Just prior to the appearance of Flashback, the Mac played host to a PDF-related Trojan, which F-Secure dubbed Revir.A (or "Trojan-Dropper:OSX/Revir.A"). Revir.A opens a PDF file to distract a user while -- in the background -- it downloads a backdoor program onto a compromised system, according to F-Secure. Like Mac Defender, Revir.A exploits the Safari Web browser's "Open 'Safe' Files After Downloading" option, which is enabled by default. (The default behavior of other common Web browsers -- e.g., Internet Explorer 9, Mozilla Firefox 9.x, Google Inc.'s Chrome, and Opera -- is to save a file to disk without opening it.)
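The Safari default that Mac Defender and Revir.A leaned on is something an administrator can audit across a fleet. The script below is an added example, not from the article or from F-Secure; it assumes the checkbox is stored under the key AutoOpenSafeDownloads in com.apple.Safari.plist (the article names only the menu option) and, following the article, treats an absent key as "enabled".

```python
"""Audit Safari's "Open 'safe' files after downloading" setting.

Added example (not from the article). Reads Safari's preference domain
on macOS and reports whether the auto-open behaviour that Mac Defender
and Revir.A relied on is still active. The key name and plist path are
assumptions about how Safari stores the checkbox; newer sandboxed
Safari builds may keep the file under ~/Library/Containers instead.
"""
import os
import plistlib
import sys

PREF_KEY = "AutoOpenSafeDownloads"  # assumed key behind the Safari checkbox
PREF_PATH = os.path.expanduser("~/Library/Preferences/com.apple.Safari.plist")


def auto_open_enabled(prefs):
    """Return True if Safari will open 'safe' downloads automatically.

    The article states the option is on by default, so a missing key is
    treated as enabled; only an explicit false value counts as disabled.
    """
    value = prefs.get(PREF_KEY)
    if value is None:
        return True
    return bool(value)


def load_prefs(path=PREF_PATH):
    """Load the Safari preference plist, or an empty dict if it is absent."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except FileNotFoundError:
        return {}


def audit(prefs):
    """Produce a one-line finding suitable for an endpoint inventory."""
    if auto_open_enabled(prefs):
        return ("FINDING: 'safe' downloads are opened automatically; "
                "untick Safari > Preferences > General > Open 'safe' files")
    return "OK: Safari keeps downloads on disk without opening them"


if __name__ == "__main__":
    result = audit(load_prefs())
    print(result)
    sys.exit(1 if result.startswith("FINDING") else 0)
```

Run it under each user account (the plist is per user); a non-zero exit marks a host that still has the weak default.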