Expecting a Mac attack?

29 Nov 2007

Apple computer users, so long accustomed to lording it over their PC rivals, may now have cause to regret feeling so smug.

“When you get a Mac, only your enthusiasm is contagious,” trumpets the Apple website, touting the security features of the Mac and its lack of viruses compared to the PC.

But the discovery last month of a Mac-compatible Trojan horse program is cause for concern.

There have been attempts before to write viruses for Apple’s operating system, but this appears to have been the first piece of malware to have been written by professional criminals. In this, it echoes a trend that has been happening for some time on the PC.

Some observers believe this could be the start of more targeted attacks against the Mac, similar to those experienced by Windows users.

There is a school of thought in the technology security space that Apple’s security owes much to Windows PCs’ massive market share which makes them a more obvious target for attack. Apple did not respond to calls for comment for this article.

IT security expert Brian Honan of BH Consulting said this development represents good and bad news for the Apple community.

“It’s good because the market share has come to a point where criminals are paying attention to it and the bad news is that criminals think that it’s worth their while,” he said.

“This is not the first piece of Apple Mac malware, but these programs have traditionally been written by hackers to say ‘look at me’. Apple’s market share meant that historically it wasn’t a big target. This piece of malware appears to have been written by financially motivated people.”

Intego, a developer of security software for the Mac, originally discovered the Trojan, which is designed for Mac OS X. It’s important to put the threat into context: this piece of malware is not a self-replicating worm so its spread is limited by the number of people who actively download it.

It is most commonly found on sites hosting pornographic content. Anyone who visits an adult site that has been ‘seeded’ with the Trojan is told that in order to watch a particular video, they need to download and install a codec, which is a piece of software used to decode digital streams.

The codec is actually a disguise for the Trojan. If downloaded, it alters a computer’s domain name system (DNS) server, redirecting the machine to porn sites of the malware distributor’s choice. Its main purpose appears to be to make money when people click on ads served on the sites.

“It’s a pretty rudimentary Trojan,” observed Honan. The Trojan doesn’t exploit any vulnerability in the Mac as such – instead it uses social engineering techniques to trick users into installing it, similar to those techniques used to deploy malware, such as the Storm Trojan, onto Windows PCs.

“It’s a long-winded process to get the software onto the Mac but it’s not any more unusual or different to Trojans for Windows PCs,” added Honan.

Although the malware has been found only on porn sites so far – potentially limiting its reach – there is scope for it to be associated with other, more mainstream content like a viral video or movie trailer site, according to David Sancho, a senior anti-virus researcher with Trend Micro.

The Finnish security company F-Secure took up the pursuit and in the week following the discovery it unearthed 32 variants of the Trojan. Writing in his blog, Mikko Hypponen, chief research officer at F-Secure, said: “The gang behind it seems serious about targeting Mac users as well as Windows users. And they keep putting out slightly modified versions of the Trojan for the Mac too.”

F-Secure said the payloads of all 32 variants are the same as the original discovered by Intego. But an interesting element that emerged was the Trojan’s additional purpose.

According to F-Secure technical manager Patrik Runald, the software is on a kind of reconnaissance mission – it reports the name of the computer and the operating system version back to another computer, believed to have been traced to an IP address within Ukraine.

Runald concluded that the existence of a version for Windows users points to the same group being behind both. That malware was released earlier this year and has been codenamed Zlob.

Mark Harris, director of SophosLabs in the UK and a Mac user, said the increase or otherwise of this malware family would be driven by how effective the attackers are at infecting people.

“They are in business to make money, so if they don’t see a return on their investment, they won’t invest more,” he said. Harris advised Mac users: “Ensure you use anti-virus products, take care where you are browsing and don’t become a vulnerability that can be exploited.”

To some extent Apple may be a victim of its success. Last month the company reported it sold more than two million copies of its (OS X) Leopard operating system in the first weekend of its launch. Apple CEO Steve Jobs said the features were making many PC users consider switching to the Mac platform.

But this could come at the expense of greater attention from undesirables. The standing jibe used to be that features familiar to Mac users everywhere would make their way – eventually – to the Windows PC. Now that less-desirable aspects of the PC experience are making their way to the Mac, the age-old trend has reversed but no one would say it was a case of returning the compliment.

By Gordon Smith