Apple malware evolved - No password required

Filed Under: Apple, Malware

Mac Security malwareFor the last month or so we have been carefully tracking the developments in the Mac OS X malware community. Our conclusion? It's advancing fast and taking many cues from the Windows malware scene.

Let's review the evolution of this threat briefly to see where we've been.

May 2, 2011: The first widely distributed fake security tool for OS X is being spread through poisoned Google Image search results, seemingly targeting random keywords and the death of Osama bin Laden. It displays a fake JavaScript popup pretending to be a Windows XP anti-virus scanner telling you that your computer is infected.

May 6, 2011: At this point, we're seeing new variants almost daily. Some of the new samples display random pornographic web pages to scare you and better convince you that your Mac is infected. We also sometimes see the name change from MacDefender to Mac Security.

Mothers day card courtesy of Mothers and Daughters Flickr photostreamMay 7, 2011: A massive uptick in the success of SEO poisoning related to Mother's Day Google searches results in a large increase in the infection rate. This version ditches the Windows XP fake JavaScript screen and substitutes a very professional looking fake Finder that "detects" malware on your Mac.

May 15, 2011: We begin seeing the first attempts to obfuscate the content inside the malware to disguise its functionality. Early versions had the registration codes embedded in plain text, but now the registration codes are encoded so they are more difficult to discover.

All of these original variants still prompted the user for their Administrator password to install the malware. As Apple advises in their knowledge base article on the topic, this is a warning sign and an excellent opportunity to abort the installation.

May 25, 2011: Just like in the Windows versions, the latest variants seen today (OSX/FakeAvDl-A) no longer require administrative credentials. They now install into areas of the system that only require standard user privilege. In other words, the attacks no longer ask for an admin password. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases.

Here's how the latest Mac malware attack works in pictures (click for a larger version of each image):

First, you visit a poisoned webpage using Apple's Safari web browser. Perhaps you stumbled across it by clicking on a dangerous thumbnail while doing a search using Google Images.

Click for larger version

Safari downloads the file, and automatically begins to run the installer for a program called "Mac Guard":

Click for larger version

It looks like a regular install process, but doesn't require you to enter your username and password:

Click for larger version

With the destination drive chosen, the install of the fake anti-virus software begins:

Click for larger version

Once installed, the software claims to have found lots of malware threats on your Mac, but advises that you need to register your copy to remove the infections:

Click for larger version

What's that? You don't have a registration number? Not to worry, the criminals have thought of that and urge you to enter your credit card details to buy the required serial number. Unfortunately, you can't tell what they plan to do with your credit card information - but you can be sure they're up to no good.

Click for larger version

Of course, if you were running an anti-virus product on your Mac (such as the free Sophos Anti-Virus for Mac home users) then you would have been protected and the bad guys wouldn't have been able to scare you into entering your credit card details.

Click for larger version

In this case, Sophos detects the threat as OSX/FakeAvDl-A.

Happy MacApple has stated:

"In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants."

This is good news for OS X users who have been affected, but with new variants arriving daily, how will this work?

When Apple introduced XProtect with OS X 10.6 Snow Leopard, they added rudimentary detection of malware. In the nearly two years since its introduction, they have only updated it a few times.

Are they going to develop their own anti-virus software? The fast pace with which new variants arrive requires a very different style of software development and updating than Apple is accustomed to.

SophosLabs continues to investigate and publish protection for Mac users. We invite you to download Sophos Anti-Virus for Mac Home Edition for free to help you keep your Mac safe and secure.

DownloadFree Anti-Virus for Mac
Download Sophos Anti-Virus for Mac Home Edition

Creative Commons image of a Mother's Day card courtesy of MothersandDaughters Flickr photostream.

, , , , , , , , , , ,

You might like

37 Responses to Apple malware evolved - No password required

  1. What I don't fully understand from your post: does the latest update of this malware install itself automatically when visiting certain webpages or performing certain image searches, or is it still essential for the user to perform an action like clicking an install button or agreeing on something before the installation of the malware takes place?

    • The user doesn't have to do anything. When you pass your mouse cursor over a google image result it automatically performs the JavaScript initiation without prompting the user at all or now (according to the publication above) no longer requires an admin password either.

      Using certain websites may still require a link to be clicked but these can be heavily disguised and in many cases just visiting a site with an infected image can result in the Malware auto installing itself.

      My wife was caught be a Google images hit while looking for a desktop wallpaper, as soon as the page loaded a Malware page was triggered almost immediately without any intervention.

      • jim · 1191 days ago

        This is not correct. This malware install is not silent. There is still user input required, just not the admin password.

        Just to be clear: the user DOES have to do something. This is not a drive by silent install.

        • spookie · 1190 days ago

          This is my understanding as well. There IS user interaction required for install. Passing the mouse over a window WILL NOT result in infection. A popup occurs without user interaction, but clicking several times is required for install. Even if you can't close the window any other way, command-option-esc for a force close still works. There really is NO REASON people should be getting infected.

      • Ah, I see you added a series of screenshots and extra info since my previous visit of this post. :-)

        As I see it, it still looks like the user has to consciously install the malware. I see a setup program in the screenshots that the user has to click through before the software installs.

        As a seasoned computer and Internet user, I don't think I would fall for this trick in the first place.

  2. Deborah · 1191 days ago

    So I've down loaded your free program a couple months ago. Does it automatically update itself? I am not too computer savvy.

  3. Chris Kranz · 1191 days ago

    The software only automatically installs itself if you are using Safari and you have it configured to automatically open "safe" downloads. This is considered pretty bad practice and I do hope that Apple change this default as it is the simplest way to prevent this sort of thing propogating automatically.

    • Paul Impola · 1190 days ago

      Incorrect. It does NOT automatically install itself. You STILL have to approve the installation, but now you do not need to enter an admin password to authorize the installation.

  4. It won't be soon before other Windows malware like rootkits make their way over to the Macs. It is time for Apple and Apple's fan to face the music that APPLES ARE NOT INVULNERABLE and CAN get viruses!

    Microsoft has long been warning users to install antivirus and antispyware programs from a trusted source and it seems the same advice applys to a Mac (see http://www.microsoft.com/security/pc-security/pro... for a list of Microsoft's advice which is all relevent to the Macs)

    • Paul Impola · 1190 days ago

      Sorry, but you are wrong.
      Macs are vulnerable to Trojans if users are not wary. There are still ZERO viruses that can infect any version of Mac OS X.

      • Nieve · 1190 days ago

        Oh such nievity, the fact is that it was just so much easier for crooks to target Windows, the user install base is much higher on Windows, same amount of work for many times the number of people. Now that Mac are becoming more popular, and that Mac users so relaxed about the possibility of Viruses, malware, trojan etc. Macs are an increasely better looking prospect for criminals.

        No computer system (even the iphone with it closed ecosystem) will ever be fully invulrable from hacks and viruses.

        • You are right. I think more and more crooks are targeting Apple system because it is harder to infect Windows due to the many antimalware around.

          Most Apple fanboys aren't even aware about viruses and look at Windows users in contempt while lying in ease fanning themselves. They believe they can't be infected and so they can install any software without worrying of infection!

  5. helix2301 · 1191 days ago

    It was only a matter of time till there started being viruses and malware for the MAC just like anything else the more market share something gets the more it gets picked apart. It's only a matter of time till we see desktop linux get virus and malware released. We have already seen some variation of it with the way they are pulling android apps off the market cause of security issues.

  6. Laird Popkin · 1191 days ago

    While there's some risk that this software can trick naive users into installing their malware, it's important to keep in mind that it's NOT A VIRUS, and that it can only install onto a computer when the user gives it permission to install. Mac OS X, like all operating systems, is vulnerable to this sort of software, since it relies on the user giving permission for the software to install, which no security software can prevent.

    And while I'm sure that the Sophos security software is perfectly nice, it does feel a bit sleazy for a Sophos employee to hype the risk of Mac malware as "advancing fast" and encouraging people to install Sophos' software.

    • Matt Armstrong · 1191 days ago

      You may not want to admit it, but it is true. As OSX gains in market share, it will be targeted more and more. OSX is this super impenetrable fortress that its made out to be. It has security holes just like every other OS out there. Its written by humans, and therefore it has flaws. Nothing is impenetrable.

      And the number of Mac users out there who buy in to the hype that their platform of choice is safe from everything is staggering. I bet you, dollars to donuts, that the majority of mac users don't run some sort of malware protection. Heck from your response, if you are a Mac user, I'd wager that you don't run any sort of protection.

      Sophos, Avast, AVG. Install a proper anti-virus to help keep your system clean. OSX, Windows or any distribution of Linux, you should have something installed.

      • spookie · 1190 days ago

        Does it count if I don't run AV on ANY platform? I don't run AV on Windows (or Linux for that matter) either, and I don't plan to start.

  7. Steve Bryan · 1191 days ago

    I can't believe that I'm the only one to see how thick with irony this whole dog and pony show is. The social engineering attack vector is precisely the "all systems are equally vulnerable so you must depend on anonymous vendors to manage your system software, just like Windows" meme.

    System software vendors like Apple and Microsoft cannot defend users from themselves if they fall prey to the chorus of calls that the sky is falling and "you can't wait for a solution from a trusted source". The system vendors can be charged with the responsibility to prevent silent "drive by" software installation assaults. My own experience is that any installed executable will cause a system warning whenever it is first launched together with a reference to the source (ie web site of the source of the executable).

    Nontechnical users should be strongly advised to only install and run software that arrives through curated and well known sources like Software Update and the Mac App Store. I don't find anything from Sophos there. The irony reference above is that by promoting the frenzy and not providing a Mac App Store solution the attack vector is reinforced rather than diminished. Just having a website and a dmg to download is not how security for nontechnical can be addressed. Please, be more responsible.

    • Unfortunately the software in the Mac App Store may not always be up-to-date (despite the promises) and may contain vulnerabilities.

      See http://nakedsecurity.sophos.com/2011/05/18/mac-ap...

      So, there's a justifiable reason for getting your software and updates from another route.

      And then there's some software, like security software for instance, which can't have a presence in the Mac App Store because we're not allowed to do the kind of stuff that's necessary to provide a proper level of protection to users.

      • velomac · 1185 days ago

        Graham,

        Your last sentence doesn't directly answer (for me at least) Steve Bryan's statement. Does Apple not allow Sophos to "sell" Anti-Virus for Mac Home Edition on the Mac App Store for $0? (Intego offers their less-than-adequate VirusBarrier Express there for free.)

        It would seem to boost the market value of your app if was offered on the Mac App Store.

        • Apple has placed restrictions on what programs distributed via the Mac App Store are allowed to do.

          Unfortunately, their rules mean that our anti-virus product would not be accepted - unless we severely crippled its functionality.

          So, yes, we could be in the App Store - but our software would not be as good at protecting your Mac. So, better to download it directly from our site if you want to defend your Macs.

  8. Ben · 1191 days ago

    Graham, I slightly agree with Laird- particularly concerning me is that you are promoting anti-virus software for Mac OS X.

    How many OS-level viruses are there in the field, which are currently active, and which affect an up-to-date (10.6.7) Mac OS on an Intel machine?

    The reason why you are getting excited about this malware is because there aren't any viruses in the field. There's very little indeed.

    As I am sure you are aware, most modern consumer attacks are through social engineering.

  9. I haven't seen any suggestion that switching from Safari to say, Firefox or Chrome would also be a reasonable way for users to protect themselves from this sort of exploit (and of course not to mindlessly click through installer dialogs which spontaneously appear when you haven't tried to install anything).

  10. Steve Jobs · 1191 days ago

    Article is WRONG MACs don't get viruses.

    This is a feature.

    • frgough · 1189 days ago

      The funny thing is, if you actually believe that, you won't fall for this particular malware phishing attack, since it relies on you believing that your Mac CAN get viruses.

  11. AppleFan · 1190 days ago

    That's right, you tell them Steve Jobs! Apple was the first to introduce this magical new feature!

  12. spookie · 1190 days ago

    Graham, are you telling me Sophos AV will prevent the install of a program I click through the installer for? I just don't believe AV can prevent infection through social engineering. I don't use AV on Windows, Mac or Linux. I have also NEVER had a malware infection on any OS. AV is nowhere near the protection an educated user is. That's why I follow Sophos, and Gibson Research Corporation. In 20 years of computing I haven'r needed an AV, I don't see why I'd need one now.

    • pitythefool · 1190 days ago

      if you don't run AV on Windows, then it's a bit presumptuous to think you've not had / got any kind of malware/viruses on your machine - I mean, you'd have to admit that you couldn't actually ever know this to be true /unless/ you run some kind of AV / malware removal software.

    • pitythefool · 1190 days ago

      ...and yes, most/all AV software will prevent something it thinks is harmful from executing - in which case you wouldn't even be able to click through the installer screens unless you dealt with the (real) AV popup/dailogs first.

      kinda clever really, isn't it? ;-)

  13. spookie · 1190 days ago

    Perhaps "Steve Jobs" should learn that a Mac is an Apple Macintosh. MAC is Media Access Control. While a Mac does have a MAC, it's not the same thing.

  14. Tracy · 1190 days ago

    Does this impact iPhones?

  15. T.Anne · 1190 days ago

    There's a great new article by Brian Krebs (http://krebsonsecurity.com/2011/05/chronopay-fueling-mac-scareware-scams/) on this scare ware... it talks about the domains for it and the email they're registered to.

    It's scarey to see that it can start without putting in your password now, but I suppose we all knew that day would come. As Macs became more popular and are generally less protected - it was only a matter of time until the focus came on them.

  16. zetster · 1189 days ago

    I was hijacked just last night and I wasn't on any shady sites! But I had too many open tabs (Firefox) that I didn't want to force quit, so I just hit the ESC button hoping it would stop the script then I'll be able to just close that one tab. That ESC button happened to act like an OK button. I was cussing like crazy the next second because I thought, well I'm a seasoned Internet user and I shouldn't fall for this trick ;) And I just submitted my term paper on malware on the Mac for my information security class (where I've referenced Graham and other security experts). I don't know why I don't have NoScript enabled either.

    Fortunately I have Sophos already installed and updated so it stopped the install in its tracks. That last screenshot you have up there looks very familiar. My quarantine manager flashed for a few seconds with 4 items in it then it was clean. I ran a full scan with Sophos right after the incident and it didn't find anything again. I looked at the log and it had 6 entries related to this fakeav variant the first of which looked like this:

    Threat: 'OSX/FakeAvDl-A' detected in /Users/.../Downloads/CEj8VO3b.html.part/avSetup.pkg/Contents/Resources/avSetup.pax.gz/Archive.pax/./avRunner.app/Contents/MacOS/avRunner Access to the file denied

    When those items flashed in the quarantine manager for a few seconds, I distinctly saw that I had to remove them manually. But they're all gone now and I don't think the whole package even downloaded fully in the first place. Should I trust the scan results when it said it was all clean or are there other things I should hunt for?

    Thanks for posting this...it's really timely!

  17. Black Country Bob · 1188 days ago

    I've had Symantec anti-virus ever since I first bought a Mac eight years ago and it is always up-to-date. Even I was greeted with the Apple Security Centre warning. At the time I couldn't remember what I'd done to have this reach my Mac. Initially it did make me panic and then I used a little common sense, paused to think and then realising that Apple doesn't have a security centre, figured it must be a scam.

    What must be made clear to everyone is that if there is a brand new virus, regardless of whether your definitions are up-to-date or not, you may not be protected against it so you must use some common sense to steer clear of them.

  18. osaka · 1187 days ago

    this also happened to me. sophos detected it. but it says that i should clean it up manually.. how can i do that?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.