Apple malware evolved – No password required


For the last month or so we have been carefully tracking the developments in the Mac OS X malware community. Our conclusion? It’s advancing fast and taking many cues from the Windows malware scene.

Let’s review the evolution of this threat briefly to see where we’ve been.

May 2, 2011: The first widely distributed fake security tool for OS X is being spread through poisoned Google Image search results, seemingly targeting random keywords and the death of Osama bin Laden. It displays a fake JavaScript popup pretending to be a Windows XP anti-virus scanner telling you that your computer is infected.

May 6, 2011: At this point, we’re seeing new variants almost daily. Some of the new samples display random pornographic web pages to scare you and better convince you that your Mac is infected. We also sometimes see the name change from MacDefender to Mac Security.

May 7, 2011: A massive uptick in the success of SEO poisoning related to Mother’s Day Google searches results in a large increase in the infection rate. This version ditches the Windows XP fake JavaScript screen and substitutes a very professional looking fake Finder window that “detects” malware on your Mac.

May 15, 2011: We begin seeing the first attempts to obfuscate the content inside the malware to disguise its functionality. Early versions had the registration codes embedded in plain text, but now the registration codes are encoded so they are more difficult to discover.

All of these original variants still prompted the user for their Administrator password to install the malware. As Apple advises in their knowledge base article on the topic, this is a warning sign and an excellent opportunity to abort the installation.

May 25, 2011: Just like the Windows versions, the latest variants seen today (detected as OSX/FakeAvDl-A) no longer require administrative credentials. They install only into locations that a standard user can already write to, so no privilege escalation is needed and the installer never has to ask for an admin password. On Windows the criminals did this to avoid triggering UAC prompts, and they have copied the trick to their Mac OS X releases. The practical consequence is that the absence of a password prompt is no longer a reliable sign that an installer is benign.
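To make the point concrete, here is a small audit script added for this article (it is not code from the article, from Sophos, or from the malware). It encodes the OS X permission model the paragraph relies on: a standard user can write to their own home folder (including ~/Library/LaunchAgents and ~/Applications) and to /tmp without any authorization dialog, while /Applications, /Library and /System require an admin password. The script parses launchd agent plists and flags jobs whose plist and program both sit in user-writable locations, i.e. jobs that could have been installed with no password at all. The user name, file paths and plists below are constructed samples; the article does not state where OSX/FakeAvDl-A actually writes its files, so this is a generic hunting check, not a description of that sample.

```python
"""Flag launchd agents that live entirely in user-writable locations.

Added example for this article. Paths, user name and plist contents are
constructed samples, not artifacts from a real MacGuard/MacDefender install.
"""

import plistlib
from pathlib import PurePosixPath


def user_writable_roots(home):
    """Directories a standard (non-admin) OS X user can write to freely."""
    home = PurePosixPath(home)
    return (home, PurePosixPath("/tmp"), PurePosixPath("/private/tmp"))


def needs_admin(path, home):
    """True if writing PATH would trigger an admin password prompt.

    Anything outside the user's own home (and /tmp) is treated as
    admin-only: /Applications, /Library, /System, another user's home.
    """
    p = PurePosixPath(path)
    return not any(p == root or root in p.parents
                   for root in user_writable_roots(home))


def program_of(plist_bytes):
    """Return the executable a launchd job runs (Program or argv[0])."""
    job = plistlib.loads(plist_bytes)
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit_agents(agents, home):
    """agents: {plist_path: plist_bytes}. Returns one row per agent, sorted by path."""
    rows = []
    for plist_path, data in agents.items():
        prog = program_of(data)
        rows.append({
            "plist": plist_path,
            "program": prog,
            "plist_user_writable": not needs_admin(plist_path, home),
            "program_user_writable": prog is not None and not needs_admin(prog, home),
        })
    return sorted(rows, key=lambda r: r["plist"])


def no_password_installs(rows):
    """Agents where both the plist and the program needed no admin rights."""
    return [r for r in rows if r["plist_user_writable"] and r["program_user_writable"]]


# --- constructed sample data (hypothetical user and paths) -------------------
HOME = "/Users/alice"


def make_plist(label, argv):
    return plistlib.dumps({"Label": label, "ProgramArguments": argv, "RunAtLoad": True})


SAMPLE_AGENTS = {
    # Per-user agent whose program also lives under the home folder:
    # installable with standard user privileges, no password prompt.
    f"{HOME}/Library/LaunchAgents/com.example.scanner.plist":
        make_plist("com.example.scanner",
                   [f"{HOME}/Applications/Scanner.app/Contents/MacOS/Scanner"]),
    # System-wide agent pointing into /Applications: both writes would have
    # required an admin password.
    "/Library/LaunchAgents/com.example.updater.plist":
        make_plist("com.example.updater",
                   ["/Applications/Updater.app/Contents/MacOS/Updater"]),
}

if __name__ == "__main__":
    for row in audit_agents(SAMPLE_AGENTS, HOME):
        flag = "NO-PASSWORD" if row in no_password_installs([row]) else "admin"
        print(f"{flag:12} {row['plist']} -> {row['program']}")
```

On a real Mac the dictionary of agents would be built by reading ~/Library/LaunchAgents and /Library/LaunchAgents from disk; the logic is the same. A hit in the first category is not proof of malware, but it is exactly the class of install that the admin-password warning sign no longer catches.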

Here’s how the latest Mac malware attack works, step by step:

First, you visit a poisoned webpage using Apple’s Safari web browser. Perhaps you stumbled across it by clicking on a dangerous thumbnail while doing a search using Google Images.


Safari downloads the file and automatically launches the installer for a program called “Mac Guard”. This happens because Safari’s “Open ‘safe’ files after downloading” option, which is enabled by default, opens downloaded installer packages without asking; turning that option off in Safari’s General preferences stops this step from happening on its own:


It looks like a regular install process, but doesn’t require you to enter your username and password:


With the destination drive chosen, the install of the fake anti-virus software begins:


Once installed, the software claims to have found lots of malware threats on your Mac, but advises that you need to register your copy to remove the infections:


What’s that? You don’t have a registration number? Not to worry, the criminals have thought of that and urge you to enter your credit card details to buy the required serial number. Unfortunately, you can’t tell what they plan to do with your credit card information – but you can be sure they’re up to no good.


Of course, if you were running an anti-virus product on your Mac (such as the free Sophos Anti-Virus for Mac home users) then you would have been protected and the bad guys wouldn’t have been able to scare you into entering your credit card details.


In this case, Sophos detects the threat as OSX/FakeAvDl-A.

Apple has stated:

"In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants."

This is good news for OS X users who have been affected, but with new variants arriving daily, how will this work?

When Apple introduced XProtect with OS X 10.6 Snow Leopard, they added rudimentary, signature-based detection of a handful of known malware families. In the nearly two years since its introduction, they have only updated those signatures a few times.

Are they going to develop their own anti-virus software? The fast pace with which new variants arrive requires a very different style of software development and updating than Apple is accustomed to.

SophosLabs continues to investigate and publish protection for Mac users. We invite you to download Sophos Anti-Virus for Mac Home Edition for free to help you keep your Mac safe and secure.


Creative Commons image of a Mother’s Day card courtesy of MothersandDaughters Flickr photostream.