Security hole in MacKeeper used to shove malware onto Macs

There isn’t a lot of Mac malware.

Most cybercrooks, we have to assume, are making so much money from infected Windows computers that they haven’t had to worry about supporting other platforms, such as OS X.

But that’s only most, not all cybercrooks.

Mac malware does indeed exist, and it should be no surprise that Mac crooks have a similar MO (modus operandi) to their counterparts in Windows-based cybercrime.

Here are some examples we’ve seen over the years where the Windows malware “playbook” has been followed, in some cases extremely effectively, on OS X:

  • 2012: Java-based exploit. The Flashback malware was injected onto your Mac via an unpatched Java bug. Flashback was a bot, or zombie, meaning that crooks could remotely send it instructions to help them commit further cybercrime. Estimates suggest that more than 600,000 Macs ended up infected, supposedly including “274 from Cupertino.”
  • 2013: Word-based exploit. SophosLabs reported on attackers using an exploitable bug in Microsoft Word for Mac to target Chinese minority groups. If you opened a booby-trapped document, disguised as some sort of political commentary, the crooks got control of your Mac via zombie malware called OSX/Agent-AADL.
  • 2014: Fake “undelivered item” documents. If you opened the bogus PDF file, really an application in disguise, you could end up infected with a data-stealing Trojan called OSX/LaoShu-A. Amongst other things, this one would find files such as documents, spreadsheets, presentations and archives…and send them to the crooks.

What now?

Researchers at BAE just reported on a Mac bot known as OSX/Agent-ANTU that was allegedly distributed in a novel way.

The crooks used a security hole in a controversial Mac security and cleanup utility called MacKeeper.

MacKeeper quickly patched the hole after it became known, but until you received the update you were exposed to a Remote Code Execution (RCE) vulnerability.

As long as you were unpatched, a crook could simply entice or redirect you to a poisoned website, and use a single line of JavaScript to send a command script to MacKeeper, which would then run it.

Unfortunately, according to BAE, some crooks struck while the iron was hot.

The crooks sent unpatched MacKeeper users to a web page that tricked their Macs into downloading the OSX/Agent-ANTU malware.

Ironically, the downloader used a fake malware report to justify any MacKeeper popup that might ask you for your administrative password, thus giving the malware system-wide powers.

As in the OSX/LaoShu case mentioned above, the malware included not only a downloader component to let the crooks install what they wanted, but also an upload function handy for stealing files.

What to do?

If you have MacKeeper, and intend to keep on using it, make sure it’s up-to-date.

Of course, if you don’t have MacKeeper, that alone doesn’t make you immune from infection by OSX/Agent-ANTU, or any other Mac malware, for that matter.

Also, don’t assume that Mac malware always needs an administrator prompt before it can do anything harmful.

Consider ransomware, for example: that sort of malware generally leaves your system files and applications well alone, even if it does have administrator access, so that you can still get online easily to pay the unscrambling fee.

But ransomware, while it’s running under your account, can nevertheless scramble all your data files – the ones that really matter!

So, if you haven’t yet crossed the bridge and become a Mac anti-virus user, now would be a good time to give it a go.

Sophos Anti-Virus for Mac Home Edition

Want to keep an eye out for malware, however the crooks deliver it, and to avoid other threats to your beloved Mac?

Sophos Anti-Virus for Mac Home Edition is 100% free (email address required), with no expiry and no time limit on updates.

Sophos for Mac stops threats for Windows too, so it also protects non-Mac users you share files with.

Choose from blocking viruses in real time (on-access virus prevention), scanning at scheduled times, or running a check whenever you want.
