Mac Malware : A Brief history of malware for Apple’s Mac OS from 2004 to present
Mac users tend to be sure that Apple’s integrated systems will never encounter any malware. How true is that? Let’s check a brief history of Mac malware.
Microsoft Windows users were the ones mostly affected by computer malware, trojans and viruses. A few decades back, Mac users, on the contrary, would always feel proud to be using the right equipment, because they believed Apple’s integrated systems would never encounter any malware. However, security researchers tell a different story. A few decades back, Microsoft Windows’ larger user base made it easy for hackers to target users of that OS. Now, however, Apple’s market, and in turn the number of Mac users, is also growing, and at the same time Mac-oriented malware is gaining popularity. This article is a recap of Apple’s complicated history with malware.
2004: Renepo: A shell script worm:
This was designed specifically for OS X. Though it was not a serious piece of malware, it was prominent because it was the first malware targeted against Apple’s much-reputed integrated system.
In terms of operation, Renepo was just a shell script worm which could not travel across the web and required an admin password or physical access to the targeted Mac in order to get installed. Upon installation, Renepo would disable Mac OS X security by turning off OS X’s firewall and security programs; later it would also install a password cracker and further help hackers gain complete access to the compromised system.
The executable code could be further disguised as an MP3 music file on an Apple Mac; hackers had written a proof-of-concept program termed Amphimix just to help other hackers use this malware.
2006: Leap: First virus for Mac OS X sent via iChat:
Leap, the first virus designed for Mac OS X, was discovered in early 2006. Leap did not exploit any security gaps in OS X, did not do any major damage, and was more of a proof-of-concept malware.
This Trojan horse was not at all sophisticated, and it required the affected users to carry out a number of steps to actually get their system infected by the malware. Hackers used social engineering, i.e. iChat’s Bonjour buddy list, to spread the malicious file, and it could successfully infect a Mac user only if the file received through iChat was downloaded, decompressed and opened.
Leap worked only on OS X Tiger when it was released, and it was also referred to as “Oompa Loompa”.
2007: BadBunny worm: First financial malware:
Next came the BadBunny worm, which was discovered by the experts at SophosLabs. This was an OpenOffice multi-platform macro worm capable of running on Windows, Linux and even Mac computers.
Sophos discovered that Ruby script viruses were dropped on Mac OS X systems by the BadBunny worm, which resulted in the display of an indecent JPEG image of a man wearing a rabbit costume.
BadBunny was the first financial malware created for Mac, and the criminals had developed Mac as well as Windows versions of the OSX/RSPlug-A Trojan horse.
The Trojan posed as a codec and pretended to help users view pornographic videos; however, once the user tried to download the content it would divert the DNS server entries to other websites without the browser’s knowledge.
2008: MacSweeper: Poisoned TV website adverts:
This malware was again discovered by the experts at SophosLabs. MacSweeper can be termed scareware, because it was a piece of malware that tricked Mac users into believing that there were serious privacy vulnerabilities on their device and then offered them software to eradicate a problem which was never there on the device at all.
As per the reports from SophosLabs, ITV, a website which competes with the BBC, had been the victim of this poisoned web advert campaign.
Experts discovered that a Macromedia Flash file carrying the scareware, detected as Troj/Gida-B, was injected into traffic served up by ITV.com via third-party advertising agencies.
These poisoned adverts were designed to promote a cleaner known as MacSweeper on Apple Macs and Cleanator on Windows. Both programs made fake claims to detect “compromising files” on the user’s computer and fooled users into purchasing the full version of the software.
2008: Imunizator: Procurement of funds by scaring users:
Another Trojan, Imunizator, was scareware just like MacSweeper. This scareware, also known as Troj/MacSwp-B, posed as software that claimed to clean the Mac system of certain malicious files which never existed.
This fake claim scared users, and the malware would then prompt them with a message that read: “get rid of compromising files now”, thus fooling users into purchasing the entire “Imunizator clean up” software suite.
2009: Jahlav: Impersonated as a video codec:
Jahlav posed as a “video codec” which was claimed to be an essential requirement for viewing pornographic content on the web.
This bogus webpage was created by cyber criminals, and whenever a user visited a particular pornographic site a message would pop up stating that the device did not have the correct codecs installed to watch that particular video.
The site would then offer a .DMG (disk image) file to the Apple Mac user. Once the codec was installed, the malware would redirect website links to heavily advertising websites and plague the user with pop-up ads.
2009: Pirated versions of iWork and Adobe Photoshop CS4
In 2009, a new Mac OS X Trojan affecting dubious copies of iWork ’09 and Adobe Photoshop CS4 started showing up on peer-to-peer (P2P) file-sharing networks.
- iWork ’09: The Trojanized copies were found on the PirateBay torrent site as a ZIP file; when unpacked, it yielded a proper Mac .pkg file, and the iWorkServices.pkg file was an install package for the OSX/iWorkS-A malware. Once the user installed OSX/iWorkS-A it would create several files and trigger a process to enrol the Mac in a botnet. (A botnet is a collection of compromised computers which have been infected with malware that puts them under the complete control of the attacker.)
- Adobe Photoshop CS4: Similar to iWork ’09, experts further discovered a new variant of the Apple Mac iWorkS Trojan horse being distributed via a pirated version of Adobe Photoshop CS4 on P2P sharing networks. Since the Trojan was being distributed through pirated versions of commercial copyrighted software, users who did not download software illegally from BitTorrent sites were not at risk of encountering it. Infected Macintosh users faced the risk of having their computers remotely controlled by the attacker and further used to send spam, steal identities and spread the malware.
2010: Boonana: Spread via social networking sites:
Boonana was a multi-platform Trojan horse which spread to computers via social networking sites such as Facebook. The malware was discovered by SecureMac in 2010.
Here, users would receive a link accompanied by the phrase: “Is this you in the video?” This was a trap for curious users: clicking the link downloaded the malicious software to the computer, which in turn modified system files, settings and other security mechanisms, thus allowing hackers easy access to the contents of the computer.
The security firm Intego found that Boonana was not as scary as expected, because it was riddled with bugs and hence could not operate at the level its makers intended.
2010: PremierOpinion: Spyware wrapped in free Mac apps and screen savers:
In 2010, Intego warned Mac users about spyware being wrapped in some free Mac apps and screen savers. This happened before Apple introduced its app safeguards on the Mac App Store.
In this case the free app contained spyware which forced the user to go through a “market research program”; in the meantime it would scan the files on the user’s computer, record the user’s online activity, and send all this information to a remote server.
This particular piece of malware had already existed since 2008 and had infected several Windows users. However, it started attacking Mac users in 2010.
2011: MacDefender: Posed as antivirus software:
MacDefender marked the beginning of an altogether new era in the history of Mac malware. The polished design of this malware succeeded in convincing users to fall prey to its tricks.
MacDefender posed as antivirus software, and users were required to click on a malicious link to get the software downloaded to their computer. Further, the software required the user to type in their system password to install the so-called antivirus software.
Once unsuspecting users had punched in their system password, the attackers could easily gain access to the victim’s Mac computer without their knowledge. This malware was discovered in 2011, and Apple then circulated a series of OS X updates to address the MacDefender issue.
2012: Flashback Malware: Posed as an Adobe Flash Installer:
In 2012, the Flashback Malware infected over 600,000 Mac users across the globe.
The malware spread through a Java vulnerability and functioned as a botnet. Basically, the malware posed as an Adobe Flash installer and thus fooled unsuspecting users into downloading the malicious payload.
Upon installation, the malware would start stealing system data such as passwords and other sensitive credentials such as credit card information, and even the user’s online searches were redirected to malicious websites.
A free removal tool that disabled the automatic execution of Java applets was released by Apple to combat the malware. Later, experts also revealed that Oracle had already patched the Java vulnerability a couple of months before it actually hit the Mac; however, Apple was not as quick, and Mac users had to face this malware.
2014: Mac.BackDoor.iWorm: OS X Botnet:
Security researchers from Dr. Web discovered this OS X botnet in 2014, by which time it had already infected more than 17,000 Macs worldwide. Surprisingly, the infected Macs communicated with the administrators of the malware via Reddit.com at intervals of about five minutes.
2014: Wirelurker : Spread via pirated Mac Apps
2014 witnessed the Wirelurker malware, which existed for a short time. Mac users in China were the ones most affected by this malware.
The malware spread through pirated Mac apps; it was found embedded in third-party applications hosted on unofficial Mac app stores.
Experts found that the malware was able to hop from an infected computer to an iPhone through a USB cable, and it could do so even if the iPhone was not jailbroken.
The third-party app store which spread this malware was eventually shut down, and three criminals responsible for the malware were arrested.
The history of Mac malware clearly indicates that Mac computers and devices are not invulnerable, and Mac users definitely need to guard their devices with proper antivirus software. One more word of caution to all Mac users: never download pirated or dubious software from links on social networking sites.