Mac/Apple Malware, Virus, Worm, Etc.


Not really progressive politics, but just out of consideration for my many Mac using friends, I thought this would be an important story. I copied it directly from the source and I’m sure some of the embedded videos, links etc. will be loath to run. So you will do better going to the original link. Sophos is the computer security company that you won’t hear much about unless you are a professional in the field. Then you will know them as a premier security company.

The short history of Mac malware: 1982 – 2011


by Graham Cluley on October 3, 2011

Filed Under: Apple, Featured, Malware

In late 2010, I wrote a short history of Apple Mac malware. Since then there have been some significant developments, so here’s a revised and updated version.

Before we begin, it’s worth recognising that malware on the Mac is a subject which raises strong emotions. There are some who believe that the problem is overhyped (or even non-existent!) and others who believe that the malware problem on Macs is underestimated by the Apple-loving community.

Hopefully this short history will go some way to present the facts, and encourage sensible debate.

From the early 1980s, right up until the present day, here are some of the highlights in the history of Apple Mac malware.

Mac malware timeline

1982


The first virus to affect Apple computers wasn’t written for the Macintosh (that iconic computer wasn’t set to appear until 1984) but is of historic interest none the less.

In 1982, 15-year-old student Rich Skrenta wrote the Elk Cloner virus, capable of infecting the boot sector of Apple II computers.

On every 50th boot the Elk Cloner virus would display a short poem:

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!

It will stick to you like glue
It will modify RAM too
Send in the Cloner!

What may surprise some Apple fans is that the Elk Cloner boot sector virus predates IBM PC viruses by some years.

Rich Skrenta, by the way, went on to found the web companies Topix and Blekko. Clearly his early entanglement with malware-writing didn’t make him a completely bad apple.

1987


The nVIR virus began to infect Apple Macintosh computers, spreading mainly by floppy disk.

It was a similar story to what was happening in the world of MS-DOS malware, where viruses would typically travel from computer to computer by users sharing floppy disks.

Source code for nVIR was later made available, causing a rash of variants for the Mac platform. In response, the first anti-virus products for Mac – some free, some commercial – began to emerge.

1988


It appears that the first HyperCard virus was written in 1988. Running on early versions of Apple’s Mac OS, one HyperCard virus displayed a message about Michael Dukakis’s US presidential bid before self-destructing:

"Greetings from the HyperAvenger! I am the first HyperCard virus ever. I was created by a mischievous 14 year old, and am completely harmless. Dukakis for preseident in '88. Peace on earth and have a nice day"

1990


The MDEF virus (aka Garfield) emerged, infecting application and system files on the Mac.

1991
HC (also known as Two Tunes or Three Tunes) was a HyperCard virus discovered in Holland and Belgium in March 1991.

On German language versions of the operating system it would play German folk tunes and display messages such as “Hey, what are you doing?” and “Don’t panic”.

1995


Microsoft accidentally shipped the first ever Word macro virus, Concept, on CD ROM. It infected both Macs and PCs running Microsoft Word.

Concept was not written with malicious intent (aside from spreading, it just displayed a message box containing the number “1”) but thousands of macro viruses were to follow, many also affecting Microsoft Office for Mac.

Word macro viruses turned the world of Mac *and* Windows malware on its head overnight.

Macro viruses were written in the easy-to-understand macro language that Microsoft included in its Office programs, making it child’s play to create new variants.

Furthermore, most people at the time considered documents to be non-dangerous, and were happy to receive them without thinking of the possible security implications. Just opening a Word .DOC file could infect your computer, because the macro virus’s code was embedded within.

You could measure how good your anti-virus software was by how quickly and seriously it responded to the macro virus threat.

1996


Laroux, the first Excel macro virus, was released and hit owners of Windows computers.

Mac users escaped unaffected at first – at least until the release of Excel 98 for Mac meant they could also become victims.

1998


It was in Hong Kong, in 1998, that the next significant Mac malware outbreak was first spotted. A worm – dubbed AutoStart 9805 – spread rapidly in the desktop publishing community via removable media, using the CD-ROM AutoPlay feature of QuickTime 2.5 and later.

David Harley of Macvirus tells me that he remembers watching with interest as reports of Autostart spread from Asia to the rest of the world.

In the same year, Sevendust, also known as 666, infected applications on Apple Mac computers.

Big changes to the Mac malware scene were just around the corner, however, with the release of Mac OS X – a whole new version of the operating system which would mean that much of the old malware would no longer be capable of running.

In the future, Mac-specific malware would have to be written with a new OS in mind.

2004


The Renepo script worm (also known as “Opener”) attempted to disable Mac OS X security, including the Mac OS X firewall.

In addition, the Renepo worm would download and install hacker tools for password-sniffing and cracking, make key system directories world-writeable, and create an admin-level user for hackers to later abuse.
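One of the effects described above, key system directories left world-writeable, is easy to audit for. The following POSIX shell script is an added example and is not code from the Sophos article or from the Renepo worm; it reports world-writable directories beneath any paths you pass it, and builds a constructed fixture so it can run anywhere. Which paths to check on a real Mac (for example /System, /Library and /usr) is an assumption, not something the article specifies.

```shell
#!/bin/sh
# Added example (not from the Sophos article): find directories under the
# given roots whose "other" write bit is set, i.e. directories anyone can
# write to. On a real Mac the roots to audit are an assumption, e.g.:
#   world_writable_dirs /System /Library /usr /bin /sbin
world_writable_dirs() {
    for _root in "$@"; do
        [ -d "$_root" ] || continue
        # -perm -0002: the other-write bit must be set, whatever else is set
        find "$_root" -type d -perm -0002 2>/dev/null
    done
}

# Number of world-writable directories under the given roots (0 = clean).
count_world_writable() {
    world_writable_dirs "$@" | wc -l | tr -d ' '
}

# Constructed fixture, so the check can be exercised offline: one tree with
# sane permissions and one containing a directory that has been opened up
# the way the article says Renepo opened up system directories.
make_fixture() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/clean/sub" "$_tmp/system/loose"
    chmod 755 "$_tmp/clean" "$_tmp/clean/sub" "$_tmp/system"
    chmod 777 "$_tmp/system/loose"
    printf '%s\n' "$_tmp"
}

# Stand-alone demonstration: prints the one deliberately loosened directory.
if [ "${1:-}" = "--demo" ]; then
    FIXTURE=$(make_fixture)
    echo "world-writable under $FIXTURE/system:"
    world_writable_dirs "$FIXTURE/system"
    rm -rf "$FIXTURE"
fi
```

A clean tree produces no output and a count of 0; any line printed is a directory that every local user, and therefore any malware running as an unprivileged user, could drop files into. Run it with `--demo` to see the fixture, or pass real system paths to audit a machine.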

The shell script used by the Renepo worm contains a number of comments from its authors, including:

In 2004, hackers also wrote a proof-of-concept program called Amphimix which demonstrated how executable code could be disguised as an MP3 music file on an Apple Mac.

Amphimix

Amphimix was not likely to be encountered by Mac users, and appeared to have been written as a proof-of-concept highlighting a vulnerability in Apple’s software.

2006


Leap-A, the first ever virus for Mac OS X was discovered.

Leap virus

OSX/Leap-A was programmed to use the iChat instant messaging system to spread itself to other users. As such, it was comparable to an email or instant messaging worm on the Windows platform.

Therefore, it was correct to call OSX/Leap-A a virus or a worm. It was not correct to call OSX/Leap-A a Trojan horse. Not that that stopped many in the Mac community claiming it wasn’t a real virus.

The Inqtana worm and proof-of-concept virus soon followed in the footsteps of the Leap virus.

A buggy proof-of-concept virus called Macarena also appeared, written in Xcode. Every infected file contained the phrases

"MachoMan - roy g biv"

and

"26/10/06"

2007


Sophos discovered an OpenOffice multi-platform macro worm capable of running on Windows, Linux and Mac computers.

The BadBunny worm dropped Ruby script viruses on Mac OS X systems, and displayed an indecent JPEG image of a man wearing a rabbit costume.

The first financial malware for Mac was discovered. The gang behind the attacks developed both Windows and Mac versions of their OSX/RSPlug-A Trojan horse.

Mac users can infect themselves by downloading and running a fake codec

The Trojan posed as a codec to help users view pornographic videos, but in fact changed the DNS server entries so as to redirect surfers unwittingly to other websites.
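Because a DNS-changing Trojan leaves its mark in the resolver configuration rather than in any obviously malicious file, a simple check is to compare the configured nameservers against the ones you expect. The POSIX shell script below is an added example, not code from the Sophos article or from the RSPlug Trojan: it parses `nameserver[N] : address` lines in the format printed by `scutil --dns` on Mac OS X and reports any resolver not on an allow list. The embedded sample output is constructed (the address 203.0.113.5 is from a documentation range, not a real rogue resolver), and the allow list is whatever your own network uses.

```shell
#!/bin/sh
# Added example (not from the Sophos article): flag DNS resolvers that are
# not on an allow list. Input mimics `scutil --dns` output on Mac OS X.

# Constructed sample, not captured from a real machine: one expected
# resolver (the router) and one unexpected one.
SAMPLE_SCUTIL_OUTPUT='DNS configuration

resolver #1
  search domain[0] : example.test
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
'

# audit_resolvers OUTPUT ALLOWLIST
# Prints each distinct nameserver address in OUTPUT that is not in the
# space-separated ALLOWLIST, one per line. Prints nothing when all are expected.
audit_resolvers() {
    _out=$1
    _allow=" $2 "
    printf '%s\n' "$_out" \
      | sed -n 's/^[[:space:]]*nameserver\[[0-9]*][[:space:]]*:[[:space:]]*\([0-9A-Fa-f.:]*\).*/\1/p' \
      | sort -u \
      | while IFS= read -r _ns; do
            case "$_allow" in
                *" $_ns "*) ;;                 # expected resolver
                *) printf '%s\n' "$_ns" ;;     # unexpected resolver, report it
            esac
        done
}

# rogue_count OUTPUT ALLOWLIST -> number of unexpected resolvers (0 = clean)
rogue_count() {
    audit_resolvers "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "unexpected resolvers in sample:"
    audit_resolvers "$SAMPLE_SCUTIL_OUTPUT" "192.168.1.1 1.1.1.1"
fi
```

On a real Mac the call would be `audit_resolvers "$(scutil --dns)" "192.168.1.1"` with your own router or corporate resolver addresses in the allow list; an entry you did not configure yourself is worth investigating, since redirecting lookups is exactly how a Trojan like this steers users to sites of its choosing without touching the browser.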

2008


Cybercriminals targeted Mac and PC users in equal measure, by planting poisoned adverts on TV-related websites. If accessed via an Apple Mac, surfers would be attacked by a piece of Macintosh scareware called MacSweeper.

MacSweeper

Close relatives of MacSweeper followed shortly afterwards, including Imunizator – another example of scareware for the Apple Mac, which claimed to find privacy issues on the user’s precious computer.

Imunizator

In June, the OSX/Hovdy-A Trojan horse was discovered that could steal passwords from Mac OS X users, open the firewall to give access to hackers, and disable security settings.

Troj/RKOSX-A was discovered – a Mac OS X tool to assist hackers in creating backdoor Trojans, which can give them access to and control over your Apple Mac computer.

In November, Sophos warned of the Jahlav Trojan. Similar to other malware campaigns, cybercriminals created a bogus webpage claiming to contain a video.

Visiting the site produces a message saying that you don’t have the correct codec installed to watch the video – whereupon the site offers you an EXE if you run Windows, and a DMG (Disk Image) file if you are using an Apple Mac.

Controversially, Apple issued a support advisory urging customers to run anti-virus software – but after media interest, rapidly deleted the page from their website.

2009


In January 2009, hackers began to distribute the OSX/iWorkS-A Trojan horse via BitTorrent inside pirated versions of Apple’s iWork ’09 software suite.

In the same month, a new variant of the Trojan was distributed in a pirated version of Adobe Photoshop CS4.

In March, Sophos reported on how hackers were planting versions of the RSPlug Trojan horse on websites, posing as an HDTV program called MacCinema.

In June, SophosLabs discovered a new version of the Tored email worm for Mac OS X, and hackers planted a version of the Jahlav Mac Trojan horse on a website posing as a portal for hardcore porn videos.

Shortly afterwards, the Twitter account of celebrity blogger Guy Kawasaki had a malicious link posted onto it, claiming to point to a sex video of Gossip Girl actress Leighton Meester. In reality, however, the link led unsuspecting users to malware which could infect Mac users.

Meanwhile, Apple finally began to introduce some rudimentary anti-malware protection into Mac OS X.

Although it wasn’t really equivalent to a true anti-virus product (it only protected against a handful of Mac malware, didn’t defend you if you tried to copy an infected file from a USB stick, for instance, and didn’t offer clean-up facilities), it was still encouraging to see some attempt to offer more protection for Mac users.

2010


The OSX/Pinhead Trojan (also known as HellRTS) emerged.

The backdoor Trojan horse can allow hackers to gain remote control over your treasured iMac or MacBook.

Once again, the malware was distributed disguised as a legitimate application – in this case, iPhoto, the photo application which ships on modern Macs.

More recently, the Boonana cross-platform worm appeared, using a Java applet to target not just Windows computers for infection, but Mac OS X and Linux too.

Boonana

Sophos detects various components of the attack as Troj/Boonana-A, Troj/KoobStrt-A, Troj/KoobInst-A, Troj/KoobCls-A, Troj/Agent-PDY, Troj/DwnLdr-IOX, and Troj/DwnLdr-IOY. In addition, Sophos’s web protection blocks access to the malicious webpages.

A piece of Mac spyware called Spynion (also known as OpinionSpy or PremierOpinion) came to light, attached to screensavers and other add-ons for users’ Macs.

Spynion would take advantage of users not properly reading End User License Agreements (EULAs), allowing it to spy on browsing habits and search behaviour.

Spynion

Free anti-virus for Macs
In late 2010, Sophos issued a free anti-virus for Mac home users. We have been protecting business customers who have Macs for years, and now there was an opportunity for home Mac users to protect themselves against the threat too, at no charge.

Early reports indicated that there were plenty of Mac users with malware on their computers – some of it Windows malware, some Mac OS X, and some cross-platform.

There’s no doubt that the Windows malware problem is much larger than the Mac threat – but that doesn’t mean that the danger of malware infection on Mac OS X is non-existent.

The events of 2011 would make it clearer to Mac users than ever before that the malware threat was real.

2011

The BlackHole RAT, a Trojan allowing hackers to gain remote access to your Mac, emerged.

Uncompromising text contained inside its code made it clear what the author’s intentions were:

"I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected!

"I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it.

"So, Im a very new Virus, under Development, so there will be much more functions when im finished."

But there were other attacks for Mac users to worry about.

In 2011, a massive search engine poisoning campaign was undertaken by cybercriminals with the intention of infecting Mac users. Apple Mac users were considered a soft target by malicious hackers because of the low adoption rate of anti-virus software.

The initial attacks took the name of a legitimate Mac security program, MacDefender, and – as users searched the web for images – popped up bogus alerts claiming to have found malware on their computers.

The fake anti-virus attack was very similar to ones we had seen many times before for Windows, but this time targeting Mac users instead.

MacDefender scareware setup

MacDefender scareware

Within days, the attacks began to adopt new disguises such as “Mac Security”.

In all of the attacks, the intention was to scare users into believing that their Mac computer had a security problem and fool them into purchasing a solution. In other words, to give your credit card details to the very people who had compromised your computer in the first place!

The scammers had no qualms about poisoning popular search terms such as “Mother’s Day” in their attempt to fool Mac users.

In some cases, once in place, the malware would deliberately pop up inappropriate websites – in an attempt to convince you that you needed to buy a clean-up solution.

Saucy URLs

Saucy website

Mac users had not seen a malware attack impacting them on anything like this scale since the 1990s, and many struggled to protect their computers.

Apple itself seemed also to have been caught napping, and technology writer Ed Bott discovered that calls to the AppleCare support line were “4-5 times higher than normal”, with the overwhelming majority of calls coming from customers who had been hit by a fake anti-virus attack.

With the problem flooding Apple’s online support forums also, perhaps the most surprising news was that Apple’s support reps were ordered not to help users remove the malware.

Leaked Apple memo

Those spreading Mac malware quickly realised that they were not limited to simply poisoning Google’s search results. They also undertook to spread Mac malware via popular social networks, such as Facebook.

When serious allegations of a sex attack were laid against the IMF’s Dominique Strauss-Kahn, hackers took advantage, spreading malicious scareware links across Facebook which could infect both Windows and Mac users.

Facebook malicious link

Scareware attacks continued to cause problems for Mac owners throughout the summer of 2011 with many users coming to realise that perhaps an anti-virus program might be wise after all.

Separately, more malicious attacks occurred targeting Mac users.

For instance, the OSX/Revir-B Trojan disguised itself as a PDF file about a controversy between Japan and China over the contested sovereignty of some islands.

And the Flashback Trojan horse disguised itself as an update for Adobe Flash.

Sophos intercepts Flashback Trojan

Once in place, the Flashback Trojan horse (called OSX/FlshPlyr-A by Sophos products) could allow a remote hacker to gain access to your computer or download further malicious code to your Mac.

It’s perhaps no surprise, with a backdrop of increased malware activity for Mac OS X, that a poll conducted by Sophos revealed that 89% of people would tell their Mac-using friends to install anti-virus software.

Poll results


3 Comments

  1. Posted April 30, 2013 at 3:50 pm | Permalink | Reply

    Fantastic blog! Do you have any recommendations for aspiring writers? I’m planning to start my own blog soon but I’m a little lost on everything. Would you recommend starting with a free platform like WordPress or go for a paid option? There are so many options out there that I’m completely confused. Any suggestions? Thanks!

    • Posted May 1, 2013 at 3:36 pm | Permalink | Reply

      I’m not an expert on blogs. Both of my blogs are operated at the most basic level. There are many folk who do much more with photography, creative themes, interactivity. This blog is mostly just a spewing of my opinion and a republication of what I consider good ideas written by others. My other blog is my own writing, but it is much less frequently updated.
      Technically, I’ve been using WordPress for several years. I have been tempted to put WordPress on my own website, but just find using their domain just fine and can’t see any point.

      My other blog, Traveling Through SpaceTime, is on Blogger–again, the free version. Blogger has more options and tools available at no charge (You can modify the underlying CSS file to some extent, add more widgets, etc.)

      Do go for it.

  2. Posted July 4, 2013 at 3:59 am | Permalink | Reply

    It’s like you read my mind! You seem to know a lot about this, like you wrote the book on it or something. I think that you could do with a few pics to drive the message home a bit, but other than that, this is a wonderful blog. A great read. I will certainly be back.
