Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Does Mac OS X Need Protection?


Posted: 07 Jul 2011 03:00 PM | Anonymous | 3 comment(s)




Over the last couple of months, the concern of whether Mac OS X has become a greater target for attackers has grown, and rightfully so. The Mac OS X market share has steadily increased, and is currently well above 10 percent.

 

From the attackers' standpoint, it always comes down to dollars. At a certain point, if the user base becomes large enough, the profit margin for targeting and exploiting those users makes it reasonable for attackers to invest. Tools, frameworks, and infrastructure are then created, and in many cases much of what has already been built for the Windows platform can be reused. Only the malware and exploits have to change to target specific features of the Mac OS X operating system, because malware and exploits created for Windows will not work on Mac OS X.

 

The fact that Mac OS X hasn't been a major target until recently has given many users a false sense of security. It's not uncommon to hear rants from Mac owners about the inherent security of their invulnerable Mac OS X. The truth is that Macs are as vulnerable as Windows; they just don't have the long-running history of attracting the focus and attention of both blackhat and whitehat vulnerability researchers and malware authors. I might even go as far as to say Macs are more vulnerable than Windows, because Microsoft has been in the security game longer than Apple and has a very well-established product development life cycle in which security testing plays a very large part.

 

Mac OS X Vulnerabilities and Active Exploitation


There were only 34 vulnerabilities identified for the Mac in 2009; in 2010, that number rose to 175. Last month (June 2011), Apple released Java for Mac OS X 10.5 Update 10 and Java for Mac OS X 10.6 Update 5 to address multiple vulnerabilities. Apple also released Mac OS X 10.6.8 and Security Update 2011-004 to address multiple vulnerabilities. Many of these vulnerabilities allow remote code execution. The numerous security updates indicate that the days of vulnerability researchers not paying attention to Macs are coming to an end. It's also interesting to note that in this year's CanSecWest Pwn2Own contest, a fully patched Mac OS X 10.6.6 computer running Safari 5.0.3 was 0wned in less than 5 seconds.


DIY Crimeware Kits


You've probably heard of a few Do-It-Yourself (DIY) crimeware kits for Windows, such as Zeus and SpyEye. DIY crimeware kits are programs that automatically create malware. Until now we've only seen crimeware kits that build Windows malware, but this year the Danish IT security company CSIS Security Group blogged about Weyland-Yutani BOT, a DIY crimeware kit that runs on Windows PCs but is able to target the Mac OS X platform. The builder component of the kit runs on Windows machines, and the user has the option of specifying whether they want the resulting malware to run on Mac OS X; the builder will then create a Mac OS X binary.

 
(Figure 1: Weyland-Yutani BOT admin interface)


The Weyland-Yutani BOT DIY crimeware kit and its ability to create Mac OS X malware is the first of its kind, and could mean we'll be seeing more auto-created Mac OS X malware in the future.

 

Mac OS X Malware

 

More and more malware is turning up targeting Mac OS X. On average, about 5,000 new pieces of Mac OS X malware are received by security companies a day. This is still quite small compared to the 70,000 pieces of malware received targeting the Windows platform. We believe this number will increase by next year, due to the growing Mac OS X market share and the increase in underground interest in creating Mac OS X malware.

 

Mac OS X Rogue Antivirus

 

Rogue antivirus is, and has been, a hugely successful technique for attackers: it scares users into thinking they have been infected when in reality they haven't, and gets them to download what they think is antivirus software, pay for it, and install it on their machine. The end result is that the user pays the attacker directly for installing fake software. This typically happens when a user visits a legitimate site that has been compromised, and a window that looks much like the Windows Explorer window or the desktop pops up indicating that the machine has been infected:


(Figure 2: Windows Rogue Antivirus pop-up window)

 

In reality, the screen above is not Windows Explorer at all; it's a web page that has been created to look exactly like Windows Explorer, in order to scare you into thinking your operating system is telling you that your machine has been infected. By clicking through and continuing, you're then prompted with an option to download and install antivirus software that will remove all the infections. Once you download it and start the installation process, you're asked to pay for it. At this point, if you decide to pay, the attackers have accomplished their goal: they've tricked you into paying them directly for fake software. The software doesn't need to steal anything or hide itself; it's done its job.

 

Attackers running these scams can check from the website which operating system you are running. Until recently they tricked only Windows users, since the graphics on these pages had been crafted to look like the Windows desktop. But attackers have started to target Mac users, and in the last few months the same websites that used to trick only Windows users have been tricking Mac OS X users as well. They started with poisoned Google Image Search results leading to rogue antivirus, followed by Facebook viral scams. The screen will typically look like this for Mac OS X users:


(Figure 3: Mac OS X Rogue Antivirus pop-up window)

 

The screen above looks much like the Mac OS X Finder, the built-in file explorer, and if a user downloads and starts the install process, they, too, are prompted to pay a standard license fee to clean what they assume is an infected machine. The variants that have emerged are Mac Defender, Mac Protector, and Mac Security:


(Figure 4: Mac Defender admin interface)


(Figure 5: Mac Protector admin interface)


(Figure 6: Mac Security admin interface)

 

All of these rogue antivirus variants accomplish the same thing: they trick the user into paying for security issues they never had. After installing, they each do slightly different things, but the goal is always the same: pay the attackers.
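The rogue antivirus pages described above have two recognisable traits from a gateway's point of view: the HTML carries the fake "scan" language (infections found, remove all threats), and it pushes an installer whose format matches the operating system the browser announced (a .pkg or .dmg for the Mac lookalike, an .exe for the Windows one). The following is an added example, not Websense's code and not a description of how ACE works: a small heuristic classifier that takes a User-Agent header and the HTML body served back, derives the client OS from the header, looks for the scareware phrases and an installer link, and reports whether the lure was tailored to that client. The three sample transactions are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample transactions (User-Agent sent by the browser, HTML body
# served back). Illustrative only; not captured traffic.
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.50 Safari/534.50"
WIN_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 Chrome/13.0.782 Safari/535.1"

SAMPLES = {
    "mac_scareware": (MAC_UA, """<html><head><title>Apple Security Center</title>
<meta http-equiv="refresh" content="3;url=/get/MacDefender.pkg"></head>
<body><div class="finder-window"><p>Scanning... 14 infections found!</p>
<p>Your computer is infected. Click here to remove all threats.</p>
<a href="/get/MacDefender.pkg">Download Mac Defender</a></div></body></html>"""),
    "win_scareware": (WIN_UA, """<html><head><title>My Computer</title></head>
<body><div class="explorer-window"><p>Warning! Your computer is infected!</p>
<p>23 threats detected. Remove all threats now.</p>
<a href="/get/setup.exe">Download antivirus</a></div></body></html>"""),
    "benign": (MAC_UA, """<html><head><title>Security Update 2011-004</title></head>
<body><p>Apple has released Security Update 2011-004. Use Software Update to install it.</p>
<a href="/support/HT4723">Read the advisory</a></body></html>"""),
}

# Social-engineering phrases the fake "scanner" windows rely on (hypothetical
# starter list; a production list would be much larger).
ALERT_PATTERNS = [
    r"your (?:computer|system|mac) is infected",
    r"\d+ (?:infections?|threats?) (?:found|detected)",
    r"remove all threats",
    r"scanning\.\.\.",
]

# An installer reachable via a link or a meta-refresh redirect. The extension
# also tells us which platform the lure was built for.
INSTALLER_RE = re.compile(r"""(?:href|url)=["']?([^"'\s>]+\.(pkg|dmg|exe|msi))""", re.I)
PLATFORM_BY_EXT = {"pkg": "mac", "dmg": "mac", "exe": "windows", "msi": "windows"}


@dataclass
class Verdict:
    client_os: str                 # what the browser announced in its User-Agent
    lure_os: Optional[str]         # platform the pushed installer is built for
    alert_hits: List[str] = field(default_factory=list)
    installer: Optional[str] = None
    block: bool = False
    tailored: bool = False         # lure matches the client's OS, as the scams above do


def client_os(user_agent: str) -> str:
    """Coarse OS identification from the User-Agent header."""
    ua = user_agent.lower()
    if "mac os x" in ua or "macintosh" in ua:
        return "mac"
    if "windows" in ua:
        return "windows"
    return "other"


def classify(user_agent: str, html: str, min_hits: int = 2) -> Verdict:
    """Flag a page as rogue-AV when it combines scare phrases with an installer push."""
    text = re.sub(r"<[^>]+>", " ", html)   # crude tag strip; enough for phrase matching
    hits = [p for p in ALERT_PATTERNS if re.search(p, text, re.I)]
    m = INSTALLER_RE.search(html)
    installer = m.group(1) if m else None
    lure = PLATFORM_BY_EXT.get(m.group(2).lower()) if m else None
    v = Verdict(client_os=client_os(user_agent), lure_os=lure,
                alert_hits=hits, installer=installer)
    # Scare language alone is common on legitimate security pages; require the
    # installer push as well before blocking.
    v.block = len(hits) >= min_hits and installer is not None
    v.tailored = lure is not None and lure == v.client_os
    return v


if __name__ == "__main__":
    for name, (ua, body) in SAMPLES.items():
        v = classify(ua, body)
        print(f"{name:15s} client={v.client_os:7s} lure={v.lure_os} "
              f"hits={len(v.alert_hits)} installer={v.installer} "
              f"block={v.block} tailored={v.tailored}")
```

Requiring both the scare phrases and an installer push keeps the rule from firing on an ordinary advisory page such as the benign sample, which talks about a security update but offers no download. The `tailored` flag is the part worth logging: when a Windows-style lure is served to a Mac User-Agent the page is simply clumsy, but when the installer format tracks the announced OS, the site is doing the OS check this post describes.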

 

Conclusion

 


So, yes, Mac OS X needs protection, at the moment mainly from its own users. Exploitation is still fairly minimal, and common sense should help users avoid being socially engineered (tricked) into downloading, installing, and ultimately willingly handing over their credit card details and payment to the bad guys.


Websense Security Labs is dedicated to keeping up with the latest emerging threats, be it for Windows, Macs, or any operating system. Our concern is the safety of our users. We continually deploy protection measures into ACE, our Advanced Classification Engine, to detect and block all web content that serves exploits and malware, regardless of what operating system it targets.

 

As a home user, follow these best practices to protect yourself online:

 

  • Do not download or open files from untrusted websites 
  • Do not click on links from unknown or untrusted web sites or suspicious links from trusted sources
  • Do not open e-mail attachments from unknown users or suspicious emails from trusted sources
  • Apply appropriate patches to vulnerable systems immediately after appropriate testing
  • Educate yourself on common threats so as to recognize them and avoid being tricked into falling victim to them

 


Please leave feedback or comments, so we can make sure to fully address any questions or concerns you have about Mac OS X security threats.

Thanks!

Stephan Chenette - Principal Security Researcher



Comments

lance arzadon said on Friday, July 08, 2011 2:10 AM

So this will not be prompted on my workstation if our gateway is secured by Websense? I am referring to the fake AV that is running in browsers (looks like Windows Explorer).

Anonymous said on Friday, July 08, 2011 2:32 PM

Hi Lance. That is correct: if you are running a Websense product with ACE technology and real-time detection, the web page that is serving the rogue AV binary will be blocked, so your users won't even be prompted with the binary.

Our approach is protection in depth. We detect and block the web page, and have additional protection mechanisms for the rogue AV binary.

lance arzadon said on Saturday, July 09, 2011 8:13 PM

Thank you very much for the information Stephan. :)

