Cybercriminals Set Their Sights on Mac Users

Written by: Ryan Angelo Certeza

For the longest time, one of the Mac OS X’s greatest advantages over Windows OSs has been the limited number of malware targeting the former. This has made Macs a more attractive choice for users, as these do not necessarily require the installation of security software. Unfortunately, this is no longer the case.

Malware specifically targeting Mac OS X have been around for years now though it seems cybercriminals are only starting to pay the platform more attention. Two noteworthy threats targeting Mac users have recently surfaced – FAKEAV and Flashback. The most recent of the two, Flashback was reported to have infected thousands of computers located mainly in the United States and Canada. This news clearly debunks the notion that Mac is malware-free.

In this article, we take a closer look at Flashback, FAKEAV, and other threats that have hounded Mac users for the past years.

Which noteworthy attacks have targeted Mac users?

  • FAKEAV

Last year, FAKEAV threats targeted Mac users via blackhat search engine optimization (SEO) attacks that use Google's image search. Users were served links that led to either FAKEAV landing pages or to sites that host the BlackHole Exploit pack. What was more interesting, however, was the fact that the landing pages have been specially crafted to imitate Mac OS X’s look and feel.

As of this writing, the FAKEAV used the following product names in its attempt to infect unsuspecting users' systems:

  • MacSecurity
  • MacProtector
  • MACDefender
  • MacSweeper
  • iMunizator
  • Mac Shield
  • MacGuard

Trend Micro detects the FAKEAV variant as OSX_FAKEAV.A.

How does OSX_FAKEAV.A arrive on users’ systems?

Mac users utilizing Google’s image search feature may inadvertently download a FAKEAV variant detected by Trend Micro as OSX_FAKEAV.A. To carry out the attack, cybercriminals hijack top-ranking search results using a combination of top Google search results for particular keywords and image search results for hot-linked images returned for the same keywords. When these links are clicked, they redirect users to FAKEAV landing pages. A more recent discovery, OSX_DEFMA.B, is spreading through Facebook status messages.

Once installed, OSX_FAKEAV.A displays fake alerts that warn users of infection. It also displays fake scanning results just like typical Windows-based scareware to convince users to purchase the full version of the rogue antivirus software.

  • Flashback

Flashback is a family of Trojans and most recently, backdoors. It was first found in October 2011 masquerading as a Flash Player installer. Its next wave of variants were discovered to be dropped by malicious Java files that targets vulnerabilities found in Java. Flashback typically exploits vulnerabilities to modify the content of the web browser. OSX_FLASHBACK.AB exploits CVE_2012-0507.

What does OSX_FLASHBCK.AB do?

OSX_FLASHBCK may be dropped by another malware. As mentioned above, This malware exploits CVE-2012-0507. The said vulnerability was already patched for Windows environments as early as February 2011. Apple has already released the same patch to Mac users.

Based on our analysis, OSX_FLASHBCK.AB has domain generation algorithm (DGA). This means that it randomly generates domains to connect to at a given time. Currently, we have seen that it connects to five different domains.

This routine poses greater risks to systems as well as the data in it. It may do this to report infections to remote users. It can also use this routine to communicate with a server. It may use this routine to download malware, or send stolen information.

We have also found other variants of FLASHBACK that users should be aware of:

  • OSX_FLASHBCK.A – Trojan disguised as a Flash Player installer for Mac
  • OSX_FLASHBCK.DL – exploits two Java vulnerabilities
  • OSX_FLASHBCK.IC – steals information via injection into web browsers

What are the other known Mac malware?

Most of the previously discovered Mac malware were disguised as free software. Other Mac malware were downloaded onto systems from malicious sites. The following list shows some of the Mac malware we have seen so far:

  • OSX_KROWI.A: Poses as a component of a pirated version of iWork ’09.
  • OSX_JAHLAV.D and OSX_JAHLAV.C: Disguised as MacCinema installers.
  • OSX_HELLRTS.A: Arrives as a fake iPhoto installer that had backdoor capabilities.
  • OSX_RSPLUG.B: Displays a MacCinema installation graphical user interface (GUI).
  • OSX_OPINIONSPY.A: Bundled with screensavers that sniff instant-messaging (IM) conversations and that monitor Real Time Messaging Protocol (RTMP) data packets.
  • OSX_JAHLAV.K: Creates a cron job to enable its periodic execution.
  • OSX_LEAP.A: Spreads through iChat.
  • OSX_INQTANA.A: Spreads via Bluetooth.
  • OSX_LOSEGAM.A: Bundled as a gaming application.

Apart from attacks that specifically target Mac OS X, cross-platform threats likewise pose risks to users. These leverage various social engineering tactics to trick users into giving out sensitive data regardless of the OS they use. These include spamming and phishing attacks on social networking sites.

During our research, we have also uncovered threats that are not only Mac OS specific, but are also directed towards specific parties. Below are some of these threats:

  • OSX_KONTROL.EVL and OSX_KONTROL.HVN. Both are dropped files of TROJ_MDROPR.LB, which arrives as a malicious .DOC file attached to specific email.
  • OSX_OLYX.EVL. The malicious JAVA_RHINO.AE exploits the vulnerability cited in CVE-2011-3544 to drop this Mac OS backdoor. Once installed, OSX_OLYX.EVL communicates with its C&C server to send specific information.

Despite its claim of invincibility, Mac computers have been faced with several noteworthy security issues since it was first launched in the 1980s. Below are some of these threats:

Why are Mac attacks noteworthy?

Attacks targeting Mac users show that cybercriminals are giving Mac OS X’s growing market share its due attention. The frequency and scope of these attacks will only increase in the near future, along with the growing popularity of Apple products like iPods and iPads, and the iPhone. These attacks continue to finance cybercriminals' efforts. But social engineering attacks remain cybercriminals’ favorite tool against Mac users.

The Flashback threat made the headlines due to the large amount of possibly infected machines. According to reports, an estimated number of 650,000 Mac systems all over the world are still infected with the Flashback Trojan. The sheer number of infected machines and the other Mac-related threats disproves the supposed resilience of Mac OS against malware.

Based on our Trend Micro™ Smart Protection Network™ , users from the United States are the most affected by OSX_FLASHBACK.AB. See the chart below for the total feedback count.

What do the recent Mac attacks mean for users?

Macs are not invincible. They can be as susceptible to threats as systems running on Windows OS. Macs initially appeared to be malware-free because cybercriminals were focused more on targeting the Windows OS. The user base of Macs was not large enough to be of interest to crooks who want to profit from as many users as possible. However, the growing popularity of Mac among users make it more appealing to cybercriminals.

Also worth noting is that Macs may be an attractive target for cybercriminals because of its user base. Macs are generally more expensive compared with PCs, which indicates the income level of Mac users. A study concurs that most Mac users are likely to earn than PC users.

We can also expect other threats like online banking Trojans to shift to Macs because of its importance and prevalent usage among Internet users.

Does Trend Micro™ Smart Surfing for Mac protect users from Mac threats?

Trend Micro Smart Surfing for Mac, powered by the Trend Micro Smart Protection Network™, protects users from all known Mac malware variants and their components. Web reputation technology blocks user access to malicious sites in order to prevent malware downloads. Despite this, however, users are strongly advised to keep their systems up to date.

What can Mac users do to prevent these threats from infecting their systems?

Mac users can follow many of the best practices that PC users live by to stay safe from all of the featured threats. Here are some tips:

  1. Avoid clicking suspicious links in spammed messages
  2. Delete malicious attachments in email (especially those that come from unreliable sources)
  3. Refraining from visiting suspicious sites
  4. Watch out for social engineering attacks that come in the form of social networking scams,
  5. Ensure that your security software can block access to malicious sites to keep malware from reaching systems.

Choosing your security software, of course, should be done with the utmost care and vigilance. FAKEAV targeting Mac systems aims to trick users that it's a legitimate security solution. When in doubt about your chosen security solution, this simple test should be able to help you find out if what you installed is a legitimate security program or a strain of FAKEAV.

Users should always be cautious and vigilant, no matter what device they're using. Cybercriminals are always trying to find ways to catch the unsuspecting user off guard. As such, it's best not to give them any chance to.

FROM THE FIELD: EXPERT INSIGHTS

“FAKEAV variants continue to be the most prolific method by which cybercriminals generate income. They have now demonstrated that Mac users are a viable target. We can expect to see many of the same tricks used against PC users to be successfully leveraged against Mac users.”—Nart Villeneuve, Trend Micro senior threat researcher

“For a long time, Mac users seemed to be relatively safe from malicious attacks. However, FAKEAV has proven that no OS is safe, especially when cybercriminals employ social engineering to proliferate threats. It's as if FAKEAV has tagged Mac OS X as the freshest and most interesting exploit target. It wouldn’t be surprising for banking Trojans and botnets for Macs to make their presence known in the near future.”—Erika Mendoza, Trend Micro threat response engineer