History of Mac Malware

Webroot Blog, October 2, 2015 (last modified May 30, 2018)
https://www.webroot.com/blog/2015/10/02/history-of-mac-malware/

Mac malware: the subject that fanboys of each side love to argue about. The fact is that malware for the Mac is real, and it continues to grow as a problem. In 2012 Apple removed the statements "It doesn't get PC viruses" and "A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers." I would like to shed light on Mac malware from the beginning to now, in the hope that it brings an understanding of why security is needed on every operating system, including your Mac (https://www.webroot.com/us/en/home/products/antivirus-for-mac).

1982 – The first threat was Elk Cloner (which did not actually affect the Mac); it caused the Apple II to boot up with a poem:

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!

It will stick to you like glue
It will modify RAM too
Send in the Cloner!

1987-2003

Several malware families appeared in this period, but since they target an operating system that is no longer really in use, I won't go into great detail. In 1987 the nVIR virus began to infect Macintosh computers. In 1988 HyperCard viruses started to gain traction; HyperCard was software created by Apple that executed scripts immediately on opening. MDef was discovered in 1990 and infected application and system files on the Mac. In 1995 Microsoft released a virus called Concept that infected both PC and Mac users via Microsoft Word. In 1996 Laroux, the first Excel macro virus, was found, but it didn't actually do anything to Macs until Excel '98 was released. In 1998 both AutoStart 9805 and Sevendust were discovered.

2004-Present – This brings us to the modern operating system we all know and love, OS X, and to the time frame in which threats were created that can still affect systems in use today.

2004 – Renepo was found. It had the ability to disable the system firewall, and it would try to copy itself to /System/Library/StartupItems.

2004 – Amphimix, a program which is also an MP3 file. When launched it displays a dialog box that reads "Yep, this is an application. (So what is your iTunes playing now?)" It then loads itself into iTunes as an MP3 file called "Wild Laugh", playing four seconds of laughter.

2006 – Leap is widely considered to be the original Mac Trojan. Leap used iChat to spread, forwarding itself as a latestpics.tgz file to the contacts on the machine. Inside the gzipped tar file (.tgz) was an executable masked as a JPEG. When executed, it infected all Cocoa applications.

2006 – Inqtana was the second worm for Mac OS X. The worm propagated through a vulnerability in unpatched OS X systems.

2008 was a big year for Mac malware… Apple published an advisory to use antivirus software. They removed the statement from their website after it had been up for about two weeks.

2008 – BadBunny is a multi-platform worm written in several scripting languages and distributed as an OpenOffice document containing a macro. It spreads by dropping script files that alter the behavior of popular IRC (Internet Relay Chat) programs, causing them to send the worm to other users.

2008 – RSPlug is a Trojan that changed DNS settings to send users to malicious servers. It originally spread as a video codec downloaded from various porn websites.

2008 – AppleScript.THT tries to disable security software, steal the user's passwords, turn on file sharing, take screenshots of the desktop, and take a photo of the user via the built-in camera. The malware exploits a vulnerability in the Apple Remote Desktop Agent, which allows it to run as root.

2008 – MacSweeper, the Mac's first "rogue" application (a fake antivirus that misleads users by reporting infections that don't exist). When the infected user tried to remove the "infections", MacSweeper asked for credit card details and a $39.99 payment for a "lifetime subscription serial key."

I won't lie, before I got into threat research, I ended up with this on my Mac…

2008 – Hovdy tried to install itself to /Library/Caches. It disabled syslog and system updates, stole password hashes, opened ports in the firewall, disabled security software, installed the LogKext keylogger, and started a web server, VNC, and SSH. It also tried to gain root access by way of the ARDAgent vulnerability.

2009 – Iservice was discovered in a pirated version of iWork '09. It copied itself to /usr/bin/iWorkServices and tried to execute an HTTP request. Updated variants were later found in pirated versions of many heavily used programs.

August 28, 2009 – Apple released an anti-malware tool called XProtect; at release it could protect a Mac against only two threats (RSPlug and Iservice).

2010 – HellRTS (aka HellRaiser) is a Trojan that allows a remote user to control the computer. The remote user can transfer files, pop up chat messages, display pictures, and even restart or shut down the infected machine.

2010 – Boonana, a Trojan that spread via social media and email disguised as a video. It runs as a Java applet, which downloads its installer to the machine. Once installed it runs in the background and communicates with a variety of servers, such as command and control servers.

2011 – MacDefender, another rogue like MacSweeper, installs itself into the /Applications folder and wants you to pay for the "infections" to be removed from your Mac.

2011/2012 – Flashback was disguised as a Flash Player download and targeted a Java vulnerability on Mac OS X. The system is infected after the user is redirected to a compromised or bogus site, where JavaScript code causes an applet containing an exploit to load. Flashback was the largest Mac attack to date, hitting more than 600,000 Mac computers.

2013 – Lamadai, a backdoor Trojan, targeted NGOs (Non-Governmental Organizations) and exploited a Java vulnerability to drop further malware code.

2013 – Hackback spied on victims: it was designed to take a list of certain file types, find all files matching those types, compress them into a zip located in /tmp/, and upload it to a remote server.

2014 – LaoShu went viral via spam emails posing as a notification from FedEx. It contacts a remote server, sending system information, files, and screenshots. It is important to note that it was signed with a valid Apple developer ID certificate.

2014 – CoinThief is designed to steal Bitcoins from infected machines and is disguised as legitimate apps. Its source code was on GitHub for a while under an app named StealthBit.

It's worth mentioning that these have been the main threats seen on the Mac, not all of them. There are many smaller variants and proofs of concept that are not listed. I also didn't include any adware variants such as Genieo or VSearch here, but I did write about them in my last blog. Even after seeing all of these there will still be those who refuse to believe that their Mac is vulnerable to attack, but trust me, it will only get worse from here. Apple is increasing its market share, and with that comes an opportunity for malware writers to make more money.