Malware to Bite Apple in 2009

2009 could be a horror year for Mac users, writes Patrick Gray...

It's been easy to see why, historically, most Mac users haven't felt the same level of security-related anxiety as Windows users. Until now, no one has really bothered targeting them.

When commentators like this one dared suggest, in 2003, that Apple's OS X software was susceptible to the same sorts of vulnerabilities that have plagued other operating systems, the reader reaction was so severe it was worrying.

Indeed, one of the comments posted on the piece by a particularly passionate reader suggested ZDNet's Sydney bureau would make an excellent destination for a truck laden with explosives.

Keep in mind that in 2003 there were few vulnerabilities being disclosed in OS X, leading most consumers to genuinely regard it as more secure. But from there, a trickle of bugs began to be disclosed. By 2008, OS X was giving Windows a real run for its money in terms of the number of bugs being disclosed and patched. The myth of OS X as a "secure" operating system was destroyed among the more savvy types in the IT industry, and Apple dropped its rhetoric about its operating system's amazing invulnerability to malware.

Yet in the years since, the malware never showed up. Sure, anyone with half a clue could trigger a client-side exploit in OS X, but what then? The science of writing Trojans for Windows-based operating systems is mature; staff at CERT teams and AV companies have actually found comments and evidence of revision control in modern PC malware.

Mac malware has been primitive in the extreme by comparison -- the bad guys just haven't built up their OS X chops yet.

Last year, news of simple script-based Mac malware doing the rounds surfaced. The badware would simply alter the user's DNS settings, so it was pretty simple stuff. Some may argue that's actually pretty serious -- if an attacker can control their target's DNS, a man-in-the-middle hack is trivial, thanks to browser insecurity (Hi, Safari!). Still, this early Mac malware was hardly what you'd call sophisticated.

But now we're seeing some much, much nastier stuff. Risky.Biz forwarded a recently obtained Apple malware sample to two parties -- Paul Ducklin at Sophos (disclaimer: Sophos is a sponsor) and a contact who'd prefer not to be named.

Paul had seen that sample before, and Sophos's products detected its payload. But it was what the other had to say that I found particularly interesting.

His analysis indicated the sample -- which pops up as a flash installer on, err, "video sites" -- may in fact automatically trigger upon download. How? Well, every time Safari downloads a file with a DMG (Apple disk image) extension, it will auto-mount it when the download's complete.

That's really handy, but also a security issue, especially when you remember that there have been buffer overflow vulnerabilities in the code OS X uses to mount DMG disk images. So if a user hadn't patched against the DMG overflow, all they'd have to do is click "ok" to a bogus Flash installer notification, served from the domain apple-updates.com. OS X would do the rest for you.

My contact couldn't be 100 percent sure the sample was trying to trigger the DMG bug, but even the possibility should give us pause; it would mean the badware is getting much smarter.

To be fair, Windows still does some similar, super-daft things. The Conficker malware is currently spreading left, right and centre because it's basically impossible to disable autorun in Windows without resorting to a registry hack.

The payload in the Mac malware sample in question was a 'dloader,' tasked with connecting to some shady data centre in Eastern Europe and downloading more bad stuff.

This is much more sophisticated than a script that just alters some DNS settings. It's closer in sophistication to the malware we've been seeing targeting PCs for the last 10 years.

Interestingly, we haven't seen this dloader actually grabbing a payload yet. That tells me these guys haven't bothered actually writing a serious Trojan yet -- they've just sent the first stage of the attack out there to see how many bots they wind up with.

If they get enough, undoubtedly they'll actually create some "real" malware for it, and begin distributing it to pre-infected hosts.

So that's it folks. Mac malware has arrived, and what a party it's going to be. Most Mac users are convinced they're using a magical, impenetrable platform, so they don't actually use antivirus software. Apple's advertising campaigns of yesteryear actually encouraged that mentality. Combine that with Apple's expanding market share, and the average Mac user is now a very tempting target. A sitting duck, if you will.

Enjoy the next couple of malware free months, Mac users, because you're in for a rough ride in '09.

Patrick Gray is the managing editor of Risky.Biz and the host of the Risky Business security podcast.