OS X security myths dismantled by the recent developments in the malware landscape


The past couple of weeks have mostly been about Mac threats. Once touted as being the crème de la crème of system security, the Mac OS X systems are now faced with an assortment of e-threats ranging from intelligently-crafted rogue antivirus utilities to highly advanced malware development tools. On top of that, the large number of 0-day exploits and flaws in both Apple software and third-party apps make it harder for the regular Mac OS X user.

MacDefender: classical Rogue AV with a twist

Rogue antiviruses may not be breaking news for the OS X user, since they have been around for a while, but the new contender called MacDefender takes the business to a whole new level. This classic example of truly efficient search engine poisoning, paired with the “Open ‘Safe’ files after downloading” option in Safari, made it easy for the crooks behind the MacDefender business to automate the extraction of the malware from its archive and launch it without the user’s interaction. In order to get installed, the application still asks for the administrator’s password, but most inexperienced users will actually fall for this.

Figure: The MacDefender Rogue AV is hard at work

The installation process goes like this: the Mac user performs an image search query (such as a lookup for pictures related to Osama Bin Laden’s death). When the user clicks on a poisoned link, a fake scanner pops up on the screen, initializing a bogus scan that ends up triumphantly announcing to the user that his system is swarming with malware. This is common practice in the case of a rogue AV. At this point, the victim is hooked and ready to open his wallet in order to pay for a solution to this problem.

The fake scanner offers the answer: a not-yet-registered antimalware solution appears on the screen. The user only needs to download a .zip file with a filename like "BestMacAntivirus2011.mpkg.zip". It will start "disinfecting" the moment the user pays a “small” fee that the victim perceives, under the circumstances, as a blessing. Apart from the sum of money, the cyber-crook at this point holds the user’s credit card details as well.

This piece of malware was originally discovered on May 2nd, and ever since, new morphed variants have been emerging under different names, such as MAC Defender, Mac Security and Mac Protector.
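The delivery chain described above rests on two observable conditions: Safari's "Open 'safe' files after downloading" setting being on, and an installer package arriving wrapped in a "safe" archive from a poisoned image-search result. The following is an added example, not code from the original post or from BitDefender, of a small audit heuristic that checks both. The `defaults` dump format, the download record layout and the referrer URLs are constructed for the illustration; the Safari preference key `AutoOpenSafeDownloads` and the family names are the only real identifiers.

```python
"""Added example: heuristic audit for the MacDefender delivery chain.

Inspects a constructed Safari preference dump (the shape `defaults read
com.apple.Safari` prints) and a constructed list of download records, and
reports the conditions that let the rogue AV unpack and launch itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Rogue AV family names given in the post (matched case-insensitively, with
# spaces/underscores ignored so "MAC Defender" and "MacDefender" both hit).
ROGUE_AV_FAMILIES = ("MacDefender", "MacSecurity", "MacProtector")

# Installer package extensions that Safari would launch after unpacking a
# "safe" archive (the BestMacAntivirus2011.mpkg.zip case from the post).
INSTALLER_EXTENSIONS = (".mpkg", ".pkg")

SAFARI_AUTO_OPEN_KEY = "AutoOpenSafeDownloads"  # real Safari preference key


@dataclass
class DownloadRecord:  # assumed record layout for this illustration
    filename: str
    referrer: str  # URL the download was triggered from


def _normalize(name: str) -> str:
    return re.sub(r"[\s_\-]", "", name).lower()


def auto_open_enabled(defaults_dump: str) -> bool:
    """True when Safari would auto-open "safe" downloads.

    Safari's factory default is enabled, so a dump that lacks the key is
    treated as enabled rather than as safe.
    """
    m = re.search(re.escape(SAFARI_AUTO_OPEN_KEY) + r'"?\s*=\s*(\d)', defaults_dump)
    return True if m is None else m.group(1) == "1"


def _from_image_search(url: str) -> bool:
    """Heuristic for the poisoned image-search entry point the post describes."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return host.startswith("images.") or "tbm=isch" in p.query or "/imgres" in p.path


def classify_download(rec: DownloadRecord) -> list[str]:
    """Return the reasons a single download looks like the rogue-AV chain."""
    reasons: list[str] = []
    lower = rec.filename.lower()
    is_archive = lower.endswith(".zip")
    is_payload = is_archive or lower.endswith(INSTALLER_EXTENSIONS)
    # Installer package hidden inside an archive: name.mpkg.zip / name.pkg.zip
    if is_archive and lower[:-4].endswith(INSTALLER_EXTENSIONS):
        reasons.append("installer package inside 'safe' archive")
    if any(_normalize(f) in _normalize(lower) for f in ROGUE_AV_FAMILIES):
        reasons.append("rogue AV family name in file name")
    # Only an archive/installer coming from an image search is suspicious;
    # a plain .jpg from an image search is the normal case.
    if is_payload and _from_image_search(rec.referrer):
        reasons.append("installer/archive downloaded from an image-search page")
    return reasons


def audit(defaults_dump: str, records: list[DownloadRecord]) -> list[str]:
    """Combine the preference check and the per-download checks."""
    findings = []
    if auto_open_enabled(defaults_dump):
        findings.append(f"Safari {SAFARI_AUTO_OPEN_KEY} is on: archives are unpacked and launched automatically")
    for rec in records:
        for why in classify_download(rec):
            findings.append(f"{rec.filename}: {why}")
    return findings


# Constructed sample input (not real data).
SAMPLE_DEFAULTS = """{
    AutoOpenSafeDownloads = 1;
    HomePage = "https://www.apple.com/";
}"""

SAMPLE_DOWNLOADS = [
    DownloadRecord("BestMacAntivirus2011.mpkg.zip", "https://images.example.com/search?q=breaking+news"),
    DownloadRecord("MacProtector.mpkg.zip", "http://example.org/landing.html"),
    DownloadRecord("vacation.jpg", "https://images.example.com/search?q=beach"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_DEFAULTS, SAMPLE_DOWNLOADS):
        print(line)
```

On a real machine the preference dump would come from `defaults read com.apple.Safari`, and the download records from Safari's download history; the heuristic is deliberately narrow, flagging only the archive-wrapped-installer pattern and the family names the post lists rather than every archive a user downloads.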

Heavy Duty malware kits

Next in line is a DIY crimeware kit we have been hearing about since last month. Known by now under the name of Weyland-Yutani, this malware creation tool is meant to grow a nice new botnet with the help of cybercriminal wannabes. The builder has been sold on underground forums for a while now and lets less tech-savvy cyber-thugs create their own malware by simply filling in some info in its builder. The Weyland-Yutani kit is equipped with a builder and an admin panel, and it can also support encryption. The resulting bots support web injects and form grabbing in Firefox and – judging by the claims of its author – both Chrome and Safari will soon follow. The web-inject templates are identical to the ones used in Zeus and SpyEye. It is true that there have been other attempts at creating Do-It-Yourself malware kits for Mac OS X users, such as the HellRaiser bundle, but the Weyland-Yutani bundle is much more sophisticated.

The good news is that its author no longer sells the kit to individuals, which means that only a few builders have been bought by now. The bad news is that we’ve seen this move back in the heyday of Zeus, when the original DIY kit was pulled only to be improved and sold as SpyEye.

Software flaws leading to remote code execution

Last month’s update pack coming from the Cupertino-based vendor has an impressive log. According to the Apple Security Bulletin for April, the company has delivered no fewer than 9 fixes for various types of attacks ranging from buffer overflows to memory corruption in multiple applications and libraries. All of these flaws allow arbitrary code execution when a malicious movie file or image is opened. To be more specific, when you open a movie or image from the web, someone may actually execute code (plant malware) on your OS X computer without your intervention. No administrator password required.

Other fixes address buffer overflow and memory corruption issues in font-handling components that also allow a remote attacker to install malware on the computer without the user’s interaction. Exploitation is as simple as visiting a website containing a specially crafted embedded font. Privilege escalation is also present in the bulletin: “A privilege checking issue in the i386_set_ldt system can result in a local user being allowed to execute arbitrary code with system privileges,” the document states. This means that, in special circumstances, non-administrators are able to execute and install software, which makes social engineering a lot easier.

I’m not going to discuss the other vulnerabilities in third-party software that can get your Mac-running machine owned, but it’s worth mentioning that Skype issued an advisory documenting a flaw that allows an attacker to take control of the system by simply sending a specially crafted message. That’s easy, eh?

Bottom line

Now that Mac OS X has gained well above 10 percent of market share, cyber-crooks seem to have taken its users into their crosshairs. If you think that you still don’t need a security solution just because you’re running Mac OS X, then you’d probably be shocked to learn that during the latest Pwn2Own contest a fully-patched Mac OS X 10.6.6 computer running Safari 5.0.3 was owned in less than 5 seconds, leaving it open to further attacks.

BitDefender is aware of the fact that Mac OS X users also need protection. We have developed a fully-fledged antivirus with antiphishing technology that stops malware and phishing attempts cold. If you’d like to try it out for 30 days, just point your browser to the product’s page and discover a safer way to do everything you’d like with your Mac OS X computer.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.