Mac Malware

Reports Show A Surge In Highly Targeted Malware For Macs

The security world has long warned Mac users that the scarcity of malware targeting their machines reflects cybercriminals' focus on Windows' larger market share, not any superiority of Apple's security. Human-rights groups now warn that the illusion of security Mac users once enjoyed is a thing of the past, after attackers succeeded in infecting their networks in highly targeted espionage attacks.

At this year's SecTor conference in Toronto (Toronto's IT Security Conference), security researcher Seth Hardy of the University of Toronto's Citizen Lab warned that 2012 has seen a significant increase in new variants of targeted, Mac-focused malware reported by the human rights organizations Citizen Lab seeks to aid. So far this year, five new types of espionage malware for Apple's operating system have been reported, compared with just one in 2011 and none in prior years.

“This was a very rare anomaly in 2011. This year it is part of the new normal,” says Hardy. “Attackers have noticed that a lot of organizations are using Macs. If they want to target these organizations, they need a wider range of tools to get into these systems.”

The most prominent example of Mac malware to appear in 2012 was Flashback, a cybercriminal botnet that hijacked machines for click fraud and used a Java vulnerability to infect more than 600,000 Macs at its peak. But that kind of fraud-focused mass malware concerns Citizen Lab less than the more targeted and less widely known samples that activists find on their networks and anonymously pass on to Citizen Lab's researchers.

Here are the targeted Mac malware samples Hardy mentioned at the SecTor conference in Toronto:

  • Revir/IMuler: Revir was first spotted in May 2011 and reappeared in infections throughout 2012, carried in spoofed emails with content crafted to appeal to specific recipients. The malware can steal files from the target machine or send screenshots of it to a remote server. According to various antivirus firms, the latest versions of Revir can also evade analysis by shutting down when they detect analysis tools running.
  • Sabpab: Also known as Sabpub, Olyx, Lamadai, Lasyr, and other names, Sabpab was initially delivered using vulnerabilities in Java to infect target machines. Like Revir/IMuler, it is capable of sending files or screenshots to its controllers, and Hardy says it will continue to be used in future attacks.
  • Maccontrol: This program is often delivered in a .zip file and can take full control of an infected machine. Citizen Lab traced its command-and-control servers and matched them to a Windows-based attack on the same group.
  • Davinci: Also known as Morcut and Crisis, Davinci is commercially available spyware built by the Italian security company Hacking Team.
  • Netweird: A low-grade commercially sold spyware targeting Macs that was first discovered by the antivirus firm Intego. Hardy says that despite seeing advertisements for the program in hacking forums, it has yet to be seen on real-world networks.

Hardy says that Citizen Lab cannot reveal the direct source of its malware samples due to agreements established with the human rights groups it deals with, although he will say that many of the groups are in the Tibetan activist community. And given the difficult nature of tracing cyber-attacks, Citizen Lab has not tried to identify the malware variants’ sources.


Five examples of Apple-focused, targeted malware in a single year, up from one in 2011 and none before that, show that determined attackers with a specific victim in mind can now compromise Macs when it suits their purposes. Apple's code base may be marginally more secure than Windows, but the rising motivation of skilled attackers to target Macs means any sense of immunity has disappeared.

Mac-focused, targeted malware is growing in both volume and sophistication. Organizations that use Apple machines should take the same precautions as everyone else: teach staff to treat email attachments and external links with skepticism, since either may run a software exploit on their machine or route them to an infected web page, and run antivirus software as a second layer of defense.

Though Mac-focused malware is a relatively new phenomenon, it is no surprise that Apple's software is exploitable. Despite the company's hints that its machines are immune to viruses, researchers have been demonstrating weaknesses in its defenses for years.

In June, even Apple itself tacitly admitted that its machines are increasingly targeted by malware, removing a claim from its website that Macs "do not get PC viruses". That is a clear sign that Windows' status as the larger temptation for attackers no longer offers Mac users real protection.

– Andy Greenberg 10/08/12, Forbes Staff –