This paper on Apple security was written and presented at EICAR 2010 with Pierre-Marc Bureau, a friend and colleague at ESET, and Andrew Lee, then with K7 Computing but also a long-time friend and colleague and now CEO of ESET North America. “Perception, Security, and Worms in the Apple” was presented at the 2010 EICAR conference in Paris on 11th May 2010. Available here by kind permission of EICAR (http://www.eicar.org/).
Download here: EICAR Apple Security
Apple’s customer-base seems to be rejoining the rest of the user community on the firing line. In recent years, criminals have shown increasing interest in the potential of Mac users as a source of illicit income, using a wide range of malware types, while issues with jailbroken iPhones have highlighted weaknesses in Apple’s reliance on a white-listing security model.
A recent survey carried out on behalf of the “Securing our eCity” community initiative, however, suggested that Mac (and, come to that, PC users) continue to see the Mac – or at any rate OS X – as a safe haven, while Apple seems wedded to the idea that it has no security problem.
However, analysis of hundreds of samples received by our virus labs tells a different story. While the general decline of old-school viral malware is reflected in the Macintosh statistics, we are seeing no shortage of other malicious code including rootkits such as WeaponX, fake codec Trojans, malicious code with Mac-specific DNS changing functionality, Trojan downloading and installation capability, server-side polymorphism, fake/rogue anti-malware, keyloggers, and adware (which is often regarded as a minor nuisance, but can sometimes have serious impact on affected systems).
Nor is this just a matter of Mach-O (Mach Object File) format binaries: scripts (bash, Perl, AppleScript), disk image files, Java bytecode and so on are also causes for concern. While neither the possibility nor the actual existence of a threat always equates to the probability of its having measurable impact, we take the position that the tiny proportion of compromised machines reflects, at least in part, the still limited market penetration of Apple products. The surprisingly swift escalation of exploits of a single iPhone vulnerability from PoC code to multi-platform hacker tool to functional botnet has perhaps been given more exposure than its impact in terms of affected machines might deserve, yet it demonstrates how closely criminal elements are watching for any weakness that might be turned to advantage.
A security model based on white-listing and restricted privilege, implemented on the presumption of the user’s conformance with licence agreements, can fail dramatically where there is an incentive to circumvent security for convenience or entertainment. Some types of attack (phishing is an obvious example) are completely platform agnostic because the “infected object” is the user rather than something on the system. Security reliant on the inability of a user to gain privileged access may lead to disaster if it fails to anticipate the ingenuity of hobby hackers and criminals alike, or the possibility of a conjunction of social engineering and technical vulnerability.
This paper will compare the view from Apple and the community as a whole with the view from the anti-virus labs of the actual threat landscape, examining:
- The ways in which the Apple-using community is receiving increasing attention as a potential source of illegitimate profit;
- The directions malware is likely to take over the next year or two;
- The likely impact of attacks against Apple users;
- The implications for business and for the security industry in an age of interconnectivity, interoperability, and the paradox of accelerated computing power on ever-shrinking devices.
Small Blue-Green World
ESET Senior Research Fellow