Showing posts with label MAC Defender. Show all posts

Friday, 8 July 2011

Current Mac Malware, 2011-07: Introduction

In order to help Mac users understand the current state of malware on the platform, I am providing a review of each current form. This will not be an exhaustive review, but it should help relieve much of the misunderstanding and concern about the ongoing, many-years-old, anti-Apple security FUD Fest.

I will be going through the malware in reverse chronological order, featuring the most current concerns first and the oldies but gnarlies last.

The first thing to know is that technically, ALL currently active Mac malware are Trojan horses. That means that they are entirely inert until such time as a user (or 'LUSER', in cynical terminology) inadvertently installs them.

I am NOT including any hacker tools or 'legal' spyware in my detailed articles. These require a third party to be able to physically access your computer and directly install them for their nefarious purposes. You won't personally be in any danger of installing them unless a hacker or IT administrator directs you to do so. They require hackers or administrators to access your computer in order for them to do any harm. I may address these forms of software at another time. I am more concerned about what YOU might mistakenly install.

THE LIST:

1) Trojan.OSX.MACDefender.A - O [15 strains]

2) Trojan.OSX.BlackHoleRAT.A - C [3 strains]

3) Trojan.OSX.Boonana.A

4) Trojan.OSX.OpinionSpy.A - B [2 strains]

5) Trojan.OSX.iServices.A - C [3 strains]

6) Trojan.OSX.PokerStealer.A

7) Trojan.OSX.RSPlug.A - Q [17 strains]

The total number of Mac malware species is 7.
The total number of Mac malware strains is 42.


The 'Malware' Hacker Tools I Am Leaving Out:

'Trojan'.OSX.Lamzev.A

'Trojan'.OSX.Hellraiser.A - D [4 strains]

There are a number of inert malware as well as 'Proof of Concept' malware of no concern which I have also left out of my list. You may find them on other lists, but you won't find them infecting anyone with up-to-date computers, apart from test computers in a lab. (A famous example of 'Proof of Concept' malware is Trojan.OSX.Oomp.A, aka Trojan.OSX.Leap.A. It is of no consequence or importance).

If you'd like a list of current 'legal' spyware, I suggest the list kindly provided at the MacScan/SecureMac site.

Note that, due to the lack of adherence to standards within the anti-malware community, there are a lot of name variations for the exact same malware. In the case of the MAC Defender Trojan I discovered 15 different names. I am not including them here in my list as these alternative names are irrelevant and needlessly confusing. What I have listed here are the 'official' names from my point of view as well as those whom I consider to be professional experts and original malware discoverers in the field. However, I will be listing a number of the alternative names in my subsequent articles that provide details about each of the current malware species.

As ever, I request corrections to my information. If I have missed a malware species or strain, please let me know asap. Much appreciated!

Saturday, 4 June 2011

The CARO Malware Naming Scheme



In 2009, amidst my trying to sort out why malware naming is chaotic within the anti-malware community, I came across an elegant malware naming system from CARO (The Computer AntiVirus Researcher's Organization) that is considered the standard. It has no competing proposed system apart from the 'whatever' mess practiced by the various anti-malware researchers/companies.


Recently I have been volunteering time with a group of other Mac security geeks as we try to keep track of what is going on with the Trojan.OSX.MAC Defender scamware series and provide malware signatures to the ClamAV Open Source project. One of our members was musing about applying the biological taxonomy system to malware naming. I wrote back that malware naming doesn't successfully fit within that system. Instead I described the CARO Scheme while tossing in a few of my usual rants about chaos in the anti-malware community. For those interested, here is my description of the CARO Scheme:


~~~~~~~~~~



There is a standard malware naming system called the 'CARO Malware Naming Scheme'. Despite its existence and age, it is generally ignored in favor of chaos. As the description article itself states:
No matter how good a naming standard, it is mostly worthless if nobody is using it. And, as experience has demonstrated, some anti-virus producers would follow their own malware naming scheme in royal disregard of any proposed standards.
You can read about the CARO scheme here:


To quote:
The general format of a Full CARO Malware Name is
[(type)://][(platform)/](family)[.(group)][.(length)].(variant)[(modifiers)][!(comment)]
where the items in square brackets are optional. According to this format, only the family name and the variant name of a piece of malware are mandatory and, as we shall see later, even the variant name can be omitted when reporting it. The Full Name is white space-delimited. That is, it cannot contain white space (i.e., space, tab, carriage return, line feed), and there is a white space before and after it.


Here is the general CARO approach:

1) The name starts with the type of malware. For Macs, all the malware are Trojan horses. Therefore, they all begin with 'Trojan' followed by a period. 

Due to the mixed types of malware being created these days, this can get messy. Some malware these days are Trojans that infect the target with a bot, which itself is a worm by way of spewing SPAM or DDOS attacks. This is the case with the iServices Trojan. But I believe the best approach here is to name the malware type as that which is initially presented to the target computer. Therefore, Trojan works in all the current Mac cases.

However, I still argue that hacker tools are NOT Trojans. They're just hacker tools. They only get onto computers by way of 'LUSER' behavior whereby a hacker is inadvertently given physical access to the target computer.

2) The malware type is followed by the target OS name. In our case it is 'OSX'. Prior to Mac OS X, the term 'MacOS' was used. But since Mac OS X is certified UNIX, the term 'Mac' is being dropped and only 'OSX' remains. The OS name is followed by another period.

3) The third part of the name is supposed to be left to whoever first discovers the malware in the wild and chooses a name for it.

For example, Andrew Welch (of Ambrosia Software) was the first person to fully describe and name the proof-of-concept Trojan, which he named "Oompa-Loompa" or simply "Oomp". Using his variation on the CARO scheme, the resulting name was:

Trojan/OSX/Oomp-A

But Symantec has more clout than Andrew and, after his work, pushed out the name 'Leap' instead, resulting in their name for it:

Trojan.OSX.Leap.A

4) The fourth part of the name specifies the variant, starting with A through Z, proceeding to AA through ZZ, etc. Therefore, at this point we have (I think):

Trojan.OSX.MAC Defender.A
Trojan.OSX.MAC Defender.B
Trojan.OSX.MAC Defender.C
Trojan.OSX.MAC Defender.D

Unfortunately, it is left up to interpretation as to what constitutes a new variant. As I noted over the weekend, I've seen MAC Defender.E listed, for reasons I cannot explain. With the two new proven variants, apparently that naming source would be up to MAC Defender.G at least, at this point.

I like Shawn's idea about digging into the actual Trojan app's Contents directory to check out the guts of each potentially new 'variant'. The web page GUI variations are clearly of little importance compared to the actual Trojan app variations.

5) If there are further details about a specific malware, they are typically put in parentheses after the variant identifying letter. For the MAC Defender variants this would include all the names for the installer files and the various names the Trojan application gives itself. Therefore, we could have:

Trojan.OSX.MAC Defender.B (aka Apple Security Center, aka Apple Web Security...)

~~~~~~

I have never seen the CARO scheme used exactly in the original proposed format. But the general approach of focusing from abstract to specific has remained in most of the offshoots of the scheme. Typically, the separators between the naming items are simply periods, as in:

Trojan.OSX.MAC Defender.A

Intego sticks to this specific pattern.

Microsoft uses a colon instead of the first period, resulting in:

Trojan:OSX.MAC Defender.A

See:

Some companies choose to use forward slashes and dashes in their malware naming, resulting for example in:

Trojan/OSX/MAC Defender-A

Overall, because this is what I call 'The Wild West Era' of the anti-malware community, malware naming chaos reigns. There are commonly three publicly published names from various anti-malware researchers/companies for exactly the same malware. In the case of MAC Defender I've counted over 15 names at VirusTotal for what may only be MAC Defender.A.
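To make the naming rules above concrete, here is an added example (my own code, not CARO's, Intego's, Microsoft's or anyone else's) that parses the separator styles shown on this page (periods, Microsoft's colon, slash-and-dash, and the strict `type://platform/family.variant` Full Name), normalizes them into one record so two vendor spellings can be compared, and converts variant letters (A..Z, AA..ZZ, ...) to ordinals, which also reproduces the strain counts in the list at the top of this page (A - O is 15, A - Q is 17). One simplifying assumption is built into the regex: a family name may contain spaces, as in 'MAC Defender', but not a period, slash or dash, since those are read as separators.

```python
"""Parse vendor spellings of Mac malware names into one CARO-style record.

Added example; not code from CARO, Intego, Microsoft or any other vendor.
"""
import re
from dataclasses import dataclass
from typing import List

# Separator conventions this page shows for the same malware:
#   Intego:        Trojan.OSX.MAC Defender.A
#   Microsoft:     Trojan:OSX.MAC Defender.A
#   slash/dash:    Trojan/OSX/MAC Defender-A
#   strict CARO:   Trojan://OSX/MACDefender.A
# Assumption: a family name may contain spaces (as in "MAC Defender") but
# not a period, slash or dash, which are treated as separators.
_NAME_RE = re.compile(
    r"""^(?P<type>[A-Za-z]+)        # malware type: Trojan, Worm, ...
        (?:://|[:./])               # type separator: "://", ":", "." or "/"
        (?P<platform>[A-Za-z0-9]+)  # platform: OSX, MacOS, W32, ...
        [./]                        # platform separator
        (?P<family>[^./\-]+?)       # family name, spaces allowed
        [.\-]                       # variant separator: "." or "-"
        (?P<variant>[A-Z]+)         # variant letters: A..Z, AA..ZZ, ...
        (?:\s*\(.*\))?$             # optional "(aka ...)" aliases, ignored
    """,
    re.VERBOSE,
)


@dataclass(frozen=True)
class MalwareName:
    type: str
    platform: str
    family: str
    variant: str

    def key(self) -> tuple:
        """Identity used to decide whether two spellings name the same malware."""
        return (self.type.lower(), self.platform.lower(),
                self.family.replace(" ", "").lower(), self.variant)

    def caro_full_name(self) -> str:
        """Strict CARO Full Name: type://platform/family.variant, no whitespace."""
        return f"{self.type}://{self.platform}/{self.family.replace(' ', '')}.{self.variant}"

    def dotted(self) -> str:
        """The period-separated style most Mac vendors use."""
        return f"{self.type}.{self.platform}.{self.family.replace(' ', '')}.{self.variant}"


def parse_name(text: str) -> MalwareName:
    """Parse any of the separator styles listed above into a MalwareName."""
    m = _NAME_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised malware name: {text!r}")
    return MalwareName(m["type"], m["platform"], m["family"].strip(), m["variant"])


def same_malware(a: str, b: str) -> bool:
    """True when two vendor spellings denote the same type/platform/family/variant."""
    return parse_name(a).key() == parse_name(b).key()


def variant_to_ordinal(variant: str) -> int:
    """A -> 1, Z -> 26, AA -> 27, ZZ -> 702: bijective base 26, as step 4 describes."""
    n = 0
    for ch in variant:
        if not "A" <= ch <= "Z":
            raise ValueError(f"bad variant letter {ch!r} in {variant!r}")
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def ordinal_to_variant(n: int) -> str:
    """Inverse of variant_to_ordinal: 1 -> A, 27 -> AA, 703 -> AAA."""
    if n < 1:
        raise ValueError("variant ordinals start at 1")
    letters: List[str] = []
    while n:
        n, rem = divmod(n - 1, 26)
        letters.append(chr(ord("A") + rem))
    return "".join(reversed(letters))


def strain_count(first: str, last: str) -> int:
    """Number of variants in an inclusive range such as 'A - O' (15) or 'A - Q' (17)."""
    return variant_to_ordinal(last) - variant_to_ordinal(first) + 1


if __name__ == "__main__":
    # Constructed sample: the spellings this page lists for MAC Defender.A
    spellings = ["Trojan.OSX.MAC Defender.A", "Trojan:OSX.MAC Defender.A",
                 "Trojan/OSX/MAC Defender-A", "Trojan://OSX/MACDefender.A"]
    for s in spellings:
        print(f"{s:32} -> {parse_name(s).caro_full_name()}")
    print("all the same malware:", all(same_malware(spellings[0], s) for s in spellings[1:]))
    print("MAC Defender A - O strains:", strain_count("A", "O"))
```

Running the block prints the strict CARO Full Name for each spelling and confirms they all collapse to the same record; the parenthesised alias list from step 5 is accepted and discarded, since aliases are not part of the identity.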


I hope my lecture was helpful. ;-)


:-Derek

Thursday, 2 June 2011

XProtect from Apple, New MAC Defender variant: Excellent Summary from Sophos!

Early this AM Sophos published an EXCELLENT article about Apple's XProtect software. XProtect is part of Mac OS X 10.6 Snow Leopard (not 10.5 Leopard, sorry). It was updated as part of Apple Security Update 2011-003 this past week. It now automatically checks every 24 hours for new malware signatures from Apple. It's terrific! Except the malware rats immediately responded with a new workaround version of the MAC Defender (the correct spelling) Trojan horse series. And that sucks.

Read all about it!

Apple to malware authors: Tag, you're It!

. . . Apple's XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet.
If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program. Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions. . .
Keep in mind folks that this is a series of Trojan horses. Our computer's worst security flaw isn't Mac OS X! It's you and me. WE install Trojan horses, not our computer. Trojan horses are the bane of EVERY computer. Every Windows box, every Mac, every Linux box, etc., is vulnerable to Trojan horses.

Therefore, the 'Security Through Obscurity' ignorant FUD trolls can take a nap. Trojan horses do not apply. (And why is that? Read the paragraph above over and over until it sinks into your empty troll heads).

What IS new is that social engineering malware rats have hit the Mac in a persistent wave. If Mac LUSERS weren't falling for their fake anti-malware, they wouldn't bother. It's time for we the Mac users to grow up and pay attention to EVERYTHING we click and EVERYTHING we install.

There are psychopaths (aka malware rats, Neo-Con-Jobs, TardPartiers, The Red Hacker Alliance, etc.) out there in the world. They want EVERYTHING they can lay their self-destructive claws and fangs on. Nothing is sacred. We are the target, as well as themselves. That munching sound is them eating your computer, while their own insecurities eat them.

Wednesday, 4 May 2011

FAKE "MAC Defender" Scamware Attack via infected Webpages


What is 'scamware'? (Also known as 'rogueware'). It is a form of malware that pretends to be something it is NOT in order to use social engineering / LUSER behavior to get you to install actual malware. The most numerous kind of scamware occurs on the Internet where you visit a web page and start getting bombarded with messages on your screen that you have been "INFECTED" with whatever, when in fact you have NOT. If you are, let's be blunt, foolish enough to allow your web browser to automatically download software, or even worse, if you allow your web browser to actually OPEN what you automatically download, you're a prime sucker for scamware. Don't do that!

This is the very first instance of actual working scamware for Mac OS X that I am aware of. The most excellent SANS NewsBites Volume 13 Number 35 newsletter issue provides an announcement of the situation as well as resource links. You can sign up for the free SANS newsletters HERE. (I occasionally have disagreements with SANS over their FUD publishing and spelling, but overall they're a terrific resource).

DETAILS

The Scamware: "MAC Defender" (Note the spelling difference from 'MacDefender', which is an actual program developed in Germany, sadly hurt by bad publicity created due to the 'MAC Defender' scamware).

The Infection Vector: Web pages.

The Setup:

1) Through nefarious means, the scamware tosses messages on your screen that your Mac has been infected with something. It insists that you pay $money$ to install the scamware Trojan horse in order to remove the fake 'infection'. Here is an illustration kindly provided by PCWorld.com.

2) If you foolishly allow your web browser to download software, the infected web page will IMMEDIATELY auto-download the Trojan horse to your Mac. THIS IS BAD!

3) If you foolishly allow your web browser to open software it has automatically downloaded, the Trojan horse will automatically open. THIS IS VERY BAD!

4) If you happily never allow auto-anything, then you could still be coerced into clicking the download link for the scamware Trojan horse. Worse yet, you might even open the Trojan horse on your computer. DON'T DO THAT!

At the moment, this scamware attack is occurring at a variety of web pages related to the killing of terrorism scourge Osama Bin Laden. Be extra special watchful at such websites for this scamware.

The STING: You fork over $money$ and your CREDIT CARD information for what is worthless garbage software that does nothing at all. Your credit card has just been stolen.
Note how I still call this scamware a 'Trojan horse'. There are two reasons why. First, it's not what it pretends to be, despite it being an 'empty' Trojan horse. Second, the scamware could easily contain one of the current actual Mac OS X Trojan horses, three of which are capable of botting your Mac. And that's very very bad.

How to Protect Yourself:

A) The Second Rule of Computing! Verify the authenticity and legitimacy of absolutely every piece of software you are tempted to install. In this case, you'll save yourself spending $money$ on worthless garbage as well as your credit card information. Also, seeing as there are currently 28 different Trojan horses for Mac OS X, (26 actually, if you exclude the hacker tools), you'll be preventing yourself from getting infected for real.

Adding to SANS Editor Northcutt's comments in NewsBites, dangerous malware can be hidden in nearly any piece of software. This includes anything you are sent (via email or chat, etc.) or anything at any Internet location.

B) Don't auto anything! That means no auto-download or auto-open. Turn all such features OFF in your web browsers and other Internet related applications. (All such features should be removed from all programs as they are inherently dangerous).

C) Use a decent anti-malware application to protect you from infected web pages. As usual, I recommend Intego VirusBarrier X6, which I own and use and enjoy (usually) and want to marry. When you connect to a potentially dangerous web page, VirusBarrier stops it from loading and warns you of a detected threat. You are able to choose to ignore, block, or add the page to your 'Trusted Sites'.
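Two of the points above can be checked rather than taken on faith: the Sophos quote in the 2 June post says XProtect only scans files that browsers have marked as downloaded, and item B says to switch off auto-open. The following script is an added example (my own code, not Apple's, Sophos' or Intego's) that reads the com.apple.quarantine extended attribute browsers stamp on downloads, reports whether each file in a folder carries it, and reads Safari's auto-open preference. The attribute's value layout (flags;hex timestamp;downloading agent;uuid) and the preference key com.apple.Safari AutoOpenSafeDownloads come from public documentation, not from this page, and the sample attribute value is constructed. The xattr and defaults tools exist only on macOS; elsewhere the live checks report unknown while the parsing still works.

```python
"""Audit the download path that XProtect depends on.

Added example, not code from Apple, Sophos or Intego. Assumptions (not on
the page): the com.apple.quarantine value layout "flags;hex-timestamp;agent;uuid"
and the Safari preference key com.apple.Safari / AutoOpenSafeDownloads.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional, Union

QUARANTINE_XATTR = "com.apple.quarantine"  # set by browsers on downloaded files


@dataclass(frozen=True)
class Quarantine:
    flags: int               # hex flag word; individual bits are not interpreted here
    downloaded_at: datetime  # UTC, decoded from the hex timestamp field
    agent: str               # application that downloaded the file, e.g. Safari
    uuid: str                # record id for the quarantine event (may be absent)


def parse_quarantine(value: str) -> Quarantine:
    """Decode an attribute value of the form 'flags;hex-timestamp;agent;uuid'."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, stamp, parts[2], uuid)


def read_quarantine(path: Union[Path, str]) -> Optional[Quarantine]:
    """Return the file's quarantine record, or None when it has none or xattr(1) is unavailable."""
    try:
        proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, str(path)],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:  # not macOS: no xattr(1) tool on the PATH
        return None
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return parse_quarantine(proc.stdout)


def classify(record: Optional[Quarantine]) -> str:
    """Say whether XProtect gets a look at the file: only marked files are scanned on open."""
    if record is None:
        return "UNMARKED: no quarantine attribute, XProtect will not scan it on open"
    when = record.downloaded_at.strftime("%Y-%m-%d %H:%MZ")
    return f"MARKED via {record.agent} at {when}: XProtect will scan it on open"


def safari_auto_open_enabled() -> Optional[bool]:
    """True if Safari opens 'safe' downloads automatically (the setting item B says to turn off).
    None when unknown: not macOS, or the key was never written (Safari's factory default is on)."""
    try:
        proc = subprocess.run(["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() not in ("0", "false", "NO")


def audit_folder(folder: Union[Path, str]) -> Dict[str, str]:
    """Map each regular file in folder to its classify() verdict; empty if folder is missing."""
    folder = Path(folder)
    if not folder.is_dir():
        return {}
    return {p.name: classify(read_quarantine(p)) for p in sorted(folder.iterdir()) if p.is_file()}


if __name__ == "__main__":
    # Constructed sample value in the layout above; the timestamp decodes to 2011-05-04 UTC.
    sample = "0081;4dc0b2f0;Safari;0B3F5C3A-1111-2222-3333-444455556666"
    print(classify(parse_quarantine(sample)))
    state = safari_auto_open_enabled()
    print("Safari auto-open:", "unknown" if state is None else ("ON, turn it off" if state else "off"))
    for name, verdict in audit_folder(Path.home() / "Downloads").items():
        print(f"{name}: {verdict}")
```

The useful finding is the UNMARKED case: a file that reached the disk by a route that never set the attribute (a non-browser fetcher, an archive tool that drops it, a copy from removable media) is exactly the file XProtect never sees, which is the gap the Sophos quote describes.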

Here are links with further details for your reading pleasure:

Fake AV Targets Mac OS X Through Poisoned Search Links

Fake "MAC Defender" antivirus app scams users for money, CC numbers

Fake security software takes aim at Mac users

Intego Security Memo - MAC Defender Fake Antivirus Program Targets Mac Users


Fake "MAC Defender" Brings Malware to Macs

Bogus MAC Defender malware campaign targets Mac users using Google Images

Apple Support Communities: Search for 'MACDefender'

(Please note that I corrected the name of this scamware in a few of the titles above. I see no point in perpetuating misspelling. Thank you as ever to Intego and ars technica for correct spelling ;-).
