Think Apple OS X is below the malware radar Think again

14.10.2015
Instances of Apple OS X malware are soaring this year, already totaling more than five times the number tallied over the previous five years combined, according to an in-house Bit9 + Carbon Black tally.

Instances totaled 180 from 2010 through 2014, but have already reached 948, according to “2015: The most Prolific Year in History for OS X Malware”, the results of a 10-week study of malware crafted for the operating system.

The Bit9+Carbon Black research team analyzed data it gathered from its own research efforts, culling open source data such as Contagio malware dump, experience from incident response-engagements involving OS X that were made by Bit9 + Carbon Black’s partners, and suspicious code uploaded to Bit9 + Carbon Black from its customers. They came up with 1,400 unique OS X malware samples.

“Based on the observations in the 10-week analysis, the Bit9+Carbon Black Threat Research Team confidently expects Mac OS X malware attacks to accelerate in the coming months,” the report says.

The researchers used a custom sandbox to observe and identify common actions performed by malware, such as file creation and network communications. This revealed artifacts left by malware execution as well as command-and-control infrastructure.

Some observations about the malware include that it tended not to attempt to reside in the OS X kernel but rather in user space, and that rather than attacking underlying UNIX mechanisms, the malware went after Mac OS X-specific mechanisms.

Given the Unix/Linux roots of OS X, researchers expected attackers would adapt Linux and Unix malware to OS X, but that turned out not to be the case.

The malware takes advantage of mechanisms built into the operating system that allow the malware to persist. For example, it can take advantage of mechanisms that enable legitimate applications to start when the computer boots up or when a user logs in.

Some of these mechanisms in OS X are common to Unix and BSDs, but the writers of the malware focus more on using persistence mechanisms unique to OS X. Perhaps the writers of the malware have backgrounds in Windows environments and worked from OS X documentation rather than a knowledge of Unix, says Mike Sconzo, senior manager of threat research for Bit9 + Carbon Black.

(www.networkworld.com)

Tim Greene