Mac Malware By: Shane Binkerd, Shane Moreland, Travis Gardner


Amphimix
• Appeared in 2004
• Trojan Horse
• Disguised as an MP3 file
  o Including the MP3 icon

Leap
• First appeared in 2006
• Worm
• Used a graphic icon to mimic a JPG
• Spread by a file claiming to be the latest Leopard Mac OS X screenshots
  o Through iChat messenger

Inqtana
• Appeared in 2006
• Worm
• Used the Bluetooth OBEX Push request

Jahlav
• Appeared in 2007
• Trojan Horse
• Fake video codec
  o Claims to solve an ActiveX object error
• Disguises itself as a MacAccess installer

Macsweeper & iMunizator
• Appeared in 2008
• First reported scareware
• Fake security application
  o Claimed to be a 3-in-1 Mac cleaner
• Flagged legitimate applications and processes
  o Offered to fix for money
• iMunizator closely related to Macsweeper

HellRTS aka the Hellraiser
• First malware of 2010
• Backdoor Trojan
• Intercepts passed information
• Spread by social engineering

OpinionSpy
• Appeared 2010
• Spyware
• Spread as part of the installation process for a number of screensavers
• Allowed backdoor access

Boonana
• Appeared 2010
• Java-based Trojan
  o Can infect Windows, Linux, Mac
• Spread across social network sites as a form of video
• Attempts to retransmit via a reblog or repost

BlackHole
• Appeared in 2011
• Backdoor Trojan
• Executes shell commands remotely

MacDefender
• Appeared in 2011
• Spread via bad links
• Made use of some Safari exploits

Kitmos & Hackback
• Appeared in 2013
• Backdoor Trojan
• Allows attacker to run executables sent to victim's machine
  o Takes screenshots and sends them to the attacker
• Modifies loginitems.plist to ensure startup execution
• Hackback zips .txt, .doc, .eml, .pdf, etc. and sends to attacker
• Tied to Operation Hangover
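The loginitems.plist change above is the kind of persistence a defender can audit rather than wait to notice. The following is an added example, not code from the slides: it parses a login-item list and flags entries that launch from outside the usual application directories, sit in a hidden folder, or are marked hidden. The plist layout (SessionItems, CustomListItems, Name/Path/Hide keys) and the three sample entries are a simplified, constructed stand-in for illustration, not the exact format Apple uses.

```python
"""Audit login items for persistence entries like the one Kitmos adds.

Added example; not from the slides. The plist layout used here is a
simplified, constructed stand-in (assumption), chosen so the audit logic
can be shown on an in-memory sample that runs anywhere.
"""
import plistlib
from typing import Dict, Iterable, List

# Directories a login item is normally expected to launch from.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/")

# Constructed sample: two ordinary items and one dropped into a hidden
# user directory and marked hidden, the shape a backdoor's entry would take.
SAMPLE_PLIST = plistlib.dumps({
    "SessionItems": {
        "CustomListItems": [
            {"Name": "Dropbox",
             "Path": "/Applications/Dropbox.app", "Hide": False},
            {"Name": "iTunesHelper",
             "Path": "/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app",
             "Hide": False},
            {"Name": "Updater",
             "Path": "/Users/alice/.hidden/Updater.app", "Hide": True},
        ]
    }
})


def load_login_items(plist_bytes: bytes) -> List[Dict]:
    """Parse the plist and return the list of login-item dictionaries."""
    data = plistlib.loads(plist_bytes)
    return data.get("SessionItems", {}).get("CustomListItems", [])


def audit_login_items(plist_bytes: bytes,
                      known_paths: Iterable[str] = ()) -> List[Dict]:
    """Return the items worth a look, each with the reasons it was flagged.

    known_paths suppresses entries an administrator has already reviewed;
    matching is on the full path, not the display name, because a name is
    trivially copied from a legitimate item.
    """
    known = set(known_paths)
    findings = []
    for item in load_login_items(plist_bytes):
        path = item.get("Path", "")
        if path in known:
            continue
        reasons = []
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("launches from outside trusted application directories")
        if "/." in path:
            reasons.append("path contains a hidden directory")
        if item.get("Hide"):
            reasons.append("hidden from the Login Items list")
        if reasons:
            findings.append({"name": item.get("Name"),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_login_items(SAMPLE_PLIST):
        print(finding["name"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Running it against the constructed sample reports only the "Updater" entry, with all three reasons; passing its path in known_paths after review silences it.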

Icefog
• Found in 2013
• Backdoor
• Targeted attacks against East Asian companies and governments
• Disguised as legitimate programs like AppDelete and CleanMyMac

CoinThief
• Appeared in 2014
• Multiple legitimate applications used to hide
  o BitVanity, StealthBit, Litecoin Ticker, Angry Birds
• Browser extensions
• Attacks Bitcoin-QT wallets
  o Modified to send Bitcoins to remote machine
• Detected only by F-Secure, Sophos, Trend Micro

LaoShu
• Appeared in 2014
• Trojan
• Spread by fake email from FedEx
• Cleverly disguised as PDF of legitimate FedEx domain
  o Actually executable
• LaoShu is digitally signed
  o Gatekeeper lets it pass
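Three of the families above rely on the same trick: an executable dressed as a document (MP3 for Amphimix, JPG for Leap, PDF for LaoShu). The icon is only metadata, so the content itself still starts with an executable header, and comparing the first bytes of a file against what its extension promises catches all three. The following is an added example, not code from the slides; the file names and byte strings are constructed, while the magic values are the published Mach-O and document signatures.

```python
"""Flag files whose claimed type (extension) does not match their bytes.

Added example, not part of the original slides. The samples are
constructed in memory; the magic values are the published Mach-O and
document signatures.
"""
import struct
from typing import Dict

# First four bytes of Mach-O files: 32/64-bit, both byte orders, and
# universal ("fat") binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}

# Signatures a file with each document extension should begin with.
EXPECTED_SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}


def is_macho(header: bytes) -> bool:
    """True if the header carries a Mach-O magic number.

    0xCAFEBABE is shared with Java class files, so for that value the next
    field is inspected: a fat header stores a small architecture count there,
    a class file stores its version (much larger). The cut-off is a heuristic.
    """
    magic = header[:4]
    if magic not in MACHO_MAGICS:
        return False
    if magic == b"\xca\xfe\xba\xbe" and len(header) >= 8:
        nfat_arch = struct.unpack(">I", header[4:8])[0]
        return nfat_arch < 32
    return True


def claimed_extension(name: str) -> str:
    """Last extension, lower-cased ("Invoice.PDF" -> ".pdf", "tool" -> "")."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def classify(name: str, header: bytes) -> str:
    """Classify one file by its name and first bytes.

    masquerade  - executable bytes behind a document extension (the trick)
    executable  - Mach-O with no document extension
    ok          - document extension and matching signature
    mismatch    - document extension but neither its signature nor Mach-O
    unknown     - extension not covered by the table
    """
    ext = claimed_extension(name)
    if is_macho(header):
        return "masquerade" if ext in EXPECTED_SIGNATURES else "executable"
    if ext not in EXPECTED_SIGNATURES:
        return "unknown"
    if header.startswith(EXPECTED_SIGNATURES[ext]):
        return "ok"
    return "mismatch"


# Constructed samples: name -> first bytes, as a scanner would read them.
SAMPLES = {
    "FedEx_Shipment.pdf": b"\xcf\xfa\xed\xfe" + b"\x00" * 12,  # 64-bit Mach-O
    "screenshots.jpg": b"\xca\xfe\xba\xbe\x00\x00\x00\x02",    # fat binary
    "track.mp3": b"ID3\x04\x00\x00",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "invoice.pdf": b"hello world",
    "cleaner": b"\xfe\xed\xfa\xce" + b"\x00" * 12,
    "Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",         # Java, not Mach-O
}


def scan_samples(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Return a verdict per sample name."""
    return {name: classify(name, header) for name, header in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{verdict:11} {name}")
```

The check is cheap enough to run on every download or mail attachment, and it is independent of the Gatekeeper point on the slide: a valid signature says who signed a binary, not whether the binary is honest about being one.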

Appetite
• Appeared in 2014
• Backdoor
• Seems to be aimed at government, diplomatic, and corporate targets
• Contains Windows components
• Uses rootkit and bootkit techniques to hide
• Noted for encoding configuration data and encrypting network traffic

Conclusion
• There is no safe haven for Windows or Macs
• Windows is a much larger percentage of the OSes used
  o 9.9% Mac users
  o 81% Windows users (9.4% XP)
  o http://www.w3schools.com/browsers/browsers_os.asp

References
• "Antivirus scan for CoinThief - VirusTotal." VirusTotal. 14 Feb. 2014. 27 Apr. 2014 <https://www.virustotal.com/en/file/398aa459eea689dafdb98567644a2ab1f4d5b90cb4e3ad3a06ab7e0b2da4d8ad/analysis/>.
• Cluley, Graham. "Press Releases." First ever virus for Mac OS X discovered. 16 Feb. 2006. Sophos. 27 Apr. 2014 <http://www.sophos.com/en-us/press-office/press-releases/2006/02/macosxleap.aspx>.
• Cohen, Peter. "Sophos warns against iMunizator 'scareware' | Macworld." Macworld. 2 Apr. 2008. Macworld. 27 Apr. 2014 <http://www.macworld.com/article/1132800/imunizator.html>.
• Cortes, Santiago. "OSX.Kitmos." Technical Details. 16 May 2013. Symantec. 27 Apr. 2014 <http://www.symantec.com/security_response/writeup.jsp?docid=2013-051616-5911-99&tabid=2>.
• Leyden, John. "Scareware scammers target Mac users." The Register. 15 Jan. 2008. The Register. 27 Apr. 2014 <http://www.theregister.co.uk/2008/01/15/mac_scareware_scam/>.
• Li, Yi. "OSX.Hackback." Technical Details. 20 May 2013. Symantec. 27 Apr. 2014 <http://www.symantec.com/security_response/writeup.jsp?docid=2013-052003-5213-99&tabid=2>.
• Liu, Yana. "OSX.Apptite.A." Technical Details. 13 Mar. 2014. Symantec. 27 Apr. 2014 <http://www.symantec.com/security_response/writeup.jsp?docid=2014-021723-5609-99&tabid=2>.
• "Mac Malware Facts." Mac Malware Facts. ESET. 27 Apr. 2014 <http://www.eset.com/int/mac-malware-facts/>.
• Niemela, Jarno, and Gergely Erdelyi. "Worm:OSX/Inqtana.A." Worm:OSX/Inqtana.A. 22 Feb. 2006. F-Secure. 27 Apr. 2014 <http://www.f-secure.com/v-descs/inqtana_a.shtml>.
• "OSX/HackBack [Threat Name] go to Threat." OSX/HackBack.A. ESET. 27 Apr. 2014 <http://www.virusradar.com/en/OSX_HackBack.A/description>.
• "OSX/HackBack-A." Detailed Analysis. 19 June 2013. Sophos. 27 Apr. 2014 <http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~HackBack-A/detailed-analysis.aspx>.
• "OSX/Icefog-A." Detailed Analysis. 27 Sept. 2013. Sophos. 27 Apr. 2014 <http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Icefog-A/detailed-analysis.aspx>.
• "OSX/Kitm [Threat Name] go to Threat." OSX/Kitm.A. ESET. 27 Apr. 2014 <http://www.virusradar.com/en/OSX_Kitm.A/description>.
• "OSX/StealBit-B." Detailed Analysis. 20 Feb. 2014. Sophos. 27 Apr. 2014 <http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~StealBit-B/detailed-analysis.aspx>.
• "Press Releases." Mac OS X MP3 Trojan horse threat overhyped, says Sophos. 13 Apr. 2004. Sophos. 27 Apr. 2014 <http://www.sophos.com/en-us/press-office/press-releases/2004/04/va_macmp3.aspx>.
• "Threat Encyclopedia." OSX_CARETO.A. Trend Micro. 27 Apr. 2014 <http://about-threats.trendmicro.com/us/malware/osx_careto.a>.
• "Trojan-Downloader:OSX/Jahlav.A." Trojan-Downloader:OSX/Jahlav.A. F-Secure. 27 Apr. 2014 <http://www.f-secure.com/v-descs/trojan-downloader_osx_jahlav_a.shtml>.