Tuesday 2 November 2021

The Coming Mac Threat (Revisited)

Foreword

The following article was written and published in 2008. The first iPhones were less than six months old and Apple's OS X operating system was just seven years old. The previous year Apple launched a version of OS X that could run on Intel systems. The following year OS X could *only* run on Intel systems. This could have made life easier for attackers, as they faced a familiar underlying system.

A lot has changed since then. According to some statistics the use of OS X (now MacOS) has risen between 2009 and 2021 from below 4% to around 16%. This is clearly a significant rise, but with around 75% of computer users still staring at Windows, the value to an attacker of MacOS exploits is still relatively low.

Attackers have targets and the chances of a valuable one using a Mac is now five times as likely. We've seen news reports of exploits targeted Apple-based devices. NSO's Pegasus spyware is now widely recognised as being a threat that targeted civilians, including journalists.

It's not all bad news. Despite the claims of some (anti-virus) security firms, the malware threat for most Apple users is low. The main problem is so-called ad-ware, annoying software that tries to monetise your computing experience by showing you adverts and misdirecting your web searches. The viruses, worms and Trojans mentioned in this article don't seem to have developed for the Mac in the way that they could have. Which is obviously a good thing.

However, as the article states, "While the Mac remains relatively unmolested by attackers, you can be sure that they are monitoring the situation and waiting for the right time to start a full-on attack." MacOS and the iPhone's iOS operating systems are not definitively, 100% secure. Advanced attackers have proved this. And these are the cases we know about.

We can only hope that Apple-focussed threats don't become commoditised in the same way that they have for Windows users.

Simon Edwards (8th October 2021)

The Coming Mac Threat

The Mac’s luck could be about to run out. So far it hasn’t been plagued to any large degree by viruses and online criminals. But given the current Apple sales surge, there is every danger that your Mac could now be in the firing line.

For many years Macs have enjoyed immunity from the vast numbers of computer viruses, worms and other online threats that attack Windows PCs. This fact was mentioned in one of the (in)famous Mitchell and Webb Mac adverts, while Apple’s own website smugly professes: ‘114,000 Viruses? Not on a Mac.’ It has long been the boast of Mac advocates that a simple solution to the threat of computer viruses is simply to buy a Mac.

What many don’t realise is that the Mac is not inherently immune to viruses. Mac viruses do exist but there aren’t many of them because far fewer people use Macs than Windows PCs.

In fact, if everyone did buy a Mac then the virus problem would certainly shift from plaguing Windows users to attacking Macs. As it stands the Mac continues to gain popularity and so Mac-compatible viruses and other bad software, collectively known as malware, are increasing in number.

The days when owning a Mac meant instant security from online threats are about to become history. The last few months have seen a steady increase in threats to Mac users and there is plenty of evidence to suggest that there will be an explosion in viruses, spyware and other malware that targets Apple products.

You are the quarry

The truth is that one way or another all computer systems can be broken into. There’s just no such thing as 100 per cent security.

Hacking victims can include supercomputers, Windows and Linux PCs, Macs running any operating system (among them the latest version of Mac OS X), smartphones like the iPhone, games consoles and even broadband routers.

Viruses are essentially automated ways to hack a computer and if attackers know about a vulnerability in Mac OS X, there is nothing to stop them writing an automatic attack that scans the Internet, looking for victims.

To understand the risks and so better defend ourselves, we need to know how people are able to create malicious programs and why they do so. One of the most common ways to attack a computer is to identify and exploit a security hole – usually a flaw in the operating system or a program running on it. If you think that the Mac is free of security holes, you had better think again. Macs haven’t been entirely virus-free. Apple’s Software Update program has had security issues in the past that allowed attackers to hack into and take control of vulnerable machines.

Extremely Critical Security Holes

Security company Secunia has monitored Mac-based threats for the past five years. It claims that 93 per cent of known vulnerabilities in Mac OS X have been fixed and that the majority (62 per cent) were moderately, highly or extremely critical to the system’s security. Not only that, but also 68 per cent of the security holes could be exploited remotely.

It is naïve to assume that all existing vulnerabilities are known to the good guys. So-called ‘zero day’ exploits are traded online regularly, while security companies report that viruses and other malware often abuse previously unknown security holes to take over systems.

In addition Secunia reports a small number of holes in the iPhone and iPod touch devices. Other powerful handheld devices, including Windows and Symbian smart phones, are occasionally cracked but at present this is not a major problem (see **Pocket Problems**).

On the 18th March, Apple released an enormous bundle of patches, fixing at least 80 vulnerabilities in Mac OS X (both Tiger and Leopard). The download, which was labelled Security Update 2008-002 v1.0 Server (Universal), was 107MB in size and addressed problems with a range of programs and services.

One such problem allowed an attacker to run code on the victim’s machine if they simply opened an image. Another patch fixed security issues in the Safari web browser.

Why Mac Users Are So Vulnerable

Mac OS X is a Unix-based operating system. As such it has a lot in common with millions of other computers in the world. While this means that it is compatible with a vast library of readily available software, the flip-side is that the system can become vulnerable when security holes are discovered in those other programs.

By using a well-understood operating system, Mac users benefit but also place themselves at greater risk than when using the relatively obscure Mac OS 9. In the past three months there have been documented problems in the Adobe Flash Player plug-in, iChat and Spotlight. Even Mac OS X’s own Software Update application has shown that it isn’t immune.

Once we accept that the Mac is hackable the next step is to determine how attractive the Mac community is as a target. Before going to the effort of creating a virus or some spyware, its writer has a number of factors to take into account. One of these is: ‘How popular is my target?’ As the Mac becomes more popular, with various versions of Mac OS X and Safari appearing on millions of desktops, laptops and other gadgets, it starts to become more attractive.

Another question is: ‘How easy will it be to fool the victims?’ Let’s not forget that regular Mac users are unused to handling the sort of security threats that have dogged Windows’ users for years. New Mac users will be largely clueless about viruses and other security issues. And a large group of computer users who know little about security is a juicy target for online criminals.

The third important question a crook will ask is: ‘Will these victims have any money I can steal?’ This is the question above all that explains why the attacker exists in the first place. It’s all about the money.

Money for nothing

It may seem hard to understand why someone would go to the trouble of attacking computers, be they Macs or anything else. The old stereotype of a hacker was of someone who broke into computers for the thrill, possibly to gain bragging rights. Some virus writers even taunted anti-virus companies with insults embedded in the virus code. According to security firm F-Secure, it used to be quite common to see insults written inside virus code.

Today’s evidence suggests that the days of maladjusted teenagers writing viruses and hacking to show off are long gone. In 2004 the author of the Netsky virus was arrested. According to Alex Shipp of UK security firm MessageLabs, this 18-year-old German had written the "last of the spotty-kid viruses". Following the release of his virus, things changed. The scenario moved on to "organised crime and the spam that comes as a result of that".

Modern viruses writers are commercially minded, their wares being designed to control rather than damage the computers that they infect. With money being the motivation to hack websites, steal bank account details and send spam, online criminals go to great lengths to find rich seams of easily stolen wealth. And these lengths include determining the most popular types of computers connected to the Internet and, equally critically, the most popular applications that run on them.

What are the threats?

The threats to your Mac’s security and integrity are largely related to the Internet. There are a number of common ways for the bad guys to attack, including network worms, viruses, Trojans and spyware.

These are all general methods of attack, with the actual details of the security hole being abused changing rapidly.

Worms

A network worm is an automatic program that scans the Internet, looking for vulnerable computers. A worm might look for one or more vulnerabilities and, when it finds a suitable system, it infects it. One side effect of the infection will usually be that the infected system starts scanning for other victims.

Worms can’t attack systems that are effectively protected by a firewall. If your Mac is not advertising any services such as file-sharing or a web server, then it’s virtually immune to worms. The same goes for any computer behind a firewall. Hardware firewalls such as those included in broadband routers are a safer bet than software ones installed on your Mac. One reason for this is that software firewalls can themselves be vulnerable to attack. Hardware firewalls on the other hand are much trickier for worms to subvert.

Viruses/Trojans

A virus is a computer program able to replicate and spread itself automatically. A Trojan is a file that claims to be something attractive such as a photo or a game, but in reality harbours something malicious.

Viruses often attract victims by hiding inside an attractive Trojan package. Once the file is run the virus contaminates the system and, just like a human virus, it can prove highly infectious. Sometimes it will spread to the outside world by attaching itself to email messages.

In addition, some viruses attach themselves to hardware. Many years ago boot sector viruses spread by attaching themselves to floppy discs. Now viruses are starting to appear on other storage devices such as USB flash drives. There have even been cases where factory-shipped iPods, TomTom GPS units and digital photo frames have shipped pre-infected.

In September 2006, Apple distributed a number of Video iPods infected with the RavMonE.exe virus. The company apologised, noting that the virus would affect only Windows systems. However, the fact that the virus was for Windows is a red herring. The real problem is that a new product from a trusted source was shipped complete with a piece of malicious code.

The most popular counter to viruses is anti-virus software. Additionally, some people claim that if you avoid the seedier parts of the Internet, and never open uninvited email attachments, you can avoid viruses. As we will see in Spyware, below, this is no longer the case.

Spyware

The most prevalent type of online threat that web users will encounter is spyware. The simplest definition of this is: software that installs itself on your system with a view to stealing your information.

Criminal gangs are closely associated with this menace, which commonly appears on websites. Simply visiting an infected web page can result in a ‘drive-by’ hack where the spyware installs itself silently and secretly, using security holes in either the operating system or (in most cases) the web browser.

In a recent trend, attackers have started to break into popular websites, infecting the pages with spyware. This means that the old advice of ‘stick to trusted websites’ is no longer as watertight as it once was. Last year some MySpace pages were infected with a Trojan that used a flaw in Apple’s QuickTime application. It stole users’ personal details from both Windows and Mac computers.

Just last month Trend Micro’s website was infected with a virus that attacked visitors. That was embarrassing for the world’s third largest anti-virus company, but horribly dangerous for trusting users.

You can see a short list of Mac-specific spyware at http://macscan.securemac.com/spyware-list. One particularly interesting example is the DNSChanger Trojan. This works on Mac OS X targets by fooling the user into installing it. It pretends to be a video codec but instead will display pornographic adverts. It can be removed, using a tool like SecureMac’s DNSChanger Removal Tool.

Mac Menace

While the Mac remains relatively unmolested by attackers, you can be sure that they are monitoring the situation and waiting for the right time to start a full-on attack.

At present, Windows PCs account for the vast majority of personal computers used in the world, making them the most economical target. However, if Apple’s market share continues to increase at its current rate, it may not be long before the bad guys see Mac computers as an attractive target.

Sometimes there is security being in the minority.

Pocket problems

Mobile computing has become increasingly popular since the introduction of the Apple iPod touch and iPhone. Both of these gadgets make it easy to put powerful computer devices in your pocket. And once lots of people start using them to bank, gamble and shop online, they will present a lucrative target.

Any computer system can be broken into – and mobile phones have been the focus of much speculation over the past few years. Security firms including Symantec, Kaspersky and F-Secure have all produced anti-virus software for powerful mobile phones, some of which run Symbian operating systems; while others use a cut-down version of Microsoft Windows. So far there have been virtually no serious threats and it’s not unreasonable to speculate that this is because there is no common mobile phone operating system.

At some stage in the future, however, there is likely to be greater standardisation, with many people using the same basic mobile phone operating system. It is possible that Google’s recently-announced Android handset system will be adopted widely.

Whichever option the manufacturers choose, the criminals will be sure to pay close attention. At present, there is little point in the bad guys trying to hack 50 different types of mobile phone. But if there are just three or four options being used by owners to handle valuable data, such as credit card transactions, things will inevitably change.

Which is the easiest computer to hack?

In March 2008, a security conference ran a competition to discover which type of personal computer was the easiest to hack. CanSecWest, in Vancouver, provided remote access to a Windows, Linux and Mac computer. The prize for the first person to hack each one was $25,000. To make the challenge harder, contestants were not allowed to use the same attack on each system and only unknown vulnerabilities were fair game.

The results disproved most people’s perceptions about which computers are the most secure. The MacBook Air, running a fully-patched version of Leopard, was the first to fall. This was followed by the Windows Vista PC a day later. The Linux PC, which ran Ubuntu, was not compromised.

Charlie Miller exploited a vulnerability in the Safari web browser, which gave him full access to the Mac. Miller said that he chose the Mac to attack because "it was the easiest". This exercise proves that someone experienced in security issues can defeat a fully-patched system given time. It also proves that a Mac is genuinely hackable. However, it does not indicate that Mac OS X is essentially less secure than Windows or Linux. Some security experts who specialise in Linux would have been able to break into the Ubuntu system but may not have stood a chance against the Windows PC and Mac.

First Published in MacUser, Vol 24 No 8, 11 April 2008. The above article is © Dennis Publishing Limited 2008. UK property of Dennis Publishing Ltd. This article may not be reproduced or transmitted in any form in whole or in part without the written consent of the publishers.

No comments:

Post a Comment