Handwritten Text Recognition for manuscripts and early printed texts
Mac OS X Malware: From Myth to Mainstream
1. Mac OS X Malware: From Myth to
Mainstream
Vicente Diaz, Senior Security Analyst, Global Research & Analysis Team, Kaspersky Lab
Kaspersky Security for Mac Launch Event, Moscow, 14-16, May 2012
21. Flashback attack vector
Main infection vector: Hacked WordPress sites
Late February to early March: between 30,000 and
100,000 sites were hacked
85% of hacked sites were based in the U.S.
Traffic hired from partner program associated with the
rr.nu gang
Depending on OS and browser, victims are redirected
to an exploit
24. Advanced Persistent Threat targeting MAC OS X users
The “10th March Stamnet” Doc files from 2010, rearmed with new
exploits
CVE-2009-0563 – targets Office
CVE-2012-0507 – targets Java
Installs backdoor on victim´s machine
APT is currently ACTIVE
27. Call to action: Apple’s security update process
• Allow Oracle to patch Mac OS X vulnerabilities
in Java directly, rather than issuing your own
security updates.
• Implement automatic security updates for user
systems
• Respond faster to new security vulnerabilities to
minimize window of exploitation
28. Conclusions & predictions for users
• The myth of Mac OS X being
invulnerable to malware has been
shattered
• Use AV software and proper security
practices to protect yourself
• Mac OS X mass-malware attacks will
increase. This will include drive-by
downloads and Mac OS X-based
botnets
• Expect cross-platform exploit kits with
Mac OS X-specific exploits
• Apple is pushing for a more controlled
ecosystem (GateKeeper) but this will
be a cat-and-mouse game.
29. Thank You
Vicente Diaz, Senior Security Analyst, Global Research & Analysis Team, Kaspersky Lab
@trompi
Kaspersky Security for Mac Launch Event, Moscow, 14-16, May 2012
Editor's Notes
Users feel like they are invulnerableApple itself decided back in 2008 that it would not suggest using any antivirus packageThe company’s stance is quite contradictory however: they say it offers additional security … when supposedly it is not needed!
Wow, those guys are great! However, just to be sure, let’s check it out
Java vulnerabilties: patchesprovidedby Oracle, but Java isresponsibleforthis JRE implementation and patchingUsers of OSX olderthan Snow Leopard are notcovered!Tiger wasreleasedlessthan 5 yearsago and isnotcovered. Thislifespanistoo short, especiallyforbusinessusers
In the case of Office, third-party software was the open door – but faulty ASLR implementation made the exploit possible.TheJava patch was made by Oracle, but Java is still responsible as they implement their own version of the JRE. In this case the problem was a logic bug that allowed the attack to jump out of the sandbox in a privileged environment.
It took four years to get even basic anti-exploit measures fully implemented on Lion.Apple’s vision is to prevent its computers from running software apart from trusted apps sold in its stores, and storing its data in iCloud.BUT: if the cloud is compromised (see dropbox problems); if the apps in the appstore are compromised (see android marketplace problems); if the user does not stick to the rules, or the ecosystem is broken (jailbreaks), then the risks remain. Exploits are still possible, social engineering is still possible, credentials can still be stolen and malicious code can be developed and deployed.This raises the bar on Mac OS X security and makes it harder and more expensive to attack an Apple machine. That’s the good news. But don’t get carried away: the system will still be a target.
These are the main attack vectors, and we have examples of all of them. But there are many other possibilities as well.
Wow, those guys are great! However, just to be sure, let’s check it out
sum-up stats based on IP addresses (not UUID) which were found in the botnet during the whole period of research
Two versions of SabPub have evolved quickly to use new exploitsATP active (goat machine)Wake-up call for companies, governments and business users using Mac OS XGangrelated to LuckyCat.
The market share shows the tipping point. Is not the number of samples or vulnerabilities, it is the number of potential victims.Fairly significant share among business users and advanced markets.
Allow Oracle to patch Mac OS X vulnerabilities in Java directly rather than issuing your own security updates. Make security a priority and take the onus off the user to install security updates. Issue updates that install automatically on users’ systems rather than sending reminder prompts. Teach users how to enhance the security settings on their computers so they don’t fall victim to cybercriminals and mass-malware attacks. Swifter response to new security vulnerabilities. Do not wait several months to issue an update – the longer the delay, the longer cybercriminals can exploit the problem.
Mac OS X is no safer than any other operating system – take security updates seriously and install them as soon as they’re available.Use antivirus software: the myth of Mac OS X being invulnerable to malware has been shattered.Increased market share motivates cybercriminals. Expect more drive-by downloads, mass-malware attacks and Mac OS X-based botnets to appear.Apple is pushing for a more controlled ecosystem (GateKeeper) but this will be a cat-and-mouse game instead of a bulletproof security solution.Expect cross-platform exploit kits with Mac OS X-specific exploits included.
