2015 is a year that will be remembered by Apple's software and security engineers. This is the most prolific year for OS X malware, in history.
The threat research team at Bit9 + Carbon Black spent over two months of 2015, 10 weeks to be precise to look into every fragment of a reported case of OS X malware. The findings were as memorable as they were damning. They discovered five times more malware in 2015 than all the malware samples discovered during the previous five years. Combined.
Perhaps more startlingly, the Bit9 + Carbon Black Threat Research Team is confident in their assessment that OS X malware attacks are bound to increase and even accelerate in their occurrences as we head into the end of the year.
The security honeymoon that Macintosh has enjoyed may be over.
[ ALSO ON CSO: Do automatic OS X security updates signal a sea change at Apple? ]
PCs are believed to the the more vulnerable operating system of the two prominent platforms when it came to cyberattacks. For the longest time, this was indeed a fact. However, with Macs taking a bigger share of the market, they seem to have attracted the nefarious malware peddlers.
As things stand, 16.4 percent of the end user market is comprised of machines running OS X. Notably, 45 percent of companies even offer Macs as an option to their employees, according to the study.
2015 will also be remembered as the year of the XcodeGhost, the first instance where a malware had a major breakout in the famously hard-to-infiltrate App Store. Going against conventional malware intrusions, the target this time was Xcode, Apple's official tool that developers obtain in order to publish and develop applications.
Even OS X El Capitan, a version of Apple's Mac operating system for desktops and laptops contained significant vulnerabilities within its Gatekeeper and Keychain features.
Altogether, the research team collected over 1,400 unique samples that were a result of the team's independent research efforts and collections from incident responses involving OS X, black lists, peer research, open sources and other sources.
The bottom line: 2015 alone had more than five times the number of OS X malware samples from 2010, 2011, 2012, 2013 and 2014, put together.
The numbers prove that it is already beyond time for security professionals, enterprise users and end-users to start taking the threat of malware targeting their Apple devices.
Observations of malware studied
The team had to discard tools that are routinely used for Windows malware analysis such as Process Monitor for compatibility reasons.
Instead, the research team resorted to custom built tools and several pre-built tools for dynamic analysis of malware targeting Macs. They include dtrance, opensnoop and fs_usage.
The research team quickly identified routine actions that are commonly associated with malware. Red flags were raised during auto file creations and intrusive network communications. The team then proceeded to look at command-and-control infrastructure along with any artifacts left after payload execution in the malware samples.
Interestingly, routine Unix persistence mechanisms were seldom seen in the samples of OS X malware that were analyzed. For instance, the team found that procedures such as "trojaning" startup locations such as rc.common or even adding cron jobs were seldom used. Strikingly, the malware authors specifically chose Mac OS X-specific mechanisms.
Analysis showed that most OS X malware used features of the actual OS like LaunchDaemons/LaunchAgents along with other login items and browser plugins. The malware was discovered to reside in user-land and other leveraged persistence mechanisms that offered support for this, instead of any attempts to worm into kernels by writing custom extensions to the kernel.
Even more surprisingly, there were no Unix/Linux malware traces despite OS X's roots in FreeBSD.
Also, LC_MAIN, Apple's new load command to define an entry point into the Mach-O format since the release of OS X 10.8 was not used by nearly 90 percent of OS X malware samples. Instead, the previous load commands, namely LC_THREAD and LC_UNIXTHREAD were still being used. In fact, most samples throughout 2010 to 2015 still used the previous load command, although there was a small percentage that shifted to the newer command since 2014.
This led the research team to believe that most malware authors still used the old load command instead of the newer one.
The report was simple in its summation of this particular discovery:
"Malware authors are not updating their malware to conform to the latest specifications by Apple."
More malware, less sophisticated malware
With the aggressive expansion in malware peddling to strike the OS X platform, malware authors have not particularly made their wares sophisticated.
The research team noted that malware authors are foregoing the Unix philosophy in combining "small and sharp tools" to get to their goals. In fact, the Unix-malware seems to have a monolithic tinge to it, the likes of a Windows-malware. This is in stark contrast to a composability approach, wherein the malware would look to exploit legitimate Unix-specific OS operations in their very design.
Detection methods for enterprises
It is perhaps understandable that enterprises have failed when it comes to installing safeguards for OS X devices because of that 'honeymoon' period enjoyed by the platform. When they did have to look into it, there has been distinct lack of OS X support from several security vendors.
It's important to note that most infections captured by malware detectors and sensors are adware based and only lately has there been an increase in sophisticated malware.
The threat, substantial as it is, can be monitored by making use of an enterprise-class scalable endpoint threat detection and response solution.
Additionally, osquery is a comprehensive, enterprise-grade tool maintained by Facebook that will come in handy. It is also open source.
The following queries can be utilized to look into monitoring and analysis with osquery.
- select name,program,path FROM launchd;
- select name,program,path FROM launchd where username = ‘root’;
- select name,linked_against,path from kernel_extensions;
- select name,path,type,source from from startup_items;
- select * from preferences where domain = ‘loginwindow’;
- select * from preferences where domain = ‘loginitems’;
- select * from crontab
For malware that springs along with launchd, the queries are:
- select * from shell_history where command = “launchctl”;
- select * from shell_history where command = “/bin/launchctl”;
Similarly, the following queries would be applicable when looking into browser extensions:
- select identifier,path from safari_extensions; (mostly adware malware)
- select identifier,path from chrome_extensions; (mostly adware malware)
If you suspect your organization might be compromised, make sure to contact an Incident Response company to review your concerns and if needed, to respond. This will minimize the damage caused.
Detection mechanisms for end-users and consumers
It's always recommended that consumers have an antivirus software solution with the most recent updates.
Additionally, two helpful utilities are:
Dynamic Hijack Scanner - A simple utility that scans your computer for applications that are vulnerable to hijacking or those that may have been hijacked.
KnockKnock - Looks into persistently installed software to reveal malware in them.
This article is published as part of the IDG Contributor Network. Want to Join?