A brief history of Mac malware

A run-down of Apple’s complicated history with malware.


It's no Windows, but...

While Apple products have traditionally been a safer refuge for computer users than Windows, malware is no stranger to the Mac. Historically, Windows’s large user base made it a much more appealing target for hackers. But as Apple’s market share began growing, Mac-oriented malware became more commonplace and more sophisticated to boot. Here is a rundown of some of the more notable malware attacks that have targeted the Mac since the days of OS X.

See also: A brief history of Linux malware

slide 2

Renepo – 2004

Renepo was the first piece of malware designed specifically with OS X in mind. Operationally, Renepo, itself a shell script worm, wasn’t terribly sophisticated – not only was it unable to travel across the web, it required an admin password or physical access to the target computer in order to install. Once infected, Renepo turned off OS X’s firewall and security programs, installed a password cracker, and gave hackers full access to the compromised system.

Again, this was not a serious piece of malware in terms of infected users, but it is notable as the first time that OS X was targeted despite its paltry market share.

slide 3

Leap – 2006

In early 2006, the first Trojan Horse for Mac OS X was discovered. Called “Leap,” this Trojan didn’t do any concrete damage and was arguably more of a proof of concept piece of software. Of particular note is that Leap wasn’t terribly sophisticated and required a number of proactive steps on the part of the user for successful infection (i.e. downloading, decompressing, and opening a malicious file sent via iChat). Also of note is that Leap didn’t exploit any security gaps in OS X, but rather relied on tried-and-true social engineering methods in order to spread, in this case via iChat’s Bonjour buddy list. Interestingly, Leap was also known as “Oompa Loompa” and, upon its release, only worked on OS X Tiger.

slide 4

MacSweeper – 2008

Discovered by SophosLabs, MacSweeper was a piece of malware (or scareware, to be exact) that tried to trick/scare OS X users by telling them privacy vulnerabilities were discovered on the device and subsequently offering them software to eradicate problems that they didn’t actually have.

slide 5

Imunizator – 2008

Similar to MacSweep, Imunizator was a piece of scareware posing as software that promised to clean users' systems of malicious files which, shockingly, didn’t really exist. The malware lured users in by prompting them with a “get rid of compromising files now” message in the hope that users would ultimately purchase the Imunizator “clean up” software suite.

slide 6

Jahlav – 2009

Jahlav spread by masquerading as a video codec that claimed to be a requirement to view pornographic videos on the web. When an unsuspecting user downloaded the “codec” in the form of a .DMG file, the malware installed itself on the host computer and redirected website links to advertising-heavy websites, in addition to plaguing the user with pop-up ads.

slide 7

Pirated versions of iWork and CS4 – 2009

Pirating software doesn’t pay, kids. Back in 2009, pre-release copies of iWork ’09 and Adobe’s CS4 showed up on P2P networks. Users who downloaded the software, however, in fact ran the risk of downloading a malicious Trojan that aimed to create a botnet of Mac computers.

slide 8

Boonana – 2010

Originally discovered by SecureMac in 2010, Boonana was a multi-platform Trojan Horse that propagated itself to new computers via social networking sites like Facebook. Boonana attempted to spread to new machines by sending unsuspecting users a link accompanied by the phrase, “Is this you in the video?” Once a curious user clicked on the link, malicious software was downloaded to the computer that modified system files, settings, and security mechanisms to allow outsiders access to the computer’s contents.

While scary at first glance, the security firm Intego at the time pointed out that Boonana was riddled with bugs and didn’t operate as the makers intended.

slide 9

PremierOpinion – 2010

In 2010, before the safety net of the Mac App Store, Intego warned users that some free Mac apps and screensavers were being bundled with spyware. While the apps themselves functioned as intended, the accompanying spyware (which required user consent to a “market research” program) scanned a user’s files, recorded their online activity, and sent all of this information back to a remote server.

Notably, this particular piece of malware wasn’t specially crafted for the Mac; it had existed on the Windows platform since 2008.

slide 10

MacDefender – 2011

In 2011, a piece of malware dubbed MacDefender hit the scene. MacDefender masqueraded as a piece of antivirus software which, naturally, tricked some users into clicking on a malicious link and downloading files to their computer. Still, for MacDefender to work properly, users had to actively enter in their system password to install it.

In the wake of MacDefender, Apple issued a series of OS X updates to address it. MacDefender represented a new era in Mac malware, as it was elegantly designed and therefore more likely to convince and trick users into getting infected.

slide 11

Flashback Malware – 2012

Flashback was originally discovered in 2012 and, at its peak, reportedly infected upwards of 600,000 Mac users worldwide. Functioning as a botnet, the malware spread via a Java vulnerability and tricked users into downloading it by posing as an Adobe Flash installer. Once installed, the software operated by stealing system data such as passwords and credit card information, and it even redirected search engine queries to malicious websites.

To beat the malware, Apple released a free online removal tool which disabled the automatic execution of Java applets. It was later revealed that Oracle had patched the Java vulnerability two months before it hit the Mac. Apple was not as quick to do the same.

slide 12

Mac.BackDoor.iWorm – 2014

In 2014, security researchers from Dr. Web discovered an OS X botnet which touted upwards of 17,000 Macs across the globe. Oddly enough, infected Macs were found to communicate with the purveyors of the malware via Reddit.com in five-minute intervals.

slide 13

Wirelurker – 2014

A short-lived piece of malware, Wirelurker was spread via third-party applications found on unofficial Mac App Stores, once again proving that piracy doesn’t pay. While Wirelurker was mostly a problem in China, the malware was notable for its ability to hop from an infected computer to an iPhone via a USB cable, even if the iPhone itself wasn’t jailbroken.

Eventually, the third party app store in question was shut down, and three suspected perpetrators behind the malware were arrested.

Copyright © 2014 IDG Communications, Inc.