2015: The Most Prolific Year for OS X Malware, Ever

2015 is a year that will be remembered and pinned for later reference by Apple’s software and security engineers. It is the most prolific year for OS X malware in history.

The threat research team at Bit9 + Carbon Black spent over two months of 2015, ten weeks to be precise, looking into every fragment of reported OS X malware cases. The findings were as memorable as they were damning. They discovered five times more malware in 2015 than all the malware samples discovered during the previous five years combined.

Perhaps more startlingly, the Bit9 + Carbon Black Threat Research Team is confident in its assessment that OS X malware attacks are bound to increase and even accelerate as we head into the end of the year.

The security honeymoon that Macintosh has enjoyed may be over.

PCs were believed to be the more vulnerable of the two prominent platforms when it came to cyber attacks. For the longest time, this was indeed fact. However, with Macs taking a bigger share of the market, they seem to have attracted the nefarious malware peddlers.

As things stand, 16.4% of the end user market is comprised of machines running OS X. Notably, 45% of companies even offer Macs as an option to their employees, according to the study.

2015 will also be remembered as the year of XcodeGhost, the first instance where malware had a major breakout in the famously hard-to-infiltrate App Store. Going against conventional malware intrusions, the target this time was Xcode, Apple’s official tool that developers obtain in order to develop and publish applications.

Even OS X El Capitan, a version of Apple’s Mac operating system for desktops and laptops, contained significant vulnerabilities within its Gatekeeper and Keychain features.

Altogether, the research team collected over 1,400 unique samples from the team’s independent research efforts, incident response engagements involving OS X, blacklists, peer research, open sources and other sources.

The bottom line: 2015 alone had more than five times the number of OS X malware samples from 2010, 2011, 2012, 2013 and 2014, put together.

The numbers prove that it is already beyond time for security professionals, enterprise users, and end-users to start taking the threat of malware targeting their Apple devices seriously.

Observations of Malware Studied

The team had to discard tools that are routinely used for Windows malware analysis, such as Process Monitor, for compatibility reasons.

Instead, the research team resorted to custom-built tools and several prebuilt tools for dynamic analysis of malware targeting Macs. They include dtrace, opensnoop, and fs_usage, along with Carbon Black, a custom-built sandbox.

By using this sandbox, the research team quickly identified standard actions that are commonly associated with malware. Red flags were raised by automatic file creation and intrusive network communications. The team then proceeded to look at command-and-control infrastructure along with any artifacts left after payload execution in the malware samples.

Interestingly, general Unix persistence mechanisms were seldom seen in the samples of OS X malware that were analyzed. For instance, the team found that procedures such as “trojaning” startup locations via rc.common or even adding cron jobs were seldom used. Strikingly, the malware authors specifically chose Mac OS X-specific mechanisms.

Analysis showed that most OS X malware used features of the OS itself, such as LaunchDaemons/LaunchAgents, along with login items and browser plugins. The malware was found to reside in user-land and to leverage persistence mechanisms that support this, rather than attempting to worm into the kernel by writing custom kernel extensions.

Even more surprisingly, there were no Unix/Linux malware traces despite OS X’s roots in FreeBSD.

Also, LC_MAIN, Apple’s new load command for defining an entry point in the Mach-O format, available since the release of OS X 10.8, was not used by nearly 90% of OS X malware samples. Instead, the previous load commands, namely LC_THREAD and LC_UNIXTHREAD, were still being used. In fact, most samples from 2010 to 2015 still used the previous load commands, although a small percentage has shifted to the newer command since 2014.

This led the research team to believe that most malware authors still used the old load command instead of the newer one.

The report was simple in its summation of this particular discovery:

“Malware authors are not updating their malware to conform to the latest specifications by Apple.”
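The load-command observation above can be checked on any binary by walking its Mach-O load commands. The following is an added example, not code from the report or from Bit9 + Carbon Black; the names `entry_load_commands` and `sample_image` are chosen here, and the sample images are constructed headers that contain no code.

```python
import struct

# Values from <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
ENTRY_COMMANDS = {
    0x4: "LC_THREAD",
    0x5: "LC_UNIXTHREAD",
    0x80000028: "LC_MAIN",  # 0x28 | LC_REQ_DYLD, available since OS X 10.8
}

def entry_load_commands(data):
    """Return the entry-point load commands in a thin Mach-O image."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    # The header is written in the target's byte order, so try both.
    for endian in ("<", ">"):
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O image (fat binaries need per-slice parsing)")
    offset = 32 if magic == MH_MAGIC_64 else 28  # 64-bit header adds a reserved word
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    end = min(offset + sizeofcmds, len(data))
    found = []
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load command table is truncated")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8:
            raise ValueError("load command with impossible cmdsize")
        if cmd in ENTRY_COMMANDS:
            found.append(ENTRY_COMMANDS[cmd])
        offset += cmdsize
    return found

def sample_image(cmd, is64=True):
    """Constructed input: a header plus one 24-byte load command, no code."""
    body = struct.pack("<II", cmd, 24) + bytes(16)
    header = [MH_MAGIC_64 if is64 else MH_MAGIC, 0x01000007, 3, 2, 1, len(body), 0]
    if is64:
        header.append(0)  # reserved field
    return struct.pack("<%dI" % len(header), *header) + body

if __name__ == "__main__":
    for name, cmd in (("LC_MAIN", 0x80000028), ("LC_UNIXTHREAD", 0x5)):
        print(name, "->", entry_load_commands(sample_image(cmd)))
```

For a real file, pass `open(path, "rb").read()`; universal (fat) binaries are rejected rather than guessed at, since each architecture slice carries its own load commands.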

More Malware, Less Sophisticated Malware

With the aggressive expansion in malware peddling to strike the OS X platform, malware authors have not particularly made their wares sophisticated.

The research team noted that malware authors are forgoing the Unix philosophy of combining “small and sharp tools” to get to their goals. In fact, the Unix malware seems to have a monolithic tinge to it, like that of Windows malware. This is in stark contrast to a composability approach, wherein the malware would look to exploit legitimate Unix-specific OS operations in its very design.

The 7 Distinct Persistence Techniques Observed

Unsurprisingly, most OS X malware leverages a persistence technique to stay on the targeted system. Altogether, 13 persistence techniques were identified. They are:

1) LaunchAgents – An OS X-way to start programs on a system-wide or per-user basis.

2) LaunchDaemons – An OS X-way to start programs on a system-wide or per-user basis; used interchangeably with LaunchAgents.

3) Cron job – A time-based job scheduler in Unix-like operating systems. They’re put to regular use by running scripts and programs at fixed times, dates or intervals periodically.

4) Login items – The means used for programs to run when a user logs into an OS X account, akin to “startup items” in Windows.

5) Browser plugins – Otherwise simply known as code that runs within the context of a Web browser.

6) StartupItems – Programs that boot up along with the system startup.

7) Binary infection – This occurs when one executable modifies another to ensure that control is passed to the malicious code when the original executable is run.

Detection Methods for Enterprises

It is perhaps understandable that enterprises have failed when it comes to installing safeguards for OS X devices because of that ‘honeymoon’ period enjoyed by the platform. When they did have to look into it, there has been a distinct lack of OS X support from several security vendors.

It’s important to note that most infections captured by malware detectors and sensors are adware based, and lately, there has been an increase in sophisticated malware.

The threat, substantial as it is, can be monitored by making use of an enterprise-class scalable endpoint threat detection and response solution.

Additionally, osquery is a comprehensive, enterprise-grade tool maintained by Facebook that will come in handy. It is also open source.

The following queries can be used for monitoring and analysis with osquery.

  • select name,program,path FROM launchd;
  • select name,program,path FROM launchd where username = 'root';
  • select name,linked_against,path from kernel_extensions;
  • select name,path,type,source from startup_items;
  • select * from preferences where domain = 'loginwindow';
  • select * from preferences where domain = 'loginitems';
  • select * from crontab;
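The launchd queries above return fields read from job property lists in the LaunchAgents and LaunchDaemons directories. As an added example (not from the report and not part of osquery), the following reads those plists directly with Python’s plistlib, for a host where osquery is not installed; the function names, the row layout and the sample job are constructed here.

```python
import plistlib
from pathlib import Path

# Standard launchd job directories on OS X ("~" is expanded for the current user).
LAUNCHD_DIRS = ("/Library/LaunchAgents", "/Library/LaunchDaemons",
                "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
                "~/Library/LaunchAgents")

def parse_job(data, path):
    """Turn one job plist (XML or binary) into a row; never raises on bad input."""
    row = {"path": str(path), "label": None, "program": None,
           "run_at_load": False, "error": None}
    try:
        job = plistlib.loads(data)
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:  # an unparseable job file is itself worth reviewing
        row["error"] = "%s: %s" % (type(exc).__name__, exc)
        return row
    args = job.get("ProgramArguments") or []
    row["label"] = job.get("Label")
    # launchd runs Program if present, otherwise the first ProgramArguments entry.
    row["program"] = job.get("Program") or (args[0] if args else None)
    row["run_at_load"] = bool(job.get("RunAtLoad", False))
    return row

def launchd_jobs(dirs=LAUNCHD_DIRS):
    """Return one row per *.plist found in the given directories."""
    rows = []
    for d in dirs:
        for plist in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                data = plist.read_bytes()
            except OSError:
                data = b""  # unreadable file: reported as a parse error below
            rows.append(parse_job(data, plist))
    return rows

# Constructed sample job (not taken from any real malware sample).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/example-agent</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(parse_job(SAMPLE, "sample.plist"), *launchd_jobs(), sep="\n")
```

Rows with a non-empty `error` are job files that could not be read or parsed and should be inspected by hand.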

For malware that springs along with launchd, the queries are:

  • select * from shell_history where command = 'launchctl';
  • select * from shell_history where command = '/bin/launchctl';

Similarly, the following queries would be applicable when looking into browser extensions:

  • select identifier,path from safari_extensions; (mostly adware malware)
  • select identifier,path from chrome_extensions; (mostly adware malware)

Detection Mechanisms for End-Users and Consumers

It’s always recommended that consumers have an antivirus software solution with the most recent updates.

Additionally, two helpful utilities are:

Dynamic Hijack Scanner – A simple utility that scans your computer for applications that are vulnerable to hijacking or those that may have been hijacked.

KnockKnock – Looks into persistently installed software to reveal malware in them.