Mac Malware
April 11, 2012
By Roger Thompson
For quite some time, techies have understood that Macs were not invulnerable to malware, and the idea that there was not much Mac malware was a natural consequence of relative market opportunity for the bad guys. Put another way, there were way more PCs than Macs, so there was simply more opportunity for a return on their development and marketing effort. To paraphrase John Dillinger, “I rob banks because that’s where the money is.”
 
With the announcement last week that a Russian AV firm had detected a botnet of 500,000 to 600,000 Macs, everybody needs to come to the realization that there is a new “bank” in town, and all the Cyber Dillingers are thinking hard about how to make a withdrawal.
 
I was initially skeptical about the announcement, if for no other reason than that the numbers seemed so large, and thought that perhaps they’d just looked at a stats page for the malware itself, and had believed the stats.
 
Over the weekend, however, I found a bit more information about how they made their determination. There is a game commonly played between the bad guys and the good guys. As soon as we figure out where a botnet’s Command and Control (C&C) server is, we try to get it shut down as quickly as we can, and they try to bring up new ones just as quickly. If we get all the C&Cs shut down before they bring up new ones, we cut off the head of the botnet, and it’s not much use to anyone, and we win. Sort of. It’s a cyber version of Whack-A-Mole.
 
To combat this, these operators adopted a strategy of programmatically generating server names, rather than using hard coded ones. A simple example would be to generate a server name based on the date. That way, your bots would know where to find a new server every day, if they couldn’t find the one they normally talked to.
 
At least two antivirus companies reverse-engineered the bots far enough to learn the format of the new server names, and simply registered one before the bot operators could. This meant that they were able to watch as bots joined the server looking for instructions, count the distinct bots, and track their IP addresses. They were also able to determine that most, if not all, of the bots were Mac OS X machines.
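To make the two ideas above concrete, here is an added example (my own illustration, not code from the post or from any AV firm): a hypothetical date-seeded naming scheme of the kind the post describes, the list of names a defender would register ahead of the operators, and the bookkeeping that turns sinkhole log lines into a count of distinct bots, their IP addresses and their OS share. The naming scheme, the log format and the log lines are all constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta
import hashlib
import re

# Hypothetical naming scheme: the day's ISO date is hashed and the first 12 hex
# characters become the hostname. A real bot's scheme is whatever reverse engineering recovers.
def expected_name(day: date, zone: str = "example.com") -> str:
    digest = hashlib.sha256(day.isoformat().encode()).hexdigest()
    return f"{digest[:12]}.{zone}"

def names_to_register(start: date, days: int) -> list[str]:
    """Names a defender would register ahead of the operators for the next `days` days."""
    return [expected_name(start + timedelta(days=i)) for i in range(days)]

# Constructed sinkhole log format: client IP, bot identifier, requested host, user agent.
LOG_LINE = re.compile(r'^(?P<ip>\S+) id=(?P<bot>\S+) host=(?P<host>\S+) ua="(?P<ua>[^"]*)"$')

def summarize(log_lines, sinkhole_names):
    """Count distinct bots (not raw hits), the IPs each used, and how many identify as Mac OS X."""
    bots = {}  # bot id -> (os label, set of source IPs)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["host"] not in sinkhole_names:
            continue  # malformed line, or traffic for a name we did not register
        os_label = "Mac OS X" if "Mac OS X" in m["ua"] else "other"
        _, ips = bots.setdefault(m["bot"], (os_label, set()))
        ips.add(m["ip"])
    per_os = Counter(label for label, _ in bots.values())
    return {"distinct_bots": len(bots), "per_os": dict(per_os),
            "ips_per_bot": {b: sorted(ips) for b, (_, ips) in bots.items()}}

# Constructed sample: two Mac bots, one other, one bot seen from two IPs, one stray request.
DAY = date(2012, 4, 9)
HOST = expected_name(DAY)
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)"
SAMPLE_LOG = [
    f'203.0.113.10 id=b1 host={HOST} ua="{MAC_UA}"',
    f'203.0.113.10 id=b2 host={HOST} ua="{MAC_UA}"',
    f'198.51.100.7 id=b1 host={HOST} ua="{MAC_UA}"',
    f'198.51.100.9 id=b3 host={HOST} ua="Mozilla/5.0 (Windows NT 6.1)"',
    '192.0.2.5 id=x host=unrelated.example.net ua="curl/7.21.0"',
]

if __name__ == "__main__":
    print(names_to_register(DAY, 3))
    print(summarize(SAMPLE_LOG, set(names_to_register(DAY, 3))))
```

Counting distinct bot identifiers rather than hits, and keeping every IP per bot, is what stops a machine that changes address from being counted twice.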
 
What, then, does this all mean to an end user, and what should they do about it?
It means that Mac malware is not just a reality, but is now a genuine problem. The issue is that for a decade, Apple has made a point of telling users that they had no malware problem, and the result of that is that Mac users have no antibodies, when it comes to malware. They don’t expect it, and too many people will click on, and install, anything. You might enjoy re-visiting this ad … http://www.youtube.com/watch?v=GQb_Q8WRL_g
 
Folks, it’s time to install an anti-virus program. There will soon be a name for Mac users who are not running AV… victims 
 
Keep safe
Roger
