Malware first targeted Apple computers back in the 1980s. One of the first viruses in the wild was Elk Cloner for...
the Apple II. These first viruses prompted the launch of the antivirus industry. Some of the same defenses from 30 years ago are still relevant today, albeit with many improvements to the underlying technology. However, due mainly to the OSes’ smaller market share, malware on a Mac has only recently become a significant concern with the availability of crimeware kits.
In this tip, we’ll discuss the modern evolution of malware for Macs, crimeware kits and what enterprises need to do to defend against the increasing tide of Mac malware.
The modern evolution of malware on a Mac and crimeware kits
While Mac-based malware has advanced in sophistication since the first viruses emerged, it has done so at a much slower pace than Windows-based malware. Recently, the evolution of Mac malware made significant advancements with MacDefender, MacProtector and MacSecurity. This new breed of malware is similar to the fake antivirus malware now common on Windows-based machines. It is installed in a similar way as on Windows, where a Web browser exploit is used to install the malware or a user clicks on a pop-up message.
It’s possible for enterprises to detect this malware either by running a centrally managed antimalware application on their Macs and monitoring the alerts, or by installing detection rules in their intrusion detection systems. Apple has even released instructions on how to remove the malware. These malware strains and other crimeware kits allow for easy creation of customized malware targeting Macs.
Crimeware toolkits allow less technical attackers to use a GUI tool to create a customized version of the malware with the functionality they want. Mac users were at lower risk than Windows users for malware infection, so many Mac users have not implemented basic security controls. Now that crimeware kits significantly lower the bar to entry for attacking Macs and -- potentially open the door to multiple platform attacks in the same kit -- Mac owners and enterprises should ensure the necessary security controls are in place.
Defenses against malware on a Mac
Many of the same defenses on Windows PCs apply to Macs. Apple has instructions on how to prevent a Mac from getting infected with malware and includes limited blacklisting of malware within the OS via XProtect. The blacklist is relatively short, infrequently updated and requires manual intervention to remove the malware from the trash. Apple has only recently developed XProtect, and some of the deployment issues, such as ensuring timely updates, are still being worked out. Apple describes the working of its antimalware functionality in its knowledge base. If Apple devotes sufficient resources to the project, the company could develop a reasonable antimalware application.
Enterprises may not want to wait for this development or may want to have a different vendor for their antimalware application than their operating system. Many of the same antimalware controls for PCs apply to Macs, such as a dedicated Mac antimalware application on the endpoint, keeping patches updated, using the most up-to-date version of MacOS, not allowing end users to log in as admins, disabling unnecessary services, etc. While many times these settings can’t be managed directly from Windows management tools already in place, there are commercial third-party plug-ins (from vendors such as LanDesk Software Inc., IBM BigFix and Centrify Corp.) for the management applications to support other operating systems. You could use a Mac management tool like Apple Remote Desktop or Radmin to manage these settings. There are other utilities or configuration settings that are necessary to secure a Mac, such as using features like FileVault full disk encryption or the host-based firewall, like on Windows PCs, which require more than antimalware applications.
While Mac malware has not been as serious a threat as malware for PCs, the recent advancements in the development of crimeware toolkits for Apple products increases the threat. If Macs are not already included in your enterprise’s security program and you do not have a plan to implement the basic security controls on Macs, you should investigate including them in your general management infrastructure. Including them in your automated management tools will help ensure Macs and all systems are adequately secured and your sensitive data is protected on all systems
About the author:
Nick Lewis (CISSP) is an information security architect at Saint Louis University. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.