The Hard Apple: Why It’s Difficult to Acquire Malware on a Mac

It always seems like there is a new virus, a new piece of malware or new adware popping up on computers running Windows. So why do we not hear about this happening on a Mac? The answer lies in the operating system itself, tracing back to its Unix roots, along with the attackers' choice of target audience.

Apple's Macs run macOS, a Unix-based operating system, and Unix systems come with a well-established security model of their own (separate user accounts, file permissions and privilege separation). On top of that, Apple has added security features of its own. One of these is Gatekeeper, which by default blocks any application that is not from the Mac App Store or signed with a valid Developer ID certificate issued by Apple. A second feature is sandboxing: a sandboxed app may only touch the files, devices and network resources it has declared it needs, and it is isolated from system components and from other parts of the computer that have nothing to do with its designed purpose. The third feature is FileVault 2, Apple's full-disk encryption, which encrypts everything on the Mac's startup disk so that the data cannot be read without the user's password or recovery key. Together, these built-in protections give Apple's users a more secure baseline.

It might be expected that Mac users would be an easy group to target, but the more likely explanation is economic: Windows has a far larger installed base, so malware that works on Windows reaches many more victims for the same effort, while a Mac version also has to get past the protections described above. There are few Mac viruses and malware families not because Macs cannot be attacked, but because attackers have a bigger and easier target in Windows users.

Despite the small number of Mac viruses and malware families, there have still been real instances. In 2017 alone, the amount of Mac malware seen was reported to have risen by 230%. One example is OSX/Dok. Discovered in April 2017, OSX/Dok was a trojan that hijacked all of the Mac's incoming and outgoing traffic by routing it through a proxy the attackers controlled, which let them read even encrypted web traffic. The trojan was signed with a valid Apple-issued Developer ID certificate, so Gatekeeper let it through; the attackers apparently obtained the certificate through a legitimate developer account. This is the weak point in Gatekeeper's model: a valid signature proves only that someone held a developer account, not that the software is trustworthy. Another attack, in February 2017, was called MacDownloader. It presented itself to the user as a free update for Adobe Flash Player. When the installer ran, it told the user that adware had been found on the Mac and prompted for the system password, then began transmitting data (usernames, passwords and so on) to a remote server. A final example of successful Mac malware is Safari-Get. Appearing in November 2016, this was a social engineering attack in which links sent out by email opened either an endless series of iTunes windows or an endless series of draft emails, depending on the macOS version. Either way the system would freeze or run out of memory and force a shutdown.
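As an added example (not code from the original post or from Apple), here is a Python script that parses the output of the macOS tools spctl and codesign and applies a stricter policy than Gatekeeper's default: beyond Gatekeeper accepting the app, the signing Team ID must be on an allowlist the organisation maintains. That is the check that would have stopped a Developer ID-signed trojan like OSX/Dok. The allowlist, app paths, Team IDs and tool outputs below are constructed assumptions, not real data.

```python
"""Added example: a stricter-than-Gatekeeper trust check for a macOS app.

Gatekeeper's default policy accepts anything carrying a valid Developer ID
signature, which is exactly how OSX/Dok got through.  This script parses the
output of `spctl -a -vv` and `codesign -dv --verbose=4` and additionally
requires the signing Team ID to be on an allowlist the organisation maintains.
The sample outputs below are constructed; the Team IDs are fictional.
"""
import subprocess

# Hypothetical allowlist of Team IDs this organisation has vetted.
ALLOWED_TEAM_IDS = {"ABCDE12345"}


def parse_spctl(output):
    """Parse `spctl -a -vv <app>` output into verdict, source and origin."""
    info = {"accepted": False, "source": None, "origin": None}
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            info["accepted"] = True
        elif line.startswith("source="):
            info["source"] = line.split("=", 1)[1]
        elif line.startswith("origin="):
            info["origin"] = line.split("=", 1)[1]
    return info


def parse_codesign(output):
    """Parse `codesign -dv --verbose=4 <app>` output (codesign writes it to stderr)."""
    info = {"identifier": None, "team_id": None, "authorities": []}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Identifier="):
            info["identifier"] = line.split("=", 1)[1]
        elif line.startswith("TeamIdentifier="):
            info["team_id"] = line.split("=", 1)[1]
        elif line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1])
    return info


def assess(spctl_output, codesign_output):
    """Return (trusted, reason).  Gatekeeper acceptance is necessary, not sufficient."""
    sp = parse_spctl(spctl_output)
    cs = parse_codesign(codesign_output)
    if not sp["accepted"]:
        return False, "rejected by Gatekeeper (%s)" % sp["source"]
    if sp["source"] == "Mac App Store":
        return True, "Mac App Store app, reviewed by Apple"
    # Everything else Gatekeeper accepts is a Developer ID signature; that only
    # proves someone held a developer account, so check *which* team signed it.
    team = cs["team_id"]
    if team is None:
        return False, "accepted but no Team ID found in signature"
    if team not in ALLOWED_TEAM_IDS:
        return False, "Developer ID team %s is not on the allowlist" % team
    return True, "Developer ID team %s is allowlisted" % team


def assess_path(path):
    """Run the real tools against an app bundle on macOS."""
    sp = subprocess.run(["spctl", "-a", "-vv", path], capture_output=True, text=True)
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
    return assess(sp.stdout + sp.stderr, cs.stdout + cs.stderr)


# Constructed sample outputs mirroring the real tools' format (Team IDs fictional).
SPCTL_DEVID = (
    "/Applications/Unknown.app: accepted\n"
    "source=Developer ID\n"
    "origin=Developer ID Application: Example Shell Co (ZZZZZ99999)\n"
)
CODESIGN_DEVID = (
    "Executable=/Applications/Unknown.app/Contents/MacOS/Unknown\n"
    "Identifier=com.example.unknown\n"
    "Authority=Developer ID Application: Example Shell Co (ZZZZZ99999)\n"
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
    "TeamIdentifier=ZZZZZ99999\n"
)
SPCTL_APPSTORE = "/Applications/Store.app: accepted\nsource=Mac App Store\n"
SPCTL_REJECTED = "/Users/me/Downloads/Unsigned.app: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    print(assess(SPCTL_DEVID, CODESIGN_DEVID))   # Gatekeeper says yes, policy says no
    print(assess(SPCTL_APPSTORE, ""))
    print(assess(SPCTL_REJECTED, ""))
```

On a Mac, assess_path("/Applications/Foo.app") runs the real tools; the constructed samples let the logic be exercised anywhere. The parsed source field is what separates "Mac App Store" from "Developer ID", the distinction that Gatekeeper's default policy collapses into a single "accepted".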

Even though attackers put relatively little effort into targeting Mac users, Mac users should still take basic precautions. That means keeping macOS and applications updated, leaving Gatekeeper and FileVault switched on, being careful about which links are clicked and which files are opened, and treating any unexpected prompt for the system password as a warning sign, since that is exactly how MacDownloader got its access.

-Ryan Keihm


Do Macs get viruses, and do Macs need antivirus software?

16 Apple Security Advances to Take Note of in 2016

New Bashware Hacking Technique Has Potential To Affect Windows 10 Users

A new hacking technique, found and dubbed ‘Bashware’ by the cyber security firm Check Point, can be used by attackers targeting Windows 10 users.

The technique abuses the Linux environment that already exists inside Windows 10, the Windows Subsystem for Linux (WSL). Malware run through WSL can go completely undetected by antivirus software and the other protections in place.

The potential impact is large, since Windows 10 is very widely used, and any Windows 10 system on which WSL can be enabled could be at risk from attackers using this technique.

Check Point researchers Dvir Atias and Gal Elbaz commented on the threat after testing the technique against major protection software: “We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all”. This shows that, in its current state, WSL provides a major gateway for hackers into even protected systems.

WSL lets developers run Linux binaries and tools natively on Windows 10, so that code can be tested in both Windows and Linux settings, but it is an optional feature that a developer has to switch on.

The gap exists not because WSL itself is badly coded but because security products were never designed with it in mind: WSL runs Linux programs as a new kind of process (a “Pico process”) that existing antivirus hooks and scanners do not inspect, so when the feature shipped there was simply nothing watching it.

The one thing that could hinder this technique is that the attacker needs administrator access to the computer, but many attackers already have ways to obtain that, whether through other malware or through social engineering.

Microsoft is actively looking at ways to counter the technique, but a spokesperson said they are not worried and in fact view it as low risk. The spokesperson stated that “One would need to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default”.

In other words, all an attacker needs is administrator access and a way to get the machine rebooted, whether by tricking the user or by doing it themselves, since enabling the WSL component requires a reboot.
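As an added example (not Check Point's research code or anything from Microsoft), the following Python script audits a Windows 10 host for the two preconditions the Microsoft spokesperson lists, developer mode and the installed WSL component, and flags WSL being started by a parent process that is not an interactive shell. The registry value AllowDevelopmentWithoutDevLicense is the standard developer-mode switch, and LxCore/LxSs are the WSL kernel drivers; neither is mentioned on the page. The reg query and driverquery outputs and the Sysmon-style process lines are constructed samples so the logic runs anywhere.

```python
"""Added example (not Check Point's or Microsoft's code): audit a Windows 10
host for the preconditions Bashware needs and for WSL being launched from an
unexpected parent.  The registry value is the standard developer-mode switch
and LxCore/LxSs are the WSL drivers; the sample tool outputs and the
Sysmon-style process lines below are constructed.
"""
import re
import subprocess

DEV_MODE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock"
DEV_MODE_VALUE = "AllowDevelopmentWithoutDevLicense"
WSL_DRIVERS = {"lxcore", "lxss"}                  # WSL Pico-provider drivers
WSL_LAUNCHERS = {"bash.exe", "wsl.exe", "lxrun.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}


def parse_reg_query(output):
    """`reg query <key> /v AllowDevelopmentWithoutDevLicense` prints e.g. 'REG_DWORD 0x1'."""
    m = re.search(DEV_MODE_VALUE + r"\s+REG_DWORD\s+0x([0-9a-fA-F]+)", output)
    return int(m.group(1), 16) if m else None


def parse_driverquery(output):
    """Module names from `driverquery` table output (first column)."""
    modules = set()
    for line in output.splitlines()[2:]:        # skip header row and ==== rule
        if line.strip():
            modules.add(line.split()[0].lower())
    return modules


def parse_proc_events(lines):
    """'Image=<path> ParentImage=<path>' lines -> (image, parent) basenames."""
    events = []
    for line in lines:
        m = re.search(r"Image=(.+?)\s+ParentImage=(.+)$", line)
        if m:
            image = m.group(1).rsplit("\\", 1)[-1].lower()
            parent = m.group(2).strip().rsplit("\\", 1)[-1].lower()
            events.append((image, parent))
    return events


def assess(dev_mode_value, drivers, events, wsl_expected=False):
    """Return human-readable findings; each is a step a Bashware-style attacker must take."""
    findings = []
    if dev_mode_value == 1:
        findings.append("developer mode enabled (%s=1)" % DEV_MODE_VALUE)
    loaded = sorted(WSL_DRIVERS & drivers)
    if loaded and not wsl_expected:
        findings.append("WSL drivers loaded but WSL is not expected here: " + ", ".join(loaded))
    for image, parent in events:
        if image in WSL_LAUNCHERS and parent not in INTERACTIVE_PARENTS:
            findings.append("%s launched by %s, not an interactive shell" % (image, parent))
    return findings


def collect_live(wsl_expected=False):
    """Run the real tools on Windows; process events need a separate source such as Sysmon."""
    reg = subprocess.run(["reg", "query", DEV_MODE_KEY, "/v", DEV_MODE_VALUE],
                         capture_output=True, text=True).stdout
    drv = subprocess.run(["driverquery"], capture_output=True, text=True).stdout
    return assess(parse_reg_query(reg), parse_driverquery(drv), [], wsl_expected)


# Constructed sample outputs.
REG_OUT = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\r\n"
    "    AllowDevelopmentWithoutDevLicense    REG_DWORD    0x1\r\n"
)
DRIVERQUERY_OUT = (
    "Module Name  Display Name           Driver Type   Link Date\n"
    "============ ====================== ============= ======================\n"
    "1394ohci     1394 OHCI Compliant Ho Kernel        12/10/2013 6:44:18 PM\n"
    "LxCore       LxCore                 Kernel        7/15/2017 1:02:11 AM\n"
    "LxSs         LxSs                   Kernel        7/15/2017 1:02:11 AM\n"
)
PROC_LINES = [
    r"Image=C:\Windows\System32\bash.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for f in assess(parse_reg_query(REG_OUT), parse_driverquery(DRIVERQUERY_OUT),
                    parse_proc_events(PROC_LINES)):
        print("[!]", f)
```

On a developer's workstation pass wsl_expected=True so the driver finding is suppressed; the launch-parent rule still applies there, because a developer starts bash.exe from a shell or a terminal, not from Word.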

Bashware is a particularly powerful technique against Windows 10 that can bypass even the best anti-virus software, but security companies are already working on detecting it.



– Alex Haubert

CareerBuilder Phishing Attacks

Once again, a popular website is facing the consequences of a phishing attack, although this time it is a little different. Normally when you think of a phishing attack you picture some clueless individual clicking a link in an email and infecting the system, or handing important information to a phony account and costing their business millions of dollars. This time the blame is not so easily placed on any one individual.

For anyone who has never heard of it, CareerBuilder is a popular job search website. Companies post job advertisements for open positions, and users browse the postings by area or category and apply. Generally you can apply right from the website by uploading your resume as a Word document. Whenever a job seeker uploads a resume to a job posting, CareerBuilder notifies the company of the uploaded document. The people behind these attacks simply titled their documents things like “resume.doc” or “cv.doc”, and employers opened them as if they were just another typical resume. The employees download these attachments, which on the surface appear to be from just another applicant, but the files then exploit a memory corruption vulnerability in Word's RTF parser. This causes the infected machine to download a payload, which downloads a .zip file containing an image file, which in turn drops a rootkit, Sheldor, on the machine. An image file is used because anti-virus programs tend to look past image files, expecting them to be nothing more than that. This is a dangerous piece of malware working its way into organizations that are simply seeking new employees. Although these attacks require far more work from the attackers, who have to find job postings and manually apply to them with their documents, the benefit is that the majority of their attempts will very likely succeed: the employer is expecting an attachment and has every reason to open it. Typical phishing attacks, sent from fake email accounts to people who have no reason to expect them, are much less likely to work.

Researchers from the firm Proofpoint uncovered the details behind these attacks, stating that the malicious documents were created with a crimeware tool called Microsoft Word Intruder (MWI), which FireEye publicly documented in April of this year. MWI is sold on underground forums for around $2,000 to $3,500 and generates Word documents weaponized with exploits for known CVEs. Proofpoint also stated that CareerBuilder took swift action against these attacks, but did not say exactly what. The bigger issue is that attacks like this will always be a risk on job search websites and similar sites that accept file attachments, because they hand attackers a trusted channel for delivering malware.




-Liam Ellis

Six ways to make them say yes.

Rather than a write-up of a new security threat, I wanted to give an in-depth look at social engineering and how to get your target to say yes. Based on Robert Cialdini's book, Influence: The Psychology of Persuasion, this article lists six solid techniques.

The first principle is reciprocity: I scratch your back, you scratch mine. To use it, you give something to someone first in order to get something in return; by doing so you gain psychological leverage, because they now feel that they ‘owe you one.’ An example is a job interview: you prove that you would be valuable to the company, and the reciprocation is that they give you the job. The downside is that this depends on the target's personality. If they expect you to do things for them anyway, or are selfish enough to accept your offer with no intention of reciprocating, this principle will not work. The key is finding what they want and giving it to them.

The second principle is scarcity. If you make a resource appear scarce, it gains value and people want it more. An example would be saying that you are selling something, there are only 5 left, and you will not be restocking. You may have only started with 5, but they do not know that, and they may jump at it so they do not miss out. Scarcity can be used in tandem with reciprocity to give value to what you are offering. The downside is that if you make something out to be scarcer than it is and they call your bluff, it can backfire badly. Then again, De Beers has been doing this with diamonds for years.

The next principle is authority: people will trust you if they believe you are in a position of authority. This was demonstrated in the Milgram experiments, where ordinary people, instructed by an experimenter in a lab coat, kept delivering what they believed were dangerous electric shocks to a stranger. Authority can be conveyed through tone of voice, appearance, and almost any other form of non-verbal communication.

Consistency is the next principle. This one is a little abstract, but the gist is that people want to act consistently with what they have already said and done. Once someone has committed to something, even something small, they are far more likely to follow through, and to agree to a larger related request, because backing out would contradict their earlier commitment.

The fifth principle is consensus, also called social proof. If you see that many other people like something, you are inclined to like it too, even if you were not going to initially. This is why you see “4 out of 5 doctors recommend this toothpaste”: you do not know the doctors at all, but you are more likely to buy that toothpaste because a consensus of people endorse it. It also plays on people's constant search for approval. The weakness is that if the target thinks about the decision long enough, or likes to go against the grain, the consensus principle will be ineffective.

The sixth and final principle is liking. We like people who are similar to us, people who pay us compliments, and people who share our goals. That is all there is to it: get the person to see that your goals are the same as theirs.

Use the six principles, reciprocity, scarcity, authority, consistency, consensus, and liking, the next time you are trying to get someone to say yes to you. If you are interested in social engineering, I highly recommend reading Influence: The Psychology of Persuasion by Robert Cialdini.

– Bryon Wilkins


Influence: The Psychology of Persuasion by Robert Cialdini

Dyre Wolf

Dyre Wolf is an ongoing and complex attack that chains several techniques into one large scam, and it has made its operators millions of dollars at the expense of companies. It begins with a spear phishing email sent to a company. The email carries an attachment, commonly disguised as a PDF or some other document, that installs a small downloader called Upatre. Upatre gives the attacker a foothold on the computer and fetches the Dyre banking trojan, which lets the attacker intercept and modify what the victim's browser sends and receives. The attack really ramps up when the victim goes to log in to the company's bank. Dyre alters the page returned by the bank to show a fake phone number and a message telling the user to call it to resolve a problem with the account. From there it is up to the attacker, now posing as bank staff on the phone, to use social engineering to coerce the proper banking credentials out of the user. Once they have them, the attackers transfer the money, commonly to an offshore account. They then run a DDoS attack against the company to distract it from what has happened and slow its ability to work out who the attacker was.

Some steps that help prevent this include making sure that people know to report anything that seems suspicious, and running mock phishing campaigns against your users to train them to spot suspicious emails. The fake phone number is also a good teaching point: a bank does not change its contact number on a login page, so users should call only the number printed on their card or statement, never one that appears on a web page in the middle of logging in.
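Both the CareerBuilder attack described earlier on this page and Dyre Wolf's Upatre attachment rely on a file whose name lies about its contents: an RTF exploit document called resume.doc, or a Windows executable dressed up as a PDF. As an added example (not Proofpoint's, FireEye's or any vendor's code), the Python below triages an attachment by its magic bytes rather than its extension, flags RTF files that embed OLE objects, and looks for a PE image hidden inside an image file, the trick the CareerBuilder payload used. All sample files are constructed stand-ins, not real malware; the extension table and the finding strings are assumptions of this example.

```python
"""Added example: content-based triage of inbound attachments.

Both attacks rely on a file that is not what its name says: an RTF exploit
document called resume.doc, or a Windows executable dressed up as a PDF.
Sniffing the real format from magic bytes, rather than trusting the
extension, catches both.  All sample files below are constructed stand-ins,
not real malware.
"""
import re
import struct

MAGIC = [
    (b"{\\rtf", "rtf"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole"),   # legacy binary .doc/.xls
    (b"PK\x03\x04", "zip"),                          # .docx/.xlsx are zip containers
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),                                   # Windows executable
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"GIF8", "gif"),
]
# Which sniffed formats are legitimate for a given extension (assumed policy).
EXPECTED = {
    "doc": {"ole"}, "docx": {"zip"}, "rtf": {"rtf"}, "pdf": {"pdf"},
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"}, "exe": {"pe"},
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def sniff(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def find_embedded_pe(data):
    """Offset of a PE image anywhere in data (e.g. appended to a JPEG), else None."""
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
            if data[off + e_lfanew: off + e_lfanew + 4] == b"PE\x00\x00":
                return off
        off = data.find(b"MZ", off + 1)
    return None


def triage(name, data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    kind = sniff(data)
    exts = name.lower().split(".")[1:]
    ext = exts[-1] if exts else ""
    if len(exts) > 1 and ext in EXECUTABLE_EXTS:
        findings.append("double extension hides an executable: %s" % name)
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        findings.append("PE executable disguised as .%s" % ext)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append("content is %s but extension is .%s" % (kind, ext))
    if kind == "rtf":
        if re.search(rb"\\obj(data|emb|update)", data):
            findings.append("RTF embeds an OLE object")
        m = re.search(rb"\\objdata\s*([0-9a-fA-F\s]+)", data)
        if m:
            head = re.sub(rb"\s", b"", m.group(1))[:4]
            if len(head) == 4 and bytes.fromhex(head.decode()) == b"MZ":
                findings.append("embedded OLE object is a PE executable")
    if kind != "pe":
        off = find_embedded_pe(data)
        if off is not None:
            findings.append("PE image appended at offset %d" % off)
    return findings


def _pe_stub():
    """Minimal DOS header with e_lfanew pointing at a PE signature (constructed)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00"


# Constructed samples.
SAMPLE_RESUME_DOC = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 4d5a9000}}}"
SAMPLE_CV_DOCX = b"PK\x03\x04" + b"\x00" * 26
SAMPLE_STATEMENT_PDF = _pe_stub()                      # Upatre-style "PDF"
SAMPLE_INVOICE_PDF_EXE = _pe_stub()
SAMPLE_PHOTO_JPG = b"\xFF\xD8\xFF\xE0" + b"\x00" * 100 + _pe_stub()

if __name__ == "__main__":
    for name, data in [("resume.doc", SAMPLE_RESUME_DOC), ("cv.docx", SAMPLE_CV_DOCX),
                       ("statement.pdf", SAMPLE_STATEMENT_PDF),
                       ("invoice.pdf.exe", SAMPLE_INVOICE_PDF_EXE),
                       ("photo.jpg", SAMPLE_PHOTO_JPG)]:
        print(name, triage(name, data))
```

The RTF check matters because Word happily opens an RTF file named .doc, which is exactly what an exploit builder relies on; the PE-in-image check walks every MZ occurrence and validates the e_lfanew pointer, so a JPEG with an executable glued to the end is caught even though its header is a perfectly valid image.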

Samuel Mosher