The Hard Apple: Why It’s Difficult to Acquire Malware on a Mac

It always seems like there is a new virus, new malware, or new adware popping up on a computer running Windows. But why do we not hear about this happening on a Mac? The answer lies under the operating system, in its roots, along with the attackers’ target audience.

Apple Mac computers run a Unix-based operating system. Unix is normally a very secure operating system with its own built-in protections, and Apple has added its own security features on top of it. One of these features is called Gatekeeper. Gatekeeper blocks any software that hasn’t been digitally signed and approved by Apple. A second feature used by Macs is known as sandboxing. This process involves checking applications to confirm that they are only doing what they’re supposed to be doing. Sandboxing also isolates the applications from system components and other parts of the computer that have nothing to do with the app’s designed purpose. The final security feature used by Apple is called FileVault 2, which is a simple file management system that encrypts all of the files on the Mac. These embedded protections created by Apple help to create a more secure system for their users.
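As an added example (not part of the original post), the following POSIX shell script shows how a Mac user can see what Gatekeeper actually decided about a downloaded app: it asks `spctl` for its assessment, asks `codesign` whether the signature still verifies, and checks for the quarantine attribute that causes Gatekeeper to evaluate a download in the first place. `spctl`, `codesign` and `xattr` are the standard macOS tools; the sample `spctl` output embedded at the bottom is constructed (placeholder paths and team identifier) so the parsing can be exercised on any system.

```shell
#!/bin/sh
# Added example, not from the original post: summarise Gatekeeper's view of an app bundle.
# Requires the macOS tools spctl(8), codesign(1) and xattr(1) for the live check; the
# sample outputs at the bottom are constructed so the classifier runs on any system.

# classify_spctl TEXT
#   Reduce the text printed by "spctl --assess --type execute -vv <app>" to one token:
#   accepted-appstore, accepted-devid, accepted-other, rejected or unknown.
classify_spctl() {
    case "$1" in
        *": accepted"*)
            case "$1" in
                *"source=Mac App Store"*) echo "accepted-appstore" ;;
                *"source=Developer ID"*)  echo "accepted-devid" ;;
                *)                        echo "accepted-other" ;;
            esac ;;
        *": rejected"*) echo "rejected" ;;
        *)              echo "unknown" ;;
    esac
}

# assess_app PATH
#   Live check on macOS. Prints: path, Gatekeeper verdict, signature state, quarantine state.
#   Gatekeeper only evaluates files that still carry com.apple.quarantine, so a download
#   whose attribute was stripped is reported as "unquarantined" (it was never checked).
assess_app() {
    app="$1"
    if [ ! -e "$app" ]; then
        echo "assess_app: no such path: $app" >&2
        return 2
    fi
    verdict=$(classify_spctl "$(spctl --assess --type execute -vv "$app" 2>&1)")
    if codesign --verify --deep --strict "$app" 2>/dev/null; then
        sig="signature-valid"
    else
        sig="signature-invalid-or-missing"
    fi
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        quarantine="quarantined"
    else
        quarantine="unquarantined"
    fi
    printf '%s\t%s\t%s\t%s\n' "$app" "$verdict" "$sig" "$quarantine"
}

# Constructed sample outputs in spctl's format (paths and team identifier are placeholders).
SAMPLE_ACCEPTED='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMIDXXXXX)'
SAMPLE_REJECTED='/Users/me/Downloads/Unsigned.app: rejected
source=no usable signature'

# Offline demonstration of the classifier; on a Mac pass an app path to run the live check.
classify_spctl "$SAMPLE_ACCEPTED"   # accepted-devid
classify_spctl "$SAMPLE_REJECTED"   # rejected
if [ $# -gt 0 ]; then
    assess_app "$1"
fi
```

Save it as `gk-check.sh` and run `sh gk-check.sh /Applications/Example.app` on a Mac; an app that shows `rejected` together with `signature-invalid-or-missing` is exactly what Gatekeeper exists to stop, and an `unquarantined` result on something you just downloaded is worth a second look, because Gatekeeper never examined it.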

Normally, one would think that Mac users would be an easy group to target, but based on recent data, most attackers have concluded that the size of the Apple community is not worth the overall effort of making a virus or malware that can successfully pass through all of Apple’s security obstacles. The reason there is very limited malware for Mac devices is that attackers have a greater and easier target audience in Windows users.

Despite the small number of Mac-related viruses and malware, there have still been instances of them. In 2017 alone, there was a 230% increase in Mac malware. An example of this is the OSX/Dok malware. OSX/Dok appeared in April 2017 and was a trojan that hijacked all incoming and outgoing traffic on the Mac. The trojan was signed with a valid certificate from Apple, meaning that the hackers could have used a legitimate developer account to launch this attack. Another attack, in February 2017, was called MacDownloader. This adware presented itself to the user as a free update for Adobe Flash Player. When the installer ran, it would warn the user that there was adware on the Mac and prompt for the system password. It would then begin transmitting data (i.e., usernames, passwords, etc.) to a remote server. The final example of successful Mac malware is one called Safari-Get. Appearing in November 2016, this was a type of social engineering that involved sending out links through email; the link opened either multiple iTunes windows or multiple draft emails (depending on the Mac operating system version). This would cause the system to freeze or run out of memory and force a shutdown.

Regardless of the lack of effort put forth by attackers towards Mac users, there should still be some safety concern for users. This can be addressed easily by keeping applications updated and being careful when clicking links or opening certain files.

-Ryan Keihm


Do Macs get viruses, and do Macs need antivirus software?

16 Apple Security Advances to Take Note of in 2016


Vulnerabilities in systems without updated EFI

Recently a study was done. A company by the name of “Duo” analyzed the firmware in many models of Apple computers. What they found is that while the OS may have been up to date, in some cases the computer’s EFI firmware was not. Duo’s reasoning for choosing Apple products was that Apple itself handles everything, from the software to the hardware and everything in between. This is not to say that the issue doesn’t occur on Windows systems.

Actually, it might even be worse, due to the fact that most Windows systems use parts from other manufacturers. This essentially means that unless you update the firmware yourself, you probably will not receive updates for it. An Apple computer, on the other hand, is usually set to install EFI firmware updates as the operating system updates. The problem arises when that doesn’t happen.

I’ve been going on about EFI and that it probably isn’t being properly updated on these systems, but what is it? EFI, or Extensible Firmware Interface, is a type of firmware. Firmware is a type of software that is fully independent of the operating system and can perform many tasks. The first and foremost job of EFI is to get your system up and running, though it can take on other roles, like remote diagnostics to fix problems on a computer without anyone being present at the physical device.

So, what can an attacker do if your EFI isn’t up to date? Well, on an Apple system there are a few attacks that come to mind. The first is Thunderstrike. Basically, Thunderstrike allowed an attacker to flash new EFI firmware in place of the current Apple firmware version. This gave the attacker control of many aspects of the system without the user realizing it or being able to remove it. This mode of attack required physical access to one of the machine’s Thunderbolt ports in order to write the new boot ROM. Later, Thunderstrike 2 came around. It did basically the same thing, except that the attacker could do it remotely.

Who is at risk? On average, about 4.2% of the systems Duo analyzed had the wrong EFI version for their respective models. That doesn’t sound like a lot, but given the vast user base of Apple products, it is actually quite a lot of systems. It also depends on the model you have; some are more likely than others to have the wrong version. Duo released a table of Mac models that are likely to not have the correct firmware version.

Mac Model      Model Identifiers
iMac           iMac7,1; iMac8,1; iMac9,1; iMac10,1
MacBook        MacBook5,1; MacBook5,2
MacBook Air    MacBookAir2,1
MacBook Pro    MacBookPro3,1; MacBookPro4,1; MacBookPro5,1; MacBookPro5,2; MacBookPro5,3; MacBookPro5,4
Mac Pro        MacPro3,1; MacPro4,1; MacPro5,1

If your device is listed in this table, then it may not have the correct version of the EFI firmware, or the firmware may never have been updated at all.
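As an added example (not Duo’s code and not part of the original post), the following POSIX shell script reads the text that `system_profiler SPHardwareDataType` prints on a Mac, pulls out the model identifier and the Boot ROM (EFI) version, and reports whether the model appears in the table above. The `system_profiler` field names `Model Identifier`, `Boot ROM Version` and (on newer releases) `System Firmware Version` are the real ones; the sample profile embedded in the script is constructed, including its Boot ROM version string, so the script runs offline on any system.

```shell
#!/bin/sh
# Added example, not from Duo or the original post: report a Mac's model identifier
# and Boot ROM (EFI) version and say whether the model appears in Duo's table above.
# Input is the text of "system_profiler SPHardwareDataType"; the sample is constructed.

# hw_field NAME TEXT : value of the first "NAME: value" line in system_profiler output
hw_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: *//p" | head -n 1
}

# in_duo_table MODEL : "flagged" if MODEL is in Duo's table, else "not-flagged"
in_duo_table() {
    case "$1" in
        iMac7,1|iMac8,1|iMac9,1|iMac10,1|\
        MacBook5,1|MacBook5,2|\
        MacBookAir2,1|\
        MacBookPro3,1|MacBookPro4,1|MacBookPro5,1|MacBookPro5,2|MacBookPro5,3|MacBookPro5,4|\
        MacPro3,1|MacPro4,1|MacPro5,1)
            echo "flagged" ;;
        *)
            echo "not-flagged" ;;
    esac
}

# efi_report TEXT : one tab-separated line: model, firmware version, table status
efi_report() {
    model=$(hw_field "Model Identifier" "$1")
    rom=$(hw_field "Boot ROM Version" "$1")
    # Newer macOS releases label the same field "System Firmware Version".
    [ -n "$rom" ] || rom=$(hw_field "System Firmware Version" "$1")
    [ -n "$model" ] || model="unknown-model"
    [ -n "$rom" ] || rom="unknown-firmware"
    printf '%s\t%s\t%s\n' "$model" "$rom" "$(in_duo_table "$model")"
}

# Constructed sample in system_profiler's layout; the Boot ROM string is a placeholder.
SAMPLE_PROFILE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro5,1
      Boot ROM Version: MBP51.007E.B06
      SMC Version (system): 1.33f8'

# Use the live profile on a Mac, the constructed sample elsewhere.
if command -v system_profiler >/dev/null 2>&1; then
    efi_report "$(system_profiler SPHardwareDataType)"
else
    efi_report "$SAMPLE_PROFILE"
fi
```

A `flagged` result only means the model is one Duo found often running stale firmware; the version string it prints is what you would compare against the firmware that shipped with the latest macOS update for that model.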

The bottom line is that EFI is just as important to keep up to date as our operating systems, but most of us don’t even realize that it’s an issue. It doesn’t generally affect system performance, so we generally don’t think about it. In the world of Apple consumers this shouldn’t be a problem going forward, seeing as the newest updates were supposed to fix the issue of EFI patches not being installed. However, if you are on Windows, Linux, or any other type of system, you may want to update your EFI firmware. In most cases this comes as a BIOS update for your motherboard.

Duo analyzed about 73,000 real world Mac systems, only using systems with updates that had been released within the last three years.

–Brett Segraves

Duo has also made the study publicly available in PDF format.
Duo Labs Report: The Apple of Your EFI


Duo Apple of your EFI Security Research
Wired: Critical Code in Millions of Macs isn’t getting Apple’s Updates
Info-Security: Many Patched Macs Still Vulnerable Via EFI Issues

Smart Watch Security Threats

As with any piece of new technology, the introduction of smart watches comes with new threats to security. A recent study was conducted on these watches and, to no one’s surprise, many vulnerabilities were found. A few of the vulnerabilities listed include a lack of transport encryption, a lack of user authentication, privacy problems, and firmware problems. It was also found that communications were easy to interfere with and intercept. This means that, as of right now, if sensitive data is being transmitted over the watches, anyone could get hold of it.

Experts recommend protecting sensitive information with strong passwords and making sure you are controlling your communications to avoid man-in-the-middle attacks. Another suggestion they make is to manage your transport layer security settings and make sure they are in good shape for protecting you. The biggest concern, however, seems to be the vulnerabilities in the apps rather than the watch itself. There have previously been attacks on apps for the iPhone and the like, so the experts say it wouldn’t be surprising to see attacks on smart watch apps.

The bottom line is to approach these new smart watch products with care and to focus more on the security of the apps than on the watch itself. Additionally, as time goes on, more apps for increased security will be released. Apple has already released several since the release of the Apple Watch.

-Thomas Coburn

New Malware Infects Non-Jailbroken Devices

Recently, researchers from Palo Alto Networks discovered a new iOS malware, called YiSpecter, that can infect jailbroken and non-jailbroken devices. It is the first malware researchers have seen that abuses private APIs in iOS and abuses the enterprise distribution mechanism. It is currently targeting users in China and Taiwan. Many users have already reported the malware to Apple. YiSpecter has been out for about 10 months. Since 2014, only one of the 57 vendors on VirusTotal, Qihoo, has detected YiSpecter as malware. Qihoo did not share any samples, so no other vendors could detect YiSpecter.

So far, researchers have found four different ways YiSpecter was spread. YiSpecter was disguised as a media player app such as “QVOD” and “DaPian”. The two apps would then download other malicious apps that are components of YiSpecter, called NoIcon, ADPage, and NoIconUpdate. The malware was also spread through ISP traffic hijacking: some local ISPs in China supported DNS hijacking and internet traffic hijacking attacks. The third way YiSpecter was spread was through the Lingdun worm. YiSpecter was also spread through offline app installations, where a user downloads a developer’s app and gets money for downloading it.

YiSpecter apps were signed with three iOS enterprise certificates. By doing this, it bypassed Apple’s strict code review. However, when installing the apps, users must now mark the enterprise profile as “trusted” and must also verify the app when opening it for the first time.

NoIcon is a malicious component of YiSpecter. NoIcon can remove an already downloaded app on iOS and replace it with a “fake” app. NoIcon updates regularly and checks whether the other components of YiSpecter are still installed. Users who uninstall the main app will still be infected. The components also have a function that hides them from the SpringBoard, making them impossible to uninstall. Another of NoIcon’s functions is to hijack other apps with ads. NoIcon can change and modify the bookmarks and search engines of Safari. Lastly, the app can collect data about the device such as installed apps, running processes, UUID, and MAC address.

Luckily, there is a way to remove YiSpecter, by removing all unknown/untrusted profiles:

  • Go to Settings->General->Profiles and remove all unknown or untrusted profiles
  • Delete any apps named: “情涩播放器”, “快播私密版” or “快播0”
  • Use a third-party iOS management tool to delete the default iOS installed apps

Christopher Tu


Apple watch security risks (and benefits)

In short, this article informs the public about an issue that is overlooked when it comes to Apple smartwatches: how “weak” the security on those watches actually is. There are several openings in these Apple smartwatches that can be exploited due to their lack of actual security. For example, an Apple smartwatch can be easily “bluejacked”, a term used to describe a third party gaining access to said watch. As a result, the third party can access many parts of the phone and send things like images, sounds, or even viruses to the smartwatch (some of which can take over the phone and listen in on conversations or block the owner’s control of the phone for however long the hacker chooses). The worst part is that this is not even the worst thing that could happen when it comes to loopholes in the security of the device. Like all devices that can download apps without restraint, the Apple smartwatch is capable of downloading apps which can contain harmful malware that could take on a variety of forms and become difficult to combat. There seems to be a claim that even if the smartwatch is vulnerable to many variations of malware, viruses, and other methods of attack used by hackers, since the smartwatch is tied to Apple, which is already a target of hackers, it does not seem to cause much concern. In fact, since the smartwatch will automatically lock if taken off the user’s wrist, it is presumed to be safer than a phone if both are left unattended in a public place.