A look back at the malware of 2014
Published January 2nd, 2015 at 4:34 PM EDT, modified January 2nd, 2015 at 4:34 PM EDT
As most Mac users know, Macs don’t get malware. Unfortunately, what most Mac users know on this topic is wrong! There actually is Mac malware out there, there’s just a lot less of it than there is for Windows. Fortunately, the number of new malware appearances dropped in 2014 compared with 2013.
Mac malware has always been pretty rare, but it came to a relative peak in 2012, with 11 different malware families making an appearance. The following year saw only 8 new pieces of malware, and in 2014 the number dropped to only 6.
The first of these, LaoShu, appeared in late January. It mined infected systems for interesting data, but was swiftly killed by Apple, who revoked the Developer ID used to sign the LaoShu app and added a signature for LaoShu to the anti-malware protection in Mac OS X (called XProtect).
In February came CoinThief, a trojan designed to steal Bitcoins (an electronic currency) from the infected computer. This malware wasn’t signed with a Developer ID, so it was blocked by Gatekeeper by default. For those who might have bypassed Gatekeeper to allow it to open, it really wasn’t a threat for the vast majority of Mac users, most of whom don’t have any Bitcoins on their computer.
The next, XSLCmd, wasn’t discovered until September. It was a port of Linux malware, but as far as anyone knows, it was never actually “in the wild.” No trojan was ever found that installed this malware, so at most, it was installed manually by a hacker with some kind of physical or remote access to the target Mac.
Also in September came iWorm, a trojan that installed a backdoor and used a series of Reddit pages to receive commands. It was found that the trojan was embedded in stolen (and modified) software installers downloaded from The Pirate Bay.
October saw the appearance of Ventir, which included many backdoor capabilities, but not much else is known about it. I never came across any reports of it being seen “in the wild,” and nobody ever knew exactly how it got installed (i.e., whether it was a trojan or required manual installation by someone with access to the target Mac).
The final piece of Mac malware to appear in 2014 was WireLurker, which was discovered in November. It infected Macs through trojans downloaded from a Chinese app store. These trojans were disguised as pirated apps. Once installed, its sole job seemed to be to wait for an iOS device (i.e., an iPad, iPhone or iPod Touch) to be connected, and then it would infect that device with malware. Interestingly, the sole purpose of the iOS component of this malware seemed to be to identify the user of the device, leading some to speculate that it was an attempt to identify Chinese software pirates.
All of these ended up getting blocked by Apple. Signatures for each were added to the XProtect anti-malware system, and those that were signed with a Developer ID had that ID revoked. Any command-and-control servers used by these malware programs were shut down (or in the case of iWorm, the malicious Reddit pages were removed). None of these are still a threat, though I’m sure they will continue to turn up as people discover them on previously-infected systems.
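Two of the protections mentioned above, Gatekeeper blocking apps that lack a Developer ID signature and Apple revoking the Developer ID of a signed malicious app, can both be checked from the command line before anyone decides to bypass Gatekeeper for a download. The script below is an added example, not code from the original post or from Apple: it wraps the macOS `spctl --assess` command and classifies its verdict. The app paths, team identifier and assessment output are constructed samples (the "accepted"/"rejected" verdict lines and the "source=Developer ID" line follow spctl's verbose format, but exact wording can vary by OS version), so the classifier can be exercised on any system while the real assessment only runs on a Mac.

```shell
#!/bin/sh
# Added example (not from the original post): classify a Gatekeeper
# assessment. On macOS, `spctl --assess --type execute -vv <app>` prints
# "<path>: accepted" or "<path>: rejected" plus a "source=..." line that
# names the signing authority (e.g. "Developer ID"). An app whose
# Developer ID has been revoked by Apple is reported as rejected.

# classify_assessment <spctl output text>
# Echoes one of: signed-devid, signed-other, rejected, unknown
classify_assessment() {
    out="$1"
    if printf '%s\n' "$out" | grep -q ': accepted$'; then
        if printf '%s\n' "$out" | grep -q '^source=Developer ID'; then
            echo signed-devid
        else
            echo signed-other
        fi
    elif printf '%s\n' "$out" | grep -q ': rejected'; then
        echo rejected
    else
        echo unknown
    fi
}

# assess_app <path to .app bundle>
# Runs the real Gatekeeper assessment (macOS only) and prints the verdict
# followed by the classification. Returns 2 when spctl is unavailable.
assess_app() {
    app="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; this check only runs on macOS" >&2
        return 2
    fi
    # spctl writes its verdict to stderr and exits non-zero on rejection,
    # so capture both streams and do not let the exit status abort us.
    out=$(spctl --assess --type execute -vv "$app" 2>&1 || true)
    printf '%s\n' "$out"
    classify_assessment "$out"
}

# Constructed sample outputs (hypothetical app paths and team ID) so the
# classifier can be demonstrated without a Mac.
SAMPLE_ACCEPTED='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_REJECTED='/Users/me/Downloads/Unsigned.app: rejected
source=no usable signature'

# Stand-alone run: classify the samples, then assess a real app if given.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "sample accepted app  -> $(classify_assessment "$SAMPLE_ACCEPTED")"
    echo "sample rejected app  -> $(classify_assessment "$SAMPLE_REJECTED")"
    if [ -n "$1" ]; then
        assess_app "$1"
    fi
fi
```

Run it as `sh gatekeeper-check.sh /path/to/Downloaded.app` on a Mac to see the real verdict; a `rejected` result on something you were about to open is exactly the case where Gatekeeper is doing its job, whether because the app was never signed or because Apple has since revoked the signer's Developer ID.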
In all, no serious threats were found during 2014. The bigger issue last year was the continued worsening of the adware problem. For those unfamiliar with the term, adware is often considered not to be true malware, as its sole purpose is to display ads and not to steal data from the infected computer. Adware typically injects ads into the web browser, onto pages that would not normally contain those ads, and/or redirects searches to strange search engines that the user didn’t choose.
Adware has become a very serious problem on the Mac. Most Mac users are completely unprepared for such things, since they erroneously believe their Macs are safe from such threats. In addition, those who feel safe because they have installed anti-virus software are likely to discover that anti-virus software rarely does a good job of detecting, blocking or removing adware. (Those who feel they may be infected with adware can remove it using my AdwareMedic app, or by following the manual removal instructions in my Adware Removal Guide.)
This by far overshadows any threat that malware has ever posed in the entire history of the Mac. I have received literally thousands of e-mails from people who have been affected by adware, just since September (when I released the first version of AdwareMedic). On Apple’s discussion forums, I see dozens of posts per day from people having problems caused by adware… and those are only the ones I find amongst the high volume of posts. In contrast, I was probably contacted by only a couple dozen people who were affected by the Flashback malware, which was the most prevalent piece of malware in the history of the Mac, affecting hundreds of thousands of users.
Thus, 2014 had some good news and some bad news. The good news was that the new malware appearing on the Mac was overall fairly lame, was quite rare and all of it has been effectively killed. The bad news is that adware has crept in to fill the vacuum, and is a worse problem than malware ever was. So now more than ever, it’s important to be extremely cautious about what you download and where you download it from. (For more details on that, see my Mac Malware Guide.)
In 2015, I don’t anticipate much in the way of malware. Criminal types are learning that this approach just doesn’t pay on the Mac… if malware becomes too successful, it gets noticed and disabled, and all their hard work is down the drain. However, the flip side of that coin is that adware has proven to be wildly successful, meaning that we’ll probably continue to see an upswing in adware throughout 2015, unless there is some kind of significant change to the adware ecosystem, such as Apple deciding to put the hammer down on the adware problem.
Here’s wishing you a happy new year, hopefully free of any kind of malicious software!