OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

A look back at the malware of 2014

Published January 2nd, 2015 at 4:34 PM EDT , modified January 2nd, 2015 at 4:34 PM EDT

As most Mac users know, Macs don’t get malware. Unfortunately, what most Mac users know on this topic is actually wrong! There actually is Mac malware out there, there’s just a lot less than there is for Windows. Fortunately, in 2014, new malware appearances have dropped since 2013.

Mac_malware_2014_graphMac malware has always been pretty rare, but it came to a relative peak in 2012, with 11 different malware families making an appearance. The following year saw only 8 new pieces of malware, and 2014 the number dropped to only 6.

The first of these, LaoShu, appeared in late January. It mined infected systems for interesting data, but was swiftly killed by Apple, who revoked the Developer ID used to sign the LaoShu app and added a signature for LaoShu to the anti-malware protection in MacOS X (called XProtect).

In February came CoinThief, a trojan designed to steal Bitcoins (an electronic currency) from the infected computer. This malware wasn’t signed with a Developer ID, so it was blocked by Gatekeeper by default. For those who might have bypassed Gatekeeper to allow it to open, it really wasn’t a threat for the vast majority of Mac users, most of whom don’t have any Bitcoins on their computer.

The next, XSLCmd, wasn’t discovered until September. It was a port of Linux malware, but as far as anyone knows, it was never actually “in the wild.” No trojan was ever found that installed this malware, so at most, it was installed manually by a hacker with some kind of physical or remote access to the target Mac.

Also in September came iWorm, a trojan that installed a backdoor and used a series of Reddit pages to receive commands. It was found that the trojan was embedded in stolen (and modified) software installers downloaded from PirateBay.

October saw the appearance of Ventir, which included many backdoor capabilities, but not much else is known about it. I never came across any reports of it being seen “in the wild,” and nobody ever knew exactly how it got installed (ie, whether it was a trojan or required manual installation by someone with access to the target Mac).

WireLurker installerThe final piece of Mac malware to appear in 2014 was WireLurker, which was discovered in November. It infected Macs through trojans downloaded from a Chinese app store. These trojans were disguised as pirated apps. Once installed, its sole job seemed to be to wait for an iOS device (ie, an iPad, iPhone or iPod Touch) to be connected, and then it would infect that device with malware. Interestingly, the sole purpose of the iOS component of this malware seemed to be to identify the user of the device, leading some to speculate that it was an attempt to identify Chinese software pirates.

All of these ended up getting blocked by Apple. Signatures for each were added to the XProtect anti-malware system, and those that were signed with a Developer ID had that ID revoked. Any command-and-control servers used by these malware programs were shut down (or in the case of iWorm, the malicious Reddit pages were removed). None of these are still a threat, though I’m sure they will continue to turn up as people discover them on previously-infected systems.

In all, no serious threats were found during 2014. The bigger issue last year was the continued worsening of the adware problem. For those unfamiliar with the term, adware is often considered not to be true malware, as its sole purpose is to display ads and not to steal data from the infected computer. Adware typically injects ads into the web browser, onto pages that would not normally contain those ads, and/or redirects searches to strange search engines that the user didn’t choose.

downlite_iconAdware has become a very serious problem on the Mac. Most Mac users are completely unprepared for such things, since they erroneously believe their Macs are safe from such threats. In addition, those who feel safe because they have installed anti-virus software are likely to discover that anti-virus software rarely does a good job of detecting, blocking or removing adware. (Those who feel they may be infected with adware can remove it using my AdwareMedic app, or by following the manual removal instructions in my Adware Removal Guide.)

This by far overshadows any threat that malware has ever had in the entire history of the Mac. I have received literally thousands of e-mails from people who have been affected by adware, just since September (when I released the first version of AdwareMedic). On Apple’s discussion forums, I see dozens of posts per day from people having problems caused by adware… and those are only the ones I find amongst the high volume of posts. In contrast, I probably only was contacted by a couple dozen people who were affected by the Flashback malware, which was the most prevalent piece of malware in the history of the Mac, affecting hundreds of thousands of users.

Thus, 2014 had some good news and some bad news. The good news was that the new malware appearing on the Mac was overall fairly lame, was quite rare and all of it has been effectively killed. The bad news is that adware has crept in to fill the vacuum, and is a worse problem than malware ever was. So now more than ever, it’s important to be extremely cautious about what you download and where you download it from. (For more details on that, see my Mac Malware Guide.)

In 2015, I don’t anticipate much in the way of malware. Criminal types are learning that that approach just doesn’t pay on the Mac… if malware becomes too successful, it gets noticed and disabled, and all their hard work is down the drain. However, the flip side of that coin is that adware has proven to be wildly successful, meaning that we’ll probably continue to see an upswing in adware throughout 2015, unless there is some kind of significant change to the adware ecosystem, such as Apple deciding to put the hammer down on the adware problem.

Here’s wishing you a happy new year, hopefully free of any kind of malicious software!

 

Tags: ,

58 Comments

  • Paul S G says:

    Very many thanks for the helpful and informative advice

  • Steve L'Heureux says:

    OS X NTP Security Update:OS X is a pretty serious situation, I wonder if this shouldn’t have been included in above discussion, while not malware or adware, still is something people should protect against. Also relevant is that normal users do not understand which OS X versions are still covered by X-Protect and which are not. None of my clients have clue one. Most are oblivious to security concerns and blow off all cautionary attempts to teach otherwise. It’s truly disturbing.

    • Al Varnell says:

      Vulnerabilities are just that. OS X and it’s apps have hundreds, maybe thousands of vulnerabilities with various degrees of seriousness and NTP is just one of several dozen that were patched last year. This article is about malware which are threats that have been developed to exploit one or more vulnerabilities and have either been found in-the-wild or documented proof-of-concept examples which can actually threaten OS X, it’s applications or user privacy data. As far as we know, there have not been any exploits developed to take advantage of the NTP vulnerability and attack OS X users.

      I’m not sure whether your XProtect statement was a question or not, but XProtect is still kept up-to-date for all versions of OS X 10.6.7 and above.

  • Ofelia says:

    Thomas — I just want to say thank you so much for all of the helpful advice you give us!

  • Diane Ross says:

    Keep up the great work. Your AdwareMedic app is invaluable. I’ve recommended it to many of my clients that have been hit with adware.

  • Manfred says:

    A big thank you for maintaining and updating this site for the past 4 years Thomas, and a happy new year to you!

  • Patrick Mele says:

    Happy New Year Thomas R. and thanks for the updates you new link in http://www.etresoft.com/software has been a blessing and much needed extra support for us novices! Keep up the good work

  • TED says:

    I almost never received hits on my two UTMs. Sophos UTM and Zyxel/Kaspersky with Mac malware and Adware. In the last 3 months I have a 5 adware and 2 OSX malware kills at the UTM. It doesn’t help having a 15 year old daughter surfing. Oh…. Here is a story…..

    I check my gateway every month with SheildsUp from GRC dot com. I just happened use my daughters iPad3. It came up with a different IP and a whole bunch of ports open and closed( not stealthed) SO I am like, What the $#$@. I then go to my computer (iMac) and all is well with my same IP and all green stealthed ports. I then go back to my daughters iPad and scan again……now it has a different IP and ports open again. I reboot and scan again…..now a different IP and open ports. I have a load of VPN proxy servers going on my daughters iPad and drilling through 2 UTMS!! My daughter uses the Chrome browser. SO I opened up Safari and 10 tabs showed up with 1/2 of them going to Russian sites that she never opened. She never uses Safari.

    I asked her if she knew whats going on here. She said about 2 months ago she downloaded a service that pays you money to watch ads and get paid…//She said she checked it out and the service was safe when she Goggled to do research on them before downloading the app. (not on the app store which I drilled into her never to do) Duh!!

    Needless to say, I did not want to connect any of my computers to this infected iPad to wipe. I ended up doing a reset on the iPad and then went into a guest user on my least used Mac to wipe and reinstall iOS on the iPad. I scanned every Mac in the house with Avast for Mac, Sophos for Mac, and a Kaspersky Live CD.

  • Dan McNamara says:

    Thanks for getting rid of my Mackeeper Malware, I just made a donation. Am not very tech savvy with computers but managed
    to clean my Mac with AdwareMedic…nothing else worked…this did and I’m very grateful.

  • William Adams says:

    Using AdwareMedic, I was able to remove the searchbar.safariextz adware from my daughter’s MacBook — thank you.

    Since then, she has somehow managed to have deleted pretty much every document in her user account — this was accompanied by Safari bogging down and flashing in a ventian blind effect — could these things be related? I managed to fix Safari by deleting all of the preferences for it in her user account (an admin account which she made seems to still be affected, but my user account on the machine works okay) — is anything further needed to fix the machine? ClamxAv didn’t find anything.

    We’re trying to determine if we should spend $89 on Disk Drill Pro to recover the files (sans file names)

  • melissa says:

    Happy New Year!

    I’ve managed to “lock up” my main admin account (I can open a safari-only guest profile). I was in the process of deleting malware files – when I tried to “empty trash,” the process wouldn’t complete and my computer froze. Like a dork, I don’t have a backup, but my question is – is that my only solution, to reinstall and start from fresh 🙁 ?

    Thank you.

    • Thomas says:

      It’s impossible to say what the right solution would be without more details. We’d have to know what files you were deleting at the time, in particular.

    • Rick says:

      Your harddisk or SSD is probably still intact. So booting from external harddrive or start your Mac in Target Disk Mode connected to another Mac could still allow you ta make a backup.

  • Kristyna says:

    Thomas,
    Thank you so much…! After I absolutely naively downloaded
    Couple of apps, thinking nothing can happen, annoying adds
    started to appear and it was getting worse.
    I am so happy to have found your website where
    not only you explain what is happening, you solved the problem
    as well. Adware Medic has cleaned what was necessary and
    everything is back to normal now.
    Please carry on to keep us ‘dummies’ brighter 🙂

  • thomas says:

    Happy new year!
    I have a question. That last week a window pops up in my screen sometimes and want me to fill inn my admin password to complete install( I think it asks about that or upgrade) of something called COMPLETE or COMPLETES, what is this?

    -Thomas, Norway.

  • Vicky says:

    Hi Thomas,
    I discovered this site just a few hours ago as I was trying to find out why I kept having the problems that Thomas mentioned above.
    Just wanted to say, thank you very much for creating this website. I had no idea that adware existed and I’ve always assumed that MacBooks were immune to viruses… well, until now. ‘:)
    Thank you for the advices and guides, I have learnt so much in just a few hours of time.
    Please stay fit and healthy 😀

  • John says:

    I am new to Mac and somehow got some adware that says “FlashMall”. I can’t seem to get rid of it. now I see “ad by PJs-4.2” pop ups. Help. since I am new to Mac, I am definitely not savvy with it yet so will likely need advice in baby bites . Thanks

  • Susan says:

    Thomas, I have a teacher who has been hit by Hot Deals. She downloaded a malware removal program to try to remove it. She thought it was gone, but not so. Doesn’t seem to show up any more in Firefox, but still doing it in Chrome. Are you familiar with this annoyance? Will AdwareMedic get rid of it for good?

  • Phil says:

    Hi, many thanks for the continual monitoring and updates of the state of Mac malware in the wild! I was wondering if you have commented on the bootkit that exploits using thunderbolt? The article can be found here: http://arstechnica.com/security/2015/01/worlds-first-known-bootkit-for-os-x-can-permanently-backdoor-macs/

    Cheers!

    • Thomas says:

      I haven’t had the time to comment on that, but there have been some excellent comments already made. I’ll probably try to write something shortly.

    • Al Varnell says:

      A few quick notes until Thomas has time to compose something.
      – No threats are known to exist. Proof-of-Concept only.
      – Requires physical access to your computer and time to reboot it.
      – Don’t accept TB devices from strangers.
      – No known way to monitor against such an attack and known way to remove an infection.
      – Apple is said to be working on a fix or fixes.

  • John says:

    As a general rule, is it relatively safe to say that you shouldn’t get infected with any current adware/malware if you don’t provide an administrator password when executing an app?

    As an example, a family member briefly ran the SoundCloud Downloader app (http://black-burn.ch) as it was well reviewed both on Cnet’s Download.com and MacUpdate websites. The download was made directly from the developer’s site. However, GateKeeper had to be bypassed to execute the app, and the app did not appear to work.

    We moved the app to the trash and ran the tmutil compare command in the Terminal to compare the latest Time Machine backup with a current system snapshot. Nothing seems terribly amiss, and there doesn’t seem to be any worrying processes in Activity Monitor. No administrator password was ever provided.

    In a situation like this, is it fair to assume the machine is safe?

    • Thomas says:

      It is not a safe assumption that you’re not infected if there was no password request. There are ways to infect your machine without asking for an admin password. So it’s difficult to say whether the machine may be safe or not, especially since SoundCloud Downloader has evidently been involved in illegal file sharing activities. You could try scanning the computer with ClamXav, but even scanning with anti-virus software cannot guarantee your Mac’s cleanliness.

      • John says:

        SoundCloud isn’t a file sharing service in any way but I agree that the developer definitely wasn’t honoring all the Sound Cloud terms of use.

        However, would you tend to trust the tmutil compare command as a reasonably good indicator of what’s changed on your system? This compares the latest Time Machine backup with the current state of your system. There didn’t seem to be anything worrying in there, only things like new application preference files and so forth. It seems that you would have to be a very sophisticated malware author to install new executables on the system but hide them from detection in this manner, but I suppose it’s a possibility.

        • Thomas says:

          The tmutil command is one good way to see what has changed, if you have recent Time Machine backups of the volume in question. If not, you could try this:

          sudo find / -type f -ctime 0 > ~/Desktop/modifiedToday.txt

          This will dump a list of all files that have been modified in the last 24 hours into a file on your desktop.

  • Trevor says:

    I’m very new to Mac and really don’t know much about computers at all. My PC desktop I use to have got so many viruses is stopped turning on all together. If you could manage to get it on good luck getting it to shut off. The AV360 virus sent 27 trojan viruses into it in less than a minute before I unplugged it.
    So now this Mac, I downloaded Java oracle onto my Mac mini and 2 other downloads entered with it. Installer and MacKeeper. I deleted them from finder but still had problems.
    A chat site gave me your information and awesomely enough the background ads stopped and the corrupted videos have stopped.
    The problem I am still having is the finder and Chrome icon always stay active. It never did this before unless I was using them. So I figure there is something still left behind.
    What should I do???

    • Thomas says:

      I’m not sure what you mean by those icons “staying active.” Be aware that the Finder is always running, even when you’re not specifically using it.

  • Jack says:

    Thanks so much for the site and for AdwareMedic. The ace IT guy at work recommended it–and for good reason. It cleaned out the Conduit and Trovi infestations quickly and easily. My Mac is back to normal. Donation made!

  • Ed Gallaher says:

    Thomas – THANK YOU, THANK YOU, THANK YOU!

    I had an annoying, but apparently (?) minor problem with Genieo, indicated by a behavior I haven’t seen mentioned on your site. I recently upgraded my mid-2010 Macbook Pro with a Samsung SSD (love it!), and I’ve been testing the start-up and shut-down speeds on a regular basis. I began noticing a brief flash of a dialog box during the shutdown, indicating that an installation would be aborted. Most often this flash lasted literally for less than a second, so I couldn’t do any further investigation, but occasionally it would remain open longer. I finally found some evidence to connect it to Genieo, which was totally unknown to me.

    Needless to say, the thought of an unknown ‘installer’ running constantly in the background was not a real confidence booster!

    I found a pdf I had saved months ago via Evernote, which led me back back to your site for further information. I downloaded AdwareMedic.app and had it all cleared up in 20 minutes! I also followed your suggestion for ClamXav. It is currently scanning my home_folder, and has moved two files into quarantine.

    —->> What I really want to thank you for is the time and effort you put into sorting all this out, and your ability and dedication to providing us with crystal clear, articulate, and highly reliable information. Priceless!

    I’ve been using computers since my early days with machine- and assembly-language on 6502 processors, graduating ASAP to the ‘sophisticated’ Commodore PET (cassette-tape mass storage; 16-, 32-, 64-K RAM, although some was reserved for the OS and unavailable to the user). My career, however, has been in biomedical research. I am good at this stuff, but I also have a life beyond the 1’s and 0’s.

    What I am -very- good at is recognizing clear thinking, rigorous attention to detail, and excellent communications skills. You hit the bulls-eye in every category! (I like to think I am equally adept at recognizing condescension, bloviation, and B.S. Ain’t none of that here!)

    You helped me solve a relatively minor problem. But much more valuable is my discovery of a go-to source or Mac Security. I’ll be making a donation, and I’ll recommend your site to others.

    ejg

  • Ed Gallaher says:

    Thomas –

    I even like your hex-dump wallpaper — brings back memories!

  • Charles Lenington says:

    Is this a malware site?

    feedshare[dot]flipora[dot]com/new/home.html

    I was trying to look at something and it insisted that i install this program. It appears to be a adware program.

    • Thomas says:

      That is flagged as a known phishing site on PhishTank, and should not be trusted. It would not surprise me in the least if they are distributing adware.

  • Darren Kehrer says:

    Thomas, I know Apple released updates for the last 3 OS versions, but does that mean it doesn’t affect Snow Leopard or Lion? Or is the best defense just to turn off automatic time updates? I still have mine set to Apple’s time servers.

    How serious is it? I see Apple forum users under SL saying turn this off immediately.

    https://support.apple.com/en-us/HT6601

  • JMM says:

    A huge thanks for your insights and advice, though so far I never came across a Mac with any adware on it in the while. What sort of user behavior is usually causing an infection?

  • Darren Kehrer says:

    Sorry, I went back through and read some of the comments above, which answered most of my questions. I turned the automatic checking off until I can get updated to Yosemite..
    Would leaving it on and set to check apple’s time servers be risky?

    • Thomas says:

      No, the NTP issue was fixed by a security update back in December.

      • Darren Kehrer says:

        HI Thomas, I should have stated more clearly, I’m still running Snow Leopard. If I understand correctly from Apple’s website, only Yosemite, Mavericks, and Mountain Lion were patched… Did the that particular bug not affect the earlier systems?

  • Manfred says:

    Hi Thomas,
    are you planning on posting a 2015 edition of the antivirus testing round you published in 2013 and 2014?
    Cheers,

    Manfred.

    • Thomas says:

      No, those tests were routinely misinterpreted. I can’t count how many people who would mention to me how I “recommended” Avast, or something similar, based on those results. And since anti-virus software really doesn’t protect against Mac malware all that well in general, especially considering Mac OS X usually has you covered just as well, and since nothing really does a good job with adware, it just doesn’t make a lot of sense to repeat these measurements.

  • Deb says:

    Hello Thomas,

    Just a quick note to say a big Thank You. Today, for the second time in six months, I was stupid enough to click on an interesting looking video that had been shared on Facebook, and ended up downloading some malware disguised as a flash player update. I can’t believe I fell for it twice. A quick Google search led me to Adwaremedic. The first time I downloaded it (six months ago), I was fooled by MacKeeper and ended up downloading that program. Links I’ve found via Google today are still being hijacked by MacKeeper but I had learned my lesson last time, so managed to find and download again the genuine Adwaremedic. You obviously spend an awful lot of time trying to help people like me, and I, for one, am very grateful. I have made a donation today.

  • Sarah says:

    Today A pop up titled National Security Agency ..Central Security service popped up on my computer and will not go away.. no matter how many times I try to close and restart my computer every time I open Safari their it is. i have tried Adware Medic adn it says no adware Found. What can i do? It tells me I have to pay 300 dollars.. I know its a scam but it wont go away I cant use safari.

  • David says:

    You’re the best ! We got rid of the adware in 5 minutes !

    Thank you

  • Graphic Designer Trouble says:

    Hey!

    I have a Macbook Pro with Yosemite. As I am a graphic designer I by mistake went to an unknown site and downloaded a vector which was about 300MB. After that I started experiencing these pop-ups every time I would click a link in any website. A Box on the bottom right hand side of the window would come up with Russian Text on it as well as 2 new pop-up windows out of which one is adultyum[dot]info; I have gone crazy searching on the net how to remove this trojan/adware/malware. I even downloaded Avast Anti Virus as well as Adware Medic and nothing was detected. I followed your step by step list on how to malware and was unsuccessful. I have deleted a lot of files from various folders on my Mac and yet it is there. What do I do? The adult site popping up is really bothering me and the other banners and pop-ups are slowing down Safari. Please help!

  • Ralph says:

    Just ran Adware Medic on a new MacBook I bought 3 months ago and was ready to throw in garage. Adware Medic fixed all my problems in first attempt- WOW- I could not believe it was solved that easily. I got continuons pop-pus before, could not control my homepage and could not open many programs / Everything was solide in 1 minutes.

  • ronny de decker says:

    thanks Thomas, again for adware medic , it saved my mac , and i do not do a shutdown without using it !

This post is more than 90 days old and has been locked. No further comments are allowed.