My Mac Malware Guide has, for some time, made the claim that a properly up-to-date Mac OS X system cannot be infected by any known malware. This was true at one point, with some provisos, when that text was originally written. However, recent cases of malware that has failed to be blocked by the XProtect anti-malware system in Mac OS X prompted me to do a re-evaluation of this statement. What I found was profoundly disappointing, leaving me wishing that I could take those words back.
The signs of trouble came in the fall of 2013, when the Icefog malware appeared. I had a copy of Icefog in-hand within 24 hours of the announcement of its discovery, and submitted it to Apple immediately. It was not until two full weeks later that XProtect was finally updated to protect against Icefog.
Fast-forward to today. A new Bitcoin-stealing trojan called CoinThief was discovered on February 9, nearly a month ago. Three days later, all four of the known variants of CoinThief were detected by an XProtect update. On the 14th, however, I announced discovery of a fifth variant of CoinThief, which was older than the other four and which was not detected by XProtect. That day, I also submitted this variant of CoinThief to Apple.
Today, nearly three weeks later, this variant of CoinThief is still undetected by XProtect. This was verified by trying to open the trojan on a test system, running a fully up-to-date copy of Mac OS 10.9.2. Okay, I can hear a potential criticism… this variant of CoinThief is much older than the others, apparently dating back to early 2013. It may no longer be in circulation. Plus, Apple’s security team has had a lot on their plates with the recent “gotofail” bug and the discovery of a vulnerability in iOS. These are fairly weak excuses, though. Besides which, this is just the tip of the iceberg, which prompted me to start looking to see what’s hidden from immediate view.
I dug through my malware collection and put together a folder full of fully intact trojans – installers, apps, etc, all of which would infect a Mac if allowed to open. The question I was interested in answering was simple: on my fully up-to-date 10.9.2 test system, which of these would actually still open?
What I discovered was greatly disturbing. 8 samples, from 5 different families of malware, some dating back to mid-2012, all were allowed to open without interference by XProtect! 7 of these samples required me to bypass Gatekeeper, as they were not signed apps. (One of these, I had submitted to Apple in March of 2013, one year ago!) However, once Gatekeeper was bypassed, they were allowed to run just fine. One – a Safari extension pretending to be Flash Player – opened with no more than the standard “are you sure you want to install this” alert that is given for any other Safari extension.
Of course, my next task as soon as I post this will be to submit all these samples to Apple. However, my hopes are not high after the recent failures with Icefog and CoinThief.
All Mac malware at this point either relies on vulnerabilities in third-party software (like Java, Flash or Microsoft Office) that have been patched for some time, or it relies on tricking the user into opening it. This means that a knowledgeable user who is cautious about what he/she downloads, and from where, should still be pretty safe at this time. However, the line between a safe site and an unsafe one is becoming ever more blurred, as can be seen with the example of popular sites like Softonic and Download.com injecting adware into downloads found on their sites. Unfortunately, it may be time to advise that the average Mac user start using some kind of third-party anti-virus software, rather than relying on Apple to protect them.
March 5, 2014 @ 2:11 pm EST: I got a little careless with the signed samples (KitM, Janicab and LaoShu)… the clock on my test system was set to yesterday. Although I wouldn’t have thought such a small time error would make a difference, it seems that it does. When I corrected the clock on my test system, the signed apps no longer open. This doesn’t affect the other 8 samples, of course. To avoid confusion, I have removed those inaccuracies.
Still, it’s a bit concerning that something as minor as a clock being off by 24 hours or so could cause an invalid certificate to validate! I don’t really know enough about the technical details of certificates under-the-hood to know whether this is a problem with Apple’s implementation, or if it’s just an inherent problem with certificates.
March 12, 2014: Here it is, one week after I supplied all these samples to Apple, and still no updates to XProtect. This is very disappointing.