
Proof-of-concept Mac OS X virus announced

Published June 4th, 2013 at 3:41 PM EDT , modified June 4th, 2013 at 3:41 PM EDT

In 2006, a malware researcher going by the name JPanic created a proof-of-concept virus capable of infecting Windows and Linux machines called Capzloq Tekniq. JPanic has now updated this proof-of-concept, and as part of the update, it is now capable of infecting Macs.

First, let’s examine exactly what it means to call this a “proof-of-concept,” or “PoC” as it’s frequently abbreviated. A PoC is not actually real malware; it’s a demonstration of what real malware could do. It’s usually something created by a researcher who is probing at a potential vulnerability, trying to see what he or she can do. It only becomes a PoC, of course, when the attempt is successful. A PoC does not include a malicious payload; it contains only the code necessary to make the PoC work and no more.

Sometimes, a PoC will pave the way for real malware, following in that researcher’s footsteps. Other times, whatever vulnerability the PoC relies on will be fixed before any real malware appears. Such things have been seen in the Mac world before: Inqtana, OSX.Exploit.Launchd, Macarena and AsTHT were all PoCs that never became more than that. Whether this will be another case like those, or whether it will herald the first real, “in the wild” Mac OS X virus, only time will tell.

As for how this new PoC, which Intego is calling Clapzok.A, works: it is a classic virus in the strict sense of the word. A virus is a class of malware that replicates itself by injecting code into other applications. In this case, the virus appends itself to the end of an executable file and modifies a particular part of the executable so that the malicious code runs when the app is launched. When an infected app is opened, the virus code then searches for more uninfected binaries to insert itself into. Since it is just a PoC, that’s where the virus code stops, but a malicious virus based on Clapzok could easily do all manner of other nasty things at that point.

Fortunately, there are a couple of major limitations to how this virus operates. First, it can only infect 32-bit applications. This limits its effectiveness fairly significantly, as most apps these days are 64-bit. But there are exceptions, such as Apple’s own Pages and Numbers, the latest versions of which are 32-bit applications.

More important, though, is the increasing focus on code signing. Apps that are code signed have an attached cryptographic signature, identifying the creator of the application and providing a way to verify that the app’s code has not been tampered with. This means that if a Clapzok virus infected a code-signed 32-bit application, the system would prevent that application from running, warning the user that it was damaged. By default, the Gatekeeper security feature of Mac OS X 10.8 (aka Mountain Lion) only allows applications that have been code signed to run. In order to run an app that isn’t code signed, the user would have to intentionally bypass this security.

These two limitations mean that, even if a malicious variant of Clapzok does appear in the wild, it will be extremely limited in what it can infect on a modern Mac. Further, the modifications it makes to executable files are apparently extremely easy for anti-virus software to detect. Many may, in fact, already detect the modifications made by Clapzok. So at this point, there’s certainly no need to panic. However, this is something that everyone should keep a very close eye on!
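The two limits above (32-bit only, and code signing) and the "appends itself to the end of the executable" behaviour all show up in a Mach-O file's header, so a defender can triage which binaries on a machine are even in scope. The following is an added example, not the post's or Intego's code: it parses a thin little-endian Mach-O header, reports bitness and whether an LC_CODE_SIGNATURE load command is present, and flags bytes that sit past every region the load commands account for. The trailing-bytes check is a generic appended-data heuristic, not a Clapzok signature; the `build_sample` helper constructs non-runnable test images so the script runs offline, and fat (universal) files are deliberately not handled.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF              # thin Mach-O magic values
LC_SEGMENT, LC_SEGMENT_64, LC_CODE_SIGNATURE = 0x1, 0x19, 0x1D

def inspect_macho(data):
    """Parse a thin little-endian Mach-O header: bitness, presence of an
    LC_CODE_SIGNATURE command, and bytes past every region a load command covers."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O image (fat files not handled)")
    is_64 = magic == MH_MAGIC_64
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off = 32 if is_64 else 28                 # mach_header_64 has an extra reserved field
    signed, covered = False, off + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT:                 # segname[16], vmaddr, vmsize, fileoff, filesize
            fileoff, filesize = struct.unpack_from("<II", data, off + 32)
            covered = max(covered, fileoff + filesize)
        elif cmd == LC_SEGMENT_64:            # same layout with 64-bit fields
            fileoff, filesize = struct.unpack_from("<QQ", data, off + 40)
            covered = max(covered, fileoff + filesize)
        elif cmd == LC_CODE_SIGNATURE:        # linkedit_data_command: dataoff, datasize
            signed = True
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            covered = max(covered, dataoff + datasize)
        off += cmdsize
    return {"is_64bit": is_64, "code_signed": signed, "trailing_bytes": len(data) - covered}

def exposure(info):
    """Rank an image against the two limits the post describes: 64-bit images are
    out of scope, signed ones fail verification if touched, the rest are exposed."""
    if info["is_64bit"]:
        return "out_of_scope"
    if info["code_signed"]:
        return "signed"
    return "suspicious" if info["trailing_bytes"] > 0 else "exposed"

def build_sample(is_64=False, signed=False, appended=b""):
    """Constructed, non-runnable Mach-O test image for the demo (not a real program)."""
    hdr_len, seg_len = (32, 72) if is_64 else (28, 56)
    sig_len, code, blob = (16 if signed else 0), b"\x90" * 64, (b"\0" * 32 if signed else b"")
    text_end = hdr_len + seg_len + sig_len + len(code)      # __TEXT covers header, commands, code
    fmt, lc = ("<II16sQQQQIIII", LC_SEGMENT_64) if is_64 else ("<II16sIIIIIIII", LC_SEGMENT)
    seg = struct.pack(fmt, lc, seg_len, b"__TEXT", 0, text_end, 0, text_end, 5, 5, 0, 0)
    sig = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, text_end, len(blob)) if signed else b""
    hdr = struct.pack("<IiiIIII", MH_MAGIC_64 if is_64 else MH_MAGIC, 0x01000007 if is_64 else 7,
                      3, 2, 1 + int(signed), seg_len + sig_len, 0) + (b"\0" * 4 if is_64 else b"")
    return hdr + seg + sig + code + blob + appended
```

Note that the presence of an LC_CODE_SIGNATURE command only says a signature blob exists; on a Mac, `codesign --verify` is what actually checks that the signature still matches the file contents.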


7 Comments

  • Someone says:

    I assume that the iWork suite of apps (Pages, Numbers, and Keynote) is code-signed (by Apple themselves)? So, Clapzok would not be able to do much damage to these apps?

    • Thomas says:

      That’s correct.

      • Someone says:

        And, have AV defs been updated to catch this thing? Or does it not matter?

        • Thomas says:

          Intego has added it, but I don’t know about anyone else. It’s still kind of moot at this point, since there isn’t any real malware in the wild yet based on this.

          • Someone says:

            What do you mean by moot? I know the definition, but there are multiple definitions of the word and more than one could apply.

          • Thomas says:

            I mean that it really doesn’t matter yet, since there’s nothing to be detected. That could change at any point, of course, and anti-virus software that has added detection of this particular technique will be ahead of the curve. But, due to the numerous limitations that this malware would have to operate under, I think it’s somewhat unlikely that it will ever be seen in the wild.

          • Someone says:

            Thank you 🙂
