We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Time to re-evaluate safety of Mac OS X

Published March 5th, 2014 at 11:07 AM EST , modified March 12th, 2014 at 11:27 AM EDT

My Mac Malware Guide has, for some time, made the claim that a properly up-to-date Mac OS X system cannot be infected by any known malware. This was true at one point, with some provisos, when that text was originally written. However, recent cases of malware that has failed to be blocked by the XProtect anti-malware system in Mac OS X prompted me to do a re-evaluation of this statement. What I found was profoundly disappointing, leaving me wishing that I could take those words back.

The signs of trouble came in the fall of 2013, when the Icefog malware appeared. I had a copy of Icefog in-hand within 24 hours of the announcement of its discovery, and submitted it to Apple immediately. It was not until two full weeks later that XProtect was finally updated to protect against Icefog.

Fast-forward to today. A new Bitcoin-stealing trojan called CoinThief was discovered on February 9, nearly a month ago. Three days later, all four of the known variants of CoinThief were detected by an XProtect update. On the 14th, however, I announced discovery of a fifth variant of CoinThief, which was older than the other four and which was not detected by XProtect. That day, I also submitted this variant of CoinThief to Apple.

Today, nearly three weeks later, this variant of CoinThief is still undetected by XProtect. This was verified by trying to open the trojan on a test system, running a fully up-to-date copy of Mac OS 10.9.2. Okay, I can hear a potential criticism… this variant of CoinThief is much older than the others, apparently dating back to early 2013. It may no longer be in circulation. Plus, Apple’s security team has had a lot on their plates with the recent “gotofail” bug and the discovery of a vulnerability in iOS. These are fairly weak excuses, though. Besides which, this is just the tip of the iceberg, which prompted me to start looking to see what’s hidden from immediate view.

Yontoo installerI dug through my malware collection and put together a folder full of fully intact trojans – installers, apps, etc, all of which would infect a Mac if allowed to open. The question I was interested in answering was simple: on my fully up-to-date 10.9.2 test system, which of these would actually still open?

Screen Shot 2013-08-23 at 10.21.12 AMWhat I discovered was greatly disturbing. 8 samples, from 5 different families of malware, some dating back to mid-2012, all were allowed to open without interference by XProtect! 7 of these samples required me to bypass Gatekeeper, as they were not signed apps. (One of these, I had submitted to Apple in March of 2013, one year ago!) However, once Gatekeeper was bypassed, they were allowed to run just fine. One – a Safari extension pretending to be Flash Player – opened with no more than the standard “are you sure you want to install this” alert that is given for any other Safari extension.

Of course, my next task as soon as I post this will be to submit all these samples to Apple. However, my hopes are not high after the recent failures with Icefog and CoinThief.

All Mac malware at this point either relies on vulnerabilities in third-party software (like Java, Flash or Microsoft Office) that have been patched for some time, or it relies on tricking the user into opening it. This means that a knowledgeable user who is cautious about what he/she downloads, and from where, should still be pretty safe at this time. However, the line between a safe site and an unsafe one is becoming ever more blurred, as can be seen with the example of popular sites like Softonic and injecting adware into downloads found on their sites. Unfortunately, it may be time to advise that the average Mac user start using some kind of third-party anti-virus software, rather than relying on Apple to protect them.


March 5, 2014 @ 2:11 pm EST: I got a little careless with the signed samples (KitM, Janicab and LaoShu)… the clock on my test system was set to yesterday. Although I wouldn’t have thought such a small time error would make a difference, it seems that it does. When I corrected the clock on my test system, the signed apps no longer open. This doesn’t affect the other 8 samples, of course. To avoid confusion, I have removed those inaccuracies.

Still, it’s a bit concerning that something as minor as a clock being off by 24 hours or so could cause an invalid certificate to validate! I don’t really know enough about the technical details of certificates under-the-hood to know whether this is a problem with Apple’s implementation, or if it’s just an inherent problem with certificates.

March 12, 2014: Here it is, one week after I supplied all these samples to Apple, and still no updates to XProtect. This is very disappointing.

Tags: , , , , ,


  • John Fallon says:

    I wonder if Apple has no dedicated security people. On a related note, I see the security updates for lion and mountain lion came out at the same time as 10.9.2; and they all came out days after the gotofail hole was patched in IOS; leaving us exposed for four days. The willingness to commit resources to quality and security seems a bit weak.

    What anti-virus do you like these days? And not one from the App Store, of course.

    • Al says:

      >…not one from the App Store, of course.

      Why do you say that? Admittedly, they have some limitations as far as their ability to provide services other than a simple scan, but some from the AppStore did very well in Thomas’ testing earlier this year. For instance, VirusBarrier Express is presumed to be as good as VirusBarrier and is at the top of the list.

    • Thomas says:

      I’ve got my recommendations in my Mac Malware Guide. They’ve been updated fairly recently, and I see no reason to avoid one from the App Store, unless you want one with active, on-access scanning.

  • Jay says:

    There have been a few factors that have had me doubting Apple for a while. I won’t list them all but recently the gotofail, background monitoring vulnerability and the fact that iOS was patched and OS X was left dangling in the wind left a mark with me.
    Did iOS get the patch because it was discovered and fixed ASAP and did Apple forget to check OS X for the same bug? Was Apple aware of the OS X bug as well but did iOS get priority because of some recent government bodies that switched to all iOS? Or was it just lazyness because 10.9.2 was on the way out to final release anyway? I guess we’ll never know. Taking this, what you say about XProtect and other things into account I don’t think Apple can be trusted as we once did thinking they have our interests and safety at heart.

    Apple has dedicated security teams but as with most companies, the resources and budgets for these teams are way smaller than they should be. This is a problem everywhere you look. Microsoft being one of the exceptions actually as (even though their OS still &%#$@ :P) their security teams are very impressive. They had to learn the hard way over the course of many years. I just hope Apple doesn’t feel the need to re-invent the wheel on this and focus on security sooner, not once the reputation is damaged to the point it will haunt them forever.

  • John Fallon says:

    Apart from the on access scanning issue, the App Store approval process seems to slow updates down; i.e. with Clamxav. I do get the sand boxing theory. When I upgraded one of our iMac’s to Mavericks, the intercheck component of the Sophos AV started spiking CPU usage for hours. I uninstalled it, but I do need something unobtrusive running in the background. Some people in the house click on things. Perhaps a clean Sophos install will work.

    • Jay says:

      This happened for me several times, updating Sophos to V9 fixed those issues though. Even though it ran more threads the overall CPU and RAM impact was lower than V8.

  • John Fallon says:

    I see that Intego no longer has any products in the Mac App store.

    • Thomas says:

      Hmm, I see that as well… no more VirusBarrier Express?! That’s not good. That was easily the best anti-virus software in the App Store. Hopefully this is a temporary issue, and not a discontinuation of the software.

  • Melissa says:

    Thomas, I was wondering if you could comment on some rumors about Snow Leopard and Apple security updates. Word on the net is that Apple stopped supporting Snow Leopard in late February leaving many Snow Leopard users vulnerable to potential security issues. A Google search on the issue is less than helpful. While a few reputable news sources mention this issue, it has not been widely covered at this point (which leads me to question whether this is a rumor or indeed fact). Several searches on the Apple Support community pages turned up little in the way of a response to my inquiry, and I haven’t seen you post anything here (I rely on your site for up-to-date news on everything Mac). So, does this sound right? Has Apple stopped supporting Snow Leopard?

    Note: While I recognize that upgrading “outdated” operating systems is necessary, I must admit I’m apprehensive about switching to Mavericks in light of the recent security issues (which I learned of thanks to you!). I’d like to keep working on Snow Leopard, but only if I’m protected with regular security updates.

    *My apologies for commenting on an older thread

This post is more than 90 days old and has been locked. No further comments are allowed.