Malware On Apple

Toto, I’ve a feeling we’re not in Kansas anymore

Mac fans and Apple marketing used to say Macs were immune to computer viruses. That was never entirely true, but it was mostly true. Users of Apple products really had fewer virus and malware issues.

But the landscape has evolved. Apple security incidents have gradually increased. In early February this year, 2022, the Microsoft 365 Defender Threat Intelligence Team, Microsoft’s crack computer security group, posted an analysis of a Mac trojan, a malicious software that looks innocent. The malware is surprisingly sophisticated. As it has grown in the wild, it has continually grown more malicious. This report on the Mac trojan signals the new world of Apple security.

Don’t be naïve. Everything in tech is touched by marketing. Microsoft fired this shot to convince system administrators that connecting Apple devices to Microsoft server systems can make Apples safer. You can take that claim for whatever a competitor’s claim is ever worth. The report is reliable, but it goes down best with a grain of salt.

Apple has left the farm in Kansas. It’s time to take Apple viruses and malware seriously.

History and Relationship with the Past

From the late 1980s on, Apple equipment was strong in niches like education and graphic design, but Microsoft was orders of magnitude more popular in typical homes and businesses, mostly because tons of Windows compatible software ran on cheap generic PCs from competing hardware manufacturers like Lenovo, Dell, and HP.

Apple focuses on user-friendly, high-end, premium products. They released the first commercial graphic all-in-on computer, the Macintosh, and followed it up with a string of top-shelf innovative products like the iPod, iPhone, and iPad as they continually improved their line of premium desk and laptop computers. This winning strategy eventually made them the most profitable company on earth.

Microsoft, on the other hand, has striven for a wide variety and high volume of useful products on competitive generic hardware. Clearly not a losing strategy: they became the second most profitable company on earth.

Security Through Obscurity

For years, choosing quality over quantity indirectly improved Apple’s reputation for security. Until recently, breaking into an Apple product was not an attractive project for most hackers.

Breaking into a computer system is easier than it ought to be, but it still requires time, effort, and risk. Given a choice between developing a technique for penetrating a Microsoft Windows system and an Apple system, hackers regularly chose Microsoft because the large Microsoft user base increased the chance of finding a juicy victim.

Security types call this “security by obscurity.” However, avoiding attention to avoid attack no longer helps after the victim engages an attacker’s attention.

In the last decade, Apple’s enormous success has blown away its obscurity. Now hackers see juicy Apple targets and are out to snag them.

Unix Roots

Microsoft has cleaned up its act considerably in the last decade, but early on, they had a dismissive attitude toward security. Windows developers and their predecessor DOS developers assumed that a personal computer was a standalone appliance like a toaster or a steam iron.

Securing a standalone PC meant locking the door to the office, chaining PCs to desks, and locking their cases. In those days, a physical hard drive was thought more valuable than the data it contained.

Microsoft took a long time to recognize that a PC connected to a network requires a different kind of security.

Meanwhile, the rising tide of hackers grew into a dark industry devoted to raping and pillaging Windows installations. Eventually, Microsoft realized they had to do something, and they have, but they’ve played a lot of catch-up.

Apple developers may have been slightly more aware of the dangers, but their “security by obscurity” cloak obscured impending threats.

Even so, Apple made a sound engineering decision a few years ago: instead of continuing to develop their proprietary standalone operating system, they adopted a variant of Unix, the open-source operating system long favored by academic, engineering, and enterprise developers. The popular open-source operating system, Linux, is also a Unix variant.

Disclosure: I am a dyed-in-wool and unreconstructed Unix programmer.

Unlike Windows, whose roots are in stand-alone PCs, Unix was designed for multiuser computers, and, more significantly, heavily used in colleges and universities as a teaching tool. AT&T developed Unix and then offered it as a royalty-free product to educational institutions for a small administrative fee. In those days, almost all software included source code. Universities were not allowed to distribute the source code or their work built on Unix, but they retained rights. Consequently, Unix was widely adopted by university computer science departments. This was a boon to Unix security.

I was one of the computer rats who hung out in the Western Washington University computer center in the middle of the night studying Unix and trying to break into the university multiuser system. We weren’t criminals, just inquisitive and rambunctious college students. While Windows and DOS basked in single user isolation, my cohort in university computer science programs all over the world pored over source code and beat the hell out of Unix. We learned a lot, and our archenemies, the sys admins, often other students, also learned. The upshot was Unix security systems, both code and administrative practices, were scrutinized and hardened.

When Apple made the momentous decision to replace their proprietary operating system, they became the beneficiary of all the prodding and testing my friends did in the 1980s and 90s. By adopting Unix, Apple acquired an operating system that had security pounded into its foundations—a much better position than the Windows security features bolted onto a gradually hardening insecure foundation.

So. Yes. Apple products are inherently more secure than Windows. But not much. And possibly not any longer. Microsoft, by no means a cluster of idiots, has worked hard to secure their products.

Keep in mind that secure is always a relative statement. When a professional says a system is secure, it’s a form of bluster that braces their self-confidence. A system may be more secure than others, but it’s only harder to break, not unbreakable.

Apple’s operating system is harder to hack into than older versions of Windows, but Windows today is orders of magnitude more secure than Windows of a few years ago. At the same time, Apple’s sharp engineers have only recently stepped into the target zone. They have their own catch-up game to play.

Scope

The Mac trojan Microsoft reported on began as a basic data theft exploit in late 2020. Apparently, the exploit begins like most hacking ventures: with an email that tricks an insider into letting a miscreant in. The exploit became more sophisticated over time. When the malware was first installed, it only transmitted basic system information to a master server. Over the next year, new capabilities were gradually added to the basic exploit and the malicious bot (the trojan acting as a robot under hacker remote control) started downloading installable applications.

Macs have mechanisms for preventing installation of untrusted software. The bot gained the capability to circumvent the protection. Then it began collecting and exporting more information and running code with root privilege, which is the highest level of privilege in a Unix system. For self-defense, the bot began removing and renaming the files it installed to thwart antimalware utilities that search for characteristic files to detect malware. It also started injecting ads into webpages.

I’m not going further into the details of the Mac trojan. Go to the Microsoft site, or take a look at this list of macOS malwares.

Counter Moves

I recommend that all Apple users begin to follow the basic rules of computer hygiene if they don’t already. Follow them carefully and the chances that you will run into trouble will shrink drastically. These are the rules I follow for myself. The last time I was hacked, knock on wood, I was running Windows XP.

The Rules

One

Don’t be tricked into trouble. Most victims of online attacks were, at some point, tricked in a non-technical way with the skills of a con artist, not computer skills or knowledge. For example, some clever hacker impersonates your boss on the phone and asks you to email a list of employee usernames and passwords to an odd address. Clearly a dangerous request. Check it out before you comply.

Or someone claiming to be your favorite niece calls from Waco asking you to give her access to your Amazon account because she’s in a jam. Or you get a phone call from Apple asking for your account password. Don’t get rooked by liars and imposters.

These cons are called “social engineering.” Their intent is to trick you into opening the door to a hacker.

Two

Avoid dodgy websites. You know which sites. The ones that appeal to base instincts or offer something too good to be true. Super gadgets for $19.99. Unbelievable cures that doctors keep secret for fear of losing patients. Inside financial tips. Salacious celebrity pics.

Click on one of those kind of web sites and you can lose more than your time and money; you could also infect your computer with nasty malware that will hurt for months to come if the infection is not promptly detected and removed.

Three

Be careful with downloads and installs. The simplest and most effective way to compromise your computer, laptop, tablet, or phone is to install an application that promises to entertain or perform useful work, but also opens your device to exploitation. During an install, your computer is a patient on the operating table whose heart is in the hands of a surgeon. If the surgeon is a crook, your computer is defenseless.

To protect yourself, get your apps from reputable sources. The Apple, Microsoft, and Google app stores vet the applications they offer. That’s a big help, but they are not perfect. Some nastiness gets through. Before you install, check the reviews and the reputation of the developer on the network. Avoid being the first to install a new app. Always download from secure (HTTPS) sites.

Get your hardware drivers directly from your operating system and device manufacturer sites. If you can’t avoid a third party site, research them thoroughly. I often go to Toms Hardware for driver information.

Four

Scan regularly for malware. Apple now has malware scanning (antivirus) built in. In addition, third party anti-malware tools are available for Apple. Almost all are effective when used properly.

Anti-malware tools are fiercely competitive, and the malware landscape changes daily. The tool that is the best today may be second rate tomorrow and best again next week. The brand of tool is not as important as regular updates and frequent scans.

Choose a malware scanner with a solid reputation. These scanners are uniquely well-positioned to mess with your device and steal data. Choose a well-reviewed scanner from a reliable source. Some popular scanners have been accused of questionable practices.

When you have chosen a scanner you trust, accept updates and run scans often.

Five

Keep your operating system and apps patched. Hackers are always looking for new vulnerabilities. They find the holes and exploit them quickly. The industry battles hackers continually with patches that stop up the holes in defenses. Turn away the invaders before they get in.

Automatic updates may be annoying, but the benefits outweigh the trouble. Sign up for automatic maintenance from reputable sources whenever you can. Automatic updates occasionally mess up, but that happens less as the sources get better at patching, and a botched patch is usually far less damaging than a successful attack.

Six

Use strong passwords. Password cracking is more sophisticated today than when the old rules were written. Long (sixteen characters or more) random passwords are still difficult to crack, but hackers have ways of cracking commonly used passwords. Any single word that appears in any dictionary, any common sequence of characters (like ‘123456789’ or ‘qwerty’) is a breeze. I like memorable nonsense phrases like ‘MyPetRockSaysHi!’.

A password manager utility that generates long random passwords is useful. Never duplicate a password. Some of the worst breaches in recent years have been based on duplicated passwords.

Current opinion is now that changing passwords frequently is counterproductive because it leads to weaker and duplicated passwords. A strong password that has never been revealed or compromised does not ever need to be changed.

Multi-factor authentication (MFA) is now common. Use it in addition to a password. Multi-factor authentication is harder to hack than the strongest password. For example, sites and devices that request a fingerprint or a face scan after entering a correct password are safer than a password alone because the chances that a hacker can get both are low.

The strongest multi-factor systems use an app generated token, like a 5-character code, or require a special USB device (key) that you have to plug in. Critical accounts, such as your bank or your brokerage account should always use multi-factor authentication.

The Future

More secure platforms are possible in the future because the many platforms of today were naively designed without much thought to the potential for abuse.

Bitter experience has burned off the naiveté. Computer security will always be a challenge because computing systems are maddeningly complex. Developers and designers will never be able to foresee every security flaw.

In the early days of our current computing platforms, software developers did not think much about security. The goal was to build a network to interconnect systems and make them reachable, not put up barriers to access. In retrospect, that was jaw-droppingly naive. The hackers of today still take advantage of that naiveté.

Fortunately, the industry is wiser now.  With new attitudes, improvement is possible.


I must credit my Whatcom County Library System friend, Neil McKay and computer communications expert, Steve Stroh, for their substantial help.