{"id":17690,"date":"2012-10-16T22:25:55","date_gmt":"2012-10-17T02:25:55","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-08-08T16:59:40","modified_gmt":"2021-08-08T20:59:40","slug":"a-history-of-mac-malware-part-2","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/a-history-of-mac-malware-part-2\/","title":{"rendered":"A History of Mac Malware: Part 2"},"content":{"rendered":"

\"A<\/a>Graham Cluley<\/strong><\/a> at Sophos<\/a> recently wrote<\/a> an excellent history of Apple Macintosh<\/strong> malware. He points out that Mac malware is a subject that raises strong emotions. There are some who believe that the problem is over-hyped and others who believe that the malware problem on Macs is underestimated by the Apple-loving community. The author writes that hopefully, this short history will go some way to present the facts and encourage sensible debate. (rb- We have just taken on a new customer which is 85% Mac and 15% PC. I have had this very conversation with my Apple certified tech who does the field support.)<\/em><\/p>\n

Click here<\/a> to read part 1 of the History of Mac Malware.<\/em> Click here<\/a> to read my recent series commemorating the 25th anniversary of the computer virus.<\/em><\/p>\n

\"Sophos<\/a>Big changes to the Mac malware scene arrived with the release of Mac OS X – a whole new version of the operating system which would mean that much of the old malware would no longer run. All future, Mac-specific malware would have to be written with a new OS in mind.<\/p>\n

2004<\/strong> – The Renepo script worm<\/a> (also known as “Opener”) attempted to disable Mac OS X security including the Mac OS X firewall. The author reports that the Renepo worm would download and install hacker tools for password-sniffing and cracking, make key system directories world-writable, and create an admin-level user for hackers to later abuse.<\/p>\n

\"Renepo<\/a>In 2004, hackers also wrote a proof-of-concept program called Amphimix which demonstrated how executable code could be disguised as an MP3 music file on an\u00a0Apple<\/a> (AAPL<\/a>) Mac. Amphimix appeared to been written as a proof-of-concept highlighting a vulnerability in Apple’s<\/a> software.<\/p>\n

2006 – <\/strong>The first virus for Mac OS X was discovered in 2006. OSX\/Leap-A<\/a> was designed to use the Apple<\/a> iChat<\/a> instant messaging system to spread itself to other users. As such, it was comparable to an email or instant messaging worm on the Windows platform.<\/p>\n

\"iChat\"<\/a>The author concludes that it was correct to call OSX\/Leap-A a virus or a worm. It was not correct to call OSX\/Leap-A a Trojan horse<\/a>. Not that that stopped many in the Mac community claiming it wasn’t a real virus.<\/p>\n

2007 – <\/strong> Sophos discovered an OpenOffice<\/a> multi-platform macro worm capable of running on Windows, Linux, and Mac computers<\/a>. The\u00a0BadBunny<\/a> worm dropped Ruby script viruses on Mac OS X systems and displayed an indecent JPEG image of a man wearing a rabbit costume.<\/p>\n

\"BadBunny<\/a>The first financial malware for Mac appeared\u00a0in 2007. The OSX\/RSPlug<\/a>-A Trojan horse was first detected <\/a>by researchers at Intego<\/a>. Mac users infected themselves by downloading and running a fake codec that claimed to help users view pornographic videos. Once on a victim\u2019s Mac, RSPlug changed that machine\u2019s DNS settings so that, while browsing the web, users would redirect to phishing sites or sites containing advertisements for other pornographic sites.<\/p>\n

According<\/a> to Kasperskey’s<\/a> Threat Post<\/em><\/a>, RSPlug\u2019s various incarnations are all forms of the DNSChanger malware. DNSChanger featured prominently as the target of the FBI\u2019s 2011 take-down of the malware network, dubbed Operation Ghost Click<\/a>.<\/p>\n

2008<\/strong> – Apple malware became more sophisticated in 2008. Cybercriminals targeted Mac and PC users in equal measure, by planting poisoned ads on TV-related websites. If accessed via an Apple Mac, surfers would be attacked by a piece of Macintosh scareware called MacSweeper<\/a>. Close relatives of MacSweeper including Imunizator<\/a>, claimed to find privacy issues on the user’s computer.<\/p>\n

The author details the growing sophistication of Mac malware in 2008.<\/p>\n