mac os x malware: from myth to mainstream


Page 1: Mac OS X Malware: From Myth to Mainstream

Vicente Diaz, Senior Security Analyst, Global Research & Analysis Team, Kaspersky Lab

Kaspersky Security for Mac Launch Event, Moscow, 14-16, May 2012

Mac OS X Malware: From Myth to Mainstream

Page 2

Mac OS X: security from a user's perspective

Page 3

Wait a minute…

Page 4

Recipe for an infection:

1. Vulnerability

2. Exploit

3. Attack vector

Or

4. Fooling the user

The cybercriminals’ checklist

Page 5

Mac OS X vulnerabilities in the past…

Page 6

And even more vulnerabilities now

[Chart: Apple security advisories and vulnerabilities per year, 2008 to 2012* (y-axis 0 to 450)]

Source: Apple Security Updates: http://support.apple.com/kb/HT1222

Page 7

Apple’s management of Mac OS X vulnerabilities

32 days

20 days

48 days

Page 8

The cybercriminals’ checklist

Recipe for an infection:

1. Vulnerability

2. Exploit

3. Attack vector

Or

4. Fooling the user

Page 9

Mac OS X’s pre-installed protection measures

Year  Version                ASLR               Stack protection             XProtect
2005  OSX 10.4 Tiger         No                 No                           Only warnings
2007  OSX 10.5 Leopard       Buggy - useless    Optional                     Only warnings
2009  OSX 10.6 Snow Leopard  Buggy - useless    OS compiled with protection  Enhanced
2011  OSX 10.7 Lion          Fully implemented  OS compiled with protection  Enhanced

Page 10

Introducing … XProtect (aka File Quarantine)

Live Demo
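An added example, not part of the slides or of any Kaspersky product, showing what the File Quarantine demo is about: downloaders such as Safari stamp each file with a com.apple.quarantine extended attribute, and XProtect's download check is triggered by that tag. The value layout parsed here (flags;hex timestamp;agent;uuid) and the `xattr -p` invocation are assumptions from common macOS usage; the sample tag is constructed.

```python
"""Inspect macOS File Quarantine tags (com.apple.quarantine).

Added example, not from the slides. Assumed value layout:
"<flags hex>;<unix time hex>;<agent>;<uuid>", fourth field optional.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class QuarantineTag:
    flags: int               # raw flags field; bit meanings not assumed here
    downloaded_at: datetime  # when the downloading app wrote the file (UTC)
    agent: str               # application that downloaded it, e.g. Safari
    uuid: Optional[str]      # quarantine event id, absent in short tags


def parse_quarantine(value: str) -> QuarantineTag:
    """Parse a raw attribute value; malformed input raises ValueError."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine tag layout: {value!r}")
    try:
        flags, stamp = int(parts[0], 16), int(parts[1], 16)
    except ValueError as exc:
        raise ValueError(f"non-hex flags/timestamp in {value!r}") from exc
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineTag(flags, datetime.fromtimestamp(stamp, tz=timezone.utc),
                         parts[2], uuid)


def read_quarantine_tag(path: str) -> Optional[QuarantineTag]:
    """Read a file's tag on macOS via `xattr -p`; None when untagged."""
    # An untagged download skips the XProtect check that keys off this
    # attribute, so None for a freshly downloaded file deserves a look.
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return parse_quarantine(proc.stdout)


# Constructed sample: a Safari download stamped 2012-05-14 00:00 UTC.
SAMPLE_TAG = "0081;4fb04b00;Safari;8F1E2D3C-0000-4000-8000-000000000001"
```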

Page 11

The future of Mac OS X protection

Page 12

The cybercriminals’ checklist

Recipe for an infection:

1. Vulnerability

2. Exploit

3. Attack vector

Or

4. Fooling the user

Page 13

Attack vectors

Compromised websites

Black Hat SEO

Targeted attacks

Page 14

The cybercriminals’ checklist

Recipe for an infection:

1. Vulnerability

2. Exploit

3. Attack Vector

Or

4. Fooling the user

Page 15

If what you say is true…show me the malware

Page 16

Mac OS X malware over time

[Timeline of Mac OS X malware, 2008 to 2011: Scareware, DNSChanger, Remote control, FakeAV]

Page 17

Mac OS X’s malware evolution

Source: Kaspersky Lab

[Chart: Mac OS X malware evolution by month, 2003.08 to 2012.04 (y-axis 0 to 300)]

Page 18

Case Study 1: Flashback

Page 19

Page 20

Flashback attack method

Page 21

Flashback attack vector

Main infection vector: Hacked WordPress sites

Late February to early March: between 30,000 and 100,000 sites were hacked

Depending on OS and browser, victims are redirected to an exploit

85% of hacked sites were based in the U.S.

Traffic hired from partner program associated with the rr.nu gang

Page 22

Geographical distribution of infected Mac OS X computers

Page 23

Case Study 2: SabPub

Page 24

Advanced Persistent Threat targeting Mac OS X users

Doc files from 2010, rearmed with new exploits

CVE-2009-0563 – targets Office

CVE-2012-0507 – targets Java

The “10th March Statement”

Installs backdoor on victim's machine

APT is currently ACTIVE

Page 25

What has changed?

Page 26

Mac OS X’s growth in market share

Page 27

Call to action: Apple’s security update process

• Allow Oracle to patch Mac OS X vulnerabilities in Java directly, rather than issuing your own security updates.

• Implement automatic security updates for user systems

• Respond faster to new security vulnerabilities to minimize window of exploitation

Page 28

Conclusions & predictions for users

• The myth of Mac OS X being invulnerable to malware has been shattered

• Use AV software and proper security practices to protect yourself

• Mac OS X mass-malware attacks will increase. This will include drive-by downloads and Mac OS X-based botnets

• Expect cross-platform exploit kits with Mac OS X-specific exploits

• Apple is pushing for a more controlled ecosystem (Gatekeeper) but this will be a cat-and-mouse game.

Page 29

Thank You

Vicente Diaz, Senior Security Analyst, Global Research & Analysis Team, Kaspersky Lab

@trompi

Kaspersky Security for Mac Launch Event, Moscow, 14-16, May 2012