A client shows that Macs are not as safe as you think

A common misconception among Mac users is that their Apple products are immune from malware and security issues often seen in Microsoft products. A decade ago, this was pretty much true. Mac OS had a streamlined approach to security that was difficult to crack, but more importantly, Apple users were massively dwarfed by Microsoft and weren’t worth the time to target. Hackers wanted the easy score, not something they actually had to work at. Unfortunately, many Mac users still believe they’re impervious to threats, but they are ignoring two major changes in the computer landscape.

1) After years of abuse, and rightfully so, Microsoft has now surpassed Apple in terms of protection. Since the Windows Vista introduction in 2007, their OS has employed ”address space layout randomisation (ASLR) which is implemented so as to obscure most of what an attacker needs to conduct, for example, shell code injection attacks.” Despite acquiring ASLR in 2007, Mac OS has yet to implement this same degree of protection.

2) Apple has seen fabulous growth in the personal computer market. In 2003, Apple had just 2.06% of the desktop computer market. Just five years later, that number was at 14% and has now diversified further with the advent of the hugely popular iPhone and iPad. Not surprisingly, Mac OS malware has grown in excess of 200% in the last three years!

Unfortunately, many companies are ignorant to this environmental shift and still assume their Macs are as secure as ever. Take for instance an advertising agency we recently consulted with. This agency employs over 50 individuals and boasts several Fortune 500 accounts. Like many ad firms, Macs are their computer of choice.

Recently, one of their biggest clients had a security breach that originated from the agency office. The agency and client shared a portal where they frequently transferred images, files and documents. Besieged by a nasty piece of malware, the portal was rendered unusable.

What the agency didn’t realize is their Mac computers were hosting Windows-based malware. While the malware had zero effect on their Mac computers, it ran amok on the client’s Microsoft desktops after it was unknowingly transferred through the portal. This issue is prevalent in many Mac environments. According to Sophos, “A 100,000 strong snapshot of the millions of Mac computers which have recently downloaded Sophos’s free Mac anti-virus software, revealed that 20% of Mac computers were carrying one or more instances of Windows malware.”

Needless to say, if the agency realized that their fleet of Mac computers weren’t secure and at the very least invested in Sophos’ free Mac anti-virus software, this entire scenario would have never happened. If you are a Mac user or your company runs a Mac-based operation, please do us all a favor and download the aforementioned free anti-virus software. And if you really want to make sure all your bases are covered, give us a buzz and we’ll set you up with a free security review as well.

Sophos Apple Resources:

Download Sophos’ free Mac anti-virus software.

1 in 5 Macs has malware on it. Does yours?

Are Macs safer than PCs?

 

Mac Backdoor Trojan embedded inside Boobytrapped Word Documents

This is a repost of a blog entry initially reported by Sophos’ Graham Cluley at the award-winning Naked Security blog. Sophos is a Platinum Partner of RJS Smart Security.

The folks at AlienVault discovered an interesting new Mac malware attack this week.

A backdoor Trojan horse, which would allow a remote hacker to access your Mac computer without your knowledge and potentially snoop on your files and activity, has been discovered hidden inside a boobytrapped Word document.

The targeted attack relies upon a critical security vulnerability discovered in Microsoft Word back in 2009, which allowed remote code execution (MS09-027).

In a nutshell, if you open the boobytrapped Word document, a Trojan horse gets dropped onto your Mac opening a backdoor for remote hackers. Furthermore, a decoy document called file.doc is also dumped onto your drive.

Dropped decoy Word document

The nature of the decoy document, which claims to be about Human Rights abuses in Tibet by the Chinese, is sure to raise some eyebrows.

Inevitably there will be speculation that this attack is related to ‘Ghostnet’, the alleged campaign by China to spy via the internet on pro-Tibet organisations, including the Tibetan government-in-exile and the private office of the Dalai Lama.

If that’s the case, then it would seem that ‘Ghostnet’ is now targeting Mac users inside organisations sympathetic to Tibet and banned Chinese groups.

And don’t be fooled into thinking that you are protected by Mac OS X itself, which will ask for an administrator’s username and password to install software. You won’t see any prompt for credentials when this malware installs, as it is a userland Trojan.

Neither the /tmp/ nor /$HOME/Library/LaunchAgents folders on Mac OS X require root privileges – meaning that software applications can run in userland with no difficulties, and even open up network sockets to transfer data.

Mac malware hex dump

Sophos anti-virus products detect the malformed Word documents asTroj/DocOSXDr-A and the Mac backdoor Trojan horse as OSX/Bckdr-RLG. The servers that the malware attempts to communicate with have been categorised by Sophos as malware repositories since at least 2009.

Once again, Mac users need to remember to not be complacent about the security of their computers. Although there is much less malware for Mac than there is for Windows, that is going to be no compensation if you happen to be targeted by an attack like this.

If you’re not already doing so, run anti-virus software on your Macs. If you’re a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.