The Anti-virus Times

Tuesday, April 13, 2021

With the release of macOS Big Sur and the new M1 processor from Apple, our developers, testers and analysts had to work hard to make our anti-virus modules compatible with the new operating system. While beta testing for Dr.Web 12.5 for macOS is going full throttle and programmers worldwide are searching for sophisticated solutions to make their programs operational on the basis of the new architecture, let's remember a very interesting event that took place nearly 10 years ago.

Spring 2012 became really significant for the whole IT industry. Hundreds of thousands of computers running macOS, which at that time was still regarded by many as completely invulnerable to malware, turned out to be compromised by BackDoor.Flashback. Thus was formed the largest botnet in history consisting of Macs.

For many macOS users that development was a real eye-opener. It is still believed that this closed operating system is reliably protected against all kinds of trojans and viruses, and its relatively low popularity only contributes to its overall security. But leading up to that moment, virus writers had already long turned their attention to this operating system, so the incident with Flashback was only a matter of time.

As is often the case, the root cause of such a mass infection was a vulnerability that had not been closed in time. A trojan took advantage of exploits that leveraged a specific Java vulnerability to infect computers. The infection process was unobtrusive: it was enough for users only to visit a specific website containing a malicious applet; and the vulnerable Java version had to have been installed in the system.

The first Flashback botnet domains were registered on March 25, 2012. On March 27, Doctor Web's virus experts analysed a trojan sample that had caused an infection and studied algorithms used to generate the control server addresses. After that, our company conducted its own study, which threw light on the actual extent of the epidemic.

To calculate the size of the botnet, we used the sinkhole method, which redirects bot traffic, and that made it possible to intercept messages containing unique numbers of infected computers. A simple analysis of the data stunned many experts: at the peak, the number of botnet nodes (infected Macs) exceeded 800,000.

The prospect of giving their favourite computer away to hackers did not bode well for users. Upon receiving the corresponding commands from the control server, Flashback downloaded and ran any executable file on an infected device. Thus, the botnet operators could carry out DDoS attacks, steal users’ personal data, carry out phishing attacks, and, in general, they had a very wide range of actions they could take with the infected Macs.

Now let's examine the figures. In those years, according to leading experts, among desktops, macOS’s market share was about 6%. In less than 10 years, that share has grown to 16.5%, and virus writers have become more active, too. What current threats can macOS’s numerous users encounter?

The emergence of new types of malicious and unwanted software for macOS became one of 2020’s key trends. In the past year, our virus analysts discovered several significant threats, including active encryption ransomware known as ThiefQuest, numerous spyware programs, and rootkits which are able to hide running processes.

Also, our analysts studied the first trojan advertising module designed specifically for new Apple CPUs. It is notable in that it is able to resist debugging and determine that it is functioning in a virtual environment. Its primary function is to demonstrate annoying ads, banners, and pop-ups—something users hardly expect from systems running macOS.

We also examined more dangerous malware such as Mac.Trojan.SilverSparrow.1. Users who download software from untrusted sources are at risk as this trojan can be disguised as any program. Infection occurs without the user noticing and looks like a regular program installation. When the trojan is opened with the help of a standard installer, it pretends to be a "good" program and asks users for the permissions it needs to work. By granting these permissions, users compromise their systems. The main malicious feature is a payload that is locally assembled by the trojan. Thus, the trojan affixes several malicious scripts in the system, which then run in the operating system. These scripts collect personal data and spy on users.

#anti_virus #botnet #virus_writer #history #trojan