There were two separate news items this week that together show MacOS X has finally become an attractive platform for malware makers. The first was reported by several news sites: pirated copies of iWork were found to contain malware. From the advisory:

The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password (in older versions of Mac OS X, 10.5.1 or earlier, there will be no password request). This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

While it’s not exactly new for pirated software to contain unexpected extras, it appears to be new for Mac applications. Also new is the fact that this is a fairly sophisticated trojan, using a downloader component and a centralized command-and-control server. In other words, someone has at long last created some real malware for MacOS X.
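The advisory above pins the persistence mechanism to a startup item dropped into a directory normally reserved for Apple's own items. As an added example (not code from the original post or from the advisory), here is a small POSIX shell function that audits such a directory for entries that are not on an allow-list you supply, printing the owner and mode of anything unexpected; the directory and allow-list arguments are assumptions made so it can be run against a constructed test directory, and on a Mac you would point it at /System/Library/StartupItems.

```shell
#!/bin/sh
# Added example, not from the original post: list entries in a StartupItems
# directory that are not on a caller-supplied allow-list, with owner and mode.
# Usage: audit_startup_items DIR "Name1 Name2 ..."
#   DIR    directory to scan (on macOS: /System/Library/StartupItems)
#   names  space-separated entry names you consider legitimate (assumption:
#          an allow-list you maintain; anything else is reported)
# Returns 0 when nothing unexpected was found, 1 otherwise.
audit_startup_items() {
    dir="$1"
    allow="${2:-}"
    found=0
    for item in "$dir"/*; do
        [ -e "$item" ] || continue
        name=$(basename "$item")
        # skip allow-listed names; the padding spaces make the match exact
        case " $allow " in
            *" $name "*) continue ;;
        esac
        # ls -ld is portable across BSD and GNU userland: field 1 is the
        # mode string, field 3 the owner (the advisory describes root rwx)
        info=$(ls -ld "$item" | awk '{print $3, $1}')
        printf 'UNEXPECTED startup item: %s (owner mode: %s)\n' "$item" "$info"
        found=1
    done
    return $found
}
```

A non-zero exit status, or any UNEXPECTED line in the output, is the signal to investigate the entry by hand rather than trust its name.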

As predicted earlier, the malware uses social engineering to trick a user into installing it. No matter how well your operating system is secured, it is very hard to protect users from themselves. This gets scarier when combined with this week's other Mac security news: researchers have found a way to hide malicious code within a legitimate process, making it extremely hard to detect that your machine is infected.

The in-memory injection approach allows unauthorized software to be installed on a Mac without leaving traces of the attack code or other tell-tale signs that the machine has been compromised.

“The importance is it makes forensics much harder,” Miller wrote in an email to The Register. “In the past, you could rely on seeing the trail of the bad guy on the disk, even if they tried cleaning up and deleting their files. This provides a practical method to eliminate that evidence.”

This might be a good time to have a look at antivirus software for your Mac!