A look back at 12 years of Mac malware
Published January 1st, 2013 at 10:32 PM EDT , modified January 1st, 2013 at 10:32 PM EDT
It has been 12 years since the advent of Mac OS X. There had been some malware for older Mac systems before that point, but none of those worked on Mac OS X. This “reset the clock” on the Mac with respect to malware. Further, the new Unix base of Mac OS X promised greater security than older versions of the Mac OS. So how has that promise stacked up at this point?
Initially, malware remained fairly rare. The only malware in existence in 2001 belonged to the one specific family that actually managed to survive the transition to Mac OS X: Microsoft Office macro “viruses.” These became fairly prevalent among Microsoft Office users for a while, though they were never particularly dangerous.
It wasn’t until 2004 that the first truly new Mac OS X malware appeared. However, even then, malware remained nothing more than juvenile pranks or tentative poking at newly-discovered vulnerabilities that were soon closed in response. The first widespread malware didn’t appear until late in 2007, when the RSPlug malware appeared. Also known as DNS Changer, this malware affected machines up until late in 2011, when the gang behind it was apprehended and the malicious servers it used were eventually shut down.
In 2009, another widespread trojan appeared, masquerading at first as a “pirated” copy of Apple’s iWork software and later as other stolen software. It became fairly widespread, but since it really only affected people who were trying to illegally download stolen software, it was not considered to be a very significant threat by many. Most, including me, considered it to be a good lesson in appropriate online behavior.
It wasn’t until 2011 that malware started to become truly dangerous. First there were the initial probings into the Mac world by the Blackhole developers, who are now marketing their malware kit in the crime world with a great degree of success. Next appeared the MacDefender family of malware, which used hacked web sites to tell users that they were infected with malware and tricked them into installing it to “remove” the malware. This malware was so pervasive that it is the only malware that I have ever encountered “in the wild,” and not just once. I personally managed to find it not just once, but three times, and the first time I wasn’t even looking for it. MacDefender faded into obscurity before the end of the year, but in late 2011 the same hackers behind MacDefender brought us the first variants of Flashback, which at the time masqueraded as an Adobe Flash installer. All of this malware was entirely financially-motivated.
In 2012, Mac malware went through another transition. First, in February of 2012, Flashback transformed from a simple trojan into something far more dangerous. It took advantage of Java vulnerabilities to install itself as a “drive-by download” from hacked web sites. No user interaction was required, and although some variants did ask for an administrative password, users who were suspicious and did not supply that password were infected anyway through different means. Once Flashback’s technique became public knowledge, a flurry of new malware appeared that took advantage of the same vulnerabilities. Although those vulnerabilities were closed shortly after Flashback began using them, many people do not update their systems properly, and as a result, new malware continued to take advantage of those vulnerabilities as late as the end of November, nearly a full year later. Malware of other types also proliferated in 2012, but most of the malware from 2012 was highly-targeted. More than 1/3 of all of the malware from 2012 was used to attack specific groups in Asia, mostly Tibetan human rights groups and supporters of the Dalai Lama.
Overall, just by looking at the numbers, there is certainly cause for concern. As you can see from a chart of malware appearance by year that I created from my list of known malware, of all the Mac malware that has appeared over the last 12 years, almost 1/3 appeared in 2012, with 2011 in second place with 1/6 of appearances. If this trend continues, Mac users will need to take security far more seriously than they do now. Worse, the hackers behind the MacDefender and Flashback malware families – two of the most successful and prevalent malware programs on the Mac to date – are still on the loose, and are undoubtedly working on their next big project as I write this.
On the plus side, spikes in the malware count have happened before. In particular, the 2006 spike seen in the graph above can be attributed to the discovery of several vulnerabilities that were exploited by multiple malware programs before those bugs were fixed. 2012 saw a very similar situation: several vulnerabilities in Java were exploited by a number of copycat malware programs following Flashback’s success. That could have caused an artificial spike in the numbers, and it’s entirely possible that 2013 will see a much lower malware appearance rate with those vulnerabilities closed and Apple distancing itself from Java.
In addition, it’s important to keep in mind that numbers don’t tell the whole story. For example, one might look at the data for 2006 and conclude that that was a very dangerous year for Mac users. In reality, however, most of the malware that appeared in 2006 was quite rare and not particularly dangerous. Several were only released as proof-of-concept malware, and never found “in the wild,” infecting real-world computers.
As of today, all Mac malware is either extinct or cannot infect a properly updated machine. Although there are situations that can lead to infection, they require dangerous behavior on the user’s part, such as not updating their systems or downloading software from untrustworthy sources, for example via most torrent applications. Right now, anti-virus software is still not necessary for most users. Will that change in 2013? It’s too soon to say. It’s certainly evident that the Mac is becoming a tempting target for malware developers, but Apple’s recent focus on security suggests to me that there probably won’t be much to worry about in the near future, barring the discovery of another vulnerability.