Malware for OS X: Full Chronicle

According to Kaspersky Lab, the number of malicious programs targeting Apple products is nearing 1800. In the first eight months of 2014 alone, researchers have found some 25 new families of malware for OS X.

The number of malicious files for OS X

The number of malicious files for OS X

The author and editorial board would like to thank Mikhail Kuzin from Kaspersky Lab for additional information on OSX.Ventir.

Of course, it was influenced by the fact that, since 2008, the share of computers running this OS almost doubled by jumping from 4.9 to 9.3%. The key difference between the evolution of malware for this platform and malicious programs targeting Windows is that there was no so-called “infancy” period. I mean there was some amateurish lamer stuff, but not any mass dominance of Trojans created as a “kitchen-table” effort or “just for fun”. I will briefly describe some instances of the past few years.

Distribution of OS by desktop systems

Distribution of OS by desktop systems

Renepo aka Opener (October 2004)

Malicious bash script with a backdoor and spyware. Required root privileges in order to work. Was able to spread through USB drives. Downloaded John The Ripper, a password cracker, and tried to crack passwords collected on the computer. Blocked the built-in firewall and opened the port to listen for commands from a remote host.

Leap (February 2006)

Distributed via iChat messenger. After infecting a computer, it was sending itself to all found contacts as latestpics.tgz, an archive, and, once unpacked, was disguised as a JPEG picture. Worked only with root privileges.

RSPlug aka Jahlav (October 2007)

In fact, this was an implementation of DNSChanger, a Trojan, for Mac platform. The infection occurred when a user visited some malicious porn sites. The attempt to view the video was followed by a message requiring to download and install missing codecs to the system. Malicious files were downloaded as DWG virtual disk image and, again, the installation required root privileges. Subsequently, the malicious program substituted DNS server and all traffic was redirected to phishing servers used by hackers. The user was flooded with advertising, but it was only half of the problem. All credentials also ended up in the hands of bad guys. DNSChanger family has its roots in Zlob family, which, in turn, is of Russian origin and is associated with the activities of infamous Russian Business Network.

MacSweeper (January 2008)

First representative of rogue software for Mac OS. Tried to clean the computer from hell knows what and demanded money for it. Designed by an obscure firm called “KiVVi Software” and distributed through their web site with installers of other applications. Also had its own web site, where the entire section about was taken from the web site of Symantec. As they say, “an offense committed with great cynicism”.

MacSweeper interface

MacSweeper interface

Tored (April 2009)

E-mail worm. Written in RealBasic, used its own implementation of SMTP to send copies of itself to everyone found in address book. Contained some errors and, as a result, was unable to function in some cases. Inserted the following line in the subject field of the message: “For Mac OS X!:(If you are not on Mac please transfer this mail to a Mac and sorry for our fault :)”, hoping that Windows users would forward this message to someone else.

First Wave

As you can see, all of these instances were not particularly frightening. This is true, but everything was still to come…


In March 2012, Kaspersky Lab published information about a botnet that included some 600 thousand Mac computers. All of them were infected with a Trojan dubbed FlashFake. This name was chosen because it was masquerading as the installer of Adobe Flash Player. The first versions of FlashFake were discovered in September 2011. FlashFake used DGA to communicate with its command servers.

The main feature of FlashFake was that it did no longer require any action by a Mac user, except visiting the web site with malicious redirects. Previously, the malicious programs were masquerading as installation files and, for their successful work, the user had to enter a password, which substantially reduced the risk of infection. The first version of FlashFake also was well on the beaten track, but the second, which appeared in February 2012, began to use for its installation the vulnerabilities of Java virtual machine CVE-2011-3544 and CVE-2008-5353.

So how did the infection happen? In Google search results alone, there were about four million Web pages containing redirects to a malicious JAR file. In the case of its successful launch, the loader of FlashFake located in the JAR file would contact the command and control center and download two modules. One of them was the main module responsible for further interaction with C&C and updates, while the second was used for embedding into the browser. The latest versions of FlashFake have been noted for the search of their command and control centers via Twitter.

After exploiting as much as they could the computing power of unsuspecting users, the unidentified attackers closed down their shop in May of 2012. This is when the command and control centers stopped their operation. The profit was generated by driving up the traffic to the web sites (advertising revenue) and manipulating search results (using “forbidden” methods of Black SEO to promote web sites). This has shaken somewhat the faith of Mac users in their “secure” platform.


The entire year of 2012 passed under the motto “More Good and Diverse Trojans for Macs in Tibet”. The first sign was Revir/Imuler family (according to F-Secure classification), its double name can be explained as follows: Revir is a dropper and Imuler is a backdoor (Dr.Web calls it Muxler) installed by the dropper.

The methods used for distributing Revir were rather primitive but effective. The infection was targeted and focused. In fact, these were APT attacks. Revir.A was an executable file that masqueraded as PDF. Revir.B, a variation, was secretly installing Imuler.A (just like Revir.A), but it was masquerading as JPG picture. Revir.C also disguised itself as a picture, but it was placed in the archive, which also included many real pictures of Irina Shayk, a Russian model. For its part, an archive with Revir.D and another set of pictures downloaded Imuler.B.

It was assumed that the distribution of these threats was linked to Chinese-Tibetan conflict and aimed against various militant organizations fighting for the independence of Tibet.


The Crisis string was contained within the code of another malware detected by Intego in July 2012 on VirusTotal, a well-known web site. Crisis was a cross-platform Trojan and could install itself on computers running Windows and those running Mac OS X. The computer was becoming infected after the launch of malicious Java applet called AdobeFlashPlayer.jar, which had a digital signature created by using a self-signed certificate allegedly owned by VeriSign. Depending on the target platform, an installation module for Win or Mac was extracted from Java applet, saved to the disk and then run.

It is worth noting that the Crisis did not use any vulnerability exploits. This was quite strange, since the Mac version had on board a rootkit to hide files and processes, and you cannot install a rootkit without root privileges.

Many antivirus companies have different names for Crisis: Symantec uses the name given by the “author”, Kaspersky Lab calls this malware Morcut, and Dr. Web calls it DaVinci, because Crisis is part of Remote Control System DaVinci developed by Hacking Team, an Italian company. Hacking Team positioned its product as a legal spyware designed for use by governments and law enforcement agencies of different countries. Over time, the Italians rebranded it and, now, RCS is called Galileo.

A researcher of inner workings of Mac OS X known as reverser made a detailed analysis of the Crisis version for Mac and concluded that the skills of developers leave much to be desired. Despite an extensive spying functionality, this malware does not include any new ideas, it is an example of massive borrowing of third-party designs and is written in “Hindu” style. Many of its things could have been done better and more efficiently.

Reverser made another interesting observation: apparently, all detected instances of Crisis relate to 2012, despite the fact that they have been found in 2013 and 2014.


Initially, HackBack was discovered on a MacBook of Angolan activist who attended the Freedom Forum in Oslo, a human rights conference. Ironically, one of the issues discussed at the conference was the protection against surveillance by government agencies.

The most interesting thing in the HackBack that it was signed by Apple Developer ID, a certificate issued by Apple to a certain Rajinder Kumar. For that reason, the second name of HackBack is KitM (Kumar in the Mac).

HackBack was used for directed attacks from December 2012 to February 2013 and was distributed through phishing e-mails with ZIP archives. HackBack installers hidden in these archives were Mach-O executable files, whose icons have been replaced with icons of images, videos, PDF and Microsoft Word documents.

Main functionality: collecting files found on computer, creating screenshots, compressing them into a ZIP archive and uploading to remote server.


The first real virus for Mac (and not only for it) was detected in 2013. It was a conceptual design illustrating the possibility of infecting Windows, Linux and Mac platforms. Based on the source code developed in 2006 by a certain JPanic, this malware had a jawbreaking name CAPZLOQ TEKNIQ v1.0. So we can say that Clapzok.A is the version number two. It was written in Assembler language.

The spread of this virus is limited by many factors. First of all, it infects only the files with 32-bit architecture. In addition, many files are digitally signed, so there is no point in infecting them, because the security system of OS X will simply not allow to launch such a file.

These Days

In general, we are seeing the emergence of the following trends: use of Java and Adobe Flash vulnerabilities for installation, code signing, and wide distribution of spyware used for targeted attacks on users of Apple products.

In 2014, the number of new families of malicious programs for Mac has become almost the same as their total number for all previous years.


This malware represents interest because of all the media fuss about it. Its media-hyped name is Careto (meaning “mask” in Spanish) or The Mask. In 2014, Kaspersky Lab has published a report on yet another advanced cyber campaign. The advanced features of this campaign included the use of malicious programs for different platforms, including Windows, Linux, and OS X. The modules targeting Windows were called dinner.jpg, waiter.jpg, chef.jpg, hence the name – the Appetite.

Please subscribe to read full article

1 year

for only $300

With subscription you are free to read all of the materials of
Read more about the project

Please subscribe to view comments

Only subscribers can participate in the discussions. You may login in to your account or sign up to Hackmag and pay a subscription to access the discussions.