History of Mac Malware
Mac malware: the subject that fanboys on each side love to argue about. The fact is that malware for the Mac is real, and it continues to grow as a problem. In 2012 Apple removed the statements “It doesn’t get PC viruses” and “A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers” from its marketing. I would like to shed light on Mac malware from the beginning to now, in the hope that it brings an understanding of why security is needed on every operating system.
1982 – The first threat was Elk Cloner (which did not actually affect the Mac); it caused an infected Apple II to boot up with a poem:
Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it’s Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!
A few other malware families appeared in this period, but since they targeted an operating system that is no longer in real use I won’t go into great detail. In 1987 the nVIR virus began to infect Macintosh computers. In 1988 HyperCard viruses started to gain traction; HyperCard was Apple software that executed scripts immediately on opening a stack. MDef was discovered in 1990 and infected application and system files on the Mac. In 1995 Microsoft released a virus called Concept that infected both PC and Mac users via Microsoft Word. In 1996 Laroux, the first Excel macro virus, was found, but it didn’t actually affect Macs until Excel ’98 was released. In 1998 both AutoStart 9805 and Sevendust were discovered.
2004–Present – This brings us to the modern operating system we all know and love, OS X, and to the time frame in which threats were created that can still affect systems in use today.
2004 – Renepo was found. It had the ability to disable the system firewall, and it would try to copy itself to
2004 – Amphimix, a program that is also an MP3 file. When launched it displays a dialog box which reads “Yep, this is an application. (So what is your iTunes playing now?)” It then loads itself into iTunes as an MP3 file called “Wild Laugh”, playing four seconds of laughter.
2006 – Leap is widely considered to be the original Mac Trojan. Leap used iChat to spread itself, forwarding itself as a latestpics.tgz file to the contacts on the machine. Inside the gzipped tar file (.tgz) was an executable masquerading as a JPEG. When executed, it infected all
2006 – Inqtana was the second worm for Mac OS X. The worm propagated through a vulnerability in unpatched OS X systems.
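The Leap entry above describes the classic masquerade: an executable inside a .tgz that carries an image name. The following script is an added example, not code from the original post or from any Leap analysis, showing how a defender can triage an archive for that pattern before anyone opens it. It builds a constructed sample archive in memory (one benign JPEG header and one Mach-O header under a .jpg name, with executable mode bits) and flags entries whose extension says "image" but whose mode bits or magic bytes say "program". The magic numbers are the standard Mach-O and fat-binary values; the archive contents and file names are made up for the demonstration.

```python
import io
import stat
import tarfile

# Standard Mach-O magic numbers (32/64-bit, both byte orders) plus the
# fat/universal binary header. Any file starting with one of these is a
# Mach-O executable regardless of what its file name claims.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def looks_like_macho(header: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat-binary magic."""
    return header[:4] in MACHO_MAGICS


def scan_tgz(data: bytes):
    """Return (member name, reason) findings for image-named entries that
    carry executable mode bits or a Mach-O header."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if not member.name.lower().endswith(IMAGE_EXTENSIONS):
                continue
            if member.mode & EXEC_BITS:
                findings.append((member.name,
                                 "executable mode bits on an image-named file"))
            fh = tar.extractfile(member)
            head = fh.read(4) if fh else b""
            if looks_like_macho(head):
                findings.append((member.name,
                                 "Mach-O magic bytes under an image extension"))
    return findings


def build_sample_tgz() -> bytes:
    """Constructed sample archive: a benign JPEG and a disguised executable."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        # Genuine JPEG start-of-image marker, normal file permissions.
        jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 60
        info = tarfile.TarInfo("latestpics/holiday.jpg")
        info.size, info.mode = len(jpeg), 0o644
        tar.addfile(info, io.BytesIO(jpeg))
        # 64-bit little-endian Mach-O magic, executable bits, image name.
        fake = b"\xcf\xfa\xed\xfe" + b"\x00" * 60
        info = tarfile.TarInfo("latestpics/latestpics.jpg")
        info.size, info.mode = len(fake), 0o755
        tar.addfile(info, io.BytesIO(fake))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_tgz(build_sample_tgz()):
        print(f"{name}: {reason}")
```

The benign entry produces no finding; the disguised one is reported twice, once for its mode bits and once for its header. Either signal on its own is enough to quarantine an archive that arrived over chat or email, and checking the magic bytes catches the case where the sender stripped the executable bits and relies on the victim restoring them.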
2008 was a big year for Mac malware… Apple published an advisory recommending the use of antivirus software, then removed the statement from its website after it had been up for about two weeks.
2008 – BadBunny is a multi-platform worm written in several scripting languages and distributed as an OpenOffice document containing a macro. It spreads by dropping script files that alter the behavior of popular IRC (Internet Relay Chat) programs, causing them to send the worm to other users.
2008 – RSPlug is a Trojan that changed the victim’s DNS settings to send users to malicious servers. It originally spread as a fake video codec downloaded from various porn websites.
2008 – AppleScript.THT tries to disable security software, steal users’ passwords, turn on file sharing, take screenshots of the desktop, and take a photo of the user via the built-in camera. The malware exploits a vulnerability in the Apple Remote Desktop Agent, which allows it to run as root.
2008 – MacSweeper, the Mac’s first ‘rogue’ application (a fake antivirus that misleads users by reporting infections that don’t exist). When the infected user tried to remove the “infections”, MacSweeper asked them to provide credit card details and pay $39.99 for a “lifetime subscription
I won’t lie, before I got into threat research, I ended up with this on my Mac…
2008 – Hovdy tried to install itself into /Library/Caches. It disabled syslog and system updates, stole password hashes, opened ports in the firewall, disabled security software, installed the LogKext keylogger, and started a web server, VNC, and SSH. It also tried to gain root access by way of the ARDAgent vulnerability.
2009 – Iservice was discovered in a pirated version of iWork ’09. It copied itself to /usr/bin/iWorkServices and tried to make an HTTP request. Updated variants were later found in pirated versions of many widely used programs.
August 28, 2009 – Apple released an anti-malware tool called XProtect; at release it could protect a Mac against only two threats (RSPlug and
2010 – HEllRTS (aka HellRaiser) is a Trojan that gives a remote user control of the computer. The remote user can transfer files, pop up chat messages, display pictures, and even restart or shut down the infected machine.
2010 – Boonana, a Trojan that spread via social media and email disguised as a video. It runs as a Java applet, which downloads its installer to the machine. Once installed it runs in the background, communicating with a variety of servers, including command-and-control servers.
2011 – MacDefender, another rogue like MacSweeper, installs itself into the /Application folder and demands payment to remove the “infections” from your Mac.
2011/2012 – Flashback was disguised as a Flash Player download and targeted a Java vulnerability on Mac OS X. The system is infected once the malicious code causes an applet containing the exploit to load. Flashback was the largest Mac attack to date, hitting more than 600,000 Mac
2013 – Lamadai, a backdoor Trojan, targeted NGOs (non-governmental organizations) and exploited a Java vulnerability to drop further
2013 – Hackback spied on victims. It was designed to take a list of certain file types, find all files matching those types, compress them into a zip archive in /tmp/, and upload it to a remote server.
2014 – LaoShu went viral via spam emails posing as a delivery notification from FedEx. It contacts a remote server, sending system information, files, and screenshots. It is important to note that it was signed with a valid Apple Developer ID certificate.
2014 – CoinThief is designed to steal Bitcoins from infected machines and is disguised as legitimate apps. Its source code was on GitHub for a while under an app named StealthBit.
It’s worth mentioning that these have been the main threats seen on the Mac, not all of them. There are many smaller variants and proofs of concept that are not listed. I also didn’t include any adware variants such as Genieo or VSearch here, but I did write about them in my last blog post. Even after seeing all of these, there will still be those who refuse to believe that their Mac is vulnerable to attack, but trust me, it will only get worse from here. Apple is increasing its market share, and with that comes an opportunity for malware writers to make more
We give credit to Devin Byrd for the content of this article and want to warn you that Macs are ABSOLUTELY vulnerable to malware. Everyone, both Windows and Mac users, should use a good anti-virus/Internet security software program when browsing the Internet. If you don’t, you WILL get a virus and possibly lose the functionality of your computer and the files/photographs stored on it.
When this happens, you can call Nerdcore Computer Solutions to the rescue, and the majority of the time we can reverse the damage.
Please periodically back up your files and photos to either an external hard drive or a thumb drive.
Whenever the Nerdcore team performs a repair on a computer, we also perform a complete “Optimization”, which increases the performance of your computer to better than it was when it was brand new.
The Nerdcore team