A troubling trajectory of malware and ransomware targeting OS X and iOS
March 30, 2016
Shah Sheikh (1294 articles)

In recent years, we’ve seen attitudes toward computer security shift from “let’s wait and see” to “protect yourselves at all costs.” And while security has been thrust center stage in all arenas, from healthcare to ecommerce to higher education, there are still entities becoming compromised to greater degrees every few months. Even President Obama is stepping up US efforts to combat cyberattacks with his recent appointment of a new Chair of the Commission on Enhancing National Cybersecurity.

For over a decade, Apple users believed that they were safe because Macs don’t get viruses. And while arguably this belief was once somewhat accurate, there have been too many security compromises since for it to hold any truth whatsoever.

What’s the truth?

OS X is vulnerable, as are all computing devices. While some are more at risk than others, the fact remains that given the right combination of vulnerable software paired with malicious code and a growing base of potential targets, this is fertile ground for someone wishing to compromise your data or worse—hold it ransom.

As recently as March 4, 2016, a piece of malware named KeRanger, detected by researchers at Palo Alto Networks, successfully targeted OS X systems. Classified as ransomware, its primary aim is to have a key pair generated on a remote command-and-control server and use the public key to encrypt the data on your Mac. Once the encryption is complete, a note is automatically created and saved to the computer informing you (the user) that your data is inaccessible and will remain so until the ransom is paid in Bitcoin. Once payment is made, the private key is released for download, allowing you to decrypt your precious data.

This type of attack has been gaining traction and sophistication on Windows-based computers over the last few years, and KeRanger marks the second time in less than two years that ransomware has targeted OS X. The first attempt, named FileCoder, was not fully functional. With KeRanger, however, the malware authors got things right. And if the history of Windows systems is any indication, the floodgates have been opened.

Ransomware is just one part of a multipronged problem affecting OS X security. As evidenced by the delivery of the KeRanger payload, Trojan horses are still a major delivery method for infections, as are scripted attacks from infected websites that home in on vulnerabilities that have yet to be patched by vendors. These zero-day vulnerabilities are exploited through delivery vehicles such as Adobe Flash or Java. Sometimes merely visiting a specially crafted website is all that’s needed to infect a device. Depending on the payload, it may record your keystrokes and report them back to someone looking for passwords to social media sites and other websites.

Malware such as backdoors may give unknown users remote access to your devices over the internet, allowing them to take control of your computer and use it as part of an attack on a network. And let’s not forget the main driver behind security breaches in the first place: money. The same types of attacks are being used to harvest bank account details, which are amassed and later used for credit card fraud or outright theft of funds.

The numbers don’t lie

According to Kaspersky Labs, malware has been on the rise since 2003, when the first OS X malware threat was detected. From 2010 through 2014 alone, malware targeting OS X increased 3,600% (Figure A). This is due in no small part to the growing market share that Apple has steadily continued to gain as Apple computers and mobile devices permeate enterprises and our personal lives.

Figure A: growth of OS X malware (image: Kaspersky Labs; image not included here)

And how does iOS fare? With its often-cited “walled garden” keeping apps, data, and security tightly knit, it’s technically more secure than OS X, but that doesn’t mean it isn’t susceptible to security compromises either.

Vulnerability in encrypted iMessage service

The recently released iOS 9.3 update patches a security vulnerability that allowed unauthorized third parties to intercept files sent through the encrypted iMessage service and decrypt them, owing to a flaw in the service’s cryptographic implementation. This bug, found by a team of researchers at Johns Hopkins University, represents the latest issue affecting the iPhone and iPad platforms.

First major iOS malware outbreak

About six months ago, iOS was the subject of the first major malware outbreak since its release. Estimated to have affected hundreds of millions of devices, XcodeGhost was the name given to the malicious code found in a number of apps hosted in the Apple App Store. The apps had been built with a tampered version of Xcode and stealthily stole confidential data from iOS devices; the data could later be used to target individuals’ Apple IDs and iCloud credentials.

Discovered by iOS developers in China, the targeting of Xcode effectively side-stepped many of Apple’s checks and balances for its App Store (such as digital signatures): the malicious code was passed on to third-party apps compiled with the compromised Xcode, which were then submitted as legitimate applications.

Trojan exploits FairPlay DRM software

And just a couple of weeks ago, Palo Alto Networks detected a Trojan that exploits Apple’s FairPlay DRM software, which is used to ensure that apps installed on iOS have been paid for and not side-loaded by software pirates. The technique has been around for several years, but it has now been weaponized as a method of spreading malware. Using a man-in-the-middle attack, the device is tricked into believing the app is verified, and the app is allowed to be installed on the iOS device. The app in question has been modified and may use the malicious code to spy on users and/or harvest private information.

Most alarming is that the attack affects both jailbroken and non-jailbroken devices. Furthermore, infected apps may be installed without the user’s authorization, making the process largely undetectable until it has already occurred.

Even after Apple detected this issue and deleted the questionable apps, the attack method requires only that the application existed at least once on the App Store. After that, even once deleted, the process may be repeated to install the app in the future. This poses a glaring threat, as subsequent attacks will no doubt grow in sophistication and put even more data at risk.

The best way to mitigate threats

While tools exist to mitigate some of these risks, the greatest tool and best advantage in the security realm is—and will continue to be—knowledge, especially using best practices when on the internet and social media sites. Be mindful of public Wi-Fi hotspots and the data you transmit over them. Enable built-in security features, and follow best practices at all times.

The problem with the security model is that those looking to cause damage only need to be successful once, while those looking to prevent it must be successful every time, or else we’ve failed.

Source | TechRepublic