The rise and fall of the flawed argument for Mac security

I remember a time not long ago, while shopping at Best Buy, when I overheard an Apple fanboy explaining to a potential convert the benefits of Macs over Windows machines. It was the usual list: they are more stable, they just work, there is no blue screen of death and, of course, you don’t need antivirus software because Macs don’t get viruses.

That last one has never really been true, as anyone who has worked in computer security will tell you, but Mac malware was uncommon enough that it seemed true to the average person.

Fast forward to March 2016 and things have changed. There are now a number of serious Mac-related malware threats. One of the big ones was Morcut, discovered in 2012, which can install without user interaction, survive multiple reboots and has rootkit capabilities if the Mac is running under a user with root privileges. Then there was Icefog in 2013, a trojan capable of taking complete control of the victim’s Mac. In 2014 Mask/Careto was used in targeted attacks against corporate and government targets. We also had CoinThief, which steals Bitcoins from infected machines, and this month we have the KeRanger ransomware being used against Macs for the first time.

The preceding list is by no means exhaustive. Honestly, I could write an entire article only listing the threats that Mac users face every day. What’s different now is that these problems are becoming more frequent. We really shouldn’t be surprised by this; after all, Macs have been slowly chipping away at PC market share, and criminals go where the victims go.

Another interesting aspect of the increase in Mac malware is that a significant percentage of the infections seem to be at least partially targeted, meaning that the person or group behind the attack was trying to infect the computers of a specific user, organization or group. One theory as to why this is a trend is that Apple products are often seen as status devices because of their higher cost and the strength of the Apple brand, so a lot of wealthy and influential people use them. From the point of view of a criminal organization, it makes sense to target these users.

KeRanger is also unique not just because it is the first case of ransomware on a Mac, but because of the attack vector used to infect its targets. Apparently, criminals broke into the web server for Transmission, a popular BitTorrent client that runs on Macs. The intruders replaced the legitimate copy of Transmission with a trojanized version that, when installed, gained local privileges and installed KeRanger. This was discovered quickly, but it is not clear at this time how many computers were infected.
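The KeRanger vector above, a swapped download on a compromised vendor server, is exactly the case that pinning a release checksum catches. The following is an added example, not code from the original post or from the Transmission project: it streams a downloaded installer through SHA-256 and compares the result in constant time against a digest obtained out of band (a vendor checksum published through a separate channel, not the download page itself). The file names, the sample payload and the pinned digest are all constructed for the demonstration.

```python
"""Verify a downloaded installer against a pinned SHA-256 before running it.

Added example; not part of the original post or the Transmission project.
The pinned digest must come from an out-of-band source (signed release
notes, a checksum file fetched over a separate channel). If it is taken
from the same compromised page as the download, the attacker controls both.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so a large installer never has to fit in memory


def sha256_file(path):
    """Return the lowercase hex SHA-256 of the file at `path`, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_sha256):
    """True only if the file's digest equals the pinned digest.

    hmac.compare_digest avoids short-circuiting on the first differing
    character; the expected value is normalised because published
    checksums vary in case and trailing whitespace.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def demo():
    """Constructed demonstration: a 'good' download and a tampered copy.

    Returns (good_verifies, tampered_verifies); expected (True, False).
    """
    good_bytes = b"placeholder installer payload\n" * 1000  # constructed sample
    # Stands in for the vendor's out-of-band published digest (constructed).
    pinned = hashlib.sha256(good_bytes).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "Transmission-good.dmg")       # hypothetical name
        bad = os.path.join(d, "Transmission-tampered.dmg")    # hypothetical name
        with open(good, "wb") as f:
            f.write(good_bytes)
        with open(bad, "wb") as f:
            f.write(good_bytes + b"extra bytes")  # a modified build fails the check
        return verify_download(good, pinned), verify_download(bad, pinned)


if __name__ == "__main__":
    ok, tampered = demo()
    print("pinned build verifies:", ok)        # True
    print("tampered build verifies:", tampered)  # False
```

Run the check before opening the image, not after. On a Mac it complements, rather than replaces, a code-signature check such as `codesign --verify --deep --strict` on the installed bundle: a signature check tells you the binary was signed by some identity, while the pinned hash tells you it is the specific build the vendor intended to ship, which is the property a swapped download violates.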

I believe the lesson to be learned here is that Macs are not impervious to malware. This will only get worse as more people switch from PCs to Macs, because criminals will always follow the money. The argument that it’s far too difficult to get malware onto a Mac isn’t going to cut it anymore. When asked why he robbed banks, the criminal Willie Sutton replied, “Because that’s where the money is.”

Visit the Transmission team’s website for more information about KeRanger and to update to version 2.92, which has been cleared by the Transmission development team.


