Wednesday, November 07, 2007

Mac OS X Trojan Horse - Wolf in Sheep's Clothing?

Recently, a Mac OS X Trojan Horse was spotted in the wild. Pretty much everyone reported on it. But the best analysis I've seen is at SecuriTeam.

This is not a new type of attack. There is no new vulnerability exploited. This is not a novel attack, such as a driver exploit. This does not use some new social engineering technique or distribution method. This is not the first instance of organized crime (presumably) attempting to make money from exploiting systems. So why is everybody making a big deal about the new malware? People are making a big deal about this one because of what it is not: a Microsoft attack.

This new Trojan Horse is the first one to take an established commercial malware framework to the Apple platform. For years, these fake codecs have troubled the Windows platform, making untold amounts of money for their creators. They hijack the user's Internet experience and target people inexperienced with computers. But until now, the relatively simple task of adapting these programs for the decade-old operating system has been left undone. I believe that there are two reasons for this shift.

The number of people using Apple computers (and therefore OS X) has exploded over the last year and a half. I am currently sitting at a coffee shop and an informal survey shows that there are 12 Macs and only 6 PCs (including, unfortunately, mine). While this is an atypical distribution of hardware, it underscores the point. I know that most of these have been purchased within the last year and a half because they are almost all running on the Intel platform.

As the proportion of Mac users increases, the average level of computer experience in the community is bound to fall. For the last few years, Apple has had a loyal core of customers who are technologically savvy and educated about proper use and maintenance of their machines. However, the recent adopters are typically more casual computer users. This observation rests on anecdotal evidence, but it seems that most other observers have drawn the same conclusion.

These two trends, increased install base and decreased expertise, will continue upward as computer activities become increasingly platform independent. As more and more services are moved to a Web-based format, the importance of a single operating system will diminish. However, malware will continue to exploit the underlying system resources because this is a viable source of income.

Criminal organizations' involvement in computer-based crime has drastically risen in prevalence and sophistication over the last few years, and there is no reason to believe that this will change. Just like any money-making organization, these enterprises wish to maximize their revenue streams by exploiting new markets. In order to grow, new resources must be acquired. It appears that Apple computers have been firmly identified as a new resource for criminals.

And like any other emerging market, what is pioneered by one group will quickly be followed by other players. In other words, other criminal organizations will follow suit and develop their software for the OS X operating system to compete with this group's product offering. Eventually, this market segment will become more mature, with a high percentage of organized criminals developing for both Windows and OS X platforms the way that other software makers do. What used to be a hobbyist market will be filled by mature product offerings.

If there is nothing new about a piece of malware, it should not be a big deal. But this one is a big deal that many people will only recognize too late. This Trojan Horse is something new precisely because it's just business as usual.

3 comments:

  1. Thanks so much Beau...you really helped me with my Security trends research. God bless you.
    Love the photo- you are a hottie.

  2. This comment has been removed by a blog administrator.

  3. The last guy was spamming a commercial anti-virus product - that doesn't run on OS X! Shame on him.
