A few years ago, Apple stated that Macs don’t get malware, but that turned out to be a PR disaster for them, as Macs can definitely be infected by malware and ransomware. In addition, they can be compromised and used as part of botnets. Let’s look at these in more detail with some examples:
A botnet is a network of computers acting as semi-autonomous “robots” which respond to commands sent to them by the hackers who control them. The majority of these computers tend to be Windows machines, but that isn’t surprising given that Windows accounts for around 80% of the world’s computers. However, Macs are not immune: a few years ago, the iWorm botnet ensnared 18500 Macs. How do the botmasters come to control such large numbers of computers? The answer is malware. Generally botmasters don’t care who owns the device; it’s more important to them to have as many machines available as possible. Malicious emails are a popular way to trick people into installing the malware, but if the malware is able to spread across the network it can infect other computers without any user interaction.
What do they do with botnets?
Once a hacker has control of a botnet, they can use it for many different purposes. Sending spam, stealing data, and sending out more emails carrying malware to grow the botnet are all common practice. More malicious activities include DDoS attacks (Distributed Denial of Service), designed to take down a website or service by flooding it with so many requests that it crashes.
There are many ways for botmasters to monetise their botnets (after all, money is usually the end goal). One example is advertising fraud, where the malware on the computer is instructed to take over the browser and send it to a particular website where an ad will be displayed; the advertiser is then charged for the number of times the ad is shown.
Botnets are also frequently rented out to other attackers, so botmasters can make enormous amounts of money by doing nothing at all!
Wouldn’t I know if my computer was doing all these things?
The hackers don’t want to draw attention to what they’ve done, so they will often try to use your computer as little as possible. After all, if they have thousands or tens of thousands of computers enslaved, they only need each one to do a small amount. If each computer sent out just a few emails every hour, that would quickly add up to millions of spam emails. So very often you won’t even notice any changes on your computer at all.
Command and Control (C&C)
C&C is how the hackers instruct their networks what to do. There are many ways, and they are constantly coming up with new, inventive ways to accomplish it. A basic method is for the computer to periodically “phone home” to a particular server to get instructions, but modern research means it’s easy to identify that server and shut it down. A common method is to use HTTPS to get instructions from a website, so it looks like normal web traffic and is harder to identify. Another method is to use P2P (peer to peer) networks, so that the infected computer takes a much more complicated route through other computers rather than talking directly to the C&C, which makes it harder again to trace. Social media is yet another method, where the botmasters hide their commands in a specially created social media post and instruct the infected machines to check a particular Twitter feed, for example.
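Whichever channel the botmaster picks, the “phone home” behaviour tends to leave the same fingerprint on the defender’s side: one client contacting one destination at suspiciously regular intervals, regardless of whether that destination is a bare IP, an HTTPS site or a social media feed. The following Python script is an added example (not part of the original article or of any Sophos product) that scores connections from a constructed proxy log by the regularity of their inter-arrival times. The log format, hosts and thresholds are all assumptions made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic): "ISO-timestamp src_ip dest_host".
# 10.0.0.5 checks in with one host every ~5 minutes (beaconing, with small jitter);
# 10.0.0.7 visits one site at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 cdn.example-updates.test
2024-03-01T10:05:02 10.0.0.5 cdn.example-updates.test
2024-03-01T10:09:58 10.0.0.5 cdn.example-updates.test
2024-03-01T10:15:01 10.0.0.5 cdn.example-updates.test
2024-03-01T10:20:00 10.0.0.5 cdn.example-updates.test
2024-03-01T10:24:59 10.0.0.5 cdn.example-updates.test
2024-03-01T10:00:10 10.0.0.7 news.example.test
2024-03-01T10:00:45 10.0.0.7 news.example.test
2024-03-01T10:07:12 10.0.0.7 news.example.test
2024-03-01T10:31:03 10.0.0.7 news.example.test
2024-03-01T11:02:40 10.0.0.7 news.example.test
2024-03-01T11:02:41 10.0.0.7 news.example.test
"""


def parse_lines(text):
    """Group epoch timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    return events


def beacon_score(timestamps):
    """Return (mean interval, coefficient of variation) for a list of timestamps.

    A low coefficient of variation means the gaps between contacts are nearly
    identical, which is what a timer-driven check-in looks like.
    """
    ts = sorted(timestamps)
    intervals = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    if mean == 0:
        return 0.0, float("inf")
    return mean, statistics.pstdev(intervals) / mean


def find_beacons(text, min_hits=5, max_cv=0.05):
    """Return (src, dst, mean_interval_seconds) for pairs that look like beacons."""
    hits = []
    for (src, dst), stamps in parse_lines(text).items():
        if len(stamps) < min_hits:  # too few contacts to judge regularity
            continue
        mean, cv = beacon_score(stamps)
        if cv <= max_cv:
            hits.append((src, dst, round(mean, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: contact every {interval}s, possible C&C beacon")
```

In practice you would feed this the real proxy or DNS log and tune `min_hits` and `max_cv` to your environment; legitimate software updaters also beacon, so the output is a list of things to look at, not a verdict.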
What about Gatekeeper?
Recent versions of OS X include a feature called Gatekeeper. You can see this when you try to open certain files and are presented with the message “xxx can’t be opened because it is from an unidentified developer”. In System Preferences you can go into the Security & Privacy settings and see that there are two options for “Allow apps downloaded from”: Mac App Store, or Mac App Store and identified developers. Versions before Sierra had a third option, “Anywhere”, which effectively turned Gatekeeper off, but that option is now hidden.
Gatekeeper helps but has some shortcomings:
- It only verifies an application the first time it runs, by checking its certificate amongst other checks
- It only verifies applications with the quarantine flag. If this flag is not set, Gatekeeper allows the application to run.
- There are many legitimate applications a Mac user may wish to run whose developer didn’t have the budget (or couldn’t be bothered) to register as an authorised developer and obtain a valid certificate, so their application will always be stopped.
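The second shortcoming is the one worth checking for yourself: Gatekeeper keys off the `com.apple.quarantine` extended attribute, which browsers and other download-aware apps set on files they save, and an app that arrived without it (copied from a USB stick, or fetched by a tool that doesn’t set the flag) is simply never assessed. The Python script below is an added example, not code from the original article or from Apple, that decodes that attribute and lists apps which carry none. The attribute value layout it parses is `flags;hex-timestamp;agent;uuid`; the sample apps, agent and UUID are made up, and the `read_quarantine` helper assumes the macOS `xattr -p` command is available.

```python
import subprocess
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample: paths mapped to the extended attributes they carry.
# The quarantine value, agent name and UUID are invented for the example.
SAMPLE_APPS = {
    "/Applications/Downloaded.app": {
        QUARANTINE_XATTR: "0083;65e0a1b2;Safari;1B2C3D4E-0000-1111-2222-333344445555",
    },
    "/Applications/FromUSB.app": {},        # copied in without the flag
    "/Applications/FetchedByTool.app": {},  # saved by a tool that sets no flag
}


def parse_quarantine(value):
    """Decode a 'flags;hex-timestamp;agent;uuid' quarantine value into a dict."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(parts[0], 16),            # hex bit field, kept raw
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],                     # application that saved the file
        "uuid": parts[3] if len(parts) > 3 else None,
    }


def apps_gatekeeper_will_skip(apps):
    """Return app paths with no quarantine attribute, i.e. ones Gatekeeper never assesses."""
    return sorted(path for path, xattrs in apps.items() if QUARANTINE_XATTR not in xattrs)


def read_quarantine(path):
    """Read the attribute from a real file on macOS via `xattr -p`; None if absent."""
    result = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path], capture_output=True, text=True
    )
    return result.stdout.strip() if result.returncode == 0 else None


if __name__ == "__main__":
    for path, xattrs in SAMPLE_APPS.items():
        if QUARANTINE_XATTR in xattrs:
            info = parse_quarantine(xattrs[QUARANTINE_XATTR])
            print(f"{path}: saved by {info['agent']} at {info['downloaded_at']:%Y-%m-%d %H:%M} UTC")
    print("Never assessed by Gatekeeper:", apps_gatekeeper_will_skip(SAMPLE_APPS))
```

On a real Mac you can walk `/Applications` and call `read_quarantine` on each bundle to build the same mapping; anything in the “never assessed” list has only whatever other protection you run on the machine standing between it and a double-click.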
Other reasons Macs are attractive targets
- Mac users very often log in with an admin account, so if it is compromised the hacker already has full control of the system
- A lot of Mac users do not run any anti-malware protection
- Many Mac users don’t upgrade their operating system, or install patches
- There is a perception that if someone can afford a Mac they have money to steal
- Compromised Macs are worth more to bad guys than Windows machines
Remember, even if the malware won’t run on the Mac, it doesn’t mean the Mac can’t be used to transmit the malware!
What can I do to protect my Mac?
Luckily it’s easy to add some really good protection to your Mac to protect your computer, and most importantly your data, from the bad guys. Sophos Endpoint is easy to install and runs in the background to prevent malware from reaching your Mac, and also to prevent it being spread further.