white paper on the history and future of malware and how it can affect the
Apple Mac OS X platform. This document is also available in academic white paper format as a PDF file . Click here to downloaded (1.2 megs).
document discusses the technologies used in malware. These include viruses, Trojans and worms. The specific intention is to bring forth detailed discussion on how
this affects the Apple Mac OS X platform. The document outlines a potential
framework for a Mac OS X malware suite. The document closes with
recommendations on what Apple Inc, and users of Mac OS X can do to defend
against such technology.
paper was created to outline the results of research performed by the
MacForensicsLab.com research and development team. These
results are presented to the public in order to raise awareness of the
situation and to prompt the relevant responsible parties to address the issues
MacForensicsLab.com staff and SubRosaSoft.com Inc consider it important to
bring such discussions out into the public and welcomes all opportunities to
discuss the paper on firstname.lastname@example.org.
Inc. and all third parties discussed in this
paper do not endorse this content and they did not cooperate in the
production of this paper. All trademarks contained within this paper remain the
property of their respective owners with all rights reserved.
2008 SubRosaSoft.com Inc, all rights are reserved.
Malware – The History And Future
The Use Of A System Outside Of Its Design
In the early days of
computing the term hacker was used to describe those with a deep understanding
of the core functionalities that comprised a
computer system. These hackers were able to apply this understanding to enable
computers to perform in a manner which was previously unimaginable. Therefore,
these hackers were a fundamental catalyst for the change and growth of modern
computer systems and the Internet.
The term has been degraded
over time to be generally limited to someone who targets system security and
ways to get around it. In modern times it has come to include people using
tools they did not produce in order to cause damage or nuisance to computer
The Study And Creation Of Malware
The academic world of
computer science has been at the forefront of the discussion and definition of
malware since the first virus was discovered. Universities became
perhaps the first victims of malware and consequently the first defenders against them.
Some notable academics in
the early days include:
1980 Jürgen Kraus, a computer
science student at the University of Dortmund, wrote his master's thesis on
Selbstreproduktion bei Programmen, [Program Self-Reproduction]. This thesis is
the first study to show that certain programs can display behavior similar to
that of a biological virus.
Professor Len Adleman, of USC, employs the term virus to describe
self-copying programs when discussing them with Fred Cohen, his computer
1981 - 82
a student at Texas A&M University, writes several self-reproducing programs
for Apple II disks, naming them Virus 1, Virus 2 and Virus 3.
Computer Inc. had a very strong presence in the academic community throughout
the early personal computing era. The use of the Apple platform in the
development of malware is an extension of its overwhelming presence in the
Hax0r – The Growth Of The Script Kiddy Generation
home computer use grew, a new generation of hackers arose. These young hackers
represented a fundamental change in ability, ideology and intent from their
predecessors. The new generation of hackers is referred to as script kiddies.
The name script kiddies is a descriptive term, popularized by the original hacking core, as a means to reflect their general disdain of
the new generation’s lack of understanding of the
core concepts of computing and their inability to create tools of their own.
Computer Inc. was given the historic honor of
being the first computer to bring virus technology into the home when
Richard Skrenta wrote Elk Cloner in 1982. This program attached itself to the
Apple DOS operating system of the time and
spread via floppy disks.
[Figure 1 – The message shown on every 50th boot on disks infected by Elk
Prior To The Mac
story of the early years of Apple Computer Inc. and the relationship between
the founders Steve Jobs and Steve Wozniak cannot easily be told without
including hacking and underground technology. From the days of the BlueBox, a
device designed to fool the telephone systems of AT&T into providing free
long distance phone calls, through the creation of the first commercial home
computer in a garage in what later became known as Silicon Valley.
Inc. and the modern high tech lifestyle
we all enjoy today were founded by (so-called)
old school hackers.
Figure 2 – This blue box, on display at the Computer History Museum was
previously owned by co-founder of Apple Computer Inc.  Steve Wozniak. Steve
once used this to impersonate Henry Kissinger in a prank call to the Vatican
City. The Pope was reportedly asleep. 
Mac Classic operating system (any version prior to version 10, Mac OS X)
enjoyed a long life and a wide user base from the initial release in 1984 to
the first desktop version of Mac OS X in March of 2001. This operating system
revolutionized the way we work with personal computers offering many of the
user interface concepts taken for granted today.
the lifetime of Mac OS Classic many varieties of malware were developed to take
advantage of the user base including some very notorious viruses such as nVir
in 1987. The nVir author(s) released the source code for their work resulting
in a large proliferation of derivatives causing wide and varied effects in the
wide spread introduction of viruses for Mac OS at this time brought forth the
corresponding large number of anti-malware tools that are still
around today. These tools scan for code found within known viruses and eradicating them when found.
Apple Computer Inc. made changes to the operating system to stop some of
the methods used by viruses on Mac. Perhaps the most notable change was to stop
autorun, a technology still present on Microsoft Windows that will
automatically execute programs when a disk is inserted.
Mac OS X (Including Mac OS X 10.5 Leopard)
successful, and most plausible, malware attacks on Mac OS X have occurred in
the last 2 years with the last quarter of 2007 being particularly prolific.
Market penetration and overall sales of the Mac OS X system have directly
mirrored development of malware, a phenomenon also demonstrated with other
operating systems such as Microsoft Windows. Based on this data there is no
reason to believe the trend will not continue as Apple continues to increase
their market share.
concept of the economy of scale has historically meant that malware authors
have not previously considered the Mac a viable target. This protection is
being eroded by the increase in size of the Mac user base.
analyst Chris Christiansen is warning Mac users of the growing threat.
Mac users take security too lightly. In fact, most are quite proud of the fact
that they don't run any security at all," Christiansen said. "That's
an open door; at some point it will be exploited."
users, your days of worry-free web surfing could be numbers. A Mac internet
security and privacy software maker has discovered what is believed to be the
first professionally crafted in-the-wild malware targeting the Mac Operating
A Change In Culture
century has seen significant changes in the hacking community with an overall
trend away from the technology enthusiast to the organized crime rings
committing mass fraud and global extortion on the global digital marketplace.
This change in culture has brought with it many changes in focus for the modern
is now being used to steal information, and thus property, from a user’s
system. These types of attacks range from simply extracting the requisite
personal information to assist in identity theft – to more complicated
attacks known as phishing – whereby
the malware pretends to be a trusted service such as a bank or service provider
in order to steal from an external resource.
Hackers Create a New Online Crime Economy” (http://www.cio.com/article/135500/)
DDOS – Distributed Denial Of Service
crime groups are using malware in order to extort payment from system owners
and operators. Large collections of infected systems can be used to cause
servers and systems to become inoperable by flooding their connections with
traffic, thus cutting off desirable traffic, or by overwhelming a systems
armies capable of toppling big sites, some say” (http://www.msnbc.msn.com/id/6436834/)
criminals use malware to convert innocent users’ systems into virtual soldiers in their army of computers. These armies are
called bots, bot networks, or bot nets, and can sometimes number into the tens
of thousands . This is generally done without the user being aware they
have joined into the network of bots.
Global Cyber Terror
century has seen the rise in state-funded cyberterrorism. There has
become a very high potential for cyberterrorism to impact our economy and our
society in ways that are difficult to define.
Gift from the Islamic Faithful Network – Mujahedeen Secrets 2 Program” (http://blogs.csoonline.com/node/590)
Malware – The Definition
What Defines A
A virus is a piece of
software that attaches itself to another program (the host) then uses the
ability of the host program to self-replicate. Stephen Hawking once said that a
virus should count officially as a form of life adding  “I think it says
something about human nature that the only new form of life we have created so
far is purely destructive. We’ve created life in our own image.”
The name for this variety
of malware is derived from the Latin word for toxin. The medical community
defines a virus is an infectious agent that is unable to replicate or grow
outside of a host cell.
A computer virus will
generally execute when the host program is executed. The first priority is to
look for additional hosts and to copy itself into them. The second priority is
often, but not always, to execute its payload. Payloads vary heavily from the harmless
to full cyber terrorism and have historically included such functions as
erasing the entire system, stealing personal information, or simply declaring
their existence (digital graffiti).
The primary requirement of
a virus is a host program into which it can write itself. The
Mac OS X platform makes little or no effort to protect the main applications on
the system (in fact, as discussed later, it actually makes it easy through the use of the bundle architecture.)
What Defines A Trojan
Trojan, or more accurately “Trojan Horse”, is a piece of software that contains
a hidden payload. The word 'Trojan horse' is generally attributed to Daniel
Edwards of the NSA. He is given credit for identifying the attack form in
the report "Computer Security Technology Planning Study".
name for this variety of malware is derived from the Greek legend where
Odysseus had a giant hollow wooden horse and hid his soldiers inside. The
people of Troy believing it to be a gift brought the horse inside their city
and their defenses.
What They Do
computing terms the concept is identical to the legend. The malware is able to
enter the users system and bypass security measures be pretending to be
something the user wants. Once the user executes the malware on their computer
the hidden payload can perform the function desired by the malware author.
Macs Are Vulnerable
definition of a Trojan makes defense very difficult. The weakness in any system
defense starts with the user and a Trojan defines its attack by exploiting that
versions of Mac OS X had little or no protection against a Trojan attack. The
effect a Trojan could have on the system was limited to the user’s
data and the applications installed on that computer.
10.5 Leopard introduces new sandboxing technology to show a dialog box to the
user before running any new program downloaded from the Internet. Software
downloaded from the Internet, both from the mail and from browser
applications, is marked as suspicious and will not
be executed until the user clicks on a confirmation dialog box to explicitly allow
it to run.
extended this paradigm to sandbox all applications, not just ones
downloaded from the internet.
commercial software vendors (such as Symantec, McAfee,
and Intego) offer varying technologies to assist in this area. More information
can be found at the companies’ respective
What Defines A
A computer worm is similar
to a virus in that it is self-replicating, but different in that it does not
require a host program to exist. The first computer worm was defined and
produced by researchers Jon A. Hupp and John F. Shoch at Xerox PARC in 1978. The worm was created to search a network to
find idle processors so that they could share the processing load of large
operations across an entire network, but was “self-limited” to their own
network to avoid accidental global expansion.
What They Do
with other forms of malware the worm matches many of the characteristics of its
biological equivalent. A worm will work its way through a network of computers
and resources leaving a copy of itself wherever possible to assist in the
Macs Are Vulnerable
combined with Trojan and virus technologies, worms
can infect entire Mac OS X networks. For example if an initial victim is
attacked using a Trojan which infects them with a virus that reproduces the
worms throughout their system, thus threatening the entire network. These
worms, when executed by automated or viral functions, can be used to reinitiate
the Trojan attack on other users’ Mac OS X Address Book,
and the unprotected Applications folder.
Malware – How It Can Affect Mac OS X
current Apple Mac OS X environment has some strengths and weaknesses. It has
become an abnormally biased situation in that the strengths are very strong and
the weaknesses are becoming increasingly obvious.
of Apple Mac OS X have been encouraged by media advertising to believe their
systems have never been exposed to malware. This culture has grown to a point
where many users believe their systems are invulnerable to malware and always
Inc,. Television Advertisement - “I
run Mac OS 10 so I don’t have to worry about your spyware and viruses”
attitudes behind this complacency include;
- You need a system pass to infect my Mac.
- There are no malware problems on a Mac.
- Macs are immune to malware.
result of these ill-founded beliefs is a complacency that
seriously compromises the ability of the user to make informed decisions when
dealing with a malware threat. This complacency can potentially
nullify the effectiveness of the new sandboxing technology in OS X 10.5
file extension is designed to tell the system and the user what kind of file
they are dealing with. Some examples of system extensions are .exe (a Windows
executable program), .app (a Mac OS X executable bundle), and .jpg (a common digital photo format).
Microsoft Windows and Mac OS X offer the ability to hide the extension from the
user. This is often used to disguise the true nature of file from the user. If
this hiding is combined with a less technically-oriented
user (the majority of all users) then a Trojan can exploit this to hide its own
The Bundle Architecture
What It Is
on the Mac OS X system are structured using an architecture called a “bundle”.
A bundle is a special folder that pretends to be a single file. The advantage
of this, for programmers, is that it allows multiple resources
to be contained in one single folder that is, from the users’ perspective, indivisible.
should be noted at this point that Apple Inc. also
use the bundle format for many of their pro tools to save documents.
use these special folders to allow certain resources to be treated as part of
the program without the risk of those being separated from the main executable
code of a program. Some examples are:
- Multiple executables for different platforms such as Classic Mac OS, PowerPC or
- Multiple language files so that a single copy of the application bundle can be
used in different countries and appear in the native language of that country.
- Graphics, buttons, and media resources used within the application.
- Help files, manuals, etc.
user is presented with an object that looks like (for example):
[figure 3 – iTunes.app as it appears to the user]
underlying bundle appears to the operating system as follows:
[figure 4 – iTunes.app as it appears to the operating system]
How This Assists Malware
structure of the bundle architecture makes it easier to piggyback executable code within an existing trusted application by simply renaming the
existing executable iTunes found in the MacOS subfolder and
inserting a second executable into the MacOS folder with the original’s
the user executes the bundle (in this case iTunes.app) the virus code would
execute instead. The virus would then launch the renamed iTunes executable so
that the user would not be aware they had run the wrong program.
OS X also makes use of the bundle architecture for storage of user documents in
many modern applications such as iMovie, iDVD, and the many pro tools. These
bundles typically have their file extension marked invisible so it is possible
to disguise an executable program as a data “file” for such a tool. These
bundles can open both their own malware code as well as the desired real
application whilst conserving the look and feel of the real data.
technology makes the process of creating a virus easier since the bundle
architecture greatly assists the process of installing multiple executables
into one “program”. Reproduction is greatly simplified since the same architecture
is used on most OS X applications.
Unprotected Application Folder
What It Is
UNIX systems protect their key executables by using file permissions and
storing them inside protected folders (such as /usr/bin).
Mac OS X systems maintain
their operating system files in the same protected method that traditional UNIX
systems use. The programs (commonly known as Applications)
that a user relies upon and considers part of their system such as iTunes, iChat, Keynote, etc. are stored
unprotected inside a folder called “/Applications”. Any program running on a
Mac OS X system can write to this folder and to most of the contents therein.
How This Assists Malware
common applications running on your Mac can
be modified, either by replacing the core executable of that program or adding piggyback executables (viruses) without leaving an obvious trace due to the nature of the
Centralized Open Address Book
What It Is
Mac OS X user enjoys the convenience of the Address Book. This centralized
database keeps track of all other contacts the user communicates with including
their instant messaging addresses, email addresses, phone numbers, physical
addresses, etc. The database is open to access from all programs running on the
Mac OS X computer.
running on the Mac OS X system can read, write and delete addresses from this
database at will.
Addresses that are deleted are not actually removed from the database. Instead
they are marked for deletion so that the computer can notify other devices such
as cellphones, iPods, and PDAs that the user wants that address deleted.
How This Assists Malware
worm known as “ILOVEYOU”, the “Love Bug worm”, or “VBS/Loveletter” started
arriving in email boxes with an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs” on May
4th, 2000 . This worm spread itself by interrogating users’ contacts and emailing copies of itself to everyone it found. On its journey it
is estimated that it infected 10% of all internet-connected
personal computers and caused more than 5 billion dollars in damage.
“ILOVEYOU” worm only infected computers running Microsoft Windows but the
mechanisms for dissemination exist on Mac OS X:
user base believing themselves safe
- Available open database of contacts
- Ability to write to the Applications
implemented a user-controlled system that sandboxes new applications and warns
users they are about to run a new application. Apple recently introduced
similar technology. It should be noted however that the user is already
complicit with the operation at this point so should not be considered a
reliable security measure.
Anatomy Of A Mac OS X Malware Suite
the purposes of this discussion this section will be limited to descriptions of
malware that does not have a “payload”. No attempt will be made to damage a
users’ system or gain any resources. All
technologies will focus on the delivery mechanism that could be used to attack
Mac OS X (and other) users. The aim and purpose here is to outline how a suite
might work so that recommendations can be received on how to stop such a suite
from being successful. The reader is invited to contact Apple Inc.,
and/or SubRosaSoft.com Inc. with suggestions.
Initial infection (First Wave) - The Trojan Attack
a successful infection there would be two goals required by the malware author.
First the infection should distance the author from the first wave victims while simultaneously making that first infection as wide as possible.
consideration in the production of a Trojan horse would be placed on making the
user want to accept the Trojan.
Latin epic poem “The Aeneid”  describes events between the time of “Homer’s
Iliad” and “Homer’s Odyssey” surrounding the Trojan War. This legendary war
between the cities of Sparta and Troy had resulted in a deadlock whereby the
defenses of the city were equal to the challenge of the attacking army. The
attacking leader, Odysseus, needed to create a gift the defending leader would
voluntarily accept inside the city defenses. Realizing the men of troy revered
the horse he had a mighty wooden horse made large enough to allow his soldiers
to hide inside it and left it at the gate of the city.
not trust the horse, Trojans. Whatever it is, I fear the Greeks even when they
bring gifts.” (Virgil, Aeneid, Book 2, circa 19 BC)
from the Greeks towards me hath sped well. So now I find that ancient proverb
true, Foe’s gifts are no gifts: profit bring they none” (Sophocles 496 –
406 BC, Ajax)
computing terms this same ruse would be used.
creation of a helpful freeware tool containing a version of a virus that will
infect once then lay dormant to a later date can be hosted on a public site
then advertised using one of the many freeware distribution sites such as http://www.VersionTracker.com or http://www.Downloads.com.
keeping with the primary consideration of this step a malware author would
leverage public popularity of fashionable technologies of the time, make a
small but helpful enhancement for that technology, and then distribute that
tool for free. For example, a small freeware utility that assists in the
management of SMS text messages on an iPhone.
malware author’s intent is not to fully disseminate the malware suite but to
get a wide enough secondary infection wave ready on a time-delayed
basis. This methodology follows the concept of the “sleeper cell” as defined in
the Al Qaeda training manual . The virus contained within this Trojan
would infect only the system where the Trojan was executed and make a copy of
the virus component into all of the unprotected application bundles on that
system. This virus would then sit in a dormant state, execute then quit without
further action, until a predetermined later date.
malware author would ensure that once the Trojan has completed its own initial
infection that the Trojan application itself self-inoculates
to cover the source of the second (main) deployment wave.
the main wave of attack is initiated the author should repost and allow for
dissemination of a vaccinated version of the Trojan. At this point the number
of suspect applications have been greatly increased while simultaneously
removing base suspicion from the originating Trojan. Many of the newly infected
applications (hereinafter called the second wave Trojans)
are, in fact commonly trusted
applications such as the Apple tools and third-party
tools found on most computers.)
attack infrastructure delivers a ready supply chain for the second wave in much
the same way as the Ho Chi Minh Trail  provided for the North Vietnamese. It
does so by forming a relatively complex web of available infection points that
the malware author can control. It also provides for a significant level of
overlap and duplication should any one conduit be closed.
Reproduction (Second Wave)
malware author’s goal for the second wave is to greatly increase the number of
infections. This wave would be repeated on a fixed schedule until the desired
infection ratios have been achieved and the desired payload can be implemented.
second wave would not proceed until sufficient time has passsed from
the first wave. This time could be determined remotely by having the virus
check an online source for a code to proceed. This approach would give the most
flexibility, but also offers the highest risk of discovery. Checking system
date and time and waiting for a
predetermined moment could also determine this time. This approach would give
the most protection from discovery, but also offers the least flexibility.
malware author would use the users’ data to
prepare ammunition for the second wave. This would contain packages made from
their own data that are disguised using the bundle architecture. It might also
contain sample programs from the users’ machines that are determined to be small freeware downloads newly infected by the
malware code. Because these payloads are prepared on the users’ own machines they would not trigger the sandbox
protection code found in OS X 10.5 when executed on the users’ machines.
that the malware author is sufficiently distanced from the second wave Trojans,
the primary consideration moves to mass production of malware. Traditionally
this was achieved by at least two separate methods. In
this case the malware author uses both methods together and separately for
- The Virus Approach – The malware should look for attached devices and
network volumes and infect every available application bundle with its own
- The Worm Approach – The malware should send copies of itself to as many
available recipients as possible.
virus approach would cause the malware to immediately deploy copies of the
pre-prepared payloads onto any removable media or network storage device.
first application to trigger itself would make use of the open address book
database to find potential candidates to send a copy of itself to. Special
attention would be made to indicators that the potential recipient is a Mac
user such as the content of the headers for incoming emails in the victim’s
inbox. The malware author would benefit from the inherent trust of the
secondary wave victim for the first wave victim.
final dissemination would be done in such a way so as to temporarily self-inoculate
the application responsible and to carefully feed the outgoing mail to stop
from flooding the victim’s connection and alerting them. Alternatively it might
be done in a massive full frontal attack in the manner performed by the
ILOVEYOU virus. This remains the prerogative of the malware author, and our
responsibility as an industry, to defend against.
has been discussed in this section of the document covers the three main
definitions of malware and documents how each can apply to Mac OS X.
- The Trojan Attack – Pretending to be a gift while hiding
- The Computer Virus – Self replicating programs dependent on a host
- Digital Worms – Producing and disseminating copies directly without a
is this author’s hope that this will open learned discussion of the topic. It
is in no way intended as a manual on how to create such a suite of malware
technologies. SubRosaSoft.com Inc. would
like to take this opportunity to point out that the dissemination of malware is
not only immoral, but also illegal. Please refer to Title 18 U.S.C. § 1030
“Fraud and related activity in connection with computers”  for more
For Apple, Inc.
Control The Bundle Architecture
might consider implementing a mechanism whereby a bundle cannot contain more
than one executable for any given “Contents” subfolder. This would reduce the
ability of malware authors to piggyback their code inside an otherwise legitimate
may also wish to discuss disallowing multiple extensions inside a .app bundle.
This would reduce the ability of malware authors to disguise executable bundles
as data files for their pro tools.
Control Access To The Address Book
paper recommends Apple should contemplate a similar system to the keychain
whereby the address book can be locked/unlocked and access to the address book
can be restricted to certain applications.
Control Write Access To The Applications Folder And Subfolders Found
may think about making it the default behavior for the system to require admin
access to write to this very important folder. Furthermore Apple should make an
interface that is easy, obvious, and non-technical to turn this access control
on or off.
Extend The OS X 10.5 Leopard Sand Box Concept
might consider extending the built in security functions found in OS X 10.5 to
include executable code that is created locally rather than the current
restriction to download content only. This would slow down the reproduction of
code that has already been authorized by the user.
For Mac OS X users
Read the security
guidelines from Apple Inc. found at http://images.apple.com/macosx/pdf/MacOSX_Leopard_Security_TB.pdf
determine the validity and source of any executables you wish to install and
run on your Mac OS X computer.
and utilize third-party utilities to monitor for
malware activity. Care should be made to avoid programs that specifically rely
on scans for known malware as these tools do not offer protection until it is
potentially too late.
the tools to consider include:
 Jesdanun ,Anick. Computer Viruses Turn
 Anderson, James P. (1972), Computer Security Technology Planning Study
 Wozniak, S. G.; Smith, G. (2006), iWoz: From Computer Geek to
Cult Icon: How I Invented the Personal Computer, Co-Founded Apple, and Had Fun
Doing It. W. W. Norton &
Company. ISBN 0-393-06143-4.
 Hawking, Professor Stephen W. (1994), The Cambridge Lectures
 Virgil, (19 B.C.), Aenid, Book 2, Translated by John Dryden, http://classics.mit.edu/Virgil/aeneid.html
 US Southern
District Court, US New York City Attorney’s Office, entered as evidence in
Africa embassy bombings. Retrieved November 17, 2007, Al-Qaeda training manual http://www.fas.org/irp/world/para/aqmanual.pdf
Support Systems, Inc. (2001), Hunting the sleepers, http://www.metatempo.com/huntingthesleepers.pdf
John. (1998), The Blood Road: The Ho Chi Minh Trail and the Vietnam War, New
York: John Wiley and Sons
Advisory. (2000), CA-2000-04 Love Letter Worm, http://www.cert.org/advisories/CA-2000-04.html
Honeypot Project & Research Alliance. (2005), Know your Enemy: Tracking
Botnets. Using honeynets to learn more about Bots. http://www.honeynet.org/papers/bots/
University Law School, Legal Information Institute. US Code: Title 18 > Part
I > Chapter 47 > § 1030. Fraud and related activity in connection with