Macintosh Malware: Mac OS X Security Flaws
March 9, 2008
A research paper titled “Malware on Mac OS X,” authored by Marko Kostyrko from MacForensicLabs, has outlined some serious security flaws found in Apple’s OS X Leopard (10.5.2) operating system.
A combination of user complacency, hidden extensions, the bundle architecture, unprotected application folders, and a centralized open address book are some of the dangerously easy targets for malicious code.
The magic triangle of flaws could result in serious security issues for any Mac user leading to unwanted consequences. According to the paper:
The primary requirement of a virus is a host program into which it can write itself. The Mac OS X platform makes little or no effort to protect the main applications on the system.
Here are some of the notes we took while reviewing Mr. Kostyrko’s research about the problems and security flaws facing Apple’s Mac OS X:
I. Complacency
Users of Apple Mac OS X have been encouraged by media advertising to believe their systems have never been exposed to malware. This culture has grown to a point where many users believe their systems are invulnerable to malware and always will be…. The result of these ill-founded beliefs is a complacency that seriously compromises the ability of the user to make informed decisions when dealing with a malware threat. This complacency can potentially nullify the effectiveness of the new sandboxing technology in OS X 10.5 Leopard.
II. Hidden Extensions
Both Microsoft Windows and Mac OS X offer the ability to hide the extension from the user. This is often used to disguise the true nature of a file from the user. If this hiding is combined with a less technically-oriented user (the majority of all users) then a Trojan can exploit this to hide its own true nature.
III. The Bundle Architecture
Applications on the Mac OS X system are structured using an architecture called a “bundle”. A bundle is a special folder that pretends to be a single file. The advantage of this, for programmers, is that it allows multiple resources to be contained in one single folder that is, from the users’ perspective, indivisible…. The structure of the bundle architecture makes it easier to piggyback executable code within an existing trusted application… Mac OS X also makes use of the bundle architecture for storage of user documents in many modern applications such as iMovie, iDVD, and the many pro tools. These bundles typically have their file extension marked invisible so it is possible to disguise an executable program as a data “file” for such a tool. These bundles can open both their own malware code as well as the desired real application whilst conserving the look and feel of the real data. This technology makes the process of creating a virus easier since the bundle architecture greatly assists the process of installing multiple executables into one “program”. Reproduction is greatly simplified since the same architecture is used on most OS X applications.
IV. Unprotected Application Folder
Traditional UNIX systems protect their key executables by using file permissions and storing them inside protected folders (such as /usr/bin). Mac OS X systems maintain their operating system files in the same protected manner that traditional UNIX systems use. The programs (commonly known as Applications) that a user relies upon and considers part of their system, such as iTunes, iChat, Keynote, etc., are stored unprotected inside a folder called “/Applications”. Any program running on a Mac OS X system can write to this folder and to most of the contents therein. Most common applications running on your Mac can be modified, either by replacing the core executable of that program or by adding piggyback executables (viruses), without leaving an obvious trace due to the nature of the bundle architecture.
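The two points above (a bundle can carry more executables than the user sees, and the folder holding it is writable by ordinary programs) can be turned into a simple audit. The script below is an added example written for this article, not code from the paper or from Mac Forensic Labs. It checks a bundle for group- or world-writable directories and for executables in Contents/MacOS other than the one named by CFBundleExecutable in Info.plist. The helper names (audit_bundle, declared_executable, make_sample) and the two sample bundles it constructs are hypothetical; on a real system you would point it at /Applications/*.app instead.

```shell
#!/bin/sh
# Added example: audit an application bundle for two weaknesses discussed above.
#  1. The bundle directory or its Contents/MacOS is writable by group or
#     others, so any local program running as an ordinary user could modify it.
#  2. Contents/MacOS holds executables beyond the one declared in Info.plist,
#     which is where a piggybacked executable would sit unnoticed.
# Hypothetical helper names; not the paper's own tooling.

declared_executable() {
    # Pull the CFBundleExecutable value from an XML Info.plist (assumed layout:
    # the <string> follows the <key> on the next line).
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 0
    sed -n '/<key>CFBundleExecutable<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist"
}

writable_by_others() {
    # Portable mode check via ls: position 6 is group write, position 9 is other write.
    perm="$(ls -ld "$1" | cut -c1-10)"
    case "$perm" in
        ?????w*|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

audit_bundle() {
    # Prints one line per finding; prints nothing for a clean bundle.
    app="$1"
    declared="$(declared_executable "$app")"
    for dir in "$app" "$app/Contents/MacOS"; do
        if [ -d "$dir" ] && writable_by_others "$dir"; then
            echo "WRITABLE: $dir"
        fi
    done
    if [ -d "$app/Contents/MacOS" ]; then
        for exe in "$app/Contents/MacOS"/*; do
            [ -f "$exe" ] && [ -x "$exe" ] || continue
            name="$(basename "$exe")"
            if [ "$name" != "$declared" ]; then
                echo "EXTRA EXECUTABLE: $exe (declared: ${declared:-none})"
            fi
        done
    fi
    return 0
}

make_sample() {
    # Constructed test data: a clean bundle and a tampered one under "$1".
    root="$1"
    for name in Good Tampered; do
        mkdir -p "$root/$name.app/Contents/MacOS"
        printf '<plist><dict><key>CFBundleExecutable</key>\n<string>%s</string></dict></plist>\n' "$name" \
            > "$root/$name.app/Contents/Info.plist"
        printf '#!/bin/sh\necho %s\n' "$name" > "$root/$name.app/Contents/MacOS/$name"
        chmod 755 "$root/$name.app/Contents/MacOS/$name"
    done
    chmod 755 "$root/Good.app" "$root/Good.app/Contents/MacOS"
    # Tampered: group-writable (like a bundle in an admin-writable /Applications)
    # plus a second executable that Info.plist never declared.
    chmod 775 "$root/Tampered.app" "$root/Tampered.app/Contents/MacOS"
    printf '#!/bin/sh\necho extra\n' > "$root/Tampered.app/Contents/MacOS/helper"
    chmod 755 "$root/Tampered.app/Contents/MacOS/helper"
}

# Usage: ./audit_bundles.sh /Applications/*.app
if [ "$#" -gt 0 ]; then
    for app in "$@"; do audit_bundle "$app"; done
fi
```

The second check is a baseline, not proof of compromise: some legitimate bundles ship helper binaries in Contents/MacOS, so the useful workflow is to record the output for a known-good install and diff it later, the same way traditional UNIX systems checksum /usr/bin.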
V. Centralized Open Address Book
A Mac OS X user enjoys the convenience of the Address Book. This centralized database keeps track of all the other contacts the user communicates with, including their instant messaging addresses, email addresses, phone numbers, physical addresses, etc. The database is open to access from all programs running on the Mac OS X computer. Programs running on the Mac OS X system can read, write and delete addresses from this database at will.
The mechanisms for dissemination of dangerous worms and viruses exist on Mac OS X:
1. A user base believing themselves safe,
2. Available open database of contacts,
3. Ability to write to the Applications folder.
The three main definitions of malware and how each can apply to Mac OS X:
1. The Trojan Attack – Pretending to be a gift while hiding an intruder,
2. The Computer Virus – Self replicating programs dependent on a host,
3. Digital Worms – Producing and disseminating copies directly without a host.
The full report is available at the Mac Forensic Labs web site.