The Expert's View with Jeremy Kirk


Mac Malware: Still No Need to Panic

Eleanor and Keydnap Infections Most Likely Scant

Security vendors are warning of two new types of malware for Apple computers that could have serious security impacts if inadvertently installed, but users who've kept Apple's default security configurations should be safe.


Even relatively mundane Mac malware tends to get attention, since Apple computers are rarely targeted compared to the daily onslaught of Windows malware. For many hackers, compromising computers is simply a numbers game, and Windows malware usually yields a better return on the effort.

Enter Eleanor

Even so, multiple security firms - including Bitdefender, ESET and Malwarebytes - have begun sounding warnings over a new OS X backdoor dubbed Eleanor. ESET says the malware was seeded inside a fake software program, EasyDoc Converter, which purports to be a file-conversion application.

It's only the second piece of Mac malware to be found thus far this year, Thomas Reed of Malwarebytes writes in a blog post. The first was KeRanger, which is believed to be the first ransomware program to target Apple (see Alert: Ransomware Targets Macs).

Once on a Mac, Eleanor fires up a local web server. It also assigns each infected machine to a hidden Tor website. The attacker then can browse and control the infected computer through a web-based control panel. Hidden websites, signified by the ".onion" domain, offer more anonymity and are harder to trace to a specific hosting provider.

With Eleanor implanted, an attacker essentially has full control of the machine and can execute commands, turn on the webcam and send emails.

Eleanor is not signed with a developer certificate issued by Apple, which works in users' favor. It means that if Gatekeeper is set to allow only applications from the Mac App Store and identified developers - the default setting in OS X - the application would be blocked.

Although security researchers have shown Gatekeeper can be fooled, it generally will block applications that lack a digital signature, or that haven't been approved by Apple if it is configured to allow downloads only from the Mac App Store.
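A defender's check for the two conditions the article relies on, the Gatekeeper policy switch and an application's assessment verdict. This is an added example, not from the article or the vendors quoted; the live wrapper needs macOS (`spctl`), while the classification functions only parse captured output, so the constructed sample strings below can be checked anywhere.

```shell
#!/bin/sh
# Added example: audit Gatekeeper and assess an app bundle before opening it.
# classify_verdict() maps the output of
#   spctl --assess --type execute -vv /path/To.app
# to a short verdict. spctl prints lines such as
#   /Applications/Foo.app: accepted
#   source=Mac App Store
# or
#   /Applications/Bar.app: rejected
#   source=no usable signature
classify_verdict() {
    out="$1"
    case "$out" in
        *": accepted"*"source=Mac App Store"*) echo "allowed-app-store" ;;
        *": accepted"*"source=Developer ID"*)  echo "allowed-identified-developer" ;;
        *": accepted"*)                        echo "allowed-other" ;;
        *"source=no usable signature"*)        echo "blocked-unsigned" ;;
        *": rejected"*)                        echo "blocked-rejected" ;;
        *)                                     echo "unknown" ;;
    esac
}

# `spctl --status` prints "assessments enabled" or "assessments disabled".
# Returns 0 when the Gatekeeper policy is enforced at all.
gatekeeper_enabled() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live wrapper for macOS: report the policy state and the verdict for one app.
assess_app() {
    app="$1"
    status=$(spctl --status 2>&1)
    if ! gatekeeper_enabled "$status"; then
        echo "WARNING: Gatekeeper is disabled; unsigned apps would run unchecked" >&2
    fi
    result=$(spctl --assess --type execute -vv "$app" 2>&1)
    echo "$app -> $(classify_verdict "$result")"
}

# Run the live check only when given an app path on a machine that has spctl.
if [ $# -gt 0 ] && command -v spctl >/dev/null 2>&1; then
    assess_app "$1"
fi
```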

"In all, although this is a nasty bit of malware, the good news is that it's awfully easy to remove," writes Reed of Malwarebytes. "Further, the fact that it was disguised as a file converter meant to convert two relatively obscure file formats, coupled with the lack of any code signature, means that its distribution was probably fairly limited."

EasyDoc Converter was hosted on MacUpdate, a marketplace for Mac-compatible applications. EasyDoc Converter had user ratings that date back two years ago, Reed writes, but the malware only went live in April.

"I suspect that the real EasyDoc Converter may have been abandoned by its developer and somehow obtained by malware authors," he writes.

Keydnap Targets Keychain

Eleanor's appearance was quickly followed by the third piece of Mac malware to surface so far this year. ESET calls it Keydnap, and it targets the Mac keychain, a particularly sensitive application.

That's because the keychain serves as a Mac's password manager, storing everything from router passwords to application and VPN passwords. It appears that Keydnap borrows proof-of-concept code published on GitHub, according to ESET malware researcher Marc-Etienne M. Léveillé. That code, written in October 2011 by Juuso Salonen, looks for master keys for the keychain in order to decrypt files.

Keydnap also seems to rely on social engineering. "When two new processes are created within two seconds, Keydnap will spawn a window asking for the user's credentials, exactly like the one OS X users usually see when an application requires admin privileges," Léveillé writes. "If the victim falls for this and enters their credentials, the backdoor will henceforth run as root, and the content of the victim's keychain will be exfiltrated."

The malware also uses Tor hidden services to communicate with its command-and-control server. ESET writes that Keydnap may be distributed through spam messages or offered as a download on untrusted websites. The company is unsure how many people may have been infected. Keydnap does not have a digital certificate, so Gatekeeper will stop it.

Apple Products Increasingly Targeted

While Mac users are targeted less by malware than Windows users, Mac aficionados should remain vigilant. For years, Apple portrayed its OS as being immune from the problems Windows users experienced. But as a 2015 study from Carbon Black showed, hackers are increasingly writing malware for Macs: Five times more malware was found in 2015 than in the previous five years combined.

But it's important not to panic. Even a fivefold rise in the quantity of Mac malware represents, well, only a relatively small number of malicious applications. And security experts say both pieces of malware are easy to remove, provided they're detected.

Accordingly, it's not a bad idea to run anti-virus software, which can nix most Mac malware. AV-Test, an independent security software evaluator, just published a report covering 12 anti-virus suites for Macs, four of which are free downloads.

About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.