On March 24, 2001, Apple Computer released its next-generation operating system, Mac OS X. In stark contrast
to its previous OS (Mac OS 9 and earlier), Mac OS X is a UNIX-based operating system. Consequently, customers
and editors asked us how much malware works on Mac OS X. We know that one of the most famous backdoor trojans on
Windows, Sub7, has been ported to the OS (and NAV for Mac OS X can detect it). In this paper I will explain other existing
Introducing Mac OS X
The core of the system is called Darwin and is based on an open source project. Darwin integrates the Mach 3.0 kernel
and operating system services based on BSD UNIX. This document does not explain the Mac OS X system in detail.
Please see the following site for more information.
I investigated Mac OS 10.2 plus the Developer CD. This is a brief introduction to the environment:
Mach 3.0 kernel
BSD 4.4 Lite
Java 2 Standard Edition 1.3.1
several BSD UNIX commands/development tools
UNIX malware overview
Symantec has currently detected over 100 malicious programs that work on UNIX. Almost all of them are zoo malware (that
is, not reported by customers or end users).
I have classified them into three categories: binary, script, and Java. In this document I will only explain binary
and script malware, because Java is "write once, run anywhere", even on Mac OS X :).
In contrast to the Windows platform, not much binary malware works on UNIX. Most binary malware only works
on Linux on the Intel platform. Fortunately, it cannot work on Mac OS X for the following reasons:
First, the CPU in a Macintosh is not the same as on the Intel platform. Currently, Mac OS X only
runs on Macintosh computers that use a Motorola/IBM PowerPC G3 or G4 processor. For the same reason, such binary malware
does not work on Linux for PowerPC either.
The second reason binary malware does not work on Mac OS X is the executable format. Commonly,
the Executable and Linking Format (ELF) is used on UNIX. Linux for PowerPC uses it too, but the
Mac OS X kernel only understands the Mach-O binary format and does not support ELF. Mach-O is completely
different from ELF; its structure can be inspected with "otool" from the command line.
Possibilities of binary malwares
Malware may work properly on Mac OS X if it is re-compiled for the OS. Apple has released a GNU C++ compiler
and linker, GCC, for Mac OS X. If a user installs Apple's developer tools, the user can compile numerous source
packages such as GNU software. So, only three commands are required:
This is the same as on other UNIX systems and therefore provides another way for binary
malware to work on Mac OS X. If someone inserts malicious code into the source and the user downloads and compiles
it on Mac OS X, it is likely to work properly on the OS. Recall the case in which trojan code was inserted into the
OpenSSH source distribution (for more information on this, see http://www.cert.org/advisories/CA-2002-24.html).
There are three types of script malware: shell, Perl, and PHP scripts.
The default shell on Mac OS X is tcsh, which is based on the C shell. As with other common UNIX tools, the Bourne shell is
ported as /bin/sh. Therefore, common shell scripts can run on Mac OS X. As I mentioned above, many common UNIX tools are
ported, even the "shutdown" command, but not all. If a shell script uses a command that is not ported
to the OS, the script cannot run properly.
Perl is also installed as /usr/bin/perl or /usr/bin/perl5.6.0. Perl scripts can work properly with the correct path.
PHP is a widely used server-side scripting language, and it is not enabled by default on the OS. However, the component is
installed and only requires modifying the /etc/httpd.conf file.
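The two points above (the Mach-O versus ELF format that decides whether a Linux binary can be loaded at all, and the interpreter path a script depends on) can be checked from the first bytes of a file. The following is an added example, not code from the paper: a POSIX sh function that classifies a file by its magic bytes or shebang line. The sample files it writes are constructed headers, not real programs, and the 64-bit Mach-O values are a later addition beyond what the paper's Mac OS 10.2 environment had.

```shell
#!/bin/sh
# Added example (not from the paper): classify a file by its leading bytes so
# the ELF vs. Mach-O distinction, and a script's interpreter path, can be
# checked before asking "will this run here?". Magic values are the standard
# ones: 7f454c46 (ELF), feedface/cefaedfe (32-bit Mach-O),
# feedfacf/cffaedfe (64-bit Mach-O, later systems), cafebabe (fat Mach-O).

classify_binary() {
    file=$1
    [ -r "$file" ] || { echo "UNREADABLE"; return 1; }
    # First four bytes as eight lowercase hex digits, e.g. 7f454c46.
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case $magic in
        7f454c46)          echo "ELF" ;;         # \x7fELF: Linux, *BSD, ...
        feedface|cefaedfe) echo "MACH-O" ;;      # 32-bit, big/little endian
        feedfacf|cffaedfe) echo "MACH-O" ;;      # 64-bit
        cafebabe)          echo "MACH-O-FAT" ;;  # Java .class shares this; confirm with otool
        2321*)                                   # "#!": an interpreted script
            IFS= read -r first_line < "$file" || :
            interp=${first_line#??}              # strip the "#!"
            set -- $interp                       # split "/usr/bin/perl -w" on blanks
            echo "SCRIPT ${1:-unknown}"
            ;;
        *)                 echo "OTHER" ;;
    esac
}

# True when a script's requested interpreter exists and is executable on this host.
interpreter_present() {
    set -- $(classify_binary "$1")
    [ "$1" = "SCRIPT" ] && [ -x "$2" ]
}

# Constructed sample files: only the leading bytes matter, they are not programs.
sample_dir=$(mktemp -d)
printf '\177ELF\002\001\001'            > "$sample_dir/linux.elf"
printf '\316\372\355\376\007'           > "$sample_dir/osx.macho"   # 0xcefaedfe
printf '#!/usr/bin/perl -w\nprint 1;\n' > "$sample_dir/script.pl"
printf '#!/bin/sh\necho hi\n'           > "$sample_dir/script.sh"
printf 'just text\n'                    > "$sample_dir/notes.txt"

for f in "$sample_dir"/*; do
    printf '%-12s %s\n' "${f##*/}" "$(classify_binary "$f")"
done
```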
Simple viruses, such as UNIX.Gobleen and UNIX.Gift, work easily; their routine is simply:
- search target
- open target
- insert virus or overwrite by virus
- write target
- close target
- search again
No special techniques or approaches are applied that are of interest to us.
The "mail" command
Some malware, such as UNIX.Penguin, UNIX.LoveLetter, and UNIX.Psite, uses the "mail" command to spread or to send
information from an infected system to a hacker. However, these do not work properly on Mac OS
X. The "mail" command exists but cannot be run by default. To use the mail command in Terminal, the
Sendmail configuration needs to be modified (you know it is very difficult!). Therefore, we do not need to consider
these malware types.
Malware for specific environments
- UNIX.Abuser exploits a game on Linux.
- UNIX.Bash drops an ELF binary for Linux.
- UNIX.Capdrop drops C source code and compiles it on the infected system. The source code
needs to be compiled on Linux.
- Many PHP malware programs (but not all) contain fixed strings like "C:\Windows". Of course
they only affect Windows.
- UNIX.Psite needs the X Window System, but Mac OS X does not have it by default.
None of these work on Mac OS X.
Mac OS X uses NetInfo for managing user and group accounts, email configuration, NFS, printers, computers, and
other resources. This is almost the same concept as Active Directory or NIS, and it is one significant difference
from other UNIX systems. Using some of these resources requires NetInfo Manager or the NetInfo tools from the command
Some trojans attempt to add new services for hackers. Some of the files involved must be modified the
same way as on other UNIX systems, instead of through NetInfo.
Fortunately, almost all malware for UNIX is zoo and is rarely found, even when we look for it. In addition, not much
UNIX malware can work on Mac OS X. The OS has inherited "Stability and Power" from UNIX, as Apple has
On the other hand, the OS has also taken over negative characteristics from UNIX. They are:
- Security is difficult for the user to manage
- The same malware may work as on other UNIX systems
Obviously, we need to be more wary of security issues on this OS than on Mac OS
9 or earlier.