A common myth often regaled around the office water cooler is that Macs do not become infected with viruses. This was partly spread by a 2009 Apple advertising campaign that formed part of the “Get a Mac” campaign. One of the key selling points of this campaign was that Macs did not suffer from the “thousands” of viruses (now commonly referred to as "malware"), which plagued Microsoft computers. Over time, it was proven that Macs were not exposed to the multitude of malware strains that targeted Windows systems. The reasons for this are the following:
- Small market share. There is some truth to the “security through obscurity” argument. Many virus writers are motivated by the power they can command and money they can make by seizing control of large numbers of computers. That puts a financial premium on Windows malware, since, globally, there are far more Windows computers than those running Mac OS.
- With Unix-based file systems and kernel, Mac Operating Systems are harder to infect with self-replicating programs. Windows allows users to develop and run executable code outside their own protected memory space, whereas Mac OS X does not.
The myth that Macs are in some ways invulnerable, and come with built-in anti-malware 'force fields', is not true. Macs are affected by malware and have been for most of their existence. One of the first malware infections to become popularised, ElkCloner, affected Apple computers rather than the MS-DOS computers of the time. Security research firms are annually discovering malware targeting Macs on a more frequent basis.
With the surge in popularity of cryptocurrencies such as Bitcoin, Ethereum, and many others utilizing blockchain technology, a new type of malware has risen in conjunction with cryptocurrencies. These new malware strains are called 'crypto miners' and some have been infecting Macs.
What exactly are Crypto Miners?
Currently, there are two ways you can get cryptocurrencies. The first is to buy them and the second is to mine them. There have been instances of hacks targeting the wallets of cryptocurrency buyers. These often rely on hackers exploiting vulnerabilities within wallets on websites or servers. Crypto miners rely on mining the actual currency. A crypto miner, sometimes referred to as a 'crypto jacker', can be defined as malware that uses CPU power of the target device to mine cryptocurrency, with the profits returned to the wallet of the attacker.
Use and popularity of crypto miners and crypto jackers has become so widespread that researchers believe that they are fast becoming more popular than the use of ransomware by cyber criminals. Security researchers have stated that activity generated by Crypto Miners was the most detected network event in devices connected to home routers in 2017. This ascent of malware use is considerable. In October 2017, prevalence of Crypto Miner detections peaked at 116,361 events, with many of those detections occurring in Japan, India, Taiwan, the U.S., and Australia. To understand the appeal of Crypto Miners to cybercriminals, one needs to understand the financial motivation. In February 2018, it was reported that one operation that installed malware on servers running Jenkins (automation software designed for web development) mined roughly 3.4 million worth of Monero. That is essentially, a considerable sum by any standards. Monero is a popular choice for criminals to mine because of its increased privacy and anonymity features. This situation is further made problematic by the availability of applications such as Coinhive, which allows owners of websites to mine currency when visitors visit their webpage. These applications are abused by cyber criminals to maliciously mine for maximum profit.
Crypto Miners present very real Dangers
Besides the ethical issues and issues of the illegality of crypto miners, these types of malware can provide real problems. Problems that can result in major financial loss for the victims, be they individuals or companies. In February of this year, Metro reported that a two-floor apartment building in Artem, near Vladivostok, went up in flames. The fire was caused by a resident illegally using the apartment blocks' electricity to mine Bitcoin. It is believed that a power surge caused the circuits to overheat, fail, and result in a fire that gutted the apartment building. Fortunately, in this instance, nobody lost their life. The above example did not involve a Crypto Miner but it is not outside the realms of possibility one could cause such an event.
As the miner uses devices' CPU resources (a smartphone, tablet, or personal computer), it causes an extra load upon the chipset. At the very least, this will increase the power consumption of the device. The device will also become noticeably slower. While the CPU can handle increased loads for short periods, running at 100% for extended periods can cause a critical failure. In a recent article, security researchers at Radiflow, a company that specializes in securing critical infrastructure, noticed miners infecting industrial control systems. The researchers feared such miners would inevitably have a severe impact on systems. In the same article, Marco Cardacci, a consultant for the firm RedTeam Security, which specializes in industrial control, said:
The major concern is that industrial control systems require high processor availability, and any impact to that can cause serious safety concerns. Such systems control things like power grids and dam wall, a catastrophic failure in those instances could be disastrous.
The above is a nightmare scenario, but Crypto Miners can easily cause major failures on the devices we use daily. Russian security firm Kaspersky reported detecting mobile malware that mines Monero, bombards users with unwanted ads, and can even be used to launch denial of service attacks. After two days of testing an infected device, it showed physical trauma: the overworked battery swelled up, damaging the phone’s outer shell. Some cyber criminals want their miners to run for as long as possible and evade detection. They are thus programmed to operate when CPU cycles are not being utilized on other task. Not all malware authors are as cunning. A hacker who simply copies code in the hope of striking it rich could drive a CPU incredibly hard for an extended period of time, thus placing the CPU at risk of catastrophic failure. This will result in the CPU or the entire device being replaced at obvious expense to the victim.
How to detect if your Mac is infected
As mentioned above, Macs are not invulnerable to malware infections, or indeed, Crypto Miners. Security researchers recently reported on a miner being distributed via MacUpdate. The miner was called OSX.CreativeUpdate was designed to hide in the background and use the computer’s CPU to mine Monero. The malware was spread by hacking the MacUpdate site, which was distributing maliciously-modified copies of Firefox, OnyX, and other applications.
It is inevitable that these now popular malware strains will evolve and change in the near future. They will have different key identifiers and some will develop even more cunning ways to avoid detection. That does not mean that they cannot be detected. One of the key indicators that your Mac may be infected, is CPU usage. This can be checked by simply opening a resource monitor on your computer to check if CPU usage is abnormally high. On a Mac, a resource monitor can be found in the Activity Monitor that comes with the operating system.
The following could be indicators of infection:
- If you see a spike in CPU usage when visiting a particular website that should not otherwise be taxing the processor.
- If you have all programs closed but CPU usage is still very high, then you may have a crypto mining malware problem.
- It is hard to say what “normal” CPU usage looks like, since computer processing power and the applications people run vary considerably. Nevertheless, a sudden, elevated level of CPU usage would indicate an abnormal increase in demand for processing power and possible infection.
The above are examples of measures you can easily adopt to prevent such infections from occurring, or at least to allow you to detect them. Researchers at IBM have recently detected more sophisticated malicious miners. These are delivered through infected image files or by clicking on links leading to a malicious site. Such attacks tend to target enterprise networks, which have far more CPUs and resources on offer to the attacker. As with their less sophisticated cousins, however, they can be detected by monitoring CPU usage. For these more sophisticated strains, there are methods to help remove them if your system has been infected. There are excellent third-party applications designed for the detection and removal of Crypto Miners such as Combo Cleaner.
Crypto Miners not the only Malware infecting Macs
While much of the above article addresses the understanding and detection of Crypto Miners, it is not only these strains of malware that can infect a Mac. While miners are predicted to be the dominant malware trend of this year, that nefarious title was held by ransomware for the previous year. Ransomware can be defined as a malicious program that seeks to encrypt data so that users cannot access their files. Once files are encrypted, a ransom note is delivered, instructing how payment must be made to decrypt the data. The data is effectively taken from victims until they pay a ransom. Payment is often required in Bitcoin or other cryptocurrencies of cyber criminals' choice. A recent strain of ransomware seen to infect Macs was discovered in 2017. Called McRansom (not an original name), it was by no means the most sophisticated of ransomware. It could only encrypt a maximum of 128 files. The danger it posed was due to how poorly it was designed. In encrypting the files, it also 'mangled' them, so when the victim paid a 700 USD ransom, there was still no guarantee that the files could be accessed. Another variant called KeRanger was discovered in 2016. It affected some 7,000 Mac users and was distributed via a compromised Transmission installer.
Adware is another type of very prevalent malware that can infect Macs. This is software designed to display advertisements, usually within a web browser. It can do this by either disguising itself as legitimate, or piggybacks on another program in order to be installed. Once the system is infected, the adware changes the way the browser behaves by injecting ads into web pages, causing pop-up windows or tabs to open, and changing the homepage or search engine settings. This is done to funnel advertising dollars away from companies who pay for online ads, and into their own accounts. This is incredibly frustrating for the victims. To this extent, Mac users are advised to make sure browser pop-up blockers are activated to help prevent further infections.
It would be great if Macs were invulnerable to all types of malware infection. Unfortunately, they are not. It is vital that users educate themselves as to the threats they face - this greatly helps prevent your day been spoiled by a cyber criminal. Unfortunately, some are incredibly cunning and you might not be able to detect that you have a problem until it is too late. Programs such as Combo Cleaner are an extra measure of defense recommended for Mac users. The company specializes in the detection and removal of malware that targets Mac OS. They also have a dedicated team of researchers who work continually to detect future threats before they become your problem.