Apple Keeps Malware Info from Antivirus Firms: Researcher

  • MORE

Is Apple keeping crucial information about malware attacks hidden from antivirus firms? One prominent security researcher thinks it might be.

image

Patrick Wardle, about whose discoveries we've written many times on Tom's Guide, last month analyzed a new strain of Mac malware called Windshift. He noticed that Apple had revoked the digital certificate that let the malware install on Macs. That's good.

But when Wardle checked VirusTotal, an online repository of known malware, only two of some 60-odd antivirus malware-detection engines could spot Windshift. None of the malware engines spotted three other Windshift variants.

To Wardle, this could only mean one thing: Apple found malware without telling antivirus companies about it. That's bad, because anyone who was already infected might never have found out. In the antivirus world, you're supposed to share such information ASAP to maintain herd immunity.

"Does this mean Apple isn't sharing valuable malware/threat-intel with AV-community, preventing the creation of widespread AV signatures that can protect end-users?!" Wardle asked in his blog posting. "Yes."

MORE: Best Mac Antivirus Software

Windshift seems to target specific individuals in the Middle East as part of a state-sponsored espionage campaign. It was first disclosed by DarkMatter researcher Taha Karim at the Hack in the Box GSEC conference in Singapore last August.

The malware infects Macs from malicious websites in a multistage process, the last step of which, like most Mac malware, involves fooling the user into letting the malware install.

To make that deception easier, Windshift presents itself as various Microsoft Office for Mac documents, complete with pretty Office icons. The version Karim detailed, and which Wardle initially looked at, pretends to be a compressed PowerPoint presentation called Meeting_Agenda.zip.

On Dec. 20, Wardle searched for that file on VirusTotal and found a match among the millions of samples of suspicious software uploaded to the site. The VirusTotal sample had a "hash," or mathematical summary of its code, by which you can identify the malware.

Wardle ran the hash through VirusTotal's collection of antivirus malware engines and found that only the Kaspersky and ZoneAlarm engines detected it. The rest let it go by, meaning they didn't know about it.

He then searched for hashes that were similar and found three more that presented themselves as zipped Word files. No antivirus engines detected those. (Many more antivirus engines detect them today, thanks to Wardle's blog posting.)

Yet on Dec. 20, Apple had already revoked the digital signature required for the malware to install on Macs using default security settings. In other words, Apple seemed to have known about the malware before the antivirus companies did, but did not appear to have told the antivirus companies.

This might not seem like a big deal to the average computer user, but it is. In order for software makers and antivirus companies to properly defend users against malware, everyone needs to be on the same page. It's standard operating practice for all involved to share information as soon as possible -- and Wardle implied that Apple wasn't playing fair.

The malware-detection issue "highlights that traditional AV struggles with new/APT malware on macOS ... but also Apple's hubris," Wardle told Ars Technica's Dan Goodin. "We've seen them do this before :( It's disheartening, and somebody needs to call them out on it."

Tom's Guide has reached out to Apple for comment, and we will update this story when we receive a response.