
Mac OS X Malware at All-Time High, Research Shows

Bit9 + Carbon Black analysis finds 5 times more malware in 2015 than prior 5 years combined

WALTHAM, Mass.—Oct. 14, 2015—Mac OS X malware is at an all-time high, according to a new report from the Bit9® + Carbon Black® Threat Research Team.

A 10-week analysis conducted by Bit9 + Carbon Black demonstrated the unprecedented growth in OS X malware. In 2015 alone, the number of OS X malware samples has been five times greater than in 2010, 2011, 2012, 2013 and 2014 combined, the research found.

The Bit9 + Carbon Black Threat Research Team collected more than 1,400 unique OS X malware samples. The samples were aggregated from the team’s independent research efforts, open sources, experience from incident response engagements involving OS X, peer research, black lists, and a contagio malware dump, among other sources.

“Macs have been largely ignored by malware, until recently,” said Mike Sconzo, Bit9 + Carbon Black’s senior threat researcher. “Evidence of a more malicious OS X marketplace is clearly compounding and we confidently expect Mac OS X malware attacks to accelerate in the coming months.”

For its analysis, the Bit9 + Carbon Black Threat Research Team utilized a custom-built sandbox to quickly identify common actions performed by malware, such as file creations and network communications. This enabled the team to look at command-and-control infrastructure as well as artifacts left as part of the malware execution.

As the team tracked the malware, it found some interesting behavior. Most notably:

  • Typical UNIX persistence mechanisms were not frequently seen in the OS X malware analyzed. For example, the team’s analysis found that mechanisms such as adding cron jobs and “trojaning” startup locations such as rc.common weren’t typically used; instead, malware authors are choosing to use Mac OS X-specific mechanisms.
  • Malware authors are seizing the opportunity to strike on the OS X platform, so there is more malware in circulation, but the result of this transition has been “less sophistication” in the malware.
  • The Bit9 + Carbon Black Threat Research Team identified that the vast majority of OS X malware leveraged one of just seven persistence techniques to remain active on a system. The seven methods are outlined in the report.

The report presented several detection mechanisms that both enterprise users and consumers can use to better understand OS X malware and its behavior.

“Assuming their machines were ‘safe’ from malware and cyber attacks, many enterprises and consumers have failed to implement the same safeguards and controls on OS X devices as they have for Windows machines,” Sconzo said. “As threats against OS X have increased, this security gap has left many organizations and consumers exposed and unable to identify or stop infections.”

About Bit9 + Carbon Black
Bit9 + Carbon Black is the market leader in Next-Generation Endpoint Security. We have sold more licenses, have more experience, and more customers than any other NGES company because our solution is the most effective way to prevent, detect and respond to advanced threats that target users, servers, and fixed-function devices. That’s why more than 60 MSSP and IR leaders, including Dell SecureWorks, EY, Optiv and Solutionary, have chosen our technology as a key component of their security offerings, and 25 of the Fortune 100 rely on us as a critical element of their advanced threat defense and compliance strategies. By the end of 2015, we expect to achieve $70M+ in annual revenue, 70 percent growth, 7 million+ software licenses sold, and almost 2,000 customers worldwide. We were voted Best Endpoint Protection by security professionals in the SANS Institute’s Best of 2014 Awards, and a 2015 SANS survey found that 68 percent of IR professionals are using or evaluating Carbon Black.

Bit9 and Carbon Black are registered trademarks of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.