iHoneyClient - discovery and analysis of malware for Mac OS X
|Wolfgang Kastner , Christian Platzer
Over the last few years, Apple's operating system OS X has steadily increased its user base. Today, an estimated 7.5\% of all computers worldwide are running OS X. One reason for this advancement is the platform's questionable reputation of being inherently safe.
However, the growing popularity of Apple computers has called criminals to attention. An increasing number of malware families is specifically targeting OS X. While there is a substantial body of research and tools dealing with malware on Windows and, more recently, Android systems, OS X has received little attention from security researchers so far. To amend this shortcoming, I implemented iHoneyClient, a tool to discover and analyze Mac malware. iHoneyClient offers a high-interaction client honeypot based on OS X that simulates an end user browsing the web on an Apple computer. The honeypot is able to examine the threat a website poses to OS X users. In addition, I built a dynamic analysis sandbox based on iHoneyClient. With this sandbox it is possible to execute Mac malware samples in an isolated environment and monitor their behavior.
I used iHoneyClient to evaluate over 6,000 blacklisted URLs to estimate how widespread malware for OS X is today. Furthermore, I used the dynamic analysis environment to analyze 174 malware samples. The combined results give an overview of the current state of OS X malware.
While several advanced malware families for OS X exist, it is highly unlikely to become infected by simply browsing the web.