Does Apple withhold crucial information about malware attacks from antivirus companies? According to a prominent security researcher, it may well be doing so.
Patrick Wardle, whose discoveries we have written about extensively at Tom’s Guide, last month analyzed a new strain of Mac malware called Windshift. Apple had already revoked the digital certificate that allowed the malware to install on Macs. So far, so good.
However, when Wardle checked VirusTotal, an online database of known malware, only two of some sixty antivirus malware-detection engines were able to detect Windshift. None of the malware engines detected three additional variants of Windshift.
To Wardle, this could mean only one thing: Apple had discovered the malware without informing the antivirus companies. That is unfortunate, because anyone who was already infected might never have found out. In the antivirus world, such information is supposed to be shared immediately so that everyone benefits from a kind of herd immunity.
“Does this imply that Apple is not sharing valuable malware/threat information with the AV community, thereby preventing the creation of widespread AV signatures that can protect end-users?” Wardle asked in his blog post. “Yes.”
Windshift appears to target specific individuals in the Middle East as part of a state-sponsored espionage campaign. DarkMatter researcher Taha Karim first disclosed it at the Hack in the Box GSEC conference in Singapore last August.
The malware infects Macs via malicious websites in a multistage process, with the final step, as with most Mac malware, consisting of tricking the user into allowing the malware to install.
Windshift presents itself as various Microsoft Office for Mac documents, complete with pretty Office icons, to facilitate this deception. The version described by Karim and initially examined by Wardle pretends to be a PowerPoint presentation named Meeting Agenda.zip.
Wardle searched for the file on VirusTotal on December 20 and found a match among the millions of malicious-software samples uploaded to the site. A sample’s “hash,” a mathematical fingerprint of its code, is what identifies a particular piece of malware, so a matching hash means the same file has been seen before.
When Wardle ran that hash through VirusTotal’s collection of antivirus engines, only the Kaspersky and ZoneAlarm engines flagged it. The rest did not, meaning they did not recognize it.
He then searched for related hashes and found three more samples that posed as compressed Word files. No antivirus engine detected any of them. (Many more engines now detect them, as a result of Wardle’s blog post.)
Yet by December 20, Apple had already revoked the digital signature the malware needs in order to install on a Mac with default security settings. In other words, Apple appeared to have known about the malware before the antivirus companies did, but did not appear to have told them.
This may not seem significant to the average computer user, but it is. Software developers and antivirus companies must be on the same page to effectively protect users from malware. Standard operating procedure dictates that all parties share information as quickly as possible, and Wardle implied that Apple wasn’t playing fair.
The detection gap “highlights that traditional antivirus software struggles with new/APT malware on macOS, as well as Apple’s arrogance,” Wardle told Dan Goodin of Ars Technica. “They have done this before :( It is disheartening, and someone needs to confront them about it.”