The State of Mac Malware

There’s been a lot of buzz recently about the sudden increase in Mac-specific malware cropping up so far this year. First people raved about the fairly tame and unthreatening BlackHole RAT trojan, then Mac users had to watch out for a slightly more crafty but avoidable MACDefender trojan, and now there’s news of a more advanced malware kit (Weyland-Yutani Bot) that has the ability to steal data entered into Firefox (Safari and Chrome currently unaffected, but expected to follow soon). AppleCare has reportedly been receiving a significant number of calls about the MACDefender trojan, and has issued a support document on how to deal with it.

Clearly some change is in the air, but exactly how does it affect normal Mac users? I for one actively look for Mac-based malware (eg. MACDefender), and have never stumbled across it by accident. Maybe I need to surf on the ‘dark side’ of the web more often. I just wanted to give my take on recent events and the state of Mac malware, and why I don’t think there’s any reason to be too worried just yet.

Recent developments

So what exactly are we seeing out there at the moment? All of the recent Mac malware has been trojans, meaning the the user has to manually launch or install the software – and this is a good thing. In many ways, a trojan is no different than much of the other software running on your computer, its functionality just happens to be something undesirable (usually spying or data theft). A trojan does not exploit any vulnerability of the operating system, instead relying on exploiting the users the use them (and this is part of the good news). In the majority of cases a trojan is disguised as something useful, such as a game, or anti-virus. The fake A/V approach has worked very well, as users are often keen to clean up their computer when they’re told that it’s infected. As I highlighted in my post about BlackHole RAT, it’s trivial for anyone with some coding experience to sit down and write a simple trojan (I could write one right now). The other part of the good news is that in the majority of cases, trojans are not self-replicating. So not only does the user have to manually launch or install the malware, but it will generally not spread from the infected computer.

If you browse intelligently, and don’t arbitrarily click ‘Allow’ to unknown Java applets, or run/install random executables in emails and websites, chances are you won’t have any problems with trojans. Even if you go to a malicious website and the MACDefender installer automatically downloads and launches, you can just quit the installer, delete the downloaded file, and that’s the end of it.

If trojans aren’t worrying, what is?

The real worrying threats to one’s computer security are anything that can compromise your system despite your best efforts. One example of this is a specially-crafted file (eg. image, pdf, etc) that, when opened, exploits a vulnerability in the application that opens it. The most dangerous are files that can be hosted on a compromised or malicious website, and that exploits the user’s computer without them knowing it. These are vulnerability-based malware, and they pose a much greater threat. The next step up is a piece of malware that exploits a vulnerability in an application or the underlying operating system in an automated fashion (a worm). This is what happened with Conficker which took advantage of a Windows vulnerability that could be exploited over the network. Worms are far more devious as they tend to spread in an automated fashion without user interaction. Although it hasn’t really happened just yet, attackers could find an exploit in OSX that could be packaged into a full-blown worm.

I don’t find it surprising that we’re seeing a bit more activity in terms of OSX malware. Malware writers are probably testing the waters as the OSX user base continues to grow at a fairly rapid rate. The main reason I’m not worried is because of the primitive nature of the malware we’ve seen so far. As soon as we begin to see exploit-based malware, and it will undoubtedly happen at some point, maybe this near maybe next, then it will be worth revisiting this subject.

Do Mac users really need anti-virus?

This question is not straightforward as the user is ultimately the determining factor. If we look at today as a point in time, I would say no. The reason I’m not comfortable with just saying no, is because it doesn’t offer less experienced users a very good level of future protection. If you’re an experienced user, browse smart and are careful about the files you open, then you’re probably safe for now (as long as you keep your finger on the pulse). That said, your parents or non-computer savvy friends, whilst safe today, will probably need the additional assurance that anti-virus can provide. Either way it’s always worth considering the potential performance impact (however small) that A/V can have on your system.

Anti-virus software vendors have been partly responsible for hyping up the Mac malware threat in recent weeks. I won’t be rushing out to buy A/V anytime soon, especially considering the number of Mac-specific virus definitions can probably be counted on one (maybe two) hands. If you do want A/V, I recommend starting off with a free solution such as Sophos. Intego’s Mac-centric VirusBarrier offers a good quality paid solution (there’s also a free trial).

Don’t get me wrong, proper Mac malware is on its way – it’s inevitable – but based on recent events I wouldn’t go running for the hills just yet. That is all.