Macintosh Malware Guide
Important note: Multiple pieces of malware now exist in the wild that take advantage of Java vulnerabilities to install themselves as "drive-by downloads," with no user interaction required. All users of Mac OS X 10.6 and 10.7 should use Software Update to install any available Java updates; if Software Update offers none, your Java is already current. Unfortunately, users of older systems cannot obtain those Java updates, and are strongly advised to turn off Java in their web browsers immediately!
Table of Contents
- Introduction to Macs and Malware
- Classes of Malware
- Mac Malware
- Mac OS X intercepts some malware
- Do I need anti-virus software?
- How to ensure an intelligent defense
- Other Resources
- Do I have a virus?
Introduction to Macs and Malware
Before I begin, I feel compelled to inform you that I am not a security professional, employed by a security company. So what qualifies me to comment on this topic? In my years of using a Mac - since 1984 - I have seen much. I have not only used a Mac nearly every day during that time, I have also worked in Mac support several times. I have also done a fair bit of software and web development on the Mac. And I have researched this particular topic extensively, and have even experimented with some Mac malware personally. So, while I may not have the same level of experience as a professional in this field, I do have a wealth of knowledge gathered from years of experience. If you have questions or comments, I welcome your feedback.
Classes of Malware
It is very important to understand that there are, by my definition, two different kinds of malware. One is the virus: malware that is capable of infecting a machine without user interaction. Some people further divide such malware, referring to viruses (programs that must attach to other programs) and worms (programs that spread without needing to attach to other programs). I personally do not find this distinction particularly useful, and will refer to both of these as viruses. Viruses always rely on some vulnerability in the system, as all systems strive to prevent untrusted code from running by itself.
The second kind of malware is called the trojan horse (or just "trojan", for short). This malware is named after the famous wooden horse, filled with soldiers, that the Greeks tricked the Trojans into bringing into their city. Like the Trojan horse of legend, this class of malware relies on tricking the user into downloading, installing and running it. A trojan is only dangerous if it can trick you.
Viruses are, in my eyes, by far the more dangerous kind of malware. They often rely on security holes in the system that can allow the virus to sneak in without your knowledge. A trojan, on the other hand, relies on the user intentionally running it, and thus will not easily make its way onto a careful user's machine.
Mac Malware
Almost all of the malware that affects Macs lies firmly in the trojan category. There are a variety of "social exploits" (ie, ways to trick a human) that malware uses to get itself installed, but in the end, a wary user will probably not fall for them. Especially if you review my Macintosh Malware Catalog page, which lists all Mac malware that I am aware of.
For the most part, there's very little to be concerned about. Most are rare (some very rare, some extraordinarily so), and roughly half either never were a threat or no longer are. Almost all of the ones that are real threats can be handled by the anti-malware features built into Mac OS X starting with 10.5 (Leopard).
You may see much lengthier lists of malware on the sites of some anti-virus software vendors. In my experience, much of what appears on these lists is ancient... worrying about those things is like losing sleep for fear of dinosaur attacks. There were many more Mac viruses in the days before Mac OS X (though nowhere near the current number of Windows viruses), but none of those viruses can in any way affect a modern Mac.
Unfortunately, developments in early 2012 changed things, with the introduction of the first malware that behaves like a virus: Flashback. Although Flashback began as a trojan that could be easily avoided, in February 2012 it changed to take advantage of a number of Java vulnerabilities. A vulnerable Mac can become infected with Flashback simply by visiting the wrong web site, with no user interaction required.
It is strongly recommended that you disable Java (not JavaScript, which is different) in your web browser. Doing so will protect you entirely from this malware, and you will only have to worry about the trojans. If you cannot disable Java for some reason, I recommend that you keep Java turned on only when you need it, and turn it off when you don't. Having Java turned on during web surfing has become a serious security risk.
Mac OS X intercepts some malware
File quarantine is a feature of Mac OS X introduced in Leopard. It is explained very well in Apple Support article HT3662, but here's the gist of it: when you download a potentially dangerous file using a quarantine-aware application (such as Safari or Mail), that file will be "quarantined." When you try to open it, the OS will warn you and ask if you really want to open it. Obviously, if you see this warning when trying to open something you didn't think was an application - for example, if you thought the file was a song in MP3 format or a picture in JPEG format - you probably shouldn't open it.
In Snow Leopard, quarantine was expanded to also check for trojans. Quarantine now uses a technology Apple has quietly named XProtect to scan downloads for known malware. The list of recognized trojans has been expanded several times from the original two (RSPlug and iServices) included in 10.6.0, and as of Security Update 2011-003, new malware definitions are downloaded daily. If you try to open a quarantined file that is actually a trojan, you will get a very different and scarier warning that tells you the application is malware.
Any of Apple's applications that allow you to download support quarantine. Results are more mixed with third-party applications: some support quarantine and some do not. This matters most with peer-to-peer file sharing programs, which are one of the biggest vectors for malware, so I strongly advise testing whether the program you use supports quarantine. Download an application from a trusted source, and if you can open it without a quarantine warning, you know that the program that downloaded it does not support quarantine. Anything it downloads will skip both the warning and the XProtect scan, which is exactly the gap a trojan needs to sneak onto your system.
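The quarantine test above can also be done from the Terminal, because quarantine-aware downloaders record the quarantine state as an extended attribute named com.apple.quarantine on the file. The script below is an added example, not part of the original guide. It assumes the xattr tool is present on the Mac being checked and that the attribute value is semicolon-separated (hex flags, hex download time, downloading application, then an identifier field whose exact form varies by OS version). The SAMPLE value is constructed in that shape, not captured from a real Mac; the check_download function reads a real file when given one.

```shell
#!/bin/sh
# Added example, not part of the original guide: inspect the
# com.apple.quarantine extended attribute that quarantine-aware
# downloaders (Safari, Mail, ...) stamp on files. If a downloaded file
# lacks it, the application that fetched it does not support quarantine,
# so the warning and the XProtect scan never run for that file.
#
# Assumptions: xattr(1) is available on the Mac being inspected, and the
# attribute value is semicolon-separated: hex flags, hex download time
# (seconds since 1970), downloading application, and a final identifier
# whose exact form varies by OS version. SAMPLE is constructed, not real.

# Split a quarantine attribute value into its fields and print them as
# "flags=<hex> downloaded=<epoch seconds> agent=<app> id=<identifier>".
parse_quarantine() {
    value="$1"
    flags=$(printf '%s' "$value" | cut -d';' -f1)
    when_hex=$(printf '%s' "$value" | cut -d';' -f2)
    agent=$(printf '%s' "$value" | cut -d';' -f3)
    ident=$(printf '%s' "$value" | cut -d';' -f4)
    # The download time is hexadecimal; shell arithmetic accepts a 0x prefix.
    when=$((0x$when_hex))
    printf 'flags=%s downloaded=%s agent=%s id=%s\n' "$flags" "$when" "$agent" "$ident"
}

# Print only the name of the application that downloaded the file.
quarantine_agent() {
    printf '%s\n' "$1" | cut -d';' -f3
}

# Inspect a real file. Exit status: 0 quarantined, 1 not quarantined
# (the downloader bypassed quarantine), 2 cannot tell (no xattr tool).
check_download() {
    file="$1"
    if ! command -v xattr >/dev/null 2>&1; then
        echo "xattr not found; run this on the Mac itself" >&2
        return 2
    fi
    if value=$(xattr -p com.apple.quarantine "$file" 2>/dev/null); then
        echo "$file is quarantined: $(parse_quarantine "$value")"
        return 0
    fi
    echo "$file has no quarantine attribute: whatever downloaded it bypassed quarantine" >&2
    return 1
}

# Constructed sample value; its hex time decodes to 14 April 2012.
SAMPLE='0081;4f890a1b;Safari;5E8F4A2C-1B2D-4C3E-9F0A-123456789ABC'

if [ -n "${1:-}" ]; then
    check_download "$1"
else
    parse_quarantine "$SAMPLE"
fi
```

Run it as `sh check_quarantine.sh ~/Downloads/SomeApp.dmg` right after downloading with the program you want to test: a "no quarantine attribute" result means that program hands files straight past quarantine and XProtect, and the agent name in a positive result tells you which application actually did the downloading.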
There are many web sites that will tell you how to turn these "annoying" warnings off. I strongly recommend that you do no such thing, as this can also give malware a way to sneak onto your system. Although this system has its flaws - recent variants of known trojans have proven able to slip past quarantine for a day or so, until Apple issues an update for their malware definitions - it is nonetheless an important security feature.
The list of definitions can be found, by those interested in such things, at the following path on a Mac OS X 10.6 or 10.7 system:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
If you choose Go -> Go To Folder in the Finder and paste that path into the window, the Finder will take you straight there. Otherwise, getting inside CoreTypes.bundle (which the Finder shows as a single "file") can be a stumper for those who don't know the trick: right-click (or Control-click) the bundle and choose Show Package Contents.
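For those who would rather read the definitions from the Terminal, the following is an added example and not part of the original guide. It assumes XProtect.plist is stored as an XML property list (as it was on 10.6 and 10.7 systems) in which each entry carries a Description key naming the malware; the entries also carry match rules, which this script ignores. The embedded sample plist is constructed with placeholder names for the two original definitions mentioned above and is not a copy of Apple's file; on a real Mac the script reads the real file instead.

```shell
#!/bin/sh
# Added example, not part of the original guide: list the malware names in
# the XProtect definitions file. Assumes an XML plist where every entry has
# a <key>Description</key> followed by a <string> holding the name. The
# sample below is constructed with placeholder names, not Apple's data.

XPROTECT_PLIST=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

# Print the string that follows each <key>Description</key> in an XML
# plist. Reads the file named as $1, or standard input when no name is given.
xprotect_names() {
    awk '
        /<key>Description<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
            print; want = 0
        }
    ' "$@"
}

# Constructed sample in the shape of XProtect.plist (names are placeholders).
sample_xprotect_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
    <dict>
        <key>Description</key>
        <string>OSX.RSPlug.A</string>
        <key>LaunchServices</key>
        <dict>
            <key>LSItemContentType</key>
            <string>com.apple.installer-package-archive</string>
        </dict>
    </dict>
    <dict>
        <key>Description</key>
        <string>OSX.iServices.A</string>
    </dict>
</array>
</plist>
EOF
}

# Report on the real definitions when run on a Mac, otherwise on the sample.
xprotect_report() {
    if [ -r "$XPROTECT_PLIST" ]; then
        echo "Definitions in $XPROTECT_PLIST (modification time per ls -l):"
        ls -l "$XPROTECT_PLIST"
        xprotect_names "$XPROTECT_PLIST"
    else
        echo "XProtect.plist not found here; parsing the constructed sample instead:"
        sample_xprotect_plist | xprotect_names
    fi
}

xprotect_report
```

The modification time printed by ls -l is a quick way to see whether the daily definition updates mentioned above are actually arriving on your machine; a file that has not changed in weeks deserves a look at the Software Update settings. The file is plain XML, so it can also simply be opened in a text editor.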
Do I need anti-virus software?
There is no simple yes or no answer to this question. The answer will depend on many factors, the biggest of which is your own opinions on security. However, I do have some recommendations. Before we get to those, we need to examine some basic facts about anti-virus (AV) software.
Perhaps the biggest fact that often gets swept under the rug is that no AV software catches 100% of all viruses. Recent studies have shown that AV software recognizes at best 90% of all malware.
As an example, I have two variants of the Flashback trojan in my collection, one discovered on September 28, 2011 and one on October 8, 2011. At the time of this writing (Jan. 29, 2012), those trojans are only recognized by 36% and 51% of all AV engines that VirusTotal can scan with. If you are relying on AV software to protect yourself against this malware, you may be completely vulnerable.
Another important thing to know is that no AV software is capable of intercepting a brand-new virus. When a new virus appears, that virus must become widespread enough to be noticed by the companies publishing AV software. Then they must find a copy of the virus, examine it and add it to the list of virus definitions used by their software. And, of course, none of that does you any good until you actually download the update, which doesn't happen immediately. This means that, even if a particular AV program worked with 100% efficiency, it still would be completely useless for a period of time after the introduction of a new virus. In the case of the MacDefender outbreak, frequent name changes and minor tweaks to the "packaging" kept the MacDefender trojan variants one step ahead of all anti-virus software, for a day at a time here and there.
Trojans also make extensive use of what is called "social engineering". Much like phishing scams and other online fraud, they are often carefully designed to use fear, greed, lust and other emotions to fool you into doing what they want. The MacDefender trojans are a perfect example: a malicious JavaScript injected into a legitimate site redirects you to a page that tries to fool you into thinking viruses have been detected on your machine, and from there fools you into downloading and installing "anti-virus software". In reality, that software is a trojan that will do its best to make you think you've got real viruses (even faking some symptoms), all while pestering you to buy the software to remove them. If you "buy" the software, you have given the criminals your credit card number.
Because of all this, blind usage of AV software can often make one more susceptible to infection by the right malware. If you become complacent, assuming that your AV software will protect you, it is unlikely that you will be as cautious as you should be, and something will eventually slip past your AV software. This is not just a theoretical concern, it has been documented to actually happen. I have personally seen reports from people with AV software who nonetheless got infected with a MacDefender trojan.
This doesn't mean that AV software is worthless, but it does mean that you can't just install it and then do whatever you like in perfect safety, as most people believe. As security experts say, the biggest flaw in a computer's security is between the keyboard and the chair. It is extremely important to be careful and think carefully about what is downloaded. AV software should be thought of more like a safety net to catch anything that slips past an "intelligent defense." (More about this shortly.)
It's pretty much a no-brainer that a Windows machine should have AV software installed. But what about a Mac? Personally, I don't regularly use AV software on any of my Macs. I don't feel at all threatened, and feel that I am able to avoid any malware that currently exists. Even though I have personally encountered MacDefender in the wild a number of times, I am infection-free because I was not fooled! And to protect against malware like Flashback, I don't even have Java installed at all at this point.
However, there are some cases where AV software may be needed right now. For example:
- If you need to keep Java turned on in your web browser, AV software may be a good idea to avoid malware taking advantage of Java vulnerabilities
- If you are using a Mac in a corporate environment where AV software is required on every machine
- If you frequently trade files with Windows users and don't want to be accused of passing on a virus
- If you want the peace of mind and don't mind installing software that may be obtrusive
- If you can't be bothered to give any thought to what you download, though this is a very dangerous attitude on today's internet
- If you are not at all tech savvy and have trouble accurately determining what is trustworthy and what is not
- If there is a major change in the malware affecting Mac users, and something appears that requires no user interaction at all to become infected
In any of these cases, do some research before installing AV software and be sure to choose a program that is not reviled by other Mac users. Some of the commercial AV packages are renowned for their ability to bring a healthy Mac to its knees. Sophos Anti-Virus for Mac Home Edition is a free and excellent tool to use, and should not cause any problems.
How to ensure an intelligent defense
What exactly is the "intelligent defense" I mentioned previously? Obviously, it means that you have to be cautious about what you download, but what does that mean? How do you know whether you can trust something or not?
The biggest part of an intelligent defense is skepticism. In particular, don't open any application from an unknown source. Okay, I hear you, you're not sure what the difference is between a known and unknown source. The following are examples of an unknown, and possibly untrustworthy, source:
- Anything from a web site claiming you have viruses - remember, a web site cannot scan your machine for malware!
- E-mail attachments from someone you don't know
- E-mail attachments from someone you know, but who you also know has absolutely no judgement about what they would open
- Web sites visited by clicking a link in an e-mail from someone you don't know
- Anything on most peer-to-peer file sharing networks
- Anything sent to you via a chat app like iChat from someone you don't know
- Anything sent via iChat that you weren't expecting from someone who is either not responding to chat messages or doesn't know anything about it
- Anything from a web site with no name (ie, something like http://123.456.78.90)
So, how does this compare to things that you can trust? Here are a few examples of trustworthy sources:
- E-mail or iChat attachments you were expecting or from someone whose judgement you trust.
- Downloads from a reputable web site
- A few peer-to-peer sharing apps have protection in place to ensure the file you are downloading is the same as a master file from a trusted source
The trickiest part of the trusted list is figuring out if a web site is reputable. Remember that a web site's domain name (ie, www.somesite.com) must be registered with a name, address and phone number, making it traceable to someone. A web site without a name, where the address is a string of four numbers, does not have a domain name to make it so easily traceable. Of course, there's nothing to say that a domain name couldn't be registered with false information, so if you aren't sure about the site, try looking for the software in the App Store (found in the Applications folder in Mac OS X 10.6.6 or later) or asking on the Apple Support Communities site. You could also try searching on Google or Yahoo to see if you can find reliable references to the program by some other third party. It would also be a good idea to download a Web of Trust plug-in for your web browser to help identify shady web sites.
When it comes to peer-to-peer file sharing programs, many people use them as a fast way to download legitimate software. However, you ultimately don't know who you're downloading it from. Peer-to-peer networks are one of the biggest sources of illegal software, music and movies on the internet, and as such are also one of the biggest sources of malware. It's easy to be anonymous on a peer-to-peer network, and anonymity is important when doing something illegal, like distributing malware.
I also recommend keeping the download folder used by your web browser empty. When you download something, don't leave it in the download folder indefinitely. If you wish to keep the item, move it to some other location; if you don't, put it straight in the trash. This also helps you catch "sneak" downloads, where a script on a web page downloads something onto your machine without your requesting it: a rogue download stands out in an empty download folder but not in a crowded one, so you are less likely to stumble on it later and open it, wondering what it is.
It is also a good idea to keep Java turned off in your web browser unless you specifically need it. JavaScript could be turned off as well, but this will cripple many sites and won't give you that much real security. Flash is another issue, as there are always Flash-based exploits going around. For this reason - well, and also because I just hate Flash - I always recommend installing ClickToFlash to block unwanted Flash content in your browser. For Safari 5.1, get Marc Hoyois' ClickToFlash extension. For older versions of Safari, use the older ClickToFlash plug-in.
Care should also be taken on open wireless networks (those that do not require passwords to access). You never know who else is on such a network with you. Such a person could send you an unsolicited file via iChat, copy a malicious app into an unsecured public folder if you have file sharing turned on, and any number of other possible exploits. It's also fairly easy for someone with inexpensive hardware and free software to sit on the same network and watch every packet of data going to and from your machine. The guy at the next table in Panera could be reading your e-mail along with you! The possibility of a hacker using information you're transmitting to get access to your machine and install malware while you're eating your panini is only one of many dangers in such a situation. So, be cautious about what you do in such environments. For example, if your e-mail software isn't set to use SSL encryption when it connects, your e-mail username and password travel over the network in the clear, so you'd better make sure they don't match the username and password of an admin account on your Mac!
There are many other security issues that you would be wise to be aware of. Even the issue of what you do on an open wireless network is only very peripherally related to malware; there are much bigger, and more likely, dangers that don't involve malware at all. In the next section, there are a couple of security documents I strongly advise at least skimming through. They are specific to Leopard, but should still be very relevant. With the exception of some security updates and the changes made to quarantine in Snow Leopard, not much has changed since they were written.
Finally, it's very important to maintain a frequently-updated set of backups, just in case you ever do fall victim to malware that erases your hard drive. (See my Mac Backup Guide for more information about backups.)
Other Resources
Here are a few other resources for reading about malware and generally improving security on your Mac:
- "Should Mac Users Run Antivirus Software?", by Rich Mogull
- Corsaire Whitepaper - Securing Mac OS X Leopard 10.5
- Mac OS X Security Configuration For Version 10.5 Leopard Second Edition
Do I have a virus?
This is a question I get all the time since I created this guide. If you think you may have malware of some kind affecting your system, see my FAQ on common Mac malware symptoms.
Written April 2010 by Thomas Reed. Updated April 13, 2012 at 10:10 pm EDT.
