Reed Corner Design

Macintosh Malware Catalog

<- Back to Mac Malware Guide

Below is a list of the Mac trojans that I know of. If I have left anything off this list, please let me know. Due to the extreme rarity of Mac malware, it's often difficult to find good information about it; very few people have ever actually seen any of it.

Each entry below gives the threat level, the malware name, and the date it appeared / the date its description was last modified.
None
Word macro viruses
Appeared 1990s / Description modified November 22, 2011

These viruses date from long before Mac OS X and could infect both Macs and Windows PCs through Microsoft Office. They were written in Visual Basic for Applications (VBA), the macro language that lets automated tasks run when a Word, Excel or PowerPoint file is opened. They were once the most prevalent and dangerous of all Mac viruses, and even played a significant role in the retirement of Disinfectant in the pre-X days. However, Office 2004 warns by default when opening a file that contains macros, and VBA was removed entirely from Office 2008. Note that Office 2011 brought VBA back, so on that version the macro warning is worth heeding again.

None
MW2004
Appeared early 2004 / Description modified November 22, 2011

First seen in early 2004, this AppleScript trojan pretended to be an installer for Microsoft Word 2004 but actually did its best to delete the user's home folder. In my opinion, anyone stupid enough to try to download pirated software got what they deserved with this one. It is extremely unlikely anyone will encounter this malware now.

None
Renepo, aka Opener
Appeared late 2004 / Description modified November 22, 2011

This trojan is a shell script that must be run intentionally by someone with administrator (root) privileges. Once installed, it opened several backdoors to give an attacker access to your machine. If this malware can still be found anywhere, the people behind it are almost certainly no longer active (or have moved on to other things), so there is nobody waiting to come in the back door.

None
Exploit.OSX.Safari, aka OSX.Exploit.Metadata
Appeared 2006 / Description modified November 22, 2011

This malware relied on a vulnerability in Safari's handling of "safe" downloads (a shell script could be disguised as a harmless file and run automatically), which Apple closed with Security Update 2006-001 in March 2006, almost as soon as it was discovered.

None
Leap, aka Oompa Loompa
Appeared early 2006 / Description modified November 22, 2011

This trojan pretends to be a picture but is actually an application. Although it is a trojan, once launched it tries to send itself to your iChat buddies like a worm, and it also infects other applications on the machine. It is extremely unlikely anyone will encounter this malware in the wild at this point. In addition, if you did, File Quarantine (Mac OS X 10.5 and later) would warn you that you are opening an application, not a document.

None
Inqtana
Appeared early 2006 / Description modified November 22, 2011

A proof-of-concept worm that spread over Bluetooth using a directory-traversal vulnerability in Mac OS X's Bluetooth file exchange. It was dead before it was ever seen in the wild, because Apple had already patched that vulnerability.

None
OSX.Exploit.Launchd
Appeared mid-2006 / Description modified November 22, 2011

A proof-of-concept exploit for a bug in launchd, never actually seen in the wild, that would give a local attacker root access to your computer... unless you're running Mac OS X 10.4.7 or later, which no longer has the vulnerability it relied on.

None
Macarena
Appeared late 2006 / Description modified November 22, 2011

Macarena was a proof-of-concept virus that infected other Mach-O executables. It was distributed as source code with instructions on compiling it, meaning that the user would have to compile and run it with full knowledge of what they were doing to become infected. It did not actually do anything other than copy itself into other programs, as a demonstration that such things were possible on a Mac. It was never seen as an actual virus in the wild.

Low
RSPlug
Appeared late 2007 / Description modified November 22, 2011

This trojan was downloaded by people who visited adult websites and were told they needed a "video codec" to view the videos. The "plugin" that was installed was actually a trojan horse. More recently, RSPlug has been seen masquerading as more innocent things, including a free game, and thus may be easier to fall for now than it was initially. RSPlug changes the DNS server settings (and installs a script that runs periodically to make sure they stay changed). Infected machines send their DNS lookups to a malicious server, which redirects requests for certain banking sites, eBay, etc. to phishing servers in an attempt to steal account passwords that can be used to make money. If you suspect an infection, compare the DNS servers shown in the Network pane of System Preferences with the ones your router or ISP should be providing. This trojan is protected against by the quarantine (XProtect) definitions in Mac OS X 10.6 or later.

None
AsTHT
Appeared mid-2008 / Description modified November 22, 2011

This was an AppleScript that used a vulnerability in ARDAgent (a component of Apple Remote Desktop that ran with root privileges) to gain root access without a password and open the computer to remote control. This vulnerability was closed soon thereafter by Security Update 2008-005.

None
PokerStealer
Appeared mid-2008 / Description modified November 22, 2011

Pretending to be a poker game, this trojan asks for your password using a non-standard dialog. (The standard Mac OS X account password prompt is the only one you should ever give your account password to!) It then used that password to give an attacker remote access to your Mac. As it apparently took advantage of the same ARDAgent vulnerability as AsTHT, which has been fixed, it is no longer a threat.

None
Lamzev
Appeared late 2008 / Description modified November 22, 2011

This is not actually malware but a hacker tool that can be used to plant a backdoor in a system, giving an attacker access. The catch: the attacker must already have access to the system in order to use this tool to create the backdoor. If an attacker has physical access to your machine, you have bigger problems, and it's very unlikely that Lamzev would be the current tool of choice anyway.

Low
iServices
Appeared early 2009 / Description modified November 22, 2011

Perhaps the most common of all Mac malware, this trojan masquerades as pirated software (initially iWork, as the name suggests, but later variants pretended to be other programs, such as Adobe Photoshop CS4), typically distributed over peer-to-peer file-sharing networks. Infected machines become part of a botnet (a group of hijacked computers) that is used to attack web sites. This trojan is protected against by the quarantine (XProtect) definitions in Mac OS X 10.6 or later.

None
Tored
Appeared mid-2009 / Description modified November 22, 2011

A worm that tries to spread itself by e-mail. However, it was so poorly written and riddled with bugs that it does not actually do what it was meant to do. It is not considered a threat; security experts called it "lame."

Very low
HellRTS, aka Pinhead
Appeared late April 2010 / Description modified November 22, 2011

This trojan was quietly added to the Mac OS X quarantine definitions in Apple's mid-June 2010 release of Mac OS X 10.6.4. It was apparently first seen in the wild in late April as a fake iPhoto installer, though Sophos reported at the time that none of its customers had encountered it (as far as they knew). Very little information about this trojan can be found other than what is available from the various Mac anti-virus firms, and that information tends to vary from mildly to seriously biased. In any case, as long as you're not dumb enough to try to download an illegal copy of iPhoto, you're safe whether you've upgraded to 10.6.4 or not.

None
OpinionSpy, aka Premier Opinion
Appeared June 1, 2010 / Description modified November 22, 2011

OpinionSpy, also called Premier Opinion, was announced as spyware by Intego on June 1, 2010. According to Intego, it is distributed with a number of screensavers (all sold by one company, 7art) and one video converter. The full list can be seen here. However, it is poor spyware indeed that warns you that it is installing, tells you it's going to collect your personal information, and then requires you to agree to install it. On March 21, 2011, Apple added it to the Mac OS X quarantine definitions.

Moderate
Koobface, aka Boonana
Appeared October 2010 / Description modified November 22, 2011

Koobface, a malicious Java applet commonly encountered on social networking sites like Facebook and Twitter, has been around in the Windows world since 2009. Unfortunately, as of October 2010, it has also made its entry into the Mac world. It appears in the browser as a request to view a video, often with the question "Is this you in this video?" Initial reports from Intego indicated that this malware was too buggy to work, but subsequent reports from other security companies reveal that fully functional versions are being encountered in the wild. Worse, this trojan does not require an admin password to install. Although you do have to click the Allow button in an alert that tells you the applet is trying to access your computer, users who are not tech-savvy may assume that it's okay to do so. I highly recommend that you turn off Java (not JavaScript, which is different) if you are afraid you might agree to something you shouldn't. (In Safari, this is the Enable Java checkbox in the Security pane of its preferences.)

None
BlackHole RAT
Appeared February 2011 / Description modified November 22, 2011

BlackHole RAT (Remote Administration Tool) is a trojan wannabe for the Mac. It was released in "beta" (meaning it's not finished) and as such has not been seen in the wild. Its capabilities are limited, though still certainly dangerous, as spelled out in a Sophos blog post. As it stands now, though, this trojan has never been wrapped up in an appealing package to trick people into installing it, so it's extremely unlikely most people will ever see it.

Low
MacDefender, aka MacSecurity, aka MacProtector, aka MacGuard, aka MacShield
Appeared April 30, 2011 / Description modified November 22, 2011

MacDefender is a trojan for Macs that is downloaded from fake anti-virus web sites claiming to have detected viruses on your Mac. These sites are reached via malicious JavaScript injected into legitimate web sites, which redirects you to the fake "anti-virus" site (often called something like Apple Security Center). Clicking a button on the malicious site downloads an installer. On machines where Safari's Open "safe" files after downloading option is turned on, the installer launches automatically, but it still requires user action to proceed with the installation. Users of Safari are advised to turn this option off immediately. (It is found at the bottom of the General pane of Safari's preferences; from Terminal, `defaults read com.apple.Safari AutoOpenSafeDownloads` shows the current setting, and a value of 1 means it is on.) Once installed, this trojan begins opening porn sites in Safari every few minutes, "proving" that there's a virus and fooling people into paying for the software to "remove" it. For detailed accounts of this trojan, see the coverage of MacDefender on Reed Corner Design's Tech News. Numerous variants of MacDefender are currently recognized by XProtect.

Addendum (9/26/2011): Since the people behind the credit card processing were caught and put in a Russian prison, there have been no more reports of MacDefender infections to my knowledge. For this reason, I'm downgrading the threat level to Low.

Very low
BASH/QHost.WB
Appeared August 1, 2011 / Description modified November 22, 2011

This trojan, announced by F-Secure on August 1, 2011, masquerades as a Flash Player installer. The program does not actually install Flash; instead it modifies the /etc/hosts file, which the system consults before asking a DNS server, so entries there override normal lookups. A number of Google domains are added to that file, all mapped to a single malicious IP address. Even at the time of discovery, the site at that address was reachable but apparently unfinished, as it did nothing more than display fake Google search results with broken links. By now, the IP address is no longer functional. Although this poses no threat at this time, a new variant could appear with a new IP address pointing to a fully working malicious web site. Apple has added this trojan to their XProtect definitions.
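Both RSPlug (above), which swaps out the DNS servers, and BASH/QHost.WB, which edits /etc/hosts, can be checked for with a short script. What follows is an added example, not code from this page or from any of the vendors mentioned: the watched-domain list, the sample hosts file and the address in it (198.51.100.7, a documentation range) are constructed for illustration, and the live portion at the end only runs on a Mac.

```shell
#!/bin/sh
# Added example (not from the original page): looks for the two kinds of
# name-resolution tampering described above, a replaced DNS resolver
# (RSPlug) and /etc/hosts entries hijacking well-known domains (QHost.WB).
# WATCH_DOMAINS and the sample data below are constructed for illustration.

WATCH_DOMAINS="google.com www.google.com ebay.com paypal.com"

# hosts_overrides FILE: print "domain -> address" for each entry in FILE that
# names a watched domain. A normal /etc/hosts never mentions these domains,
# so any hit is tampering, whatever address it points at.
hosts_overrides() {
    awk -v watch="$WATCH_DOMAINS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1 }
        { sub(/#.*/, "") }                 # drop comments, then re-split fields
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i in watched) print $i " -> " $1 }
    ' "$1"
}

# unexpected_resolvers EXPECTED ACTUAL: print each resolver in ACTUAL that is
# not in EXPECTED. Both are whitespace-separated lists; on a Mac, ACTUAL is
# what `networksetup -getdnsservers <service>` prints and EXPECTED is what the
# router or ISP is supposed to hand out.
unexpected_resolvers() {
    for s in $2; do
        known=0
        for e in $1; do
            if [ "$s" = "$e" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then printf '%s\n' "$s"; fi
    done
}

# count_lines TEXT: number of lines in TEXT (0 for an empty string).
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# write_sample_hosts: create a constructed hosts file of the kind QHost.WB
# leaves behind (198.51.100.7 is a documentation address, not the real one)
# and print its path.
write_sample_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
198.51.100.7    google.com www.google.com   # added by the trojan
EOF
    printf '%s\n' "$f"
}

# Live check, only on a Mac, so the script still runs elsewhere.
if [ "$(uname)" = "Darwin" ] && command -v networksetup >/dev/null 2>&1; then
    echo "== /etc/hosts entries for watched domains =="
    hosts_overrides /etc/hosts
    echo "== DNS servers per network service (compare with your router's) =="
    networksetup -listallnetworkservices | sed '1d; s/^\*//' | while IFS= read -r svc; do
        printf '%s: ' "$svc"
        networksetup -getdnsservers "$svc" || true
    done
fi
```

Run it with `sh` on the Mac in question; an empty first section and resolvers that match what your router advertises are the expected clean result. The hosts check deliberately flags any mention of a watched domain, including one pointed at 127.0.0.1, because a stock /etc/hosts contains only loopback and broadcast entries.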

Very Low
Trojan-Dropper:OSX/Revir.A + Backdoor:OSX/Imuler.A
Appeared September 23, 2011 / Description modified November 22, 2011

Discovered by F-Secure on September 23, 2011, this two-part trojan pretends to be a PDF file. When opened, Revir.A, which is an application and not really a PDF, displays a PDF to keep the user from catching on while installing the second part, Imuler.A, in the background. That process remains running on your Mac and provides backdoor access through a malicious server it attempts to contact. At this time, however, that server does nothing, so there is currently little risk from this trojan, but that could change at any time. For more information, including removal instructions, see More broken Mac malware.

Low
OSX/flashback.A
Appeared September 26, 2011 / Description modified February 13, 2012

Announced on September 26, 2011 by Intego, this new fake Flash Player installer actually works, unlike BASH/QHost.WB. It disables some network security software, calls home to a malicious server and injects code into other applications. The full implications are still a bit murky, but one thing is sure: if you never click a link to download Flash Player from any site other than Adobe's, you'll never become infected by this variant. For more information, see my blog coverage of the Flashback trojan.

Update (2/13/2012): On 2/10/2012, Intego announced a version of Flashback that can install itself without user assistance by exploiting Java vulnerabilities, falling back to a different social-engineering trick if those fail. Fortunately, those vulnerabilities have already been patched, so just make sure you have run Software Update and applied any Java updates. Also, read Intego's report to make sure you don't fall for the new trick.

Very low
DevilRobber, aka Miner-D
Appeared October 28, 2011 / Description modified November 22, 2011

On October 28, 2011, Intego announced the discovery of a trojan they call DevilRobber. A good description of its actions can be found in Intego's article, and my take on it can be found in my blog post, New DevilRobber trojan. I consider the risk very low, not because this trojan isn't dangerous, but because at this time only people who download pirated software are at risk. Such people deserve what they get and are of no concern to me, but if you have a child or relative who might download stolen software, do not allow them to use an admin account on your computer.

Malware count: 23


This page and all contents (unless otherwise noted) copyright 2011 by Thomas Reed.
For questions or comments, please contact me.