It looks, on one hand, as it Apple are now alive to the danger that malicious code represents to their users. Reports from beta testers indicate that in the newest version of MacOS Snow Leopard, due for release tomorrow, Apple have included anti-malware technology (although someone needs to tell their marketing department who as previously blogged, are still touting Mac OS as being unaffected by malware new ad called “Surprise“).
In the new version of MacOS, when a user downloads a file that is detected as containing malicious code, the user is notified that the file “could damage your computer” and prompted to delete the offending file.
This recognition of the threat of malware is a new, important and very encouraging step made by the folks over at Infinity Loop.
Although I welcome any attempt by Apple to keep their growing user community safe and secure, the malware detection released with Snow Leopard can only be described as rudimentary at best, files are only scanned at time of download, and even then, only when downloaded by certain applications (such as Safari, iChat or Mail). Malware is detected by way of a static pattern matching file, the file that ships with Snow Leopard contains definitions for only two pieces of malware, OSX_RSPLUG and OSX_KROWI. The update mechanism that is being proposed for these virus patterns is the standard Apple Software Update technology so updates may well be irregular. Rather than the real-time updates necessary to combat today’s sophisticated threats. There appears to be no real-time scan (files are not scanned as they are executed), no central management or reporting.
The RSPlug Trojan (Oct 2007), drops the DNSChanger malware, and Krowi is the piece of malware responsible for the creation of the first OSX botnet and was found hidden in various illegally shared copies of popular Mac applications. No mention then of the Jahlav family of malware so prevalent at the moment. In fact the most recent discovery of a new variant of this was made just this week by Trend Micro’s own Feike Hacquebord and was hiding in supposed pirated copies of Snow Leopard itself.
RSPlug and Jahlav have both been known to pose as video codec installers, a tactic long popular on the windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan demonstrating that it is the same skilled and experienced malware business now setting its sights on the Apple community. It is also worth nothing that Mac Forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign.
These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple may finally be listening. Malware has existed on the Mac platform since pre OS X days, as have anti-malware tools. However the radical change in the nature of the malware industry coupled with Apple’s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends and at the financial cost of the end user in the coming months and years.