A TREND MICRO BLOG

Aug 27

Apple anti-malware? Snow joke!

Rik Ferguson

Filed under: Mac OS, Opinion, malware | RSS 2.0 | TB | Tags: , , , , | 9 Comments

It looks, on one hand, as it Apple are now alive to the danger that malicious code represents to their users. Reports from beta testers indicate that in the newest version of MacOS Snow Leopard, due for release tomorrow, Apple have included anti-malware technology (although someone needs to tell their marketing department who as previously blogged, are still touting Mac OS as being unaffected by malware new ad called “Surprise“).

Picture courtesy of Intego

Picture courtesy of Intego

 

In the new version of MacOS, when a user downloads a file that is detected as containing malicious code, the user is notified that the file “could damage your computer” and prompted to delete the offending file.

 

This recognition of the threat of malware is a new, important and very encouraging step made by the folks over at Infinity Loop.

 

Although I welcome any attempt by Apple to keep their growing user community safe and secure, the malware detection released with Snow Leopard can only be described as rudimentary at best, files are only scanned at time of download, and even then, only when downloaded by certain applications (such as Safari, iChat or Mail). Malware is detected by way of a static pattern matching file, the file that ships with Snow Leopard contains definitions for only two pieces of malware, OSX_RSPLUG and OSX_KROWI. The update mechanism that is being proposed for these virus patterns is the standard Apple Software Update technology so updates may well be irregular. Rather than the real-time updates necessary to combat today’s sophisticated threats. There appears to be no real-time scan (files are not scanned as they are executed), no central management or reporting.

 

The RSPlug Trojan (Oct 2007), drops the DNSChanger malware, and Krowi is the piece of malware responsible for the creation of the first OSX botnet and was found hidden in various illegally shared copies of popular Mac applications. No mention then of the Jahlav family of malware so prevalent at the moment. In fact the most recent discovery of a new variant of this was made just this week by Trend Micro’s own Feike Hacquebord and was hiding in supposed pirated copies of Snow Leopard itself.

 

RSPlug and Jahlav have both been known to pose as video codec installers, a tactic long popular on the windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan demonstrating that it is the same skilled and experienced malware business now setting its sights on the Apple community. It is also worth nothing that Mac Forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign.

 

These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple may finally be listening. Malware has existed on the Mac platform since pre OS X days, as have anti-malware tools. However the radical change in the nature of the malware industry coupled with Apple’s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends and at the financial cost of the end user in the coming months and years.


Bookmark
| More

This entry was posted on Thursday, 27. August 2009 and is filed under "Mac OS, Opinion, malware". You can follow any responses to this entry with RSS 2.0. You can leave a response here, or send a trackback from your own site.

9 Comments

  1. Friday, 28. August 2009 um 6:35 pm

    [...] link is being shared on Twitter right now. @rik_ferguson, an influential author, said Apple [...]

  2. Saturday, 29. August 2009 um 3:04 pm

    If this is so laughable, why don’t you immediately get in your seats to develop some anti-virus/malware application for Mac OS? You really should feel some responsibility concerning this, not just stand there like some goofy jokers!

  3. Monday, 31. August 2009 um 10:17 pm

    Hold the phone! I’ve been seeing ads on my TV non-stop about how Mac is the system without all the viruses, trojans, bugs and crashes… this totally changes my world view!

    Or not.

  4. Monday, 31. August 2009 um 11:36 pm

    Hi Pet, Trend Micro have anti malware and safe surfing solutions both for enterprise and consumer available, but I try really hard not to push product on this blog. Thanks for asking though!

    Cheers,
    Rik

  5. Tuesday, 1. September 2009 um 7:30 pm

    Let’s get a couple things straight.

    First, there are still zero viruses for Mac OS X (there were viruses for Mac OS before they switched to unix, but who cares about that now). There are a few trojans (that won’t spread on their own), and Apple is beginning add some protection against them. Even without this and without any other 3rd party anti-virus, Mac OS X is still less likely to become compromised than a Windows machine running internet security software. So adding a buffer in case somebody was dumb enough to download a pirated program that is infected with a trojan to prevent infection can ONLY further the idea that Macs are indeed more secure.

    And second, are you sure that only a few Apps have the protection? That screenshot shows “eject disk image” as an option, not “delete.” If the disk image was just downloaded by a program, it wouldn’t be mounted, and the button would say “delete” instead of “eject.” However, if it is a tool built into the Finder (which would provide protection when downloaded from ALL programs), only then would it scan only once mounted and be able to show a button to eject it.

  6. Wednesday, 2. September 2009 um 10:46 pm

    Thanks for joining in the debate al, the threats currently in the wild for MacOS are Trojans, absolutely, but I see no reason to suppose these will be less succesful on the Mac than they currently are on the Wintel platform. Trojans are by far the most prevalent form of malware on Windows too right now. They rely on socially engineering the user, and the user is most often the weakest link. If you’re dumb enough to download the pirated software or the fake codec, then you’re probably dumb enough to give it your password when it asks you for it.
    Malware exists for Mac OS X and malware is being succesful on Mac OS X, just check out the botnet that Krowi came up with.
    Figures on infected machines are difficult to come by of course, as most infected users are simply unaware they have become victims.

    As regards the word “virus” I didn’t use it, I said “malware” which has a much larger definition. I would personally accuse Apple marketing though, of knowing that most non-savvy users use the word “virus” to refer to ANY malicious software, including the Trojans I referenced, and thus their ad campaigns are at best unhelpfully misleading. It is not helpful when we judge “standard computer users” by our own knowledge. I am sure most non-technical folks would have real trouble explaining the differences between the different types of malware, and to be honest, they shouldn’t have to. They do deserve though, clear and honest information from the companies with whom they do business

  7. Saturday, 20. February 2010 um 12:58 am

    So do Trend do an anti virus software for Mac?

  8. Sunday, 21. February 2010 um 7:11 pm

    We didn’t when I wrote that, we do now :)

  9. Wednesday, 10. March 2010 um 4:19 am

    [...] Security Essentials replace OneCare adequately? clubhouse , Connect , Security Essentials , Story Apple anti-malware? Snow joke! – countermeasures.trendmicro.eu 08/27/2009 It looks, on one hand, as it Apple are now alive [...]

Leave a comment

XHTML allowed tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Spam protection

© Copyright 2010 Trend Micro Inc. All rights reserved.
Legal Notice. Disclaimer