Apple anti-malware? Snow joke!

It looks, on one hand, as if Apple are now alive to the danger that malicious code represents to their users. Reports from beta testers indicate that in the newest version of Mac OS, Snow Leopard, due for release tomorrow, Apple have included anti-malware technology (although someone needs to tell their marketing department who, as previously blogged, are still touting Mac OS as being unaffected by malware in a new ad called “Surprise”).

Picture courtesy of Intego


In the new version of MacOS, when a user downloads a file that is detected as containing malicious code, the user is notified that the file “could damage your computer” and prompted to delete the offending file.


This recognition of the threat of malware is a new, important and very encouraging step made by the folks over at Infinity Loop.


Although I welcome any attempt by Apple to keep their growing user community safe and secure, the malware detection released with Snow Leopard can only be described as rudimentary at best: files are only scanned at time of download, and even then only when downloaded by certain applications (such as Safari, iChat or Mail). Malware is detected by way of a static pattern-matching file; the file that ships with Snow Leopard contains definitions for only two pieces of malware, OSX_RSPLUG and OSX_KROWI. The update mechanism being proposed for these patterns is the standard Apple Software Update technology, so updates may well be irregular rather than the real-time updates necessary to combat today’s sophisticated threats. There appears to be no real-time scan (files are not scanned as they are executed), and no central management or reporting.


The RSPlug Trojan (Oct 2007) drops the DNSChanger malware, and Krowi is the piece of malware responsible for the creation of the first OS X botnet; it was found hidden in various illegally shared copies of popular Mac applications. No mention, then, of the Jahlav family of malware so prevalent at the moment. In fact the most recent discovery of a new variant of this was made just this week by Trend Micro’s own Feike Hacquebord, and it was hiding in supposed pirated copies of Snow Leopard itself.


RSPlug and Jahlav have both been known to pose as video codec installers, a tactic long popular on the Windows platform. Once installed, DNS-changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan, demonstrating that it is the same skilled and experienced malware business now setting its sights on the Apple community. It is also worth noting that Mac forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign.
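One defender-side check for the DNS-hijacking behaviour just described, added here as an example and not part of the original post: it parses resolver entries in the format printed by `scutil --dns` on Mac OS X (the sample below is constructed, not a capture from an infected machine) and flags any nameserver outside an assumed allow-list (`EXPECTED_RESOLVERS`, which a site would set to its own resolvers).

```python
import ipaddress
import re

# Constructed sample in `scutil --dns` style (not captured from a real machine):
# the second resolver block points the system at an unexpected public address.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.2
  if_index : 4 (en0)

resolver #2
  domain   : local
  nameserver[0] : 203.0.113.7
"""

# Assumed allow-list of resolvers this machine is expected to use; site-specific.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(scutil_output: str) -> list[str]:
    """Return every nameserver address listed in scutil-style output, in order."""
    return NAMESERVER_RE.findall(scutil_output)


def find_suspect_resolvers(scutil_output: str, expected=EXPECTED_RESOLVERS) -> list[str]:
    """Return resolvers that are not on the allow-list, de-duplicated, in first-seen order.

    A DNS-changing Trojan of the RSPlug kind works by pointing the system at an
    attacker-controlled resolver, so any address outside the expected set merits
    an alert; entries that are not valid IP addresses are surfaced as well rather
    than silently skipped.
    """
    suspects: list[str] = []
    for addr in parse_nameservers(scutil_output):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            suspects.append(addr)  # malformed entry: report it
            continue
        if addr not in expected:
            suspects.append(addr)
    return sorted(set(suspects), key=suspects.index)


if __name__ == "__main__":
    for resolver in find_suspect_resolvers(SAMPLE_SCUTIL_DNS):
        print(f"unexpected DNS resolver configured: {resolver}")
```

On a real machine the input would come from running `scutil --dns` and feeding its output to `find_suspect_resolvers`; an empty result means every configured resolver is on the allow-list.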


These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple may finally be listening. Malware has existed on the Mac platform since pre-OS X days, as have anti-malware tools. However, the radical change in the nature of the malware industry, coupled with Apple’s huge success in recent years, means it is a platform which is now far more likely to be exploited for malicious ends, at the financial cost of the end user, in the coming months and years.

9 thoughts on “Apple anti-malware? Snow joke!”

  2. al

    Let’s get a couple things straight.

    First, there are still zero viruses for Mac OS X (there were viruses for Mac OS before they switched to unix, but who cares about that now). There are a few trojans (that won’t spread on their own), and Apple is beginning to add some protection against them. Even without this and without any other 3rd party anti-virus, Mac OS X is still less likely to become compromised than a Windows machine running internet security software. So adding a buffer in case somebody was dumb enough to download a pirated program that is infected with a trojan to prevent infection can ONLY further the idea that Macs are indeed more secure.

    And second, are you sure that only a few Apps have the protection? That screenshot shows “eject disk image” as an option, not “delete.” If the disk image was just downloaded by a program, it wouldn’t be mounted, and the button would say “delete” instead of “eject.” However, if it is a tool built into the Finder (which would provide protection when downloaded from ALL programs), only then would it scan only once mounted and be able to show a button to eject it.

    1. Rik Ferguson Post author

      Thanks for joining in the debate al, the threats currently in the wild for MacOS are Trojans, absolutely, but I see no reason to suppose these will be less successful on the Mac than they currently are on the Wintel platform. Trojans are by far the most prevalent form of malware on Windows too right now. They rely on socially engineering the user, and the user is most often the weakest link. If you’re dumb enough to download the pirated software or the fake codec, then you’re probably dumb enough to give it your password when it asks you for it.
      Malware exists for Mac OS X and malware is being successful on Mac OS X, just check out the botnet that Krowi came up with.
      Figures on infected machines are difficult to come by of course, as most infected users are simply unaware they have become victims.

      As regards the word “virus”, I didn’t use it; I said “malware”, which has a much larger definition. I would personally accuse Apple marketing, though, of knowing that most non-savvy users use the word “virus” to refer to ANY malicious software, including the Trojans I referenced, and thus their ad campaigns are at best unhelpfully misleading. It is not helpful when we judge “standard computer users” by our own knowledge. I am sure most non-technical folks would have real trouble explaining the differences between the different types of malware, and to be honest, they shouldn’t have to. They do deserve, though, clear and honest information from the companies with whom they do business.

  3. Rafal Los

    Hold the phone! I’ve been seeing ads on my TV non-stop about how Mac is the system without all the viruses, trojans, bugs and crashes… this totally changes my world view!

    Or not.

  4. Pet

    If this is so laughable, why don’t you immediately get in your seats to develop some anti-virus/malware application for Mac OS? You really should feel some responsibility concerning this, not just stand there like some goofy jokers!

    1. Rik Ferguson Post author

      Hi Pet, Trend Micro have anti malware and safe surfing solutions both for enterprise and consumer available, but I try really hard not to push product on this blog. Thanks for asking though!

      Cheers,
      Rik
