Picture courtesy of Intego

 

In the new version of MacOS, when a user downloads a file that is detected as containing malicious code, the user is notified that the file “could damage your computer” and prompted to delete the offending file.

 

This recognition of the threat of malware is a new, important and very encouraging step made by the folks over at Infinity Loop.

 

Although I welcome any attempt by Apple to keep their growing user community safe and secure, the malware detection released with Snow Leopard can only be described as rudimentary at best, files are only scanned at time of download, and even then, only when downloaded by certain applications (such as Safari, iChat or Mail). Malware is detected by way of a static pattern matching file, the file that ships with Snow Leopard contains definitions for only two pieces of malware, OSX_RSPLUG and OSX_KROWI. The update mechanism that is being proposed for these virus patterns is the standard Apple Software Update technology so updates may well be irregular. Rather than the real-time updates necessary to combat today’s sophisticated threats. There appears to be no real-time scan (files are not scanned as they are executed), no central management or reporting.

 

The RSPlug Trojan (Oct 2007), drops the DNSChanger malware, and Krowi is the piece of malware responsible for the creation of the first OSX botnet and was found hidden in various illegally shared copies of popular Mac applications. No mention then of the Jahlav family of malware so prevalent at the moment. In fact the most recent discovery of a new variant of this was made just this week by Trend Micro’s own Feike Hacquebord and was hiding in supposed pirated copies of Snow Leopard itself.

 

RSPlug and Jahlav have both been known to pose as video codec installers, a tactic long popular on the windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan demonstrating that it is the same skilled and experienced malware business now setting its sights on the Apple community. It is also worth nothing that Mac Forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign.

 

These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple may finally be listening. Malware has existed on the Mac platform since pre OS X days, as have anti-malware tools. However the radical change in the nature of the malware industry coupled with Apple’s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends and at the financial cost of the end user in the coming months and years.

 

That is certainly the case if you believe Apple’s latest advertisement, available here and titled Elimination.

“I just need something that works without crashing, or viruses or a ton of headaches.”

 Apple’s ads have always been amusing, but this won’t be the first time that someone calls them out for also being misleading.

 

To say that there is no malware (or viruses) for the Apple platform is demonstrably untrue. In January of this year a pirated copy of iWork was made available as a Torrent, that copy of iWork was found to contain a trojan. Those affected systems were later found to have been recruited into a botnet that has already been used for DDoS and Spam runs.

 

By the same token, Mac OS and many applications on the Mac OS platform have recently been found vulnerable to some high profile exploits. This was most publicly evidenced by the Pwn2Own at CanSecWest both this year and last, but also includes such well used applications as Adobe Flash and Acrobat and Microsoft Office.

 

For many years now Mac users have believed themselves to be invulnerable to malware, and this is not the first time they have been encouraged by Apple in this belief. This complacency leaves many Mac users with the mistaken belief that either Macs are not vulnerable to malware, or that none exists for their platform or both, impacting their ability to make informed decisions when downloading or installing new software, opening attachments or visiting questionable sites.

 

Given the fact that today’s cybercrime motivation has shifted from a misplaced sense of “l33t h4x0r” pride to a sole focus on the business of generating cash, the threat to Mac users is definitely growing. Cybercrime and malware in today’s world is big business, and one that ever more closely resembles the world of legitimate business, including outsourcing, R&D budgets, Malware as a Service platforms, SLAs and even EULAs. In this shady world of business it would defintely be fair to say that as the Mac market share expands and the user base grows, so does its perceived “investment potential” to the cybercriminal.

 

It’s all about Return on Investment, and the fact that that user base is largely unprepared and the computers themselves largely unprotected can only increase the attractiveness. Apple should talk honestly and openly with their customers about the threat, giving them fair and balanced advice when it comes to protecting their investment, their identites and their cash.

 

As regards the other one, a Google search for “Mac OS crash” yields over 3 million results…

 

For the record, I’m a Mac user.