Mac Malware Revisited

April 12th, 2012

Back in the early days, Mac users confronted a moderate level of malware infections. I remember one occasion when I visited a local software store — back in Edison, New Jersey — and bought a screen saver from a reputable publisher. The floppy was infected, however. I didn’t have anti-virus software at hand, and had to reformat my Mac IIcx’s drive and reinstall everything. Well, it was only weeks after I bought the computer. I didn’t have much to reinstall, so the restore process wasn’t as intimidating as it might have otherwise seemed.

In passing, I quickly discovered the value of security software, and download an shareware app, called Virus Detective, which I used until the author, Jeffrey Shulman (no relation to the famous poker player by the way), give it up. The computer store took back the infected floppy and refunded my money, with abject apologies.

Not long thereafter, my employer, a graphic arts studio in New York City, encountered a virtual avalanche of floppies infected by a so-called desktop virus called WDEF. This was back in the early 1990s.

Of course, Mac viruses paled into insignificance compared to what happened on the Windows platform over the years, until Microsoft began to clean up their act. With the arrival of Unix-based Mac OS X, it was felt that Macs couldn’t possibly be infected by malware, and millions of Mac users were more or less lulled into a sense of security.

But a lot of things have happened in recent years. The arrival of Apple’s mobile gadgets has turned the company into a worldwide powerhouse, with a market cap ahead of all other companies on the planet. Anything Apple does gains worldwide headlines, so one expects it would only be a matter of time before Internet criminals look to Macs to spread their misery. The fact that Mac sales are growing faster than Windows sales these days only makes the platform even more appealing.

Most Mac malware outbreaks, though, have consisted of so-called Trojan Horse apps, which masquerade as something real but, when installed, have the potential to take over your system. Last year, lots of Mac users paid money for a fake anti-virus app called MAC Defender (also known by other names), which presented itself on a site that claimed to have discovered the presence of malware after allegedly scanning your Mac. The app, after claiming to remove the non-existent virus, did nothing further — other than take your money in license fees of course.

Apple updated security definitions in recent versions of OS X to guard against that particular malware outbreak.

But the most threatening malware of all first appeared last September as a Trojan Horse, a fake Flash-based player app labeled as Flashback. The most recent iteration, a so-called “drive-by download,” has reportedly infected over 600,000 Macs worldwide according to some estimates. By “drive-by,” I mean you visit a site that hosts Flashback, and it will infect unprotected Macs by exploiting a security leak in Java.

The end result is that the infected Macs can be taken over and become part of a large bot network that could spread spam and even more malware. Not a pretty picture.

Last week, Apple updated Java for Snow Leopard and Lion to fix the security leak that made Macs susceptible to Flashback. It doesn’t, however, actually remove the malware if it’s already there. But the major virus protection apps, such as Intego’s VirusBarrier, have long since been updated to guard against Flashback. Intego, by the way, was perhaps the first company to discover the existence of Flashback.

After saying nothing for a while, Apple has since posted a support document at their site that explains what Flashback is all about, and how to get the Java security update. On Thursday, Apple released yet another Java security update, this one designed to rid infected Macs of Flashback, and disable the “automatic execution of Java applets.” In working with ISPs to take down the servers causing the outbreak, Apple apparently also tried to bring down a server run by a security software publisher, Dr. Web, which was designed to measure the extent of the infection. Talk about the laws of unintended consequences.

It’s good to know Apple finally recognizes the seriousness of Flashback and is taking steps to wipe it off infected Macs. But it may also be a case of trying to close the barn doors after the cows have left. Up till now, Apple has played down the potential for Mac malware. While support documents will guide you on how to protect yourself, and they even mention security software as a possible solution, most Mac users aren’t being actively informed about the dangers. A false sense of security isn’t going to protect you from possible infection.

Now since most Mac malware has so far arrived in the form of a Trojan Horse, being careful about what you download and where is usually enough to keep you safe. But a drive-by infection can just happen. You visit the wrong site, and the vulnerability can be exploited in a matter of seconds without your direct intervention. You aren’t even presented with a request for your system password.

Now some suggest you just turn off Java in Safari (it’s in the app’s preferences, under Security). The steps of disabling Java from other browsers is more complicated, and you need to read the Help menus. But don’t confuse Java with Javascript. The latter is simply a scripting language that allows a site to display dynamic content. If you turn it off, some of the nifty features on those sites, such as the ability to post a message almost instantaneously in our forums, will be deactivated.

For most of you, living without Java isn’t such a big deal. Few apps use it these days, but some Web-based conference tools and interactive chat rooms require Java. So if you see the coffee cup icon on a site that you want to visit, and you’re sure it’s a safe site, you may just want to turn Java back on. Meantime, I do hope Apple takes this malware outbreak as a wake-up call to become more proactive about protecting Mac users. They’ve taken positive steps in OS X, but more needs to be done.

| Print This Article Print This Article

2 Responses to “Mac Malware Revisited”

  1. Louis Wheeler says:

    Apple seems to be phasing out unapproved third party applications, Flash and Java, among others. Both have been sources of malware. Apple takes decreasing responsibility for maintaining and bug fixing them. They will be assigned as, “Install at your own risk.”

    I notice that Apple gets hit both ways on security issues. It gets dinged when it is tardy at fixing flaws in third party apps or its Unix foundations and when it attempts to use unconventional means.

    This tardiness is a mixed bag, since Apple does not try to maintain the latest builds. Hence, it escapes some of the malware which inflicts the Linux community. Slowness to upgrade and slowness to correct flaws in non proprietary software have the same cause: Apple has limited resources and less need.

    Apple has had the luxury of not being under intensive attack, but that situation may be changing. It has been slow to upgrade to a 64 bit operating system, although this has improved security, ASLR & DEP. Sand-boxing, supervisor programs similar to VPro are in process. Apple is lambasted either way, because moving to a 64 bit OS must necessarily consign three to five year old computers to legacy. Apple does not maintain a decades long tail like Microsoft does.

    Apple is accused of maintaining a “walled garden” when it restricts applications to the Mac. It gets pilloried if it uses un-PC methods of maintaining security, as when it attempted to use an application specific firewall. Panic ensued when migrants from Windows found that the general firewall was turned off by default.

    Gatekeeper, in Mountain Lion, has been cited as being tyrannical, because it is not “open.” Gatekeeper allows retroactive deletion of applications which prove troublesome. This recourse has provoked flights of fancy. Conspiracy theories are being fielded. Apple no longer issues DVD’s and uses downloads, instead. So, this must mean that Apple intends to lock out the Jailbreak and Hackentosh community.

    Microsoft has historically funded pundits hostile to Apple. So, no matter what Apple does, it gets criticized for being different.

    Although, there is no reason for Apple users to be complacent, we still need to count our blessings: Thank God, We are NOT on Windows!

  2. Viswakarma says:

    It looks as though the person in charge of security, that Apple hired from Microsoft, seems to have dropped the ball!!!

Leave Your Comment