These are interesting times for Mac users.And I'm not just referring to Apple's remorseless expansion into gadgets and gizmos, or even the very occasional Proof of Concept malware intended to prove that OS X is exploitable, but to the fact that the security industry, the media and the bandits are all paying the platform much more attention. Last year, the arrival of a Mac version of the DNSchanger Trojan caused a great deal of excitement, and this year we've seen reports of a Mac version of a well-known rogue anti-spyware program, Linux backdoors ported to OS X, and a (not in itself malicious) bot compiled for Linux, FreeBSD and Darwin. Last week the forums at macvirus.org were flooded with links to sites harbouring the DNSchanger (RSPlug) Trojan. (By the way, that's nothing to do with the older macvirus.com domain which I (occasionally) maintain in my copious free time.)
All very novel and interesting, but is it significant? Well, certain vendors whose product ranges include a Mac product evidently think so, since they're laying increasing stress on potential Mac vulnerabilities and issues. Furthermore, they're in the process of being joined by other vendors who've never had a Mac product up to now.
How big a market is there? Bigger than you might think.
General Mac users may, if you follow the comments on The Register and many Mac sites, seem to fall into two groups: those who insist that there is no Mac malware, there never was any Mac malware, and there never could be any Mac malware; and those who believe them. (The Register, by the way, seem to fall somewhere in between: while they've run quite a few Mac-related malware stories, they seem to be under the curious impression that there's been no Mac malware since 1992, but I'll pursue that oddity another time.)
Probably not much of a market there, at any rate until some form of malware really spreads far and fast across the Mac community as macro viruses and AutoStart did in the 1990s. Corporates with mixed platforms, however, may be in a better position to have noticed that there's a difference between the interesting but low-impact Proof of Concept viruses of the past few years and today's Mac malware, which reflects, in its own small way, the dramatic changes in the Windows threat landscape this century. The Mac fanboiz do have at least one thing right: Mac viruses aren't a big deal. Arguably, nor are PC viruses, nowadays. Self-replication used to be an end in itself for much malware, but it turns out not to be all that useful in terms of making money, and it's Return On Investment (ROI) that drives most malware development nowadays, not bragging rights ("Look at me! I wrote a Mac virus!").
The Mac malware I'm alluding to above is crimeware, the means to a (criminal) end, not an end in itself. So the real significance of the fact that there's most of it doesn't lie in the (rather low) number of people it's affecting at present, but the fact that the blackhats think that there are enough potential Mac-using victims to be worth their present development costs. They could be right: the biggest potential threat to the Mac-owning community isn't any intrinsic vulnerability in the platform: it's their susceptibility to social engineering attacks. I believe that susceptibility is raised by a complacent "can't happen here" mindset. It appears that (at least) one Mac user had an unproductive discussion with Apple support analysts who wouldn't believe that he could be having a problem with OSX/DNSchanger because they weren't aware of any malware that targets OS X. That doesn't surprise me, because Apple's own web site is not immune to marketing masquerading as security advice. But it's disconcerting that a site associated with a Mac security product seems so unaware of the Mac threatscape that as of this afternoon, it still hasn't noticed that its forum is flooded with links to sites known to have been serving malicious software.
David Harley
Research Author
