MacMatters

I run (in my copious free time) a page called Mac Virus that I inherited from Susan Lesch, who ran it as a comprehensive Mac antivirus resource. (That page has nothing to do with the later pages at macvirus.org or macvirus.net, by the way, which also refer to themselves as Mac Virus, and recently experienced infestation problems with fake codecs.)

I’ve never really had the time to keep Mac Virus current to the standard that Susan did, updating it on a pretty much daily basis, but I try to keep at least half an eye on the Mac malware scene and to help out with Mac-related queries when I receive them. This week, I had one of those "So what Mac malware is there really?" enquiries. This really ought to be an FAQ at Mac Virus, I guess, but until it is (and because there are readers of this blog who are interested in Mac issues), here’s a quick summary of my response, even at the risk of an avalanche of rabid Mac zealots telling me that I don’t know what I’m talking about.

There are quite a few older malicious programs that are specific to the Mac, though hardly any of them are likely to have any effect on a modern system (especially an Intel-based system, where the Classic/pre-OS X environment is no longer supported), and I haven’t seen any of them reported in years. (Is anyone still using HyperCard?!)

Then there are some proof of concept viruses for OS X, but they don’t pose much of an immediate threat. (Of course, replicative malware is a shrinking proportion of current malware even on Windows platforms.)

There are other malware-related threats that you should be aware of, if not panicked by. (We’re not talking huge numbers to date.) For instance, Trojans like the DNSchanger fake codecs mentioned earlier, the occasional rootkit, rogue anti-malware programs… Some of these are affecting

And there are the cross-platform issues: macro viruses aren’t a very big deal now, but they haven’t altogether disappeared, and there are other issues with MS Office document vulnerabilities, though the exploits have been almost invariably Windows-specific until now. Also, VBA is absent from the latest Office for Mac, though it will be back in the next version, apparently.

In fact, there is a persistent risk of Windows-specific or cross-platform malware spreading by way of Windows non-users. It was actually an instance of that – the macro epidemic of the mid-1990s – that dragged me into the Mac anti-malware arena in the first place.

I would advocate that Mac users in a corporate environment should be using protected machines, irrespective of the perceived risk from Mac-specific threats. I would never discourage the use of commercial anti-malware by home users (there is some free AV for Macs, but none that offers comprehensive protection). Macs aren’t at anything like the same level of direct risk from malware that Windows is, and may never be. That said, we do see the bad guys getting interested in mining sparser seams of potential victims as Windows users become more security-conscious. Some, including me, believe that the risk level is increasing, but slowly. We may not yet be at the point where anti-malware protection is essential even for people who use Macs at home and who don’t take foolish risks. But never say never.

As it happens, Apple have just released a comprehensive – well, large, anyway – document on securing Leopard. Being an Apple document, it includes a brief mention of viruses (summary: use antivirus, practice safe hex) but makes no mention of the wider range of malware that might concern you more. Ah well… I do happen to know that "OS X Exploits and Defense" (published recently by Syngress) includes more information on malware, because I wrote those two chapters. ;-) Contrary to the impression you may get from some book sites, though, I didn’t write or tech-edit the whole book (the confusion arises because I had to withdraw from editing due to imminent surgery), and I haven’t found time to read the rest of the book yet. When I do, I’ll give you the benefit of my prejudices.

David Harley
Research Author
ESET LLC


2 Responses to “MacMatters”

  1. Saad says:

    Hello.
    Do you know what the 2 deficiencies of ESET Smart Security are?
    1. It has no friendly options. For example, when we download a virus file it should ask “do you want to cancel it or continue downloading?”. Maybe I am downloading a zip file that is 300 MB, and it contains a virus file beside the setup file. We can just extract the setup file. Do you know my aim?

    2. One day my ESET couldn’t update its virus definitions because of a network error. I didn’t know why! After a few weeks I tried “Spyware Doctor”. It found and cleaned 5 pieces of spyware on my system, and after that I could update my virus definitions again!
    http://www.pctools.com/spyware-doctor/
    I think you should cooperate with others.

    I’m sorry for my bad English!!

  2. David says:

    The ESET support page at http://www.eset.com/support/ offers ways to pass on your opinions about ways in which our service could be improved. As I don’t work in product support or product development directly, I can’t comment authoritatively on the issues you raise. However, while I agree that it’s good to give the customer choice where appropriate and possible, in the case you describe, I think it’s defensible for a scanner to “play safe” when files that are not themselves overtly malicious are found in a suspicious context, such as in an archive file that contains a known malicious file. It’s not uncommon for malware to come bundled with files that contain no malicious code themselves, but are only put there to support the installation or execution of malware. What a scanner does is (a) look for known malicious code (b) look for code that suggests malicious intent, even though it’s not known malware. But malicious intent is a state of mind, not a programmatic function: the scanner can only make a guess based on context and other factors.

    I don’t quite know what you mean by cooperation in this context: ESET, like other anti-malware vendors, works with other vendors in many contexts. And we do share samples (in more than one context). But there are just too many samples (and they change too fast) for every product to detect every known malicious program, let alone the suspicious ones. It sounds as if your system may have been infected by something that specifically blocks access to ESET’s update servers. If ESS had been able to update its definitions, in the interim it might have been able to detect some or all of the same spyware by the time that the other product detected it. But I guess we’ll never know.
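The reply above describes two detection approaches (known-bad code and heuristics for suspicious intent) and the "play safe" policy of withholding a whole archive when one member inside it is detected, which is exactly why the 300 MB zip in the first comment gets blocked rather than letting the user extract just the setup file. The toy archive scanner below is an added example written for this page; it is not ESET code and does not reflect how ESET Smart Security is implemented. The EICAR string is the real industry-standard antivirus test file, which every scanner detects, so it stands in for a genuine signature; the double-extension heuristic, the nesting limit, and the sample "fake codec" download are constructed for illustration.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# (a) Known-bad content. The EICAR string is the industry-standard antivirus test
# file; every scanner detects it, so it stands in here for a real signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD = {"EICAR-Test-File": EICAR}

# (b) A toy "suspicious intent" heuristic (assumption, for illustration only): an
# executable whose name pretends to be a media or document file, e.g. trailer.mov.exe.
DOUBLE_EXTENSION = re.compile(r"\.(mpg|mov|avi|jpg|pdf|doc)\.(exe|scr|pif|com)$", re.I)

MAX_NESTING = 4  # assumption: deeper zip-in-zip nesting is treated as suspicious


@dataclass
class Verdict:
    blocked: bool                                   # archive withheld as a whole?
    detections: dict = field(default_factory=dict)  # member path -> detection name
    withheld: list = field(default_factory=list)    # clean members withheld by context


def classify_member(name: str, data: bytes):
    """Return a detection name for one file, or None if nothing is found."""
    for label, pattern in KNOWN_BAD.items():
        if pattern in data:
            return label
    if DOUBLE_EXTENSION.search(name):
        return "Heuristic.DoubleExtension"
    return None


def _walk(data: bytes, prefix: str, depth: int, detections: dict, clean: list):
    """Recurse into nested zips, recording detections and clean member paths."""
    if depth > MAX_NESTING:
        detections[prefix or "<root>"] = "Heuristic.NestingTooDeep"
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            member = zf.read(info)
            if info.filename.lower().endswith(".zip"):
                _walk(member, path + "/", depth + 1, detections, clean)
            elif (label := classify_member(info.filename, member)):
                detections[path] = label
            else:
                clean.append(path)


def scan_archive(data: bytes) -> Verdict:
    """Scan a zip (and any nested zips). One detection anywhere blocks the whole
    archive, so the clean members beside it are withheld too: the "play safe" policy."""
    detections, clean = {}, []
    _walk(data, "", 0, detections, clean)
    blocked = bool(detections)
    return Verdict(blocked=blocked, detections=detections, withheld=clean if blocked else [])


def _zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_fake_codec_download() -> bytes:
    """Constructed sample: a 'codec' bundle whose installer is clean but whose helper
    archive carries the EICAR file, plus an executable hiding behind a .mov name."""
    return _zip({
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 64,        # harmless stand-in bytes
        "readme.txt": b"Install the codec to watch the video.\n",
        "trailer.mov.exe": b"MZ\x90\x00" + b"\x00" * 64,
        "codec_installer.zip": _zip({"install.exe": EICAR}),
    })


def build_clean_download() -> bytes:
    """Constructed sample with nothing suspicious in it."""
    return _zip({"setup.exe": b"MZ\x90\x00" + b"\x00" * 64,
                 "readme.txt": b"Nothing to see here.\n"})


if __name__ == "__main__":
    v = scan_archive(build_fake_codec_download())
    print("blocked:", v.blocked)
    for path, label in v.detections.items():
        print(f"  {path}: {label}")
    print("  withheld by context:", v.withheld)
```

Running it on the constructed download reports the archive as blocked with two detections (the EICAR file inside the nested zip and the double-extension executable) and lists setup.exe and readme.txt as withheld even though nothing was found in them; the clean sample is not blocked and withholds nothing. A real product would add hash lookups, unpackers for formats beyond zip, and size and nesting limits tuned against archive bombs, but the verdict structure is the point: the scanner reasons about the container, not only about each file in isolation.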

07 Jun 2008