Mac User has reported in a little more detail than I’ve seen elsewhere so far on the Trojan detection in Snow Leopard, quoting freelance OS X and iPhone developer Matt Gemmell. In fact, the meat of the story is Gemmell’s tweets, which state that the system checks for only two known Trojans, RSPlug and iServices, and that only certain files are checked.
Mac User has been quick to remark that "…the only way to get malware onto Macs is to persuade the user to install it…" That’s misleading, guys. What you mean is that you only know of malware that works by tricking the user into installing it through social engineering. That’s approximately true, at least of contemporary Macs, but it doesn’t mean that there is no way to install malware without the active participation of the computer user. It simply means that "self-launching" exploits, which install malware by exploiting a vulnerability rather than by persuading the user to run something, aren’t being seen in the wild on Macs right now. Let’s not perpetuate the urban myths that:
Still, this coverage does represent a step nearer to the real world for Mac users (as does Apple’s inclusion of this rudimentary, malware-specific enhancement to the File Quarantine utility). Even a year or two ago, the inevitable responses on Mac lists to any mention of Mac malware were along the lines of:
Wider recognition that a Mac system could be compromised is a Good Thing. However, initial comments on the Mac User site indicate that, as I feared, some users are already overestimating the likely effectiveness of this countermeasure.
Mac World’s coverage is more comprehensive and, I’d say, a little more realistic. It gives more information about the mechanism, sounds a note of caution about whether Apple will offer timely updates for future malware, and points out that the utility offers no form of disinfection: it can warn about a known Trojan on download, but it does nothing for a system that is already infected. Full marks for responsible coverage!
The sky isn’t falling: however, it’s good to see some recognition of the fact that MacLand is getting to be a more dangerous place.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, We Live Security