Snow Leopard and Malware

Mac User has reported in a little more detail than I’ve seen elsewhere so far on the Trojan detection in Snow Leopard, quoting freelance OS X and iPhone developer Matt Gemmell. In fact, the meat of the story is Gemmell’s tweets, which state that the system checks for only two known Trojans, RSPlug and iServices, and that only certain files are checked.

Mac User has been quick to remark that "…the only way to get malware onto Macs is to persuade the user to install it…" That’s misleading, guys. What you mean is that you only know of malware that works by using social engineering to trick the user into installing it. That’s approximately true, at least of contemporary Macs, but it doesn’t mean that there is no way to install malware without the active participation of the computer user. It simply means that "self-launching" exploits aren’t being seen in the wild right now. Let’s not perpetuate the urban myths that:

  • It isn’t possible to write a "drive-by download" or other self-launching exploit for OS X. Of course it’s possible. That doesn’t mean it’s easy, or necessarily likely at this time, but there is nothing magic about the OS X security model. See, for instance, "OS X Exploits and Defense".
  • Malware doesn’t matter if it’s user-launched. Some Mac users are fixated on the idea that all that Windows malware is self-launching: this is not, and never has been, the case. If social engineering by the bad guys was ineffective, the malware problem would be much, much less significant.

Still, this does represent a step nearer to the real world for Mac users (as does Apple’s inclusion of this rudimentary malware-specific enhancement to the File Quarantine utility). Even a year or two ago, the inevitable responses on Mac lists to any mention of Mac malware were along the lines of:

  • Mac viruses can’t happen and Trojans don’t matter
  • Mac users are too smart to fall for social engineering
  • If they do, it’s their own fault.
  • Go away and stop bothering me with this stuff.
  • Not listening. La-la-la-la-la….

Wider recognition that a Mac system could be compromised is a Good Thing. However, initial comments on the Mac User site indicate that, as I feared, some users are already overestimating the likely effectiveness of this countermeasure.

Mac World’s coverage is more comprehensive and, I’d say, a little more realistic. It gives more information about the mechanism, and sounds a note of caution about the likelihood or otherwise that Apple will offer timely updates for future malware, pointing out also that the utility doesn’t offer any form of disinfection. Full marks for responsible coverage!

The sky isn’t falling: however, it’s good to see some recognition of the fact that MacLand is getting to be a more dangerous place.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Author David Harley, ESET

  • Adam

    “Currently, the only way to get malware onto Macs is to persuade the user to install it.”

    That’s probably true. If you know of Mac malware found in the wild that doesn’t work by tricking the user, then it should be easy to provide a few examples to rebut that argument. If you can’t, the argument still stands.

    Of course it doesn’t mean that “there is no way to install malware without the active participation of the computer user—period.” There must be some way to pull this off, you’d need an unpatched vulnerability to weaponize and exploit and then to hijack a few websites to distribute the goods. I can’t see why it would be impossible (except that you probably couldn’t find one at the moment). And that’s not what that guy implied, he said that currently the threat is limited to a few trojans. True enough, this has been the case for the last 2 years. (The DNS changer trojan was first found in fall 07.)

    Who said that “all the Windows malware is self-launching”? As a matter of fact, some Windows vulnerabilities are used in website drive-by-download attacks, that’s a big difference between Windows and OS X. User-launched malware matters but is less scary, it’s targeting the user. At least users can learn good security practices, learn to recognize social engineering, etc. The File Quarantine feature, which already existed in Leopard, has been enhanced and it could help, too.

    In all, I don’t see how MacLand is getting to be more dangerous, the number of known malware didn’t increase dramatically.

  • http://www.eset.com/threat-center/blog/ David Harley

    Interesting points. As it would be a pity if they got lost in an exchange of comments, I’ve answered them today in a separate blog at http://www.eset.com/threat-center/blog/2009/09/03/mac-malware-again.
