Macs & Malware

These are interesting times for Mac users. And I’m not just referring to Apple’s remorseless expansion into gadgets and gizmos, or even the very occasional Proof of Concept malware intended to prove that OS X is exploitable, but to the fact that the security industry, the media and the bandits are all paying the platform much more attention. Last year, the arrival of a Mac version of the DNSchanger Trojan caused a great deal of excitement, and this year we’ve seen reports of a Mac version of a well-known rogue anti-spyware program, Linux backdoors ported to OS X, and a (not in itself malicious) bot compiled for Linux, FreeBSD and Darwin. Last week the forums at were flooded with links to sites harbouring the DNSchanger (RSPlug) Trojan. (By the way, that’s nothing to do with the older domain which I (occasionally) maintain in my copious free time.)

All very novel and interesting, but is it significant? Well, certain vendors whose product ranges include a Mac product evidently think so, since they’re laying increasing stress on potential Mac vulnerabilities and issues. Furthermore, they’re in the process of being joined by other vendors who’ve never had a Mac product up to now.

How big a market is there? Bigger than you might think.

General Mac users may, if you follow the comments on The Register and many Mac sites, seem to fall into two groups: those who insist that there is no Mac malware, there never was any Mac malware, and there never could be any Mac malware; and those who believe them. (The Register, by the way, seem to fall somewhere in between: while they’ve run quite a few Mac-related malware stories, they seem to be under the curious impression that there’s been no Mac malware since 1992, but I’ll pursue that oddity another time.)

Probably not much of a market there, at any rate until some form of malware really spreads far and fast across the Mac community as macro viruses and AutoStart did in the 1990s. Corporates with mixed platforms, however, may be in a better position to have noticed that there’s a difference between the interesting but low-impact Proof of Concept viruses of the past few years and today’s Mac malware, which reflects, in its own small way, the dramatic changes in the Windows threat landscape this century. The Mac fanboiz do have at least one thing right: Mac viruses aren’t a big deal. Arguably, nor are PC viruses, nowadays. Self-replication used to be an end in itself for much malware, but it turns out not to be all that useful in terms of making money, and it’s Return On Investment (ROI) that drives most malware development nowadays, not bragging rights (“Look at me! I wrote a Mac virus!”).

The Mac malware I’m alluding to above is crimeware, the means to a (criminal) end, not an end in itself. So the real significance of the fact that there’s more of it doesn’t lie in the (rather low) number of people it’s affecting at present, but in the fact that the blackhats think there are enough potential Mac-using victims to be worth their present development costs. They could be right: the biggest potential threat to the Mac-owning community isn’t any intrinsic vulnerability in the platform: it’s their susceptibility to social engineering attacks. I believe that susceptibility is raised by a complacent “can’t happen here” mindset. It appears that (at least) one Mac user had an unproductive discussion with Apple support analysts who wouldn’t believe that he could be having a problem with OSX/DNSchanger because they weren’t aware of any malware that targets OS X. That doesn’t surprise me, because Apple’s own web site is not immune to marketing masquerading as security advice. But it’s disconcerting that a site associated with a Mac security product seems so unaware of the Mac threatscape that, as of this afternoon, it still hasn’t noticed that its forum is flooded with links to sites known to have been serving malicious software.

David Harley
Research Author

  • Johnson

    When can you support Mac OS X?

  • The good old Mac virus debate.

    Personally, I feel it all comes back to the simple economics concept of supply and demand. At least 90% of the internet uses Windows, maybe four percent use Macs. It’s pretty obvious which platform most malware developers are going to cater to.

    I have to agree with you: in the near future Mac users will start to see a rise in “crimeware”. The credulous philosophy of “it won’t happen to me” is a perfect setting for social engineering attacks. The OS might be more secure than Windows, but that still doesn’t change the fact that the weakest link is the end user.

    It’s surprising that malware developers aren’t already targeting Macs more often. Considering that Apple has become the new AOL for upper-class computer users, you’d think they would be a likely target for social engineering based installs with an identity theft intent.

    The AOL analogy might be a little harsh.

  • Randy Abrams

    Currently we do not have plans for Mac support. That may change, but there is no way I could say when.

    Randy Abrams
    Director of Technical Education

  • David Harley

    I don’t really think it’s a virus debate at all any more. The bad boy fascination with replication for its own sake seems very much in decline. Crimeware, though… In fact, part of my intention was to try to move the discussion on from viruses, not least because Mac fans sometimes dismiss malware as not important if it isn’t viral. That’s certainly a lot less true now…

    Some have suggested that Mac market share needs to go up a few percentage points before Mac users become an attractive target. I think there’s enough testing of the water crimeware-wise to be considered significant, though. Marketshare is important, but I don’t think it’s the only factor, by any means. What we have seen over the years is displacement of activity as profitability declines due to over-exploitation. Obviously, this doesn’t just happen in computer security… If there are too many crooks spoiling the Windows broth, maybe the Mac equivalent is starting to look more nutritious these days. :)

    David Harley
    Research Author

  • This is something a lot of Mac users miss. You might need admin rights to drop a traditional virus onto a Mac (*), but you don’t need those rights to run a program at all.

    I might need root to take a Mac over, were I that way inclined, but I definitely don’t need root to break your heart (rm -rf ~ anyone?) or to steal your bank login details if you keep them in a ‘sticky note’ in your home folder somewhere.

    (*) And it’s been my experience that Mac users are starting to get “next button” fatigue from installer programs now, and that makes even doing this easier.

  • Hi, Rob. Long time no speak…

    That’s certainly a thought. I notice, by the way, that the forum is currently down. Presumably they’re attempting some remedial action.

    David Harley

Copyright © 2017 ESET, All Rights Reserved.