Mac User has reported in a little more detail than I've seen elsewhere so far on the Trojan detection in Snow Leopard, quoting freelance OS X and iPhone developer Matt Gemmell. In fact, the meat of the story is Gemmell's tweets, which state that: the system checks for only two known Trojans, RSPlug and iServices, and that only certain files are checked.
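Since the report gives only the outline of the mechanism, here is an added, constructed model of what "two known Trojans, only certain files" implies in practice. This is illustrative code written for this post, not Apple's implementation and not code from Mac User or Gemmell; the sample bytes, fingerprints and labels are made up. On a real Mac the "certain files" are those carrying the com.apple.quarantine extended attribute that browsers and mail clients set on downloads; the model reduces that to a boolean.

```python
import hashlib

# Constructed model of a quarantine-gated, signature-only check of the
# kind the tweets describe: a fixed list of known samples, consulted only
# for files that carry a quarantine marker. Not Apple's code; the sample
# bytes below are made up for this example.


def fingerprint(data: bytes) -> str:
    """Signature used by this model: a SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the two families the check knows about.
RSPLUG_SAMPLE = b"#!/bin/sh\n# constructed stand-in for an RSPlug-style installer\n"
ISERVICES_SAMPLE = b"#!/bin/sh\n# constructed stand-in for an iServices-style installer\n"

SIGNATURES = {
    fingerprint(RSPLUG_SAMPLE): "RSPlug",
    fingerprint(ISERVICES_SAMPLE): "iServices",
}


def check_download(data: bytes, quarantined: bool) -> str:
    """Return the model's verdict for one file.

    'not checked' : no quarantine marker, so the list is never consulted
    'clean'       : checked, but no signature matched
    otherwise     : the name of the matched family
    """
    if not quarantined:
        return "not checked"
    return SIGNATURES.get(fingerprint(data), "clean")


def run_cases() -> dict:
    """Constructed scenarios showing where a two-entry, quarantine-gated list helps and where it does not."""
    cases = [
        # (label, file contents, carries quarantine marker?)
        ("rsplug-via-browser", RSPLUG_SAMPLE, True),          # the one case it catches
        ("rsplug-via-usb-stick", RSPLUG_SAMPLE, False),       # same bytes, never looked at
        ("rsplug-one-byte-variant", RSPLUG_SAMPLE + b"\n", True),  # trivial repack, signature misses
        ("unknown-dropper", b"#!/bin/sh\n# something new\n", True),  # not on the list at all
    ]
    return {label: check_download(data, q) for label, data, q in cases}


if __name__ == "__main__":
    for label, verdict in run_cases().items():
        print(f"{label:26} {verdict}")
```

The model flags only the first case. The same bytes arriving without the quarantine marker (a copy from removable media typically has none) are never examined, and a one-byte change to the sample defeats a whole-file fingerprint, which is why the size and update cadence of the list matter more than its existence.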

Mac User has been quick to remark that "...the only way to get malware onto Macs is to persuade the user to install it..." That's misleading, guys. What you mean is that you only know of malware that works by tricking the user into installing by social engineering. That's approximately true, at least of contemporary Macs, but it doesn't mean that there is no way to install malware without the active participation of the computer user. It simply means that "self-launching" exploits aren't being seen in the wild right now. Let's not perpetuate the urban myths that:

  • It isn't possible to write a "drive-by download" or other self-launching exploit for OS X. Of course it's possible. That doesn't mean it's easy, or necessarily likely at this time, but there is nothing magic about the OS X security model. See, for instance, "OS X Exploits and Defense".
  • Malware doesn't matter if it's user-launched. Some Mac users are fixated on the idea that all that Windows malware is self-launching: this is not, and never has been, the case. If social engineering by the bad guys were ineffective, the malware problem would be much, much less significant.

Still, this does represent a step nearer to the real world for Mac users (as does Apple's inclusion of this rudimentary malware-specific enhancement to the File Quarantine utility). Even a year or two ago, the inevitable responses on Mac lists to any mention of Mac malware were along the lines of:

  • Mac viruses can't happen and Trojans don't matter
  • Mac users are too smart to fall for social engineering
  • If they do, it's their own fault.
  • Go away and stop bothering me with this stuff.
  • Not listening. La-la-la-la-la....

Wider recognition that a Mac system could be compromised is a Good Thing. However, initial comments on the Mac User site indicate that, as I feared, some users are already overestimating the likely effectiveness of this countermeasure.

Mac World's coverage is more comprehensive and, I'd say, a little more realistic. It gives more information about the mechanism, and sounds a note of caution about the likelihood or otherwise that Apple will offer timely updates for future malware, pointing out also that the utility doesn't offer any form of disinfection. Full marks for responsible coverage!

The sky isn't falling: however, it's good to see some recognition of the fact that MacLand is getting to be a more dangerous place.

David Harley
Director of Malware Intelligence