Thursday, June 2, 2011

Mac Viruses and Other Stupid Hoaxes

I'm writing this to clear up a bit of confusion and panic over the Mac 'virus' scene. The latest trojan (not a virus) is loosely referred to as 'MacDefender', and masquerades as a Mac anti-virus app. This is not the end of the world. It's not even the beginning of the end.

But first, a little background info...

A virus is a piece of software that spreads by making a copy of itself once it reaches a new computer. Usually it has some ulterior motive. Some viruses send out spam. Some viruses delete your files. Some do nothing at all. The distinction here is that a virus has to make copies of itself (self-replication) in order to spread.

Your computer gets 'infected', usually without you knowing it and usually without any human intervention, by having a virus land on your machine. And yes, there were Mac viruses, long ago.

A trojan is a piece of software that spreads by acting like it's harmless, then doing something bad once it's installed and running on your computer. Trojans usually require human intervention. The bad thing is typically something like looking for credit card info and sending it to the trojan's author, or installing adware on your computer. Trojans don't usually self-replicate. They are usually one-trick ponies.

MacDefender requires that the user downloads and installs the MacDefender program, even walking through the installation process. In some variations, the download starts immediately when you visit a particular page. But the trick here is that, at some point, you'll always be faced with this window.

And when you are, just go to the File menu and *quit* the installer.

How Apple Can Stop This Madness Immediately 
(and how you can, too)

There's a setting in Safari that automatically opens files the browser thinks are 'safe'. That apparently includes some types of installers. If you use Safari, open the Preferences window and turn this off.

Problem solved in one step. 
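As an added example (not from the original post), here is a small script that checks the same Safari setting from the command line and turns it off if needed. It wraps the macOS `defaults` command and assumes the setting lives under the `com.apple.Safari` domain as the key `AutoOpenSafeDownloads`, which is the preference behind the "Open 'safe' files after downloading" checkbox. The one caveat worth handling: when the key has never been written, `defaults read` fails, and Safari falls back to its built-in default, which is enabled. So a missing key must be treated as "on", not "off".

```python
"""Check (and optionally fix) Safari's "Open 'safe' files after downloading" setting.

Added example; it shells out to the macOS `defaults` tool rather than editing
the plist by hand. Assumed preference location: com.apple.Safari / AutoOpenSafeDownloads.
"""
import subprocess
import sys

DOMAIN = "com.apple.Safari"          # assumed preference domain
KEY = "AutoOpenSafeDownloads"        # assumed key behind the Preferences checkbox


def interpret(returncode: int, stdout: str) -> bool:
    """Translate `defaults read` output into True (auto-open on) or False (off).

    A non-zero return code means the key was never written; Safari then uses its
    built-in default, which is ON, so the only safe interpretation is True.
    """
    if returncode != 0:
        return True
    value = stdout.strip().lower()
    return value not in ("0", "false", "no")


def auto_open_enabled() -> bool:
    """Read the live setting on this machine (macOS only)."""
    proc = subprocess.run(["defaults", "read", DOMAIN, KEY],
                          capture_output=True, text=True)
    return interpret(proc.returncode, proc.stdout)


def disable_auto_open() -> None:
    """Write the setting off; Safari picks it up after a restart."""
    subprocess.run(["defaults", "write", DOMAIN, KEY, "-bool", "false"], check=True)


if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("this check only makes sense on macOS")
    if auto_open_enabled():
        print(f"{DOMAIN} {KEY} is enabled (or unset): turning it off")
        disable_auto_open()
    else:
        print(f"{DOMAIN} {KEY} is already off")
```

Run it as a normal user, not with sudo, because the preference is per user. Quit and relaunch Safari afterwards, and confirm the checkbox in the Preferences window actually shows as unchecked; on newer macOS versions Safari keeps its preferences inside a sandbox container, so the Preferences window is the final word on what Safari is using.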

This isn't the first time Mac users have been faced with crap like this. There was the QuickTime Autoplay virus back in the olden days, which was similarly stupid. When Apple finally turned off that feature, the last of the true 'Mac viruses' died off.

Why aren't there more Mac viruses? No one actually knows. The OS has security holes, but Apple patches them fairly quickly. And security 'experts' are quick to jump on every single security hole and announce to the world that the sky is falling. That's just how security experts behave, though. So far, the sky's still up there. So they were all wrong.

Maybe it's the small market share! No, there were Mac viruses in the olden days, when there were far fewer Macs in the market and they had a much smaller market share. Many virus authors write them for fame. Imagine the fame associated with being the first author of a real Mac virus! Well, it's been about a decade now since OS X started shipping with every new Mac. You'd think they'd have figured it out in 10 years, if it was possible.

To be honest, I've never heard a good explanation for why there aren't more Mac viruses.

So what did Apple do? They posted this tidbit, about how to remove MacDefender if you have it.

Then, in a software update, they added a component to the operating system that lets the user's machine get daily updates of malware 'signatures' without requiring a full system update. As a result, if your software is up to date, you'll see this instead if you download MacDefender or any of its variants...

Apple has responded to this particular one in a bizarre fashion. Rather than just seal off the vector (by turning that auto-open feature off by default in the software update), they added this, so they can selectively choose which files are 'safe' and which ones aren't. And Apple can update the list as often as they want, so your Mac is constantly up to date.

This presents an interesting challenge to the hacker community. Apple can afford to pay a guy to change a few names in a file every day. Can the guy(s?) who wrote MacDefender afford to change their app often enough to no longer be caught by Apple's detector, all the while finding new domains on the web to post the updated MacDefender trojan to?
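To make the cat-and-mouse game concrete, here is an added toy example (not Apple's code and not the detector the post describes) of the kind of signature list the post is talking about: a handful of filename patterns and file hashes, matched against a batch of downloads. All signatures, file names, and file contents are constructed for the example. It shows the trade-off directly: a renamed copy still trips the hash, a rebuilt copy still trips the name, and a copy that is both renamed and rebuilt walks past the list until someone adds a line for it the next day.

```python
"""Toy signature-based download scanner (constructed example, not Apple's code).

Each signature pairs a filename glob with the SHA-256 of a known-bad file.
A download is flagged if either part matches; nothing else is looked at,
which is exactly why the list has to be refreshed every day.
"""
import fnmatch
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    label: str       # human-readable name of the signature entry
    name_glob: str   # filename pattern, matched case-insensitively
    sha256: str      # hex digest of one known-bad file


@dataclass(frozen=True)
class Download:
    filename: str
    data: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_signature(download: Download, signatures: list) -> list:
    """Return (label, reason) pairs for every signature part that fires."""
    hits = []
    digest = sha256_hex(download.data)
    for sig in signatures:
        if fnmatch.fnmatch(download.filename.lower(), sig.name_glob.lower()):
            hits.append((sig.label, "filename"))
        if digest == sig.sha256:
            hits.append((sig.label, "sha256"))
    return hits


def scan(downloads: list, signatures: list) -> list:
    """Scan a batch; returns [(filename, hits)] in input order (empty hits = let through)."""
    return [(d.filename, match_signature(d, signatures)) for d in downloads]


def escaped(results: list) -> list:
    """Filenames the scanner did not flag at all."""
    return [name for name, hits in results if not hits]


# --- constructed sample data (stand-ins, not real malware bytes) ---------------
VARIANT_A = b"constructed bytes standing in for the original installer"
VARIANT_B = b"constructed bytes standing in for a rebuilt installer"
CLEAN = b"constructed bytes of a harmless archive"

# Day 1: the list knows the original name and the original file hash.
SIGNATURES_DAY_1 = [
    Signature("MacDefender.A", "MacDefender*.app", sha256_hex(VARIANT_A)),
]

DOWNLOADS = [
    Download("MacDefender.app", VARIANT_A),   # original: name and hash both fire
    Download("Mac-Shield.app", VARIANT_A),    # renamed only: hash still fires
    Download("MacDefender.app", VARIANT_B),   # rebuilt, same name: name still fires
    Download("Mac-Shield.app", VARIANT_B),    # renamed and rebuilt: escapes day 1
    Download("Photos.zip", CLEAN),            # harmless
]

# Day 2: someone at the vendor adds one line for the new name and new hash.
SIGNATURES_DAY_2 = SIGNATURES_DAY_1 + [
    Signature("MacDefender.B", "Mac-Shield*.app", sha256_hex(VARIANT_B)),
]

if __name__ == "__main__":
    for day, sigs in (("day 1", SIGNATURES_DAY_1), ("day 2", SIGNATURES_DAY_2)):
        results = scan(DOWNLOADS, sigs)
        print(f"{day}: escaped = {escaped(results)}")
```

The point the post makes falls out of the last two lines of output: on day 1 the renamed-and-rebuilt copy is indistinguishable from the harmless archive, and on day 2 it is caught only because the list grew. A defender watching this in practice cares about the gap between those two days, which is why the post's "seal off the vector" option (don't auto-open downloads at all) removes a whole class of problem that no list can keep up with.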

Time will tell, I suppose. If Apple gets frustrated, they can always slam the door shut. But that's what I expected them to do. They don't have to play the cat and mouse game. So why do this? It almost seems like the cat is toying with this mouse.
