OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Mac Malware Guide : How do I protect myself?

Published June 17th, 2012 at 8:50 PM EDT , modified July 6th, 2015 at 5:25 PM EDT

Protecting yourself, whether you use AV software or not, is the most important aspect of avoiding malware.  The biggest part of that is keeping up with updates, not only for your system but for all your software.  Security vulnerabilities are being found and fixed by software companies all the time.  These vulnerabilities often provide ways for hackers to take advantage of weak points in the system or in an app to install something on your machine.  One would think that, once an update had been released to close these security holes, hackers would abandon any attempt to take advantage of them, but data has shown this not to be the case. Such updates actually provide hackers with a precise method to use to strike at machines that have not been updated.  Since many people never install updates, hackers know they can continue to use those vulnerabilities long after they have been patched.

For example, the Flashback malware took advantage (initially) of vulnerabilities that had already been patched. Similarly, a Microsoft Office vulnerability that had been fixed by an update in late 2009 was taken advantage of by malware (Sabpab) that first appeared in early 2012. So install updates! If you don’t, you’re keeping vulnerabilities that the bad guys have been made aware of and may exploit.

Adware

Adware is a rapidly-growing menace on the Mac. Adware programs are multiplying like the proverbial rabbits. Worse, most of them aren’t detected in any way by any anti-virus software, including Apple’s built-in anti-malware protection. Even when one is detected by anti-virus software, allowing that software to remove the detected files often won’t fully remove the adware.

The best way to avoid adware is to pay close attention to what you’re downloading. Adware typically comes attached to (or in place of) junk software offered by bad sites, or sometimes a bad site (like Softonic or Download.com) will wrap legit software in an adware installer. Obviously, you need to avoid such untrustworthy downloads. (More on this in the section on avoiding trojans below.)

However, there is one thing that adware almost always does that will help you identify it: present a license agreement! License agreements are often displayed by installers, requiring the user to click an “Agree” button or something similar, and people typically just click whatever button they need to to make this go away and get on with the installation. Don’t do that! Get in the habit of at least skimming those license agreements, and if you’re being asked for permission to install something other than the software you intended to download, quit the installer and trash it.

If you think you might be infected with some kind of adware, see my Adware Removal Guide for help getting rid of it.

Be wary of Java

Java (not JavaScript, which is different) has been a huge source of potential problems in the past. Fortunately, no new Java vulnerabilities have been discovered for a while, and there have been some changes to make Java in the web browser more secure, but I would not assume the danger is over. New vulnerabilities could appear at any time. If you don’t need to have Java installed on your computer, I advise avoiding it entirely. Don’t install it at all on systems that don’t include it by default (Mac OS X 10.7 or later).

If you do need to use it, be sure you are using Safari 6.1 or later and only allow it to trust Java on sites that you absolutely must use Java on. Alternately, use another browser with a “click to plugin” feature that will block any internet plug-ins unless you explicitly allow them to run.

Other troublesome web technologies

Flash is another issue, as there are always Flash-based exploits going around. Most of the time, these exploits have only affected Windows machines, but they have also been used to infect Macs. For this reason – well, and also because I just hate Flash – I recommend not having Flash installed at all. That has become a lot easier lately, as most sites have replaced Flash content with HTML5 content.

If you must have Flash, use the ClickToFlash extension in Safari, which blocks unwanted Flash content, loading it only when explicitly requested by the user. For Safari 5.1 or later, get Marc Hoyois’ ClickToFlash extension. For older versions of Safari, use the older ClickToFlash plug-in. Alternately, using Chrome could be greatly beneficial, as Chrome has similar “click to play” functionality built-in and wraps Flash in an additional sandbox, making it more secure.

Even better, don’t install Flash on your system, and use Safari or Firefox for your day-to-day browsing, but reserve Chrome for the specific task of viewing Flash content. Only use Chrome when it becomes absolutely necessary to view Flash content. This works because Chrome includes its own copy of Flash that does not need to be installed in the system.

JavaScript is not related to Java, and can’t really be used at the same level for installing malware. However, that doesn’t mean it’s not troublesome in the wrong hands. The worst thing that JavaScript can do is download something malicious onto your computer, but it can’t open or install that malicious app. It has to find a way to trick you into doing it.

JavaScript is also used for the recent plague of fake tech support scams, in which a pop-up appears in your browser informing you that you have been infected with a virus and need to call a provided phone number for help. These scams often try to use JavaScript to prevent you from navigating away from the scam page, by repeatedly spamming you with alerts. Do not fall for such scams! For more information, including how to remove the alert, see Tech support scam pop-ups.

Turning off JavaScript will cripple many sites and really won’t give you that much gain in security. If you really want to disable JavaScript, a good choice would be to use JavaScript Blocker in Safari or NoScript in Firefox to selectively allow or block JavaScripts on each site. Using such software gives greater control over JavaScript, but can be a bit of a pain in the neck. I don’t personally use anything like this myself, it’s just too annoying.

Avoiding trojans

Beyond the issues mentioned above, you should maintain a healthy skepticism to protect yourself against more mundane trojans. In particular, don’t open any application from an unknown source. Okay, I hear you, you’re not sure what the difference is between a known and unknown source. The following are examples of an unknown, and possibly untrustworthy, source:

  • Anything from a web site claiming you have viruses (a web site cannot scan your machine for malware!)
  • E-mail attachments or links from someone you don’t know
  • E-mail attachments or links from someone you know, but who you also know has absolutely no judgement about what they would open
  • E-mail attachments or links from someone you know that you were not expecting
  • Anything sent to you via online means other than e-mail (messaging software, web forums, etc) from someone you don’t know
  • Anything on most peer-to-peer file sharing networks (eg, torrents)
  • Anything from a web site with no name (ie, something like http://123.456.78.90)
  • Anything on a centralized download site, such as Softonic or Download.com
  • Anything on a site promising an Adobe Flash Player update, video plug-in for viewing the site’s content, video streaming apps, useless utility apps (such as “cleaning” apps) and other such junkware
  • Anything on a site offering things like “free” commercial movies, TV shows, music and the like

So, how does this compare to things that you can trust? Here are a few examples of trustworthy sources:

  • E-mail (or other online messaging) attachments you were expecting or from someone whose judgement you trust.
  • Downloads from a reputable web site
  • A few peer-to-peer sharing apps that have protection in place to ensure the file you are downloading is the same as a master file from a trusted source

The trickiest part of the trusted list is figuring out if a web site is reputable. Remember that a web site’s domain name (ie, www.somesite.com) must be registered with a name, address and phone number, making it traceable to someone. A web site without a name, where the address is a string of four numbers, does not have a domain name to make it so easily traceable. Of course, there’s nothing to say that a domain name couldn’t be registered with false information, so if you aren’t sure about the site, try looking for the software in the App Store (found in the Applications folder in Mac OS X 10.6.6 or later) or asking on the Apple Support Communities site. You could also try searching on Google or Yahoo to see if you can find reliable references to the program by some other third party. (Be cautious of fake “review” sites that try to appear unbiased but actually guide you to a specific app.) It would also be a good idea to download a Web of Trust extension for your web browser to help identify shady web sites, though it’s important to keep in mind that, like any such crowd-sourced data, it’s potentially subject to manipulation or ignorance-based biases.

When it comes to peer-to-peer file sharing programs, some people use them as a fast way to download legitimate software. However, you ultimately don’t know who you’re downloading it from. Further, peer-to-peer networks are one of the biggest sources of illegal software, music and movies on the internet, and as such are also one of the biggest sources of malware. It’s easy to be anonymous on a peer-to-peer network, and anonymity is important when doing something illegal, like distributing malware.  This is not just a theoretical concern, as Mac malware has been distributed in the past on peer-to-peer networks, masquerading as pirated copies of prominent Mac software.  Just avoid these networks entirely! I mean, honestly, in this day and age, why do you need even the legit torrents anyway?

I also recommend keeping the download folder used by your web browser empty. When you download something, don’t leave it in the download folder indefinitely. If you wish to keep the item, move it to some other location, and if you don’t, put it straight in the trash when you’re done with it. This will help to prevent “sneak” downloads, where a script on a web page will download something onto your machine without your requesting it. It is much easier to notice such a rogue download in an empty download folder than in one that is crowded, and this reduces the chance that you might find it later and open it, wondering what it is.

Other security issues

Care should also be taken on open wireless networks (those that do not require passwords to access). You never know who else is on such a network with you. Such a person could send you an unsolicited file via instant messaging, copy a malicious app into an unsecured public folder if you have file sharing turned on, and any number of other possible exploits. One particularly nasty technique that has become popular is to fool your machine into thinking there is a software update available, and when you allow it to download and install, it actually downloads malware.  So never install software updates that your machine tells you about while on an open wireless network!

It’s also fairly easy for someone with inexpensive hardware and free software to sit there on the same network and watch every packet of data going to and from your machine. The guy at the next table in Panera could be reading your e-mail along with you! The (rather unlikely) possibility of a hacker using information you’re transmitting to get access to your machine and install malware while you’re eating your panini is only one of many dangers in such a situation. There are many other more likely possibilities. So, be cautious what you do in such environments. For more information on keeping your machine safe on open wifi, see Staying safe on public wifi.

Finally, it’s very important to maintain a frequently-updated set of backups, just in case you ever do fall victim of malware. Use Time Machine to backup frequently onto at least one external hard drive, preferably a Time Capsule or a hard drive attached to a recent AirPort base station so you don’t even have to think about connecting it. Then use something else, such as Carbon Copy Cloner or SuperDuper, to create a “clone” backup onto a different external hard drive, or preferably multiple drives used in a rotation that puts at least one off-site at all times. This way, if you ever get infected with something that can’t be easily removed, you’ll have a wide variety of choices as to how to revert to a previous state, backed up prior to the infection.

<- Do I need anti-virus software? Am I infected? ->