Mac Malware Guide : How do I protect myself?
Published June 17th, 2012 at 8:50 PM EST, modified April 25th, 2014 at 12:16 PM EST
Protecting yourself, whether you use AV software or not, is the most important aspect of avoiding malware. The biggest part of that is keeping up with updates, not only for your system but for all your software. Security vulnerabilities are being found and fixed by software companies all the time. These vulnerabilities often provide ways for hackers to take advantage of weak points in the system or in an app to install something on your machine. One would think that, once an update had been released to close these security holes, hackers would abandon any attempt to take advantage of them, but data has shown this not to be the case. Such updates actually provide hackers with a precise method to use to strike at machines that have not been updated. Since many people never install updates, hackers know they can continue to use those vulnerabilities long after they have been patched.
For example, the Flashback malware took advantage (initially) of vulnerabilities that had already been patched. Similarly, a Microsoft Office vulnerability that had been fixed by an update in late 2009 was taken advantage of by malware (Sabpab) that first appeared in early 2012. So install updates! If you don’t, you’re keeping vulnerabilities that the bad guys have been made aware of and may exploit.
Adware is a rapidly-growing menace on the Mac. Adware programs are multiplying like the proverbial rabbits. Worse, most of them aren’t detected in any way by any anti-virus software, including Apple’s built-in anti-malware protection. Even when one is detected by anti-virus software, allowing that software to remove the detected files often won’t fully remove the adware.
The best way to avoid adware is to pay close attention to what you’re downloading. Adware typically comes attached to (or in place of) junk software offered by bad sites, or sometimes a bad site (like Softonic or Download.com) will wrap legit software in an adware installer. Obviously, you need to avoid such untrustworthy downloads. (More on this in the section on avoiding trojans below.)
However, there is one thing that adware almost always does that will help you identify it: present a license agreement! License agreements are often displayed by installers, requiring the user to click an “Agree” button or something similar, and people typically just click whatever button they need to in order to make this go away and get on with the installation. Don’t do that! Get in the habit of at least skimming those license agreements, and if you’re being asked for permission to install something other than the software you intended to download, quit the installer and trash it.
Some common adware names to look out for are Genieo, InstallMac, GoPhoto.it, Spigot, Downlite, DynamicPricer, Savekeep (and strangely-spelled variations of that name) and Jollywallet. This is not a comprehensive list by any means, but if you see any of these, you know you’ve got trouble!
If you think you might be infected with some kind of adware, see my Adware Removal Guide for help getting rid of it.
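One way to check a Mac for the names listed above, as an added example that is not part of the original guide: the script normalizes file and folder names (lowercase, punctuation removed) and reports any that contain a listed name. The directories it searches are assumed standard macOS install and launch locations, not locations named by the guide.

```shell
#!/bin/sh
# Added example: flag items whose names contain one of the adware names
# listed in this guide. The search locations at the bottom are assumptions
# (standard macOS install and launch directories), not taken from the guide.

# Names from the guide, normalized to lowercase letters and digits only.
ADWARE_NAMES="genieo installmac gophotoit spigot downlite dynamicpricer savekeep jollywallet"

# normalize NAME: lowercase it and drop everything except a-z and 0-9, so
# "GoPhoto.it", "Save-Keep" and "save keep" all compare equal to the list.
# This catches case and punctuation variations only, not respellings.
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9'
}

# scan_adware_names DIR...: print "matched-name<TAB>path" for every entry
# directly inside each DIR (hidden entries included) whose name matches.
# Directories that do not exist are skipped silently.
scan_adware_names() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for path in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$path" ] || continue      # unmatched glob stays literal
            norm=$(normalize "$(basename "$path")")
            for name in $ADWARE_NAMES; do
                case "$norm" in
                    *"$name"*) printf '%s\t%s\n' "$name" "$path" ;;
                esac
            done
        done
    done
}

# Assumed locations where apps, launch items, plug-ins and Safari
# extensions are normally installed on OS X.
scan_adware_names \
    /Applications \
    "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons \
    "$HOME/Library/Application Support" \
    "$HOME/Library/Internet Plug-Ins" "/Library/Internet Plug-Ins" \
    "$HOME/Library/Safari/Extensions"
```

A hit is only a prompt to look closer, since a common word like "spigot" can appear in unrelated software, and an empty result does not mean the machine is clean.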
Be wary of Java
If you do need to use it, be sure you are using Safari 6.1 or later and only allow it to trust Java on sites that you absolutely must use Java on. Alternately, use another browser with a “click to plugin” feature that will block any internet plug-ins unless you explicitly allow them to run.
Other troublesome web technologies
Flash is another issue, as there are always Flash-based exploits going around. Most of the time, these exploits have only affected Windows machines, but they have also been used to infect Macs. For this reason – well, and also because I just hate Flash – I always recommend blocking Flash on a site-by-site basis. In Safari, the ClickToFlash extension can be used to block unwanted Flash content, loading it only when requested by the user. For Safari 5.1 or later, get Marc Hoyois’ ClickToFlash extension. For older versions of Safari, use the older ClickToFlash plug-in. Alternately, using Chrome could be greatly beneficial, as Chrome has similar “click to play” functionality built-in and wraps Flash in an additional sandbox, making it more secure.
Beyond the issues mentioned above, you should maintain a healthy skepticism to protect yourself against more mundane trojans. In particular, don’t open any application from an unknown source. Okay, I hear you, you’re not sure what the difference is between a known and unknown source. The following are examples of an unknown, and possibly untrustworthy, source:
- Anything from a web site claiming you have viruses (a web site cannot scan your machine for malware!)
- E-mail attachments from someone you don’t know
- E-mail attachments from someone you know, but who you also know has absolutely no judgement about what they would open
- E-mail attachments from someone you know that you were not expecting
- Anything sent to you via online means other than e-mail (messaging software, web forums, etc) from someone you don’t know
- Web sites visited by clicking a link in an e-mail from someone you don’t know
- Anything on most peer-to-peer file sharing networks (eg, torrents)
- Anything from a web site with no name (ie, something like http://123.456.78.90)
- Anything on a centralized download site, such as Softonic or Download.com
- Anything on a site promising an Adobe Flash Player update, video plug-in for viewing the site’s content, video streaming apps, useless utility apps (such as “cleaning” apps) and other such junkware
So, how does this compare to things that you can trust? Here are a few examples of trustworthy sources:
- E-mail (or other online messaging) attachments you were expecting or from someone whose judgement you trust.
- Downloads from a reputable web site
- A few peer-to-peer sharing apps that have protection in place to ensure the file you are downloading is the same as a master file from a trusted source
The trickiest part of the trusted list is figuring out if a web site is reputable. Remember that a web site’s domain name (ie, www.somesite.com) must be registered with a name, address and phone number, making it traceable to someone. A web site without a name, where the address is a string of four numbers, does not have a domain name to make it so easily traceable. Of course, there’s nothing to say that a domain name couldn’t be registered with false information, so if you aren’t sure about the site, try looking for the software in the App Store (found in the Applications folder in Mac OS X 10.6.6 or later) or asking on the Apple Support Communities site. You could also try searching on Google or Yahoo to see if you can find reliable references to the program by some other third party. It would also be a good idea to download a Web of Trust plug-in for your web browser to help identify shady web sites.
When it comes to peer-to-peer file sharing programs, some people use them as a fast way to download legitimate software. However, you ultimately don’t know who you’re downloading it from. Peer-to-peer networks are one of the biggest sources of illegal software, music and movies on the internet, and as such are also one of the biggest sources of malware. It’s easy to be anonymous on a peer-to-peer network, and anonymity is important when doing something illegal, like distributing malware. This is not just a theoretical concern, as Mac malware has been distributed in the past on peer-to-peer networks, masquerading as pirated copies of prominent Mac software. Just avoid these networks entirely!
I also recommend keeping the download folder used by your web browser empty. When you download something, don’t leave it in the download folder indefinitely. If you wish to keep the item, move it to some other location, and if you don’t, put it straight in the trash. This will help to prevent “sneak” downloads, where a script on a web page will download something onto your machine without your requesting it. It is much easier to notice such a rogue download in an empty download folder than in one that is crowded, and this reduces the chance that you might find it later and open it, wondering what it is.
Other security issues
Care should also be taken on open wireless networks (those that do not require passwords to access). You never know who else is on such a network with you. Such a person could send you an unsolicited file via instant messaging, copy a malicious app into an unsecured public folder if you have file sharing turned on, or attempt any number of other possible exploits. One particularly nasty technique that has become popular is to fool your machine into thinking there is a software update available, and when you allow it to download and install, it actually downloads malware. So never install software updates that your machine tells you about while on an open wireless network!
It’s also fairly easy for someone with inexpensive hardware and free software to sit there on the same network and watch every packet of data going to and from your machine. The guy at the next table in Panera could be reading your e-mail along with you! The (rather unlikely) possibility of a hacker using information you’re transmitting to get access to your machine and install malware while you’re eating your panini is only one of many dangers in such a situation. There are many other more likely possibilities. So, be cautious what you do in such environments.
There are many other security issues that you would be wise to be aware of. Even the issue of what you do on an open wireless network is only very peripherally related to malware; there are much bigger, and more likely, dangers that don’t involve malware at all. For more information on such topics, see Apple’s Mac OS X Security Configuration Guides.
Finally, it’s very important to maintain a frequently-updated set of backups, just in case you ever do fall victim to malware that erases your hard drive. (See my Mac Backup Guide for more information about backups.)