New Mac malware abounds
Published April 25th, 2012 at 12:27 PM EDT , modified April 25th, 2012 at 12:29 PM EDT
Several new malware programs have appeared for the Mac in the last week or so, bringing the grand total of new Mac malware in the first four months of 2012 to 5, compared to 6 for all of 2011.* This increase in Mac malware is a concerning trend, and is making for lots of juicy news stories in the media. But how much do Mac users really need to worry about this? That’s a hard question to answer, since every individual will have a different threshold for worry, but let’s start with some facts.
Last week, a minor new variant of the Sabpab malware was reported by Sophos. This variant has apparently been observed exploiting the same Microsoft Office vulnerability as the Tibet malware. And this week, all within a 24-hour period, came announcements of three other developments. A minor new variant of Flashback was reported by Intego, using the same Java vulnerabilities, showing that the Flashback hacker(s) are still actively working to infect people. A new trojan, named FkCodec, was discovered in Sophos’ threat database, but with no other announcement, details are extremely sparse. (There have been several reports on the Apple Support Communities from people who have found this malware on their systems, but none about how it got there or what it does beyond the single-sentence description on the Sophos site.) And another new piece of malware called Maljava was seen by Symantec, infecting both Mac and Windows users through one of the same Java vulnerabilities that Flashback has been using.
This flood of reports in a single week, following the high infection rates reported for earlier variants of Flashback, seems concerning. And Mac users should be concerned! But it’s very important to understand that there are some very simple things Mac users can do to protect themselves. First and foremost is ensuring that all software is up-to-date. Much of the new malware appearing lately has been taking advantage of Java or Microsoft Office vulnerabilities that have already been patched. Yet many users never update their systems or other software. Sophos reported on this phenomenon back in February, pointing out that the number of exploits targeting a particular Microsoft Windows vulnerability had been rising since the patch was released, not falling. It is important to understand that a patch that closes a vulnerability does not discourage hackers from attacking it. Instead, it points out exactly where the weak point is: attackers routinely compare the patched code with the unpatched version to locate the flaw, then build an exploit for the machines that have not updated. And since hackers know that many people don’t update software, every patch is essentially an invitation for them to write malware against the machines that skipped it. Once a patch has been released, it is important to update as quickly as possible!
Another thing Mac users need to do is be cautious online. This means not only being careful about what you download, but also being careful about which technologies you enable in your web browser. In particular, Java and Flash have been notorious for having more holes than a sieve. Flashback or no Flashback, both should be disabled in all web browsers as a simple precaution. Java applets are found on only a few web sites, so disabling Java outright is the best choice for most people. Flash, unfortunately, is still fairly common, and cannot be disabled as easily. However, Marc Hoyois’ ClickToFlash Safari extension can help by disabling Flash by default and letting you load specific Flash applets found on a web page one at a time. (His ClickToPlugin extension blocks more than just Flash, including some Java applets. However, it’s important to understand that it cannot block all Java applets, and thus cannot be used as a comprehensive defense with regard to Java.)
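The two previous paragraphs boil down to two checks you can run on your own Mac: is the installed Java older than the patched build, and are the Java and Flash plug-ins still present and enabled in the browser? The script below is an added example and is not code from the original post. It assumes that `java -version` prints its banner in the usual `java version "1.6.0_29"` form, that Safari keeps its "Enable Java" checkbox under the `WebKitJavaEnabled` key of the `com.apple.Safari` preference domain, that system-wide plug-ins live in `/Library/Internet Plug-Ins` as `JavaAppletPlugin.plugin` and `Flash Player.plugin`, and that the minimum patched Java update is the placeholder `MIN_JAVA_VERSION`, which the post does not name and which you should set from Apple's own release notes.

```python
"""Audit a Mac for the two exposures discussed above: an unpatched Java
runtime, and the Java/Flash browser plug-ins still present and enabled.
Added example, not code from the original post; the preference key,
plug-in paths and the minimum Java update are assumptions to confirm."""
import os
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Assumption: Java update level below which the runtime counts as unpatched.
# The post names no build number; take this from the vendor's security note.
MIN_JAVA_VERSION = (1, 6, 0, 31)

# `java -version` prints e.g.  java version "1.6.0_29"  on its first line.
JAVA_BANNER_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

# Assumption: Safari's "Enable Java" preference and the OS X plug-in folder.
SAFARI_DOMAIN = "com.apple.Safari"
SAFARI_JAVA_KEY = "WebKitJavaEnabled"
PLUGIN_DIR = "/Library/Internet Plug-Ins"
RISKY_PLUGINS = {"JavaAppletPlugin.plugin": "Java", "Flash Player.plugin": "Flash"}


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) from a `java -version` banner,
    or None when no banner is present (Java not installed)."""
    m = JAVA_BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def java_is_patched(banner: str, minimum=MIN_JAVA_VERSION) -> bool:
    """Compare as integer tuples: a plain string comparison would rank
    "1.6.0_9" above "1.6.0_31" and call an old runtime patched."""
    version = parse_java_version(banner)
    return version is not None and version >= minimum


def installed_java_banner() -> str:
    """Run `java -version`; it writes the banner to stderr, not stdout."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


def classify_plugins(names: List[str]) -> Dict[str, str]:
    """Map the plug-ins the post singles out to the bundle names found."""
    return {RISKY_PLUGINS[n]: n for n in names if n in RISKY_PLUGINS}


def installed_risky_plugins(plugin_dir: str = PLUGIN_DIR) -> Dict[str, str]:
    """List Java/Flash plug-ins present in the system plug-in folder."""
    try:
        return classify_plugins(os.listdir(plugin_dir))
    except FileNotFoundError:
        return {}


def safari_java_enabled() -> bool:
    """Read Safari's Java switch with `defaults`.  A missing key means the
    default applies, which (assumption) was Java enabled at the time."""
    try:
        proc = subprocess.run(["defaults", "read", SAFARI_DOMAIN, SAFARI_JAVA_KEY],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return True
    return proc.returncode != 0 or proc.stdout.strip() != "0"


def audit() -> List[str]:
    """Collect human-readable findings; an empty list means nothing flagged."""
    findings = []
    version = parse_java_version(installed_java_banner())
    if version is not None and version < MIN_JAVA_VERSION:
        findings.append("Java %d.%d.%d_%d is older than the assumed patched build"
                        % version)
    plugins = installed_risky_plugins()
    if "Java" in plugins and safari_java_enabled():
        findings.append("Java plug-in is installed and Safari has Java enabled")
    if "Flash" in plugins:
        findings.append("Flash plug-in is installed; consider ClickToFlash")
    return findings


if __name__ == "__main__":
    for line in audit() or ["nothing flagged"]:
        print(line)
```

The version comparison is the part worth copying: Java's `1.6.0_31` style, with the update number after an underscore, breaks any tool that compares version strings as text, which is one way an "up to date" check can quietly pass on an old runtime.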
Some users may not be savvy enough to determine what is and is not safe online, or may simply want some additional peace of mind. In such cases, anti-virus software can be beneficial. However, it’s important to understand that there’s a lot of bad anti-virus software out there. Just to name a few: iAntivirus does not protect against any recent malware, MacScan cannot reliably identify malware and has a tendency to produce false positives, and BitDefender does not identify several items from my malware collection. Be sure you’re getting something good that won’t bring your system to a grinding halt with constant background scanning. Sophos Anti-Virus for Mac Home Edition has been excellent in my testing, and catches every item in my collection. ClamXav is also good, though it does miss one older variant of Flashback (which, to be fair, hasn’t been sighted in the wild to my knowledge since last year).
Whatever Windows-centric news sources and friends would have you believe, it is not time for Mac users to panic and run for cover. These threats are, for the most part, fairly minimal, and all can be easily avoided. To all those I have seen express the unprofessional sentiment of happiness at Mac users finally “getting their comeuppance” by being affected by malware, let me just point out that the total number of malware threats to the Mac platform in this century is still several orders of magnitude smaller than the number of new Windows malware programs reportedly appearing per day!
For more information about this topic, see my Mac Malware Guide.
* Those malware counts lump all variants of a particular series together – for example, MacDefender, MacSecurity, MacProtector, etc. are all counted as one – with the exception of Flashback, for which I am counting the 2011 Flashback trojan and the 2012 Flashback malware that installs as a drive-by download separately.