
New Mac malware abounds

Published April 25th, 2012 at 12:27 PM EDT , modified April 25th, 2012 at 12:29 PM EDT

Several new malware programs have appeared for the Mac in the last week or so, bringing the grand total of new Mac malware in the first four months of 2012 to 5, compared to 6 for all of 2011.*  This increase in Mac malware is a concerning trend, and is making for lots of juicy news stories in the media.  But how much do Mac users really need to worry about this?  That’s a hard question to answer, since every individual will have a different threshold for worry, but let’s start with some facts.

Last week, a minor new variation of the Sabpab malware was reported by Sophos.  This new variant apparently has been observed taking advantage of the same Microsoft Office vulnerability as the Tibet malware.  And this week, all within a 24-hour period, came announcements of three other developments.  A minor new variant of Flashback was reported by Intego, using the same Java vulnerabilities, proving that the Flashback hacker(s) are still actively working at infecting people.  A new trojan, named FkCodec, was discovered in Sophos’ threat database, but without any other announcement, details are extremely sparse.  (There have been several reports on the Apple Support Communities from people who have discovered this malware on their systems, but no reports about how it got there or what it does beyond the single-sentence description on the Sophos site.)  And another new bit of malware called Maljava was seen by Symantec, infecting both Mac and Windows users through one of the same Java vulnerabilities that Flashback has been using.

This flood of reports in a one week period, following up on the high infection rates being reported from earlier variants of Flashback, seems concerning.  And Mac users should be concerned!  But it’s very important to understand that there are some very simple things Mac users can do to protect themselves.  First and foremost is ensuring that all software is up-to-date.  Much of the new malware appearing lately has been taking advantage of Java or Microsoft Office vulnerabilities that have already been patched.  Yet many users never update their systems or other software.  This phenomenon was reported on back in February by Sophos, who pointed out that the number of exploits taking advantage of a particular Microsoft Windows vulnerability has been rising since the patch was released, not falling.  It is important to understand that a patch that closes a vulnerability does not discourage hackers from attacking it.  Instead, it points out exactly where a weak point is and how it can be exploited on machines that have not updated.  And since hackers know that many people don’t update software, those updates are essentially invitations for them to write malware.  Once a patch has been released, it is important to update as quickly as possible!

Another thing Mac users need to do is be cautious online.  This does not only mean being careful about what you download, it also means being careful about what technologies you enable in your web browser.  In particular, Java and Flash have been notorious for having more holes than a sieve.  Flashback notwithstanding, both of these should be disabled in all web browsers as a simple precaution.  Java applets are found on only a few web sites, so disabling Java is the best choice for most people.  Flash, unfortunately, is still fairly common, and cannot be as easily disabled.  However, Marc Hoyois’ ClickToFlash Safari extension can help by disabling Flash by default, and allowing you to load specific Flash applets found on a web page one at a time.  (His ClickToPlugin extension blocks more than just Flash, including some Java applets.  However, it’s important to understand that this cannot block all Java applets, and thus cannot be used as a comprehensive defense with regard to Java.)
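As an added example (not code from the original post or from ClickToFlash or any other tool it names), the following POSIX shell script audits a browser plug-in directory for the Flash and Java plug-ins the paragraph above recommends disabling, and reports each one's bundle version so it can be compared against the vendor's current release. The two OS X plug-in locations named in the comments are the standard ones; the sample directory, bundle layout and version string that `make_sample_plugins` builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a browser plug-in
# directory for the Flash and Java plug-ins the post advises disabling.
# Real OS X locations: /Library/Internet Plug-Ins and ~/Library/Internet Plug-Ins.
# The sample directory built by make_sample_plugins below is constructed.

# plugin_version BUNDLE: print CFBundleShortVersionString from the bundle's
# Info.plist (prints nothing if the plist or key is missing).
plugin_version() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 0
    # The <string> value follows the <key> line in a plist.
    sed -n -e '/CFBundleShortVersionString/{' -e 'n' \
        -e 's/.*<string>\(.*\)<\/string>.*/\1/p' -e '}' "$plist"
}

# audit_plugins DIR: one line per risky plug-in, KIND<tab>NAME<tab>VERSION.
# Bundle names are the ones Adobe and Apple/Oracle shipped under OS X.
audit_plugins() {
    dir="$1"
    for bundle in "$dir"/*.plugin; do
        [ -d "$bundle" ] || continue
        name=$(basename "$bundle")
        case "$name" in
            "Flash Player.plugin")     kind=FLASH ;;
            "JavaAppletPlugin.plugin") kind=JAVA ;;
            *) continue ;;                     # anything else is not flagged
        esac
        printf '%s\t%s\t%s\n' "$kind" "$name" "$(plugin_version "$bundle")"
    done
}

# count_risky DIR: number of flagged plug-ins, handy for a scripted check.
count_risky() {
    audit_plugins "$1" | wc -l | tr -d ' '
}

# make_sample_plugins ROOT: build a constructed plug-in directory with two
# risky bundles and one harmless one. The version "1.2.3" is made up.
make_sample_plugins() {
    root="$1"
    for b in "Flash Player.plugin" "JavaAppletPlugin.plugin" "QuickTime Plugin.plugin"; do
        mkdir -p "$root/$b/Contents"
        cat > "$root/$b/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>CFBundleShortVersionString</key>
    <string>1.2.3</string>
</dict></plist>
EOF
    done
}

# Usage: audit the directory given as the first argument, or, with no
# argument, build and audit the constructed sample directory.
if [ "$#" -gt 0 ]; then
    audit_plugins "$1"
else
    sample="${TMPDIR:-/tmp}/plugin-audit.$$"
    make_sample_plugins "$sample"
    audit_plugins "$sample"
    rm -rf "$sample"
fi
```

Run it as `sh audit.sh /Library/Internet\ Plug-Ins` (and again for the per-user directory) to see which of the two plug-ins are present; a flagged line with an old version is the cue either to update the plug-in or to disable it in the browser as the post suggests.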

Some users may not be savvy enough to determine what is and is not safe online, or may simply want some additional peace of mind.  In such cases, anti-virus software can be beneficial.  However, it’s important to understand that there’s a lot of bad anti-virus software out there.  Just to name a few, iAntivirus does not protect against any recent malware, MacScan cannot reliably identify malware and has a tendency to identify false positives, and BitDefender does not identify several items from my malware collection.  Be sure you’re getting something good, that won’t bring your system to a grinding halt with constant background scanning.  Sophos Anti-Virus for Mac Home Edition has been excellent in my testing, and catches every item in my collection.  ClamXav is also good, though it does miss one older variant of Flashback (which, to be fair, hasn’t been sighted in the wild to my knowledge since last year).

As much as Windows-centric news sources and friends would have you believe, it is not time for Mac users to panic and run for cover.  These threats are all fairly minimal for the most part, and all can be easily avoided.  To all those who I have seen express the unprofessional sentiment of happiness at Mac users finally “getting their comeuppance” by being affected by malware, let me just point out that the total number of malware threats to the Mac platform in this century is still several orders of magnitude smaller than the number of new Windows malware programs reportedly appearing per day!

For more information about this topic, see my Mac Malware Guide.

* Those malware counts lump all variants of a particular series together – for example, MacDefender, MacSecurity, MacProtector, etc are all counted as one – with the exception of Flashback, for which I am counting the 2011 Flashback trojan and the 2012 Flashback malware that installs as a drive-by download separately.


8 Comments

  • Gavin says:

    Re: Flash. My impression was that unchecking “Enable plug-ins” in Safari disables Flash. Is that not correct?

    I’ve been leaving that unchecked as a routine practice and only switching it back on on those occasions when I’m sure that I need it and feel confident about the site.

    • Thomas says:

      Yes, that check box will disable Flash, but the problem is that it disables Flash globally. Then, when you encounter a site that uses Flash, you have to journey back into Safari’s preferences to enable Flash again (globally), and have to remember to disable it again later. That’s a hassle, and it assumes that you can trust all the Flash on a particular web page. That may not necessarily be the case, with some Flash being provided by ads and other such third-party sources. ClickToFlash enables you to easily disable all Flash, but to also easily load specific Flash applets as needed.

  • Philippe says:

    Antivirus software: I’m using Sophos & ClamXav on a regular basis but I have also tested Intego VirusBarrier X6… Although it includes an unneeded firewall (unless I’m missing something, it has nothing to sell vs. OS X’s firewall), it isn’t too heavy on my system.

    I won’t buy it but as Intego specializes in Mac security software, it could be another choice for people who need to be reassured by more features, what do you reckon?

    • Thomas says:

      I have never tested VirusBarrier, so I can’t really comment on that one. Sophos does the best among AV software I have tested. I’m a bit reluctant to support Intego lately, as their blog posts in the wake of the Flashback scare have had a fear-mongering “Let’s sell more copies of VB” feel to them. But that’s a personal issue, and does not say anything one way or the other about the quality of their software.

  • Philippe says:

    Yeah… I do agree about the “fear-mongering”. I saw a French ad saying “Mac malware increased by 1,000% between 2010 and 2011!”. Ludicrous… but at least they offer decent products… Nothing like the f. MacKeepItForYourButt ;).

  • JJ says:

    First, let me just say thank you for your time and effort that you put into informing and educating the Apple community. I’m a first-time Mac user and your comments have been extremely helpful.

    My question is, I have OS X 10.7.3, I do not have Flash or Java installed and I have Java disabled in Safari per your instructions. Is it necessary for me to install “ClickToFlash” for an extra layer of defense or is it not necessary since I do not have Flash installed on my system? Many thanks!

    • Thomas says:

      If you are sure you haven’t installed Flash (it doesn’t come pre-installed on Mac OS X 10.7), then there’s no need for ClickToFlash.

  • Silvy says:

    I had not read the article that closely, but I think the whole reason why this presents a problem is because the Microsoft Outlook email program is too permissive. It acts as a sort of RPC agent for anyone clever enough to exploit its ability to execute instructions from an inbound email message. I remember the days of telling people that you can’t get a virus from an email message, but then Microsoft opened up the door to malware.
