Scott's Weblog The weblog of an IT pro specializing in virtualization, networking, open source, and cloud computing

Mac OS X Malware Uncovered

After having just written about predictions concerning Mac OS X malware (viruses, spyware, trojan horses, worms, etc.), news of a Mac OS X virus comes in from MacNN. Is the prediction coming true?

Sophos has a detailed analysis of the malware; Intego has also posted a Q&A regarding the new threat. In addition, McAfee has updated its virus library as well. Security firms disagree over whether this is a virus or a trojan horse; some say it should be classified as a virus since it attempts to spread via iChat, and trojan horses aren’t self-replicating. Such cut-and-dried definitions rarely fit reality. Personally, based on the analysis that I’ve seen, it doesn’t look or act like a trojan horse. I’d classify it as a virus.

How does one protect oneself against this threat? Well, Mac users, you take a page from your Windows-using friends: Don’t blindly assume that all files are safe and can be trusted. In other words, don’t double-click stuff you don’t know is safe! This particular malware spreads via a .tgz file, which when uncompressed appears as a graphic file. It is, however, a compiled executable. I would imagine that it is probably possible, then, to right-click on this file and see a “Show Package Contents” menu item, which is a dead giveaway that this is anything but a simple graphics file. Of course, the anti-virus companies have updated their virus signatures to protect against this particular threat; refer to your particular vendor (if you use anti-virus software) for updates.
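As an added example that is not part of the original post: a POSIX shell script that unpacks a downloaded .tgz into a scratch directory and reports files that are Mach-O executables by their magic bytes, that are named like pictures but hold no image data, or that carry the executable bit. The script name, the archive name and any file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: unpack a .tgz into a scratch
# directory and flag files that are Mach-O executables by magic bytes, that are
# named like pictures but hold no image data, or that carry the executable bit.
set -eu

# Classify a file by its first four bytes (standard PNG/JPEG/GIF/Mach-O magic).
magic_type() {
    mt_sig=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$mt_sig" in
        89504e47) echo png ;;
        ffd8ff*)  echo jpeg ;;
        47494638) echo gif ;;
        cafebabe|feedface|cefaedfe|feedfacf|cffaedfe) echo macho ;;
        *)        echo unknown ;;
    esac
}

# Judge one extracted file: print a reason and return 1 if it is suspect.
check_file() {
    cf_type=$(magic_type "$1")
    cf_reason=""
    [ "$cf_type" = macho ] && cf_reason="Mach-O executable"
    case "$1" in
        *.jpg|*.jpeg|*.png|*.gif)
            case "$cf_type" in
                jpeg|png|gif) ;;
                *) cf_reason="${cf_reason:-image name but $cf_type content}" ;;
            esac ;;
    esac
    # a plain file in a picture archive has no business being executable
    [ -z "$cf_reason" ] && [ -x "$1" ] && cf_reason="executable bit set on a plain file"
    [ -z "$cf_reason" ] && return 0
    echo "SUSPICIOUS: $1: $cf_reason"; return 1
}

# Extract the archive and check every regular file; returns 0 only when clean.
scan_tgz() {
    st_dir=$(mktemp -d)
    tar -xzf "$1" -C "$st_dir"
    find "$st_dir" -type f > "$st_dir.list"
    st_bad=0
    while IFS= read -r st_file; do
        check_file "$st_file" || st_bad=1
    done < "$st_dir.list"
    rm -rf "$st_dir" "$st_dir.list"
    return "$st_bad"
}

if [ -n "${1:-}" ]; then scan_tgz "$1"; fi  # usage: sh check_tgz.sh archive.tgz
```

The check inspects the archive without opening or running anything in it, so it can be used on a download before deciding whether to double-click.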

For network administrators or other technically savvy users, I’d recommend blocking .tgz files via e-mail. There’s no evidence that this malware spreads via e-mail, and I’m not aware of any vulnerabilities that would allow this virus to replicate via e-mail, but better to be safe than sorry. Now that this has happened, crackers will move quickly (in my opinion) to make this more potent and more dependable (it doesn’t really work right now).

I’m not aware of any products or software to protect IM sessions. It may be prudent to configure Camino, Safari, Firefox, or your other browser of choice not to automatically open certain file types. In Camino, this is done by unchecking the “Open downloaded files” in the Preferences. Honestly, I couldn’t tell you where to do the same thing in Safari or Firefox; I rarely use those products.

To Mac users: This is NOT the end of the world. It’s just the evolution of our favorite platform. It was bound to happen sooner or later.

To Linux users: Get ready. Your day is coming, too, if Linux continues to gain popularity.

To Windows users: Better get your jibes in while you can. By the way, did I mention that Microsoft just patched 7 security flaws in Windows and Internet Explorer, including two of which allowed remote code execution?
