The market for Mac malware

Are malware makers finally ready to pay Apple the ultimate compliment by writing viruses and trojans that target Mac OS X?

Sure–they already have. For the past few years, Mac trojans have been surfacing that will screw with your machine in various ways. But they all require assistance from the unwise or the unwary: You not only have to download and install one of these malicious programs, you also have to authorize its operation by typing your Mac’s admin password. And these phony applications are so rare and so obvious that Mac users can comfortably get by without running anti-virus software.

That’s not the case in Windows (nor was it always the case with “classic” Mac system software). On Thursday, ZDNet’s Windows columnist Ed Bott suggested that Mac users were due to experience that sort of anxiety, citing the Mac’s increased market share, the history of remote exploits for Mac OS X and the arrival of the first Mac-specific write-your-own-virus toolkit:

My prediction is that the bad guys are still “testing market conditions,” and waiting for the right time for their grand opening. I think we’ll see a few more of these tentative probes—beta tests, if you will—before anyone unleashes a truly widespread attack.

The next day, Bott wrote about a new trojan, hidden behind a “poisoned” image page found in a Google search, that featured both Windows and Mac versions.

The problem with predicting an imminent wave of Mac viruses is that so many people have been wrong before–as Mac blogger John Gruber noted in a post Thursday, titled “Wolf!”, that quoted more than a dozen forecasts of Mac malware doom, going back to 2004. But this time could be different. Veteran Mac journalist Glenn Fleishman surprised a few people, possibly including himself, by repeatedly defending Bott’s analysis in conversations on Twitter.

(This is why you should follow more than one person covering a subject you care about; you’ll see this shop talk among competing reporters and analysts that you’d otherwise miss if you only followed one of those people.)

As a Mac owner and the primary source of tech support for two others (my mom and my mother-in-law), I’m not too worried about Mac trojans. I think Bott slightly oversells that risk, for two reasons.

One, every Mac trojan that I’ve seen so far requires you to type an admin password. Any Mac user with a few weeks of experience should recognize that as an unusual sign, reserved only for things like system-software updates and installing printer drivers–other apps only require you to drag their icons to the Applications folder. This sets the Mac apart from Windows, in which almost every single program requires running an installer and authorizing that action by clicking through a User Account Control dialog. That said, recent Windows switchers could easily see a password request from a new OS X app as something normal.

Two, Apple’s Mac App Store provides a safe alternative (though I’m happy it’s not the only way to add third-party software to a Mac). Somebody worried about getting hit with viruses from strange downloads can stick to that and should be safe. I wish Windows had an equally simple, obvious alternative–a few of my readers at the Post seemed unable to avoid downloading the trojan of the week and desperately needed such an option.

And yet: Over Easter, I expanded my usual troubleshooting of my mom’s iMac by installing the free, open-source ClamXav anti-virus program on that machine.

I’m much more concerned about zero-day exploits of vulnerabilities in OS X’s Internet-facing software. As contests such as the annual Pwn2Own competition have shown, it’s not all that hard to take control of a Mac remotely by luring a victim to a malicious site. The Mac’s growing market share–which Apple put at more than 20 percent of the consumer market in the U.S. back in October–gives malware authors an increasing economic incentive to target those flaws. And Apple’s sometimes-sluggish pace at shipping security fixes makes their job easier.

That’s my worry. I hope I’m wrong about it.

15 thoughts on “The market for Mac malware”

  1. How long do you think it’ll be before the Mac App Store will be the only way to get 3rd party software on Macs? And what do you wanna bet Mac users will welcome the move?

    Regarding every application needing admin permission on Windows…that’s not strictly true. I have installed Google Chrome on Windows XP and Windows 7 without it requiring admin permission. So while Windows makes it easier (via API calls) for every Tom, Dick and Harry application to require admin permission, it’s not absolutely required.

  2. I’m glad to still be surprising in my senescence. It’s not new that I (and a bunch of other sensible Mac writers/programmers/analysts) believe there will be true in-the-wild exploits for Mac OS X. Rather, the difference is in the headline writing. I’ve always said “inevitable”; Gruber’s Wolf post is about “imminent.”

    I’m sure we’ll see an effective bit of malware spread through malicious Web pages in good neighborhoods (JavaScript injection onto otherwise normal pages) sometime between now and the heat death of the universe. I can’t predict precisely when.

    I thought Ed’s points were well taken: that the more tools that appear to automate malware creation, the more money criminals clearly see in attacking Mac users, and thus the more likely that exploit-finders are working hard at Mac OS X.

    Honestly, when a handful of bright people can find zero-day exploits for root control every year at Pwn2Own at CanSecWest, imagine thousands of less-bright but still clever people working on the same task. It’ll happen.
