It has been a longstanding part of the mythology of Apple computers: They ‘just don’t get viruses’. It has even been a big part of their advertising.
Of course, for those in the field of computer security it was well known that there was nothing magically immune about Apple systems, particularly in comparison to newer versions of Windows such as Vista and Windows 7. Apple computers did not get malware because they were not targeted, nothing more. As soon as hackers decided to target Mac systems, exactly the same results would occur.
Well that day has arrived. A new malware called Mac Defender has infected a significant number of Mac systems. According to Ars Technica, an anonymous source at an Apple Store has described nearly six percent of the systems being brought in as having the malware on them. And the fact that Ars Technica is having to get their information from anonymous sources is the most important part of the story.
Technically Mac Defender is nothing noteworthy. It is exactly the sort of scareware/Rogue AV attack that has been common for some time and which we recently covered regarding Lizamoon. The only particular difference is the style of the graphics. Since this type of malware is launched from a script on a web page, and a script can detect the operating system of the client computer, it is likely that the same infected page was sending some users to Mac Defender and others to a Windows version. Who knows, someday the ‘script kiddies’ will put in a line for the Linux users too. Bear in mind that although Mac Defender presents itself as an antivirus performing a deep scan for malware, it is only pretending to do so, so the program itself could be as simple as a browser add-on.
Now that we have a clear and widespread outbreak of a Mac virus, one would expect that Apple would follow the well-worn example of what a reasonable response from a vendor looks like: issue a knowledge base article, create a removal tool for download, and relatively quickly either issue a patch for the vulnerability or make it part of an auto-updated malicious software removal tool.
Apple instead decided to tell its employees to deny that it exists. Ars Technica has been shown a copy of a memo from Apple to their service employees. The instructions are that they should confirm that the problem is not with Apple’s hardware or OS and that the malware really is the customer’s problem and not Apple’s. Specifically, the memo made four points labeled ‘Important’:
- Do not confirm or deny that such malware has been installed
- Do not remove or uninstall any malware software
- Do not send escalations or contact Tier 2 for support about removing the software or send any impact data.
- Do not refer customers to the Apple Retail Store. The ARS does not provide any additional support for malware.
This is an utterly awful security response from a company. It makes me appreciate Microsoft’s threat response because I had not realized how bad it could have been by comparison. Awareness is the most essential component in threat reduction. Apple is making a corporate policy out of ignoring a problem so that they can continue an advertising myth that was never true in the first place. Apple does its users and the security community a double disservice. The ‘Macs don’t get viruses’ myth gives too many of their users a false impression that they don’t need security software, making them even more vulnerable.
Apple has come to its senses and issued a support document that admits the nature of the malware, gives advice on how to avoid it, and provides a step-by-step removal guide. Furthermore, Apple has promised a security patch in the next few days that will detect and remove the malware and provide a detection warning before it is installed.
Sophos is now reporting that a variant of the Mac Defender malware is being spread via Facebook page updates pretending to be a video of Dominique Strauss-Kahn. The link apparently is able to detect the make of the computer that the browser is running on (a very simple and commonplace thing to do) and directs Mac and Windows users to different versions. This kind of attack vector tends to be effective because users know that the video is illicit and realize that these kinds of videos sometimes contain virus payloads. So when the user clicks on the link and gets the fake virus warning, the nature of the link adds credibility to the fake warning.
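Both the infected-page scenario above and the Facebook variant rely on the same trick: one link, with the visitor's operating system (read from the browser's User-Agent) deciding which payload they are sent to. From the defender's side that trick leaves a recognisable footprint in web proxy logs, because a single URL ends up redirecting Mac and Windows visitors to different downloads. The script below is an added example, not code from the original article or from Sophos or Apple; the log format, the hostnames (example.invalid) and the file names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the article): client IP, quoted User-Agent,
# requested URL, HTTP status, and the redirect target ("-" when the response was not a redirect).
SAMPLE_LOG = """\
10.0.0.5 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24" http://example.invalid/video.php 302 http://example.invalid/macdefender.zip
10.0.0.6 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24" http://example.invalid/video.php 302 http://example.invalid/setup.exe
10.0.0.7 "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101" http://example.invalid/video.php 200 -
10.0.0.8 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24" http://example.invalid/news.html 200 -
10.0.0.9 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24" http://example.invalid/news.html 200 -
10.0.0.10 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24" http://example.invalid/download 302 http://example.invalid/tool.zip
10.0.0.11 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24" http://example.invalid/download 302 http://example.invalid/tool.zip
"""

# Hypothetical log layout: ip "user-agent" url status redirect-target
LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\S+) (\d{3}) (\S+)$')


def classify_platform(user_agent):
    """Coarse OS bucket from the User-Agent string, the same signal the malicious page keys on."""
    if "Macintosh" in user_agent or "Mac OS X" in user_agent:
        return "mac"
    if "Windows" in user_agent:
        return "windows"
    if "Linux" in user_agent:
        return "linux"
    return "other"


def parse_log(text):
    """Turn log lines into records; malformed lines are skipped rather than aborting the scan."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ua, url, status, target = m.groups()
        records.append({
            "ip": ip,
            "platform": classify_platform(ua),
            "url": url,
            "status": int(status),
            "target": None if target == "-" else target,
        })
    return records


def find_platform_split_redirects(text):
    """Return URLs whose redirect target depends on the visitor's operating system.

    A URL is flagged when at least two platforms were redirected from it and the
    set of redirect targets seen across those platforms is not a single location.
    """
    targets_by_url = defaultdict(lambda: defaultdict(set))
    for r in parse_log(text):
        if 300 <= r["status"] < 400 and r["target"]:
            targets_by_url[r["url"]][r["platform"]].add(r["target"])

    flagged = {}
    for url, by_platform in targets_by_url.items():
        if len(by_platform) < 2:
            continue  # one platform only: nothing to compare against
        all_targets = set().union(*by_platform.values())
        if len(all_targets) > 1:
            flagged[url] = {p: sorted(t) for p, t in by_platform.items()}
    return flagged


if __name__ == "__main__":
    for url, by_platform in find_platform_split_redirects(SAMPLE_LOG).items():
        print(f"platform-dependent redirect: {url}")
        for platform, targets in by_platform.items():
            print(f"  {platform}: {', '.join(targets)}")
```

Run against the sample, only video.php is reported: Mac visitors were sent to one archive and Windows visitors to an executable, while /download redirected everyone to the same file and /news.html never redirected at all. The same grouping works on real proxy logs once LINE_RE is adapted to their format; it is a cheap first pass for spotting a landing page that serves per-platform scareware.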
Sophos also noted that Apple has come out with the promised OS update. Update 2011-003 allows for daily updates of the XProtect lists and will run a scan when an administrative user logs in. The interesting thing in Sophos’ analysis is that, now that Mac users are being targeted, OSX may actually be providing fewer opportunities for protection than Windows! To start with, the update is available only for users of OSX 10.6 ‘Snow Leopard’. Earlier versions of OSX get nothing. By comparison, Microsoft provides security updates for Windows 7, Vista, and for serious matters even XP. Next, the scan is run only when an administrative user logs in, while Windows will run system scans regardless of who (or even whether) a user is logged in. Finally, the XProtect system protects links but will not protect against files contained in attachments, on USB disks, or .torrent downloads, among others. Windows has OS hooks that antivirus makers can utilize to scan all files as they are opened, whenever and however they are opened, which OSX apparently does not.