Mac Malware Mainly Low-Risk Proofs of Concept in 2010

Despite the number of Mac-specific threats and proof-of-concept code that appeared in 2010, Mac security risk remains relatively low. However, Mac users need to become more security-savvy to keep the risks low.

There were a number of Mac-specific threats in 2010, and security researchers became more vocal about Mac security. In fact, Intego, the Mac security vendor behind VirusBarrier X6, published its first annual review of Mac threats on Jan. 20.

Calling 2010 a "busy year" for Mac security and malware, Intego highlighted in its report proof-of-concept malware and "trickware" that emerged in 2010, security vulnerabilities discovered in the operating system, and iOS security.

Koobface, the cross-platform worm that spread via Facebook, Twitter and MySpace, was a "serious problem" but was poorly coded, so the actual threat it posed was very low, Intego said. When users navigated to Koobface-infected sites to view videos, the sites attempted to install a malicious Java applet, and users were alerted by a dialog asking whether they wanted to install it. Koobface did highlight, however, the likelihood that more virus authors will use Java to create cross-platform malware that targets non-Windows machines as well.

While actual Mac malware in the wild remained relatively rare, Intego pointed out ways the threats could have been worse. An example was OpinionSpy, spyware installed by free screen savers. OpinionSpy was intended to be a benign tool collecting information on users' browsing habits, but its features could open backdoors, inject code into applications and download new code without users' knowledge, Intego said.

Intego found on various forums a variant of HellRTS, which opened a backdoor on computers running OS X to give remote users the ability to take control and execute commands. This variant was not found in the wild, but it can lie dormant indefinitely while the authors work out new delivery mechanisms, Intego said.

Another example of proof-of-concept malware that never made it onto users' Macs was "ransomware," which could encrypt and password-protect files on users' computers. To unlock the files, an infected user would have to pay the authors a ransom. It was found on a few blogs but not in the wild, Intego said. The report noted that the proof-of-concept was based on a feature, not a bug, in Mac OS X, which would make it difficult to defend against.

Intego's Virus Monitoring Center also saw a "large number" of RSPlug malware, which dates back to 2007. Windows malware tends to peter out fairly quickly after initial infection as antivirus and other security products learn to detect and remove it. With a majority of Mac users still not installing an antivirus application, older threats seem to hang around longer, so RSPlug can do as much DNS tampering in 2011 as it did when it was discovered in 2007.

Mac and iOS users are at low risk from serious security problems, but they need to increase their awareness of phishing attacks as well as Web- and application-based threats, Intego said. At the moment, most Mac malware requires users to willingly install the software and grant it administrative privileges before it can infect a machine. However, malware will try to mislead non-security-savvy users into authorizing the installation of suspicious software or steal money through phishing sites and e-mail scams, Intego said. There were a number of phishing scams in 2010 pretending to be from Apple as well, Intego said.