Mac Malware - The Definitive Thread


krs
Dec 9th, 2008, 04:46 PM
I thought it would be useful to summarize all known existing Mac malware in one thread and keep it up to date as new malware is discovered or security updates released to address existing malware issues.

I define malware very broadly - anything that can compromise the Mac and is delivered or downloaded using any one of Apple's applications, even if the user has to install and run it.

Excluded would be "social engineering type" malware like phishing attempts.

I think a thread like that would be most useful to newcomers to the Mac, but would also help veteran Mac users - right now the Mac malware discussion always seems to start in some thread that's totally unrelated to malware initially like this one for example:

http://www.ehmac.ca/anything-mac/71962-sell-my-woman-macbook.html

Let me start by listing the five "malware" links that were posted in that thread just recently - perhaps people who are familiar with those "Mac threads" can comment on them and also post other known Mac malware.



Leap-A (aka: OS X/Oomp-A, aka: Oompa-Loompa)

Typical report:
First ever virus for Mac OS X discovered (http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html)

Comment:
Leap-A is not and was not a virus. There is a difference. The story is deliberately misheadlined (notice the source).

Better information: New MacOS X trojan/virus alert - Ambrosia Software Web Board (http://www.ambrosiasw.com/forums/index.php?showtopic=102379)

In summary:
You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for non-Admin users, it fails to infect most applications.

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

A few important points

-- This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally (though it could arguably be called a very non-virulent virus)
-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system
-- If you're not running as an admin user, it will silently fail to infect most applications
-- It doesn't actually do anything other than attempt to propagate itself via iChat, and then only via Bonjour (aka "Rendezvous") -- it does not send itself over the Internet, rather just to your local Bonjour user list
-- It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching
-- It's not particularly sophisticated
--I'd really be tempted to call this thing a non-event; it's poorly written, can't spread beyond your local network, is unlikely to infect anything on most machines, and needs user interaction to do anything at all--

Fixed in Security Update: Not applicable, social engineering malware

--------------------------------------

YouTube - os x virus (http://www.youtube.com/watch?v=CBk0olNvFgE)
Flash virus that you have to install

Need more info on this

---------------------------------


OSX.RSPlug.A

Typical report:
Mac OS malware targets porn surfers | Apple - CNET News (http://news.cnet.com/8301-13579_3-9808489-37.html)

OSX.RSPlug.A is malware best described as a Trojan horse. OSX.RSPlug.A disguises itself as a video codec that would ensure whatever porn video you just stumbled upon will play on your Mac.

But to get infected with the malware, you have to
1. accept the invitation to download "new version of codec,"
2. open up the .dmg (disk image) file,
3. click the installer.pkg file, and
4. enter your administrator's password

Once infected, the malware changes your DNS settings to hijack Web traffic and redirect it to phishing sites or ads for porn. And you still won't get to watch the video.

If you're running Tiger, you might never realize how you were infected, but Leopard's Advanced Network preferences will at least let you recognize that the DNS servers have been changed. You'll be unable to change them back without going through a lengthy process detailed by Macworld's Rob Griffiths.


Fixed in Security Update: Not applicable, social engineering malware

------------------------------------------


Trojan using AppleScript THT

Typical report:
Mac OS X Trojan reported in the wild | Defense in Depth - CNET News (http://news.cnet.com/8301-10789_3-9973703-57.html)

On 19 June 2008, security vendor SecureMac reported seeing new variants of AppleScript.THT Trojan horse in the wild affecting users of Mac OS X 10.4 and 10.5.

The new variations exploit a vulnerability within the Apple Remote Desktop Agent, and can avoid detection by opening ports in the firewall and turning off system logging. The new Trojans can log keystrokes, take screen shots, take pictures with the Apple iSight camera, and enable file sharing, according to SecureMac.

The Trojans are using an AppleScript called ASthtv05 and/or may be bundled as an application. You must download and execute the file for your Mac OS X system to become infected.

Fixed in Security Update: Not applicable, social engineering malware

-------------------

F-Secure Malware Information Pages: Trojan:OSX/DNSChanger (http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml)
DNS Changer
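The RSPlug.A / DNSChanger entries above both work by rewriting the Mac's resolver settings, which is why the first post points to Leopard's Advanced Network preferences as the place to notice it. As an added example (not code from the thread or from any of the vendors linked), here is a small Python check that parses the text printed by `scutil --dns` on Mac OS X and flags any nameserver that is not on an allowlist. The `scutil --dns` sample below is constructed, and the `EXPECTED_RESOLVERS` set is an assumption you would replace with your own router or ISP resolvers.

```python
"""Added example: flag unexpected DNS resolvers on a Mac.

Parses the text format printed by `scutil --dns` and compares every
nameserver it finds against an allowlist. Sample output and allowlist
are constructed for the example.
"""
import re
import subprocess

# Constructed sample in the shape of `scutil --dns` output. The 192.0.2.x and
# 203.0.113.x addresses are documentation ranges standing in for real servers.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.0.2.1
  nameserver[1] : 203.0.113.7
  order   : 200000

resolver #2
  domain  : local
  options : mdns
  timeout : 5
  order   : 300000
"""

# Assumed allowlist: the resolvers a healthy machine on this network should use.
EXPECTED_RESOLVERS = {"192.0.2.1", "192.0.2.2"}

# Matches lines such as "  nameserver[0] : 192.0.2.1"
_NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(scutil_output: str) -> list:
    """Return every nameserver address listed in scutil --dns output, in order."""
    return _NAMESERVER_RE.findall(scutil_output)


def unexpected_resolvers(scutil_output: str, expected=EXPECTED_RESOLVERS) -> list:
    """Return nameservers that are not in the allowlist (empty list means clean)."""
    return [ns for ns in parse_nameservers(scutil_output) if ns not in expected]


def read_live_dns_config() -> str:
    """Run scutil --dns on the local Mac; raises if scutil is unavailable."""
    result = subprocess.run(["scutil", "--dns"], check=True,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    try:
        output = read_live_dns_config()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not on a Mac (or scutil failed): demonstrate on the constructed sample.
        print("scutil not available here; checking the constructed sample instead")
        output = SAMPLE_SCUTIL_DNS
    bad = unexpected_resolvers(output)
    if bad:
        print("WARNING: unexpected DNS resolvers:", ", ".join(bad))
    else:
        print("DNS resolvers match the expected list")
```

Run it from a Terminal on the Mac in question; on any other system it falls back to the constructed sample, where `203.0.113.7` is reported because it is not in the allowlist. A check like this only tells you the resolvers changed, not why, so a hit still needs a look at the Network preferences (and at who changed them).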

kb244
Dec 9th, 2008, 04:48 PM
I sense a hint of sour grapes.

krs
Dec 9th, 2008, 05:04 PM
I sense a hint of sour grapes.

No clue what you're talking about.

When I looked at the first "malware" link that was posted, it goes back to Feb. 2006.
My question would be - was what was described then really correct (I have read over and over again that in many cases when Mac malware was initially reported it was only half the story) and secondly - is this "malware" (after it has been identified correctly) still a threat today, and (hopefully), perhaps someone knows which Security update eliminated the threat assuming it was there in the first place.

I really have no idea where the "sour grapes" comes from and don't really want an explanation.

But if you can contribute and post more Mac malware, or comment and update us on the five items listed above - please be my guest.

That's what this thread is for.

broken_g3
Dec 9th, 2008, 09:54 PM
Hahaha! All you fools on OS X! You have a grand total of 14 viruses! that can destroy your system and livelihoods! :D No, seriously, you've got like nothing to contend with... especially versus Windows' 114,000 viruses.

The only Mac OS Classic virus I've ever seen was one that played the Butcher's line from Diablo every time the computer would start up. Every time the desktop finished loading, a sound would go "Ahhhhhh... Fresh Meat". I still haven't discovered what it is...

chas_m
Dec 10th, 2008, 06:40 AM
I realise you are not responsible for the headline in that first "virus" report, but it's not really a virus. Neither is the second one. This should be noted.

Better information on Leap-A:
New MacOS X trojan/virus alert - Ambrosia Software Web Board (http://www.ambrosiasw.com/forums/index.php?showtopic=102379)

So, while it's true there is malware out there for OS X, to date a brief summary of the available information might be:

There's really nothing out there you need concern yourself with. Don't install any packages that you don't know what they are and you'll be fine. No viruses, still. If they ever turn up, you'll hear about it from legit Mac news sources or this forum LONG before you have even a remote chance of suffering from it.

EvanPitts
Dec 10th, 2008, 07:06 AM
You have a grand total of 14 viruses! that can destroy your system and livelihoods! :D No, seriously, you've got like nothing to contend with... especially versus Windows' 114,000 viruses.

And that's just viruses - the Windoze universe went over the million mark a few months ago when it comes to trojans and malware that are in active circulation. Not only that, logging onto a web site or reading an e-mail can easily trash a Windoze system. OSX users are so retrograde, what, with the three Codec cum trojans in circulation, and a few obscure ways that specially written viruses can trash OSX through virtualizers like VMFusion. There is just not enough excitement for the OSX user in this regard.

G-Mo
Dec 10th, 2008, 07:21 AM
I listed these previously here... (http://www.ehmac.ca/anything-mac/70768-another-pile-windows-7-a-5.html#post748498)

a little over a year ago (Halloween 2007) there was an OS X Trojan:

New Apple Trojan Means Mac Hunting Season Is Open (http://www.wired.com/politics/security/news/2007/11/mac_trojan)

Mac Users Get A Credit Card Stealing Trojan for Halloween, Security Company Reports | Threat Level from Wired.com (http://blog.wired.com/27bstroke6/2007/10/mac-users-get-a.html)

Trojan targets Mac users - SC Magazine US (http://www.scmagazineus.com/Trojan-targets-Mac-users/article/58290/)
Intego Security Memo (http://www.intego.com/news/ism0705.asp)

Then there were two issues earlier this year, rogue application MacSweeper in January (2008):
Security researcher issues warns against rogue MacSweeper | News Blog - CNET News (http://news.cnet.com/8301-10784_3-9850942-7.html)

And trojan application Imunizator in March (2008)
http://www.informationweek.com/blog/main/archives/2008/03/another_trojan.html

And the AppleScript.THT trojan this summer (June 2008):
AppleScript.THT Trojan Horse - Mac OS X Trojan Horse (http://www.securemac.com/applescript-tht-trojan-horse.php)

mc3251
Dec 10th, 2008, 09:58 AM
And that's just viruses - the Windoze universe went over the million mark a few months ago when it comes to trojans and malware that are in active circulation. Not only that, logging onto a web site or reading an e-mail can easily trash a Windoze system

GOOD LORD!! Why do so many threads on this board wind up being about the "I hate Windows" soapbox. This is so tiring, honestly.

I totally get that this is a Mac site, and that lots of folks on it hate Windows, but do we have to keep hearing about it again and again? If you really hate Windows so much, then why are you renting it time in your head?

Could we please talk about something else?

Someone should start a sticky thread called I Hate Windoze, Bill Gates, and the Microsoft Evil Empire. Or, perhaps we could have an Everything I hate about Windoze, Eh? Subforum.

krs
Dec 10th, 2008, 10:16 AM
GOOD LORD!! Why do so many threads on this board wind up being about the "I hate Windows" soapbox. This is so tiring, honestly.


Where do you read "I hate Windows" in this thread?

All I see is a comment about how much exists for Windows compared to that "14 virus" number for the Mac which is just a joke.

Anyway - this is not intended to be a OS X vs Windows thread - all I want to do is to get the true story about each one of the OS X malware reports people dig up everytime this subject comes up.
I'm interested in that and so are many newcomers to the Mac.

If you have something to contribute on that subject, please do - I will try to summarize everything relevant that's posted and keep updating the first post.

krs
Dec 10th, 2008, 10:34 AM
I just updated the first post with the type of information I would like to collect on each one of these OS X malware threats.

Any comments on the information and the format?

mc3251
Dec 10th, 2008, 10:38 AM
I was reacting to EP's post, which seemed to me to be another I hate Windows hijack.
I think what you are doing is a good thing, Krs...very good.

krs
Dec 10th, 2008, 11:05 AM
I listed these previously here... (http://www.ehmac.ca/anything-mac/70768-another-pile-windows-7-a-5.html#post748498)

a little over a year ago (Halloween 2007) there was an OS X Trojan:

New Apple Trojan Means Mac Hunting Season Is Open (http://www.wired.com/politics/security/news/2007/11/mac_trojan)

Mac Users Get A Credit Card Stealing Trojan for Halloween, Security Company Reports | Threat Level from Wired.com (http://blog.wired.com/27bstroke6/2007/10/mac-users-get-a.html)

Trojan targets Mac users - SC Magazine US (http://www.scmagazineus.com/Trojan-targets-Mac-users/article/58290/)
Intego Security Memo (http://www.intego.com/news/ism0705.asp)

Then there were two issues earlier this year, rogue application MacSweeper in January (2008):
Security researcher issues warns against rogue MacSweeper | News Blog - CNET News (http://news.cnet.com/8301-10784_3-9850942-7.html)

And trojan application Imunizator in March (2008)
Another Trojan Targets Mac OS X - Security Blog - InformationWeek (http://www.informationweek.com/blog/main/archives/2008/03/another_trojan.html)

And the AppleScript.THT trojan this summer (June 2008):
AppleScript.THT Trojan Horse - Mac OS X Trojan Horse (http://www.securemac.com/applescript-tht-trojan-horse.php)



Trouble is they were buried in a thread about Windows 7.

I find if I do a search on ehMac, I get so many hits, it's hard to find the right posts for what one is looking for - that's why I started this thread.

I'll roll those into the first post as I find time - hopefully with similar information as for the first malware in the list.

broken_g3
Dec 10th, 2008, 04:53 PM
Someone should start a sticky thread called I Hate Windoze, Bill Gates, and the Microsoft Evil Empire. Or, perhaps we could have an Everything I hate about Windoze, Eh? Subforum.

...but I like Windows. I like its task-oriented interface, even though Microsoft stole that from OS/2. I like how it is compatible with everything. I like how I can get it to do ANYTHING. I never said I hate Windows, and I never will... unless that is Windows 95/98/Me. I hate those just because they goddamn crash all the time.

Keep it real, NT forever.

chas_m
Dec 11th, 2008, 06:46 AM
GOOD LORD!! Why do so many threads on this board wind up being about the "I hate Windows" soapbox. This is so tiring, honestly.

I hate windows, too, but you don't hear me going on and on about it.

In fact, if you take a look, I think you will find that the constant mindless windows-bashing (as opposed to the occasional dig or genuine criticism) comes mainly from just one or two people. Highly blockable people, I might add.

SINC
Dec 11th, 2008, 06:58 AM
I'm not sure if it's malware or not, but the odd time I will hit a site that opens a full screen window with some offbeat ad in Safari and when I attempt to close it, it opens yet another window and repeats the process each time I attempt to get rid of it.

The only solution I have found when this happens is to quit and relaunch Safari.

chas_m
Dec 11th, 2008, 07:04 AM
Not malware per se, but a pernicious use of javascript.

AdBlock will help with that.

mc3251
Dec 11th, 2008, 08:10 AM
In fact, if you take a look, I think you will find that the constant mindless windows-bashing (as opposed to the occasional dig or genuine criticism) comes mainly from just one or two people.

You are right....my apologies to the rest. I was having a temporary hissy fit.

Griz
Dec 12th, 2008, 10:30 AM
OK, so, bottom line:

Q: "Do you have any viruses on your Mac?"

A: "Only the ones I've installed!"

mc3251
Dec 12th, 2008, 10:48 AM
Can someone tell me WHY there are so few viruses for the Mac? Or maybe none. I am feeling a bit excluded by the hacker community ;)

krs
Dec 12th, 2008, 11:21 AM
OK, so, bottom line:

Q: "Do you have any viruses on your Mac?"

A: "Only the ones I've installed!"

Ha, ha............

But I'm not even sure that is true - if you have to install "malware" then by definition it's not a "virus" - at least that's my understanding of the "Virus definition", although, as we saw with the first one on the list, security people have classified that malware differently depending where you look.

For want of anything better, I'll take the Wiki definition:
A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user.

krs
Dec 12th, 2008, 11:32 AM
Can someone tell me WHY there are so few viruses for the Mac? Or maybe none. I am feeling a bit excluded by the hacker community ;)



Well, first of all, it's not that there are "few viruses" for the Mac - I take it per the Wiki definition, there are currently NONE.

And it's not that the hacker community hasn't tried - it just seems to be really tough to write a virus for OS X, to a large degree because it's UNIX based - a lot of servers on the Web run using UNIX, so that OS has to be pretty robust against malware that installs itself without help from the user.

At the annual security conference in Vancouver, there is a contest each year on how quickly and how successfully someone can compromise the various operating systems. Makes for interesting reading.

One thing I personally find interesting - Apple issues security updates rather frequently when compared to Microsoft.
The two companies seem to have a totally different philosophy when it comes to malware. Apple's approach seems to be that the OS should be as secure as possible, so if some security hole is revealed, it gets fixed pretty quickly; Microsoft on the other hand seems to take the approach that Windows has so many security holes it can't make the OS secure and in any case, Windows users are expected to run anti-virus software, or better all sorts of anti-malware software, so timely security fixes are not really required - we just do a general bug fix/feature enhancement once a year or so.

chas_m
Dec 12th, 2008, 01:35 PM
Can someone tell me WHY there are so few viruses for the Mac?

A popular myth is that it is because Windows is so dominant, hackers just don't pay attention to the Mac.

This isn't the case at all. The virus writers of this world are WELL aware that the first real virus for the Mac will gain international headlines and underground acclaim, possibly even large cash prizes. There are a million malevolent morons out there who would KILL to be the first to write a virus for the Mac.

Believe me, they've tried. HARD. But the bottom line is that the Mac's in-built security is VASTLY better than Windows'. Period, end of story.

Five main reasons:

1. Built on UNIX. krs already covered this, but it bears repeating: banks, the government and other institutions prefer UNIX because it's more secure than any other mainstream OS. Windows, despite the protests to the contrary, is still built on DOS, which was never secure to start with.

2. Admin does NOT equal "root" on a Mac. It does on Windows. Vista finally addressed this, but did so in such an annoying way that most users turn OFF this protection!

3. Until recently, Windows shipped with all ports open. Mac OS X ships with all ports except the industry standard ones CLOSED.

4. Requiring the admin password before ANY install that mixes with the system or infrastructure of the OS. This creates "walls" between the apps and the OS that isolates malware/crapware.

and finally

5. Windows "exploits" and vulnerabilities are so numerous that scripts are easily written to take advantage of specific ones. You hear about the occasional Mac vulnerability (usually via some OS component like QuickTime, Javascript or Webkit), but these are generally fixed before anyone can actually develop something "in the wild." Windows exploits are so all-encompassing that even after YEARS of regular, almost-weekly fixes, MS shows no signs that they've locked down Vista, or are even close to doing so.

I know Windows people never believe this, but the proof is already out there. A half-million Windows viruses (not counting spyware, keyloggers and other malware) and ZERO for the Mac.

biovizier
Dec 12th, 2008, 01:51 PM
Admin does NOT equal "root" on a Mac.

Of course, as far as normal use is concerned, "admin" does not equal "root" on a Mac. However, since the context of this thread is malware, it should be pointed out that "admin" essentially does equal "root" on a Mac since various privilege escalation vulnerabilities allow malware running in an "admin" account to gain "root" privileges without a password.

Since in the default configuration, the account which the majority of Mac users end up using is "admin", any malware that does manage to run in that account (via user action or arbitrary code execution vulnerability) has the potential to take over the entire system without further user action.

That isn't to say there aren't any local root privilege escalation vulnerabilities affecting standard accounts (there may well be), but using an "admin" account increases the risk because the privilege escalation vulnerabilities are so well known. A Mac may not be as safe as people make it out to be.

chas_m
Dec 12th, 2008, 01:57 PM
I'm not saying you're entirely wrong here, but some of what you say doesn't ring true.

For example, even as an admin I can't install new software without being asked to RE-INPUT my admin password. So I can't see where a program could bypass this if I as an admin can't bypass it.

There was at one time a vulnerability where if sudo or root were invoked, it stayed active for a short period afterwards. This is (and has been for a while now) no longer the case, as I understand it. Perhaps I'm mistaken.

Finally, again the proof would be in the pudding. I haven't seen or heard of any programs that take advantage of this "privilege escalation vulnerability" you speak of, and if they are "well known" then you'd think there would be more than a few around. Care to share any recent links documenting this?

But of course your overall point is that Macs are not bulletproof and I concur. But so far, real-world testing (the best kind) has failed to yield any proof that Macs AREN'T as safe as people make them out to be.

biovizier
Dec 12th, 2008, 04:01 PM
even as an admin I can't install new software without being asked to RE-INPUT my admin password. So I can't see where a program could bypass this if I as an admin can't bypass it.
That's the irony - as a legitimate "admin" user, you have to enter a password to administer the computer, but unauthorized malware that you don't want to have such privileges can do an end run around all that because of poor design decisions by Apple. Actually, as an "admin", you could do an end run as well, but during normal use, it would be easier just to enter the password. For malware, it's just a matter of executing a few additional commands, so it doesn't really involve any extra effort at all. In essence, if you are using an "admin" account, the password requirement should just be considered a courtesy by legitimate software to inform you that the installer is going to modify system files, but I wouldn't expect any such courtesy from malware.

There was at one time a vulnerability where if sudo or root were invoked, it stayed active for a short period afterwards.
This is still true - if 'sudo' is invoked, anything running in the background can still run its own 'sudo' command and it will go through without a password as long as it is within the 5 minute timeout. This is potentially an issue, but I don't consider it as serious if only because only a small proportion of Mac users would be expected to use 'sudo', and the malware would have to be running and lying in wait for that event to occur. [edit]Actually, since 10.4, it wouldn't necessarily have to be running continuously so maybe this is more serious than I gave it credit for initially. In contrast, to exploit the other vulnerabilities, an inexperienced user, using the default "admin" account, would just have to launch a bad app once, and it would be done. In Panther and early Tiger, all it would have taken was a visit to the wrong web site, and there's no reason to think that something similar couldn't turn up in the future that uses some browser vulnerability or e.g. a third-party plug-in that everybody uses.

I haven't seen or heard of any programs that take advantage of this "privilege escalation vulnerability" you speak of, and if they are "well known" then you'd think there would be more than a few around.
At least one of them has been used in malware (albeit as a part of the payload, not the initial takeover) in malware that has already been mentioned in this thread. The vulnerability remains unpatched today (10.5.5). As to why others haven't been used (that we know of), my only guesses would be that either the malware writers themselves aren't up to speed on the Mac, or else "social engineering" has been sufficiently effective in getting users to give their password freely.

But so far, real-world testing (the best kind) has failed to yield any proof that Macs AREN'T as safe as people make them out to be.
Macs certainly face fewer threats and the incidence of what is out there is relatively low so on the whole, Mac users currently aren't very likely to be affected by malware - I think everyone is in agreement there. However, it is important for individual users to be aware that if they are unlucky enough to run into one, and they are using an "admin" account, the system isn't going to do anything to stop it, as individuals affected by Opener or OompaLoompa would be able to tell you.

And again, there is no guarantee that a "standard" account is safe. However an "admin" account in 10.5.5 definitely gives malware access to "root" privileges.
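The 5 minute 'sudo' credential cache biovizier describes above is a configurable sudo setting, not a fixed property of OS X. As an added example (not from the thread or from Apple), these are the sudoers defaults that close that window; the option names are standard sudo options that this example assumes are supported by the sudo version on the machine. Edit the file with `visudo` only, since a syntax error in sudoers locks everyone out of sudo.

```sudoers
# Added example, not from the thread: sudoers settings that shrink the cached-credential window.
# Require the password on every sudo invocation instead of caching it for 5 minutes.
Defaults timestamp_timeout=0
# Assumption: tty_tickets is available on this sudo version. It limits any cached
# credential to the terminal that entered the password, so a background process on
# a different tty cannot ride on it.
Defaults tty_tickets
```

Between these two, `timestamp_timeout=0` is the one that actually removes the window the post describes; `tty_tickets` only narrows it. Users who keep the default timeout can also drop the cached credential by hand with `sudo -k` as soon as they finish the administrative command.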

Sualocin
Dec 12th, 2008, 05:09 PM
This thread is a great idea, between the media that can't wait to declare OS X as hole-ridden as windows and Mac Fanboys who deny any existence of any problems, it'll be nice to have a place to get some decent information and threat levels on OS X vulnerabilities.

krs
Dec 12th, 2008, 08:01 PM
Ok -

I cleaned up the first five "virus" (actually really malware) links that were posted.

The last one seems identical to the third one, OSX.RSPlug.A, but with different names. If it is in fact different, can someone let me know how.
Otherwise I'll just roll the additional names and the link into the third listing.

What about the second "You Tube" one - anyone have better info on that???

Also - it's not really made clear what happens if someone should install one of these pieces of malware - for example, the last one in the list.
Does that mean if I type my bank URL into the browser, the bank web page will show up but the user name and password will be transmitted to this rogue site???
Would be nice to add to each one what the consequences are if you do install any of those.

Also raises another question in my mind - what are all these OS X security updates fixing? Obviously none of these malware vulnerabilities listed so far in the first post.

I'll go through the rest of the thread as I find time and add any new ones to the first post.

patrix
Dec 12th, 2008, 08:35 PM
Also raises another question in my mind - what are all these OS X security updates fixing? Obviously none of these malware vulnerabilities listed so far in the first post.



I quote the first malware in your list:

-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system

Basically the OS X security fixes fix security issues, such as that famous remote desktop agent hole that was there for a few months where a process could gain root (superuser) privileges without any password or authentication. That's a security exploit. Seems most malware depend on the user actually running it and giving it permission to do wonky stuff, and no security update can fix that since for all the system knows, it's letting the user do exactly what the user wants.

It's basically the equivalent of gaining root privileges and then doing an rm -rf / which would delete major portions of the system and render it useless and unbootable.

The system won't stop you doing that since you're supposed to be able to do things like that if you want to, it's not an exploit.

Patrix.