Aside from a couple of “conceptual” examples shown at conferences here and there, the only real piece of malware on the Mac that’s made it “into the wild” is the now infamous MAC Defender and its variants… one of which, MacGuard, has recently made headlines.
Naturally, the MacGuard topic has hit all the major tech news sites, igniting yet another round of “Mac vs. Windows” flame wars. Ironically, all this attention is probably helping the malware’s progress; I’ll go into more detail on that in just a moment. First, I’d like to clear something up.
MAC Defender and its variants are not viruses!
To date, there are NO actual “viruses” out there for OS X. Like its biological namesake, a computer virus can be transmitted simply through exposure. If, however, you are immune to it—either through natural resistance or through vaccination—then you don’t get sick.
It’s the same way with computers. Web sites, emails and the like can be “infected” with a particular virus, opening up your computer to infection as well. If you have a Windows box, you’d better be up-to-date on your antivirus software (the “flu shot”) or your computer is going to contract that same virus. Macs, on the other hand, use a completely different code base, which is highly resistant to casual infection. They’re like those kids from that one episode of Star Trek: The Next Generation that had enhanced immune systems, except your Mac isn’t likely to prematurely age others to death…
In short: there are no true “viruses” for the Mac.
So what are MAC Defender and its variants?
MAC Defender and its variants are “Trojan horses,” rather than true “viruses.” They owe more to “social engineering” than to any technological prowess. The only way MAC Defender and/or its variants can get on your system is if you choose to install it. The trick for the malware authors is to actually get the user to do so.
So how do they do that? Trickery.
And their target audience is made up of four groups:
- The Conditioned. As the Mac platform has grown, there have been a lot of converts from the Windows side of things who are used to constant virus threats and having to keep antivirus software updated; for them, virus alerts and responses are nearly reflexive.
- The Fearful. Users whose exposure to computer-related topics is gleaned primarily from mainstream news—again, primarily Windows-centric; when they hear there’s a “virus” out, they grow fearful that something terrible is going to happen to their computer.
- The Uninformed. Those who use (and think of) their Mac as an appliance and pay no attention to computer-related topics. So if a pop-up appears, they just click it as they would a system or other software update.
- The Clickers. Those who are simply careless in what they install and from where; a window pops up and they click “OK” without bothering to look at what it says.
The scammers behind these pieces of malware prey on the aforementioned users’ naiveté and/or laxity regarding their systems. They set up their site with information “of interest” to potential victims (often by “poisoning” a Google search by including popular keywords), and code it so that once they’re on the page for a certain amount of time, a window pops up that looks a lot like a Finder window, claiming that the computer is “infected.”
At this point, users usually do one of two things: they either close the browser window and move on, or they go all “Chicken Little” and start downloading utilities willy-nilly.
And, of course, there just so happens to be a “fix” offered right there in the pop-up window, ready to be downloaded, installed and opened by the user.
If that happens, the user’s Mac does have malware installed.
As malware will do, it then starts causing the computer to open sites (often of an “adult” nature) at random times and spouts out “warnings” that your computer is “infected.” Of course, conveniently enough, that “anti-virus” program has a fix; they just need a credit card number…
This isn’t as bad as you think…
Apple has wisely avoided giving a lot of press to this issue. If it came out the way the rest of the press has, it would just be spreading the panic and, ironically, causing more instances of this software being installed (“Oh, I must have that virus Apple was talking about. Oh goody, these guys have a solution…”).
However, that doesn’t mean Apple isn’t doing anything about it. Yesterday, a software patch was released for OS X 10.6 that updates XProtect (an integrated part of 10.6) to check for MAC Defender, remove it if you’ve already got it, and warn you if you try to open a downloaded copy. Unfortunately, less than eight hours after Apple released this patch, newer variants that circumvent this detector, such as MacGuard, were found. However, XProtect itself has been updated to check for new malware definitions daily; as soon as a new definition is put out, you’ll get the update. It really is just a matter of time on that one, and Apple certainly has the potential to push those definitions out faster, especially now that it’s focusing on them.
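Because the detection described above is only as good as the definitions currently on the machine, a practical check is to read the XProtect definitions and confirm which families they name. The script below is an added example, not code from the original post or from Apple. It assumes the definition file layout used on OS X 10.6 (a plist array of signature dicts with `Description`, `LaunchServices` and `Matches` keys, each match carrying a hex `Pattern`) and the paths shown for that file and its companion `XProtect.meta.plist`; the embedded sample plist and its patterns are constructed placeholders so the script also runs offline. The byte-pattern matcher is a simplification of what XProtect does (it ignores the content-type and quarantine checks) and is there to illustrate how a definition is applied to a downloaded file.

```python
"""Report which malware families the local XProtect definitions name.

Added example (not the original post's or Apple's code). Assumed layout:
an array of dicts with Description / LaunchServices / Matches, each match
holding a hex Pattern. The SAMPLE_PLIST below is constructed.
"""
import plistlib
from pathlib import Path

# Definition file and metadata locations on OS X 10.6 (assumed paths).
XPROTECT_DIR = Path("/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources")
XPROTECT_PLIST = XPROTECT_DIR / "XProtect.plist"
XPROTECT_META = XPROTECT_DIR / "XProtect.meta.plist"

# Constructed sample mirroring the assumed layout; patterns are placeholders
# (hex of the ASCII strings "PLACEHOLDER" and "SAMPLE-B"), not real signatures.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>com.apple.application-bundle</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>504C414345484F4C444552</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.B</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.installer-package-archive</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>com.apple.installer-package-archive</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>53414D504C452D42</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def load_definitions(data):
    """Parse the XProtect plist bytes into a list of signature dicts."""
    return plistlib.loads(data)


def summarize(defs):
    """Map each signature name to the number of byte patterns it carries."""
    return {d["Description"]: len(d.get("Matches", [])) for d in defs}


def family_covered(summary, family):
    """Return signature names that mention the given family, case-insensitively."""
    needle = family.lower()
    return sorted(name for name in summary if needle in name.lower())


def scan_bytes(defs, blob):
    """Simplified matcher: names of signatures whose hex Pattern occurs in blob."""
    hits = []
    for d in defs:
        for m in d.get("Matches", []):
            if m.get("MatchType") == "Match" and bytes.fromhex(m["Pattern"]) in blob:
                hits.append(d["Description"])
                break  # one pattern hit is enough to flag this signature
    return hits


def check_local(family="MacDefender"):
    """Use the real definitions when present, otherwise the constructed sample."""
    if XPROTECT_PLIST.exists():
        defs = load_definitions(XPROTECT_PLIST.read_bytes())
        meta = plistlib.loads(XPROTECT_META.read_bytes()) if XPROTECT_META.exists() else {}
    else:
        defs, meta = load_definitions(SAMPLE_PLIST), {"Version": "sample"}
    summary = summarize(defs)
    return {"version": meta.get("Version"), "signatures": summary,
            "family_hits": family_covered(summary, family)}


if __name__ == "__main__":
    report = check_local()
    print("definitions version:", report["version"])
    for name, count in report["signatures"].items():
        print(f"  {name}: {count} pattern(s)")
    print("MacDefender coverage:", report["family_hits"] or "none")
```

Run it on a 10.6 machine that has the Security Update installed and it lists the families the local definitions name; if the family you read about in the news is missing, the daily updater simply has not delivered that definition yet, which is exactly the window in which the user's own judgement has to do the work.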
In the meantime, rather than relying on your computer to tell you a file is potentially dangerous, you just need to use a little common sense to protect yourself from malware like this.
Don’t lose your head; use it.
If you’re surfing along and a window pops up saying you have a virus and/or you should install some program or another, ask yourself these four simple questions:
- Do I have antivirus software installed on my computer already and if so, is that what the warning looks like?
- Has my computer been exhibiting unusual behavior previous to this pop-up?
- Is this software being downloaded from a company I’ve heard of before and trust?
- If the software installer is automatically running, did I intentionally launch that program from the Finder?
If you answer “No” to any of these questions, then do not install the software!
This malware, like many Trojan horses, relies on the end user being fearful and/or misinformed about Mac malware in order to reach its sole purpose: getting that credit card payment. Don’t give them anything to work with.
Keep up on your Mac news from reliable sources like MacFixit, AppleInsider, The Unofficial Apple Weblog, and even here at the OWC Blog. Learn about what’s going on with the OS and what potential things to look out for.
And, on the off chance that you do come across one of these pieces of malware, just take a hint from the late Douglas Adams and “DON’T PANIC.” Keeping your head and thinking things through will help you a lot more than that offer for software that just happened to pop up…