If you got to this page looking for the Mac Virus page at macvirus.com, welcome! This is the home of what may eventually be a major Macintosh security resource, including some of the historical material that was formerly available at Mac Virus. Unfortunately, negotiations with the organization that was to have sponsored it stalled, but if there's enough interest it will happen eventually.
If you're looking for macvirus.org or macvirus.net, those sites are currently experiencing some (hopefully temporary) problems you may want to be aware of: see Mac Virus Links below.
The Mac malware business is heating up right now: several anti-malware vendors are in the process of launching Mac-specific scanners, and some who already have products in that space are emphasising that there's more Mac malware about than there used to be. And there is. Not just the OSX/RSPlug (or OSX/Puper, or OSX/DNSchanger) Trojan that came to prominence last year (see below), though that remains a significant worry. (It's still claiming victims, though hardly epidemic, and variants are still appearing regularly, indicating that the bad guys still think it's worth dedicating time and resources to Mac development. It's also a worry that according to F-Secure, Apple support are still unaware that any malware exists that targets OS X: see http://www.f-secure.com/weblog/archives/00001388.html.) We're also seeing other forms of blackhat interest such as rogue antispyware products that only detect imaginary malware, various flavours of malicious/semi-malicious software ported across platforms (Linux, FreeBSD, OS X), and so on.
I've been writing a couple of chapters on these issues for a Syngress book on OS X security, but unfortunately I'm not sure at present whether that project is going to be completed. However, I'm currently doing contract work that requires me to keep a close eye on these developments, and some of those observations will find their way onto this page.
In the last quarter of 2007, a Trojan called OSX.RSPlug.A (or OSX/Puper) attracted a great deal of attention. I blogged on that at the Securiteam site - see http://blogs.securiteam.com/index.php/archives/1029. I'm no longer blogging on that site: in fact, most of my blogging activity now takes place on the ESET site at http://www.eset.com, where I've just posted a blog entry on recent developments (http://www.eset.com/threat-center/blog/?p=116).
As ever, I'm happy to try to answer queries on this, or refer them to someone better equipped: also, I'm particularly interested in tracking the real impact of this type of threat, and reports of compromised machines will be forwarded to groups and individuals who can use them to reduce the damage they cause.
MacVirus Links
This site has no connection with http://www.macvirus.net or http://www.macvirus.org (actually the same site, which is in turn associated with http://www.securemac.com/ and the antispyware package MacScan). Of course, the Mac Virus site hasn't been maintained regularly over recent years. Recently, though, I've become concerned that these other sites, which may be seen as authoritative, are actually seriously under-maintained. Some of the virus information on these sites seems to be reasonably sound, though sketchy and out-of-date, and some of the information is completely wrong (AutoStart did not appear in 1985!). Some of the links are to pages dealing with anti-virus packages that either don't exist any more or are so cobwebby that they really shouldn't be recommended. Even worse, the forum at macvirus.org has been flooded with spam linking to sites that have been serving the DNSchanger Trojan, and the messages have not been removed despite publicity in The Register and elsewhere. I'm attempting to contact the maintainers of the site at present, but have to recommend that you treat the virus.org, virus.net and securemac.com sites with extreme caution, and do not regard information given there as authoritative. I'll put up more information here as the situation develops.
However, I still hope to establish amicable relationships with other Mac security resources as this one develops. I’ll be putting up some more Mac links in due course, and will maybe include some reviews. In the meantime, here are a couple of links you may find useful:
http://www.apple.com/support/security/
http://homepage.mac.com/macbuddy/SecurityGuide.html
http://www.sophos.com/
http://www.mcafee.com/
http://www.symantec.com/
http://www.virusbarrier.com/
MacVirus Archives
The archive version of the original Mac Virus is not currently available here or at ICSAlabs, but will be restored here in due course, though it's of more historical interest than contemporary relevance. Version 2 of the “Viruses and the Macintosh” FAQ will not be put up here until I’ve finished revising it, which may take a while...
The Mac security landscape has changed a lot since Mac Virus was last updated. Classic Mac viruses are rarely reported now, and OS X malware is still something of a novelty. This page will, therefore, be more of a general Mac security resource, but will still make good use of my alleged specialist expertise in Mac malware where appropriate.
In the meantime, I'm working on updating Mac Virus material to reflect the 2007 threatscape, and new material will start to appear here in due course. If you have questions, comments or ideas, please contact me at info@smallblue-greenworld.co.uk, and I’ll help if I can.
Recent Mac Virus Paper
Traditionally, the response to any mention of viruses in the Mac community is along the lines of “There aren’t any Mac viruses, it’s all vendor hype.” I’ll come back to that issue in due course. For now, I’ll just remark that Marius van Oers presented an interesting paper on “Macintosh OSX binary malware” at the 2006 Virus Bulletin Conference: as far as I remember, this was the first Mac-related paper to be presented there since I presented one in 1997 to half a dozen delegates, a dog and the hotel detective. (It was my first conference presentation, and I still break into a sweat remembering it…) For more info on the VB conference, check out http://www.virusbtn.com/conference/index.
Mac Viruses in Security Books
Peter Szor’s excellent “The Art of Computer Virus Research and Defense” includes a little Mac virus information, as does Rob Slade’s out-of-print “Guide to Computer Viruses”. Roger Grimes’ “Malicious Mobile Code” makes only fleeting allusions, but it is sub-subtitled “Virus Protection for Windows”. “Viruses Revealed” by myself, Rob Slade and Urs Gattiker, includes quite a lot of Mac info, but it’s far from up-to-date. However, the rights to the book have reverted to the authors, and we’re considering an updated edition. My chapter on viruses in “Maximum Security” includes some Mac virus info, as does Nicholas Raba’s Macintosh chapter. The 4th Edition of the “Computer Security Handbook” includes a handful of very generalized observations. The AVIEN book discussed elsewhere on this site includes a little cross-platform information.
I will be implementing a wider-ranging review of Mac resources in due course.