
Five OS X security threats that fizzled

Harbingers of the great Mac malware infestation that has yet to materialize.

Macs have been relatively safe from the kind of viruses that plagued Windows users through the last couple of decades. But once it was revealed that a variant of Flashback had built a botnet of more than half a million Macs by exploiting an unpatched Java vulnerability, users sat up and took notice. OS X has largely been free of self-propagating viruses and worms up to this point, but that doesn't stop unsuspecting users from being tricked into typing an admin password into a cleverly (or, sometimes, not-so-cleverly) disguised installer.

It should be noted that Flashback originally required an admin password as well, but later variants shed that requirement, with the Java vulnerability doing the work instead. And the recent Flashback hubbub wasn't the first indication that malware could affect Mac users, not by a long shot. In fact, the first versions of the Flashback trojan itself appeared as early as September 2011, so the latest outbreak wasn't even the first we had heard of this particular malware.

As Apple continues to increase its share of the PC market, Macs are becoming a viable target for malware authors, sprouting a handful or two of trojans in the last decade. Here are five in particular that were considered (by some) to be harbingers of a great malware infestation for OS X that instead proved to be more bark than bite.

Patient zero

One of the first well-known trojans for Mac OS X turned up in 2004. OS X hides file extensions by default, so an executable can masquerade as some other file type, like an image or music file: with extensions hidden, a file named "hot_pic_xxx.jpg.app" appears to the user as "hot_pic_xxx.jpg". Add a custom icon, and an unsuspecting user might double-click it, launching the app instead of opening the supposed image in Preview.
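As an added illustration (not code from the original article), here is a small Python check that flags filenames using this double-extension trick. The two extension lists are assumptions chosen for the example rather than an authoritative macOS list, and the sample filenames are constructed:

```python
"""Flag files that look like documents once extensions are hidden but are
really executable bundles or scripts (the 'hot_pic_xxx.jpg.app' trick).

Added example, not code from the article. The extension lists below are
assumptions for illustration, not an authoritative macOS list.
"""
import os
from typing import Iterable, List

# Extensions OS X treats as launchable when double-clicked (assumed list).
EXECUTABLE_EXTS = {".app", ".command", ".pkg", ".mpkg", ".workflow", ".sh"}

# Extensions a user expects to open in a viewer or player, not to run (assumed list).
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp3", ".m4a",
                 ".mov", ".txt", ".doc", ".xls"}


def visible_name(name: str) -> str:
    """Approximate what Finder shows when 'Show all filename extensions' is off:
    the final extension is dropped, so 'hot_pic_xxx.jpg.app' displays as
    'hot_pic_xxx.jpg'."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def is_disguised(name: str) -> bool:
    """True when the real (last) extension is executable but the name the user
    sees ends in a document extension."""
    stem, real_ext = os.path.splitext(name)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(stem)
    return shown_ext.lower() in DOCUMENT_EXTS


def find_disguised(names: Iterable[str]) -> List[str]:
    """Return the disguised names from an iterable of filenames, sorted."""
    return sorted(n for n in names if is_disguised(n))


def scan_directory(root: str) -> List[str]:
    """Walk a directory tree and report disguised entries. App bundles are
    directories, so they show up in dirnames; report them without descending
    into them."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if is_disguised(d):
                hits.append(os.path.join(dirpath, d))
            if d.lower().endswith(".app"):
                dirnames.remove(d)  # don't recurse into bundles
        for f in filenames:
            if is_disguised(f):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


# Constructed sample: what a downloads folder might contain.
SAMPLE_NAMES = [
    "hot_pic_xxx.jpg.app",     # the article's example: shows as hot_pic_xxx.jpg
    "hot_pic_xxx.jpg",         # a real image
    "invoice.pdf.command",     # shell script disguised as a PDF
    "Safari.app",              # a legitimate app bundle
    "song.mp3",
    "archive.tar.gz",          # double extension, but neither part is executable
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        flag = "SUSPICIOUS" if is_disguised(name) else "ok"
        print(f"{visible_name(name):<22} (really {name:<24}) {flag}")
```

The check is deliberately name-based; it catches what the user would be fooled by, not what the file actually contains, so a bundle named "photo.app" with a JPEG icon still slips past it. Pair it with turning on "Show all filename extensions" in Finder, which removes the disguise altogether.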

Mac security firm Intego spotted a trojan that took this method a little further by burying executable code in the ID3 tag of an MP3 file. Double-clicking the file would run the code hidden in the ID3 tag, then play the MP3 in iTunes to keep the user none the wiser.

At the time, Intego warned that the trojan could do all kinds of bad things, like delete files, infect other MP3s, or send itself via e-mail. However, the code was merely a proof of concept that never went anywhere.

RSPlug.A

While subsequent trojans identified as malware turned out to be little more than harmless proofs of concept, Intego warned of a more serious threat in 2007 dubbed "RSPlug." This trojan pretended to be a QuickTime codec necessary to view videos from porn sites, but instead changed the system's DNS server settings to point at attacker-controlled servers, which redirected users to fake versions of sites like eBay or PayPal. Those sites captured users' logins in order to scam money from them.

Several variations later appeared that seemed to prey on the most naïve users, barely attempting to hide the fact that the installers were not from trusted sources. While Intego considered RSPlug a "critical" threat, it required users to enter an admin password before it could do anything unsavory, which kept it from infecting more than a tiny percentage of Mac users.
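RSPlug's trick leaves a simple fingerprint: the system's DNS servers point somewhere they shouldn't. As an added example (not code from the article or from Intego), the following Python script parses the resolver list that `scutil --dns` prints on OS X and flags any server that is neither on the local network nor on an allowlist. The allowlist, the local-network ranges and the sample `scutil` output are assumptions constructed for the example:

```python
"""Detect RSPlug-style DNS hijacking by checking which resolvers the system uses.

Added example, not code from the article. parse/suspicious_resolvers run offline
against constructed `scutil --dns` output; check_live_system() shells out to the
real scutil on OS X.
"""
import ipaddress
import re
import subprocess
from typing import Iterable, List

# Resolvers we expect to see; in practice your ISP's or company's servers.
# Assumed allowlist for illustration.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Address ranges where a home router or corporate resolver would normally live.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents
)]

# scutil --dns prints lines like "  nameserver[0] : 192.168.1.1"
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text: str) -> List[str]:
    """Extract the unique nameserver addresses, in order of first appearance."""
    seen: List[str] = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m:
            addr = m.group(1).split("%")[0]  # drop an IPv6 scope id such as fe80::1%en0
            if addr not in seen:
                seen.append(addr)
    return seen


def suspicious_resolvers(servers: Iterable[str],
                         trusted: Iterable[str] = TRUSTED_RESOLVERS) -> List[str]:
    """Return servers that are neither local nor on the allowlist. Anything that
    does not parse as an address is reported too, since scutil should only
    print addresses on these lines."""
    trusted = set(trusted)
    flagged = []
    for s in servers:
        if s in trusted:
            continue
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)
            continue
        if any(ip in net for net in LOCAL_NETS):
            continue
        flagged.append(s)
    return flagged


def check_live_system() -> List[str]:
    """Run the real scutil on OS X and return any suspicious resolvers."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True,
                         text=True, check=True).stdout
    return suspicious_resolvers(parse_scutil_dns(out))


# Constructed sample resembling scutil --dns output on a machine whose primary
# resolver has been pointed at a foreign server. 203.0.113.7 is a
# documentation-range placeholder, not a real attacker address.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.7
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 203.0.113.7
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
"""

if __name__ == "__main__":
    servers = parse_scutil_dns(SAMPLE_SCUTIL_OUTPUT)
    print("configured resolvers:", servers)
    print("suspicious:", suspicious_resolvers(servers))
```

A resolver outside the local network is not proof of compromise (laptops on public Wi-Fi legitimately get handed public resolvers), which is why the check reports rather than repairs; but a persistent, unexpected entry at the top of the list is exactly what a DNS-changing trojan looks like, and it is worth cross-checking against the DNS servers your router actually advertises.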

OSX.Trojan.iServices

Within a month of Apple launching iWork '09 at Macworld Expo in January 2009, a pirated version of the $79 productivity suite started circulating on the 'net stuffed with code that installed a backdoor in OS X. More variations of this same trojan appeared in other "pirated" apps, including Adobe Photoshop CS4.

Needless to say, this trojan didn't infect many users either. While Adobe's rather expensive creative software was probably a much smarter payload target than Apple's budget office software, this trojan only infected casual "pirates," who probably learned a valuable lesson about paying for legitimate software licenses.

"MacGuard"

In 2008, malware authors tried to take advantage of unsuspecting Mac users by pretending to be virus-scanning software. Dubbed "MacGuard," this malware caused fake virus-infection alerts to appear on a user's computer, offering to rid the user of the "virus" in exchange for credit card information.

Fortunately, the app was poorly ported from a nearly identical Windows version, and didn't fool many users before security vendors identified it. Our advice then was to stick to well-known antivirus vendors, like Norton or McAfee, instead of unknown software begging for credit card numbers.

The same basic trick later reappeared in a much more convincing form in 2011 as "Mac Defender." That software was considerably more sophisticated and at least had the appearance of a legitimate app. It took Apple a couple of weeks to acknowledge the problem and offer a software update that removed the malware, but only after the malware appeared to have spread in relatively significant numbers. Though the true impact of Mac Defender remains unclear, it certainly brought the question of Apple's responsibility for fighting malware to light.

HellRTS.D

A new tool for installing a backdoor in OS X, called "HellRTS," was discovered in 2010. Installing it required physical access to the computer, though Intego warned that the code could have been packaged as a trojan. The backdoor was actually a variant of code first discovered as far back as 2004, and fortunately it never materialized in any malicious trojan.

Variants of RSPlug and later the Mac Defender trojan ultimately caused more concern, and Apple moved to update the anti-malware feature silently built into Snow Leopard in 2009 to identify and eliminate these threats.

An ounce of prevention...

As we have noted in all our coverage of potential Mac security threats, an ounce of prevention is worth far more than a pound of cure when it comes to computer security. Running as a non-admin user stops any malware that needs an admin password to install itself, which covers most of the trojans above (though not the later Flashback variants, which no longer needed one), and turning off Java or Flash in your browser eliminates those popular exploit vectors. Furthermore, a heightened sense of skepticism when dealing with unfamiliar websites, e-mails from unknown senders, or software downloads from unverified sources also helps reduce the likelihood of falling victim to a trojan or other malware.

We think Apple could do more to respond to threats once they are widely identified, especially when it comes to how long it takes to offer a software update. Still, the company is making some effort to limit software downloads by default to trusted sources such as verified developers or the Mac App Store.

Of course, when it comes to Flashback, even being hyper-aware wouldn't have helped much: malware is increasingly delivered through iframes injected into Google image search results and other sites that people widely trust. Users should remember that even sites they visit regularly can turn into attack sites if they are compromised and seeded with exploits. Perhaps it's time for us to consider installing antivirus software as a rule, just like our Windows-using brothers and sisters.
