Malware episode puts Mac users on notice
We're most vulnerable in our minds, not our operating systems. The recent Mac Defender malware should put to rest those assumptions and be a wake-up call for a change in attitude. It was for Apple. It should be for all Mac users.
Special to The Seattle Times
Mac users have the wrong idea about malware. I know I did. We tend to think of viruses as software that installs itself on our computers when we visit malicious Web pages in the Internet's back alleys, like porn and pirated software sites. Or of worms that infect remotely by scanning for vulnerable systems. And we think only Windows systems are affected.
Some of that is true. But we're most vulnerable in our minds, not our operating systems.
The Mac Defender malware should put to rest those assumptions and be a wake-up call for a change in attitude. It was for Apple.
After a few weeks of its typical watch-and-wait silence, Apple added a support page explaining how to remove Mac Defender, which appears under many different names, and promised an update.
That arrived last Tuesday as a three-part software fix, but only for Mac OS X 10.6.7 users. First, the update scans for Mac Defender and its variants and removes them. Second, it adds a definition to the very short list of malware signatures in Snow Leopard's File Quarantine database. Opening a downloaded file that matches one of those signatures triggers a warning that the item "will damage your computer."
Third, the update schedules a daily check-in with Apple for new malware definitions. Apple has moved from slowly reactive to a quicker response after years of relying on criminals' lack of interest in attacking its platform. (You can disable the daily update in the Security preference pane by unchecking Automatically Update Safe Downloads List. But why would you?)
Mac Defender is a close cousin of the kinds of malware that plague Windows users. Like Leopard and Snow Leopard, Windows 7 has a relatively strong (possibly stronger) security model that deters malicious software developers from taking over a system without the user's acquiescence. And fully up-to-date Windows XP, Vista, and 7 users no longer experience the worms of yesteryear that spread through infected systems, leaping from one to the next.
I spoke to Ed Bott, a veteran reporter on Windows issues who blogs at ZDNet. He noted that social engineering is now the name of the game on Windows, as we see with this first serious foray for Mac OS X. Social engineering is a fancy term for talking someone into something they shouldn't do. There are plenty of naive users of Mac OS X, as there are of Windows, who don't make safe choices, and Apple's made unsafe choices easier, too.
Mac Defender has morphed in just a few weeks, although the sequence remains the same. You visit a Web page via a poisoned search result or compromised Web ad and are redirected to another page or have another window open with a dialog that says your machine has suspicious programs. Click OK, and the software downloads while a Web page shows what appears to be a scan of your desktop.
Mac Defender relies on Safari's infamous Open Safe Files after Downloading option, found in its preferences on the General tab. Apple continues to ship Safari and Mac OS X with this option checked. It should have been removed long ago, and you should uncheck this box on your machine.
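For readers who prefer the Terminal to the preference panes, the following script is an added example, not part of the column and not Apple's code. It turns off Safari's auto-open option, reports the version of the installed File Quarantine (XProtect) definitions that the daily check-in updates, and shows which application tagged each file in your Downloads folder and when. It assumes Mac OS X 10.6.7 with the security update described above: the Safari preference key AutoOpenSafeDownloads, the XProtect.meta.plist path, and the "flags;hex-timestamp;agent;uuid" layout of the com.apple.quarantine attribute are the ones that release used. The sample quarantine value is constructed, not taken from a real download.

```shell
#!/bin/sh
# Added example (not from the column): a small hardening check for the three
# things discussed here -- Safari's "Open safe files" option, the daily
# XProtect definition update, and the quarantine tag Safari puts on downloads.
# Assumes Mac OS X 10.6.7 with Security Update 2011-003 (paths and keys below
# are assumptions about that release). The text-only helpers run anywhere.

# A com.apple.quarantine value looks like "flags;hex-unix-time;agent;uuid".
# Constructed sample, not a real download:
SAMPLE_QUARANTINE='0081;4dd6f1a3;Safari;C0FFEE00-0000-4000-8000-000000000000'

# Which application tagged the file (third ';'-separated field).
quarantine_agent() {
    printf '%s\n' "$1" | cut -d';' -f3
}

# When the file was downloaded, as a decimal Unix timestamp (second field is hex).
quarantine_epoch() {
    hex=$(printf '%s\n' "$1" | cut -d';' -f2)
    echo $(( 0x$hex ))
}

# Report on one downloaded file: is it quarantined, by whom, and when?
# A file with no quarantine tag is never inspected by File Quarantine/XProtect.
report_download() {
    f=$1
    if ! q=$(xattr -p com.apple.quarantine "$f" 2>/dev/null); then
        echo "$f: NOT quarantined (XProtect will not check it on open)"
        return 1
    fi
    echo "$f: quarantined by $(quarantine_agent "$q") at $(date -r "$(quarantine_epoch "$q")")"
}

# Safari's "Open safe files after downloading" box is the AutoOpenSafeDownloads
# key; when the key is absent Safari treats it as checked, so absent counts as on.
safari_auto_open_enabled() {
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    [ "$v" = "1" ] || [ "$v" = "true" ]
}

disable_safari_auto_open() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Version of the installed XProtect definitions, bumped by the daily check-in.
xprotect_version() {
    defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version 2>/dev/null
}

# The macOS-specific parts only run where the tools exist; elsewhere this is a no-op.
if command -v defaults >/dev/null 2>&1 && command -v xattr >/dev/null 2>&1; then
    if safari_auto_open_enabled; then
        echo "Safari will auto-open 'safe' downloads: disabling"
        disable_safari_auto_open
    else
        echo "Safari auto-open already off"
    fi
    echo "XProtect definitions version: $(xprotect_version)"
    for f in "$HOME"/Downloads/*; do
        [ -e "$f" ] && report_download "$f"
    done
fi
```

Quit Safari before running it, since Safari writes its cached preferences back to disk on exit and can undo the change. The quarantine report is the useful part for a suspicious download: a file that arrived without the tag, or one tagged by an application you did not use, is worth a second look before you open it.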
Mac Defender downloads in Safari, runs, and asks for a click to proceed. The latest variant doesn't require a password if the user has Administrator privileges, which is how most Mac user accounts are set up. The software installs, and then downloads the actual payload separately.
The payload then runs automatically, performs a fake system scan, and reports that it has found severe problems. It prompts you to register, at which point it asks for a credit-card number. Bott created a YouTube walk-through of the latest malware installer, and a later one showing Apple's security update blocking it. He said this kind of software often also rejects a few credit-card numbers as invalid, even while charging them, to increase the take from each fooled user.
If you're reading this column, you are likely sophisticated enough not to fall for such nonsense, starting with clicking the link on the Web page. You might have already turned off the Safari Open Safe Files option, or use a browser like Firefox or Chrome that requires additional steps to install this malware.
But how many of your friends, relatives, and colleagues are going to be this credulous? And Mac Defender is just the first effort to make any impact. Don't be fooled by the fact that in this release you have to enter a credit-card number to be scammed. Future Mac malware will look more like its Windows counterparts, with the potential to install all manner of malicious payloads: keystroke loggers, spam-sending programs, and the like.
Should you dash to Intego or another website to purchase anti-malware protection? Bott's simple and clever answer: "If you don't know the answer to that question, then the answer is yes." While such software protects best against threats that are already known, less-techie Mac users can be continuously protected through automatic updates and scans, when they might otherwise skip or delay Apple's software updates.
For more advanced users, I recommend Little Snitch. It doesn't block viruses and the like, but it keeps you informed about outbound network connections made by software you've installed, and, in principle, by software that installs itself.
Mac Defender was clearly a test case, with the criminals that drive malware for profit discovering that they can persuade enough people to click.
Bott notes that the money obtained through this first scam will fund the research and development for the next. Social engineering makes malware a brain virus: it relies on us to inject ourselves and get sick. Inoculate those you know by spreading the vaccine of safe behavior.
Glenn Fleishman writes the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to email@example.com. More columns at www.seattletimes.com/columnists