Mac Virus/Malware FAQ

From Mac Guides

Jump to: navigation, search

This Guide was created by stridemat and is based upon a forum post by GGJstudios


Contents

You DO NOT have a virus on your Mac!

If you want to know why this is true, read on.

The term "virus" is commonly but erroneously used to refer to all types of malware, adware, and spyware programs that do not have the reproductive ability of a true virus.

The bottom line is this: as a Mac user, your chances of being affected by a virus, trojan or other malware are extremely slim, unless you've been careless about where you get software and when you enter your administrator password.

If you're experiencing a problem or unexpected behaviour with your Mac, there's better than a 99.9% chance that it's something other than a virus or other malware.

What is a virus?

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:

  • It must execute itself. It often places its own code in the path of execution of another program.
  • It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.

The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the reproductive ability. Malware includes computer viruses, computer worms, Trojan horses, most rootkits, spyware, dishonest adware and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves.

'What is a Trojan horse?

Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that when triggered cause loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet.


'What is a worm?

Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which requires the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm.


What is a virus hoax?

Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Following are some of the common phrases that are used in these hoaxes:

  • If you receive an email titled [email virus hoax name here], do not open it!
  • Delete it immediately!
  • It contains the [hoax name] virus.
  • It will delete everything on your hard drive and [extreme and improbable danger specified here].
  • This virus was announced today by [reputable organization name here].
  • Forward this warning to everyone you know!

Most virus hoax warnings do not deviate far from this pattern. If you are unsure if a virus warning is legitimate or a hoax, additional information is available at the Symantec Security Response online database.


'What is scareware?

Another type of hoax is referred to as scareware. It's a bogus virus warning that pops up when visiting some websites, and looks something like this. If you take a close look, you'll see the popup refers to a Windows system, which obviously doesn't relate to Mac OS X. It can't harm your Mac at all. Just close the site, clear your browser's cache and cookies, and you'll be fine. Sometimes these scareware sites will generate a never-ending loop of popups, to the point that you must Force Quit your browser. Such scareware sites are usually intended to lure a Windows user into clicking the links to install bogus "antivirus" software, which is typically a trojan. Even if you click the links on a Mac system, it can't install anything, because Windows executable files can't run on Mac OS X.

There are NO viruses in the wild that affect Mac OS X at this time.

If this changes, this post will be updated. According to noted computer virus expert Paul Ducklin, in order for a virus to be considered in the wild, "it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users." This definition excludes "proof of concept" code that is used in a testing situation under strictly controlled conditions, and which poses zero threat to average computer users.

In the past, there have been a few viruses that ran on older versions of the Mac operating system (Mac OS 9 and earlier), but they do not run on any version of Mac OS X. Like every other OS, Mac OS X is not immune to malware threats, this situation could change at any time, but if a new virus is discovered, the news media, forums, blogs, etc. will be instantly buzzing with the news. See update below.*

There are trojans that can affect Mac OS X

These must be downloaded and installed by the user, which usually involves entering the user's administrator password. Also, Mac OS X will give you a warning when you first launch an app you downloaded from the web. Trojans can easily be avoided by the user exercising common sense and caution when installing applications. A common source of trojans is pirated software, typically downloaded from bit torrent sites.

AntiVirus Apps

While some may prefer to install 3rd party antivirus software, it's not needed to keep your Mac malware-free if you practice safe computing (read the What security steps should I take? section of this FAQ). Also, using antivirus software can give some a a false sense of security, leading them to exercise less caution in their computing practices. Antivirus detection rates are less than 100% and sometimes new malware isn't initially recognized as such by antivirus apps. The point is, even if you elect to use an antivirus app, it's still wise to practice the safe computing. Be aware that running antivirus apps can cause other problems, such as with Time Machine backups, iTunes Store downloads, and others, not to mention impacting performance, all with no benefit that can't be achieved by simply practicing safe computing.

It is possible to have a Windows virus-infected file reside on your hard drive, but since a Windows virus (like any Windows program) can't run in native Mac OS X, it would be harmless to your Mac and could not spread.

If for some reason you elect to run a 3rd-party antivirus app:

  • ClamXav is a good choice, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges. However, recent tests show its detection rate is lower than some other apps.
  • Here is a link to results of recent tests of antivirus apps. Be aware that the test only involves one aspect of such apps, and other factors should be considered. However, it may be useful in identifying detection rates when performing manual scans.
  • Despite its detection rate, Sophos should be avoided, as it could increase your Mac's vulnerability, as described here and here.
  • iAntiVirus has a bogus malware definitions list, making their detection accuracy untrustworthy. They also make inaccurate claims about the existence of Mac malware, in order to hype the need for their product.

What security steps should I take?

Practicing safe computing can keep your Mac free of all Mac OS X malware that has ever been found in the wild, without the need for 3rd party antivirus apps.

  • Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall
  • Uncheck "Open "safe" files after downloading" in Safari > Preferences > General
  • Disable Java in your browser. (For Safari users, uncheck "Enable Java" in Safari > Preferences > Security.) This will protect you from malware that exploits Java in your browser, including the recent Flashback trojan. Leave this unchecked until you visit a trusted site that requires Java, then re-enable only for the duration of your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)
  • Change your DNS servers to OpenDNS servers by reading this.
  • Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.
  • If you're running Mountain Lion, check your Gatekeeper settings in System Preferences > Security & Privacy > General > Allow applications downloaded from. For more information on these settings: OS X: About Gatekeeper
  • Never let someone else have access to install anything on your Mac.
  • Don't open files that you receive from unknown or untrusted sources.
  • For added security, make sure all network, email, financial and other important passwords are long and complex, including upper and lower case letters, numbers and special characters.
  • Always keep your Mac and application software updated. Use Software Update for your Mac software (at least weekly). For other software, it's safer to get updates from the developer's site or from the app's menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
  • For protection against phishing attempts, make sure the URL of the website you're visiting is as expected. Look in the address bar of your browser to make sure the page you're viewing is from the domain you intended to visit.

That's all you need to do to keep your Mac completely free of any virus, trojan, spyware, keylogger, or other malware. You don't need any 3rd party software to keep your Mac secure. For more details, you can read the Mac Security Suggestions compiled by munkery

What about sending files to Windows users?

Some users choose to run antivirus such as ClamXav on their Mac to scan for Windows viruses (it also scans for Mac threats), so the Mac user can't pass a virus-infected file to a Windows user. However, a more prudent approach is for every Windows user to be protected by their own AV software, to guard against viruses from any source, not just those that might come from a Mac user.

Running anti-virus on your Mac to protect Windows users from malware is like covering your mouth when you cough in front of the kids, then sending them out without flu shots to a school where a flu epidemic is spreading like wildfire. Great! They might not catch anything from you, but you've left them vulnerable to the greater risk. It's wiser to make sure they have flu shots, so they're protected from infection, whether it be from you or from other people.

If you really want to help your Windows friends, encourage them to get their own anti-virus protection installed, or offer to install it for them.

Why am I being redirected to other sites?

Some users experience a problem with being directed automatically to sites that they didn't intend to visit. This may also occur when searching with Google. You don't have a virus! It's a problem with your DNS settings, either in your Mac or in your router. Try resetting your router. Here's how to fix the problem in Mac OS X:

1. Go to System Preferences > Network
2. There you will see a padlock icon in the lower left corner. If the padlock is already open (unlocked), go directly to step 3. If the padlock is closed and the note says "Click the lock to make changes", click the lock and enter your administrator password, so you can change DNS servers.
3. Select your network on the left column, click the "Advanced" button in the lower right area of the window.
4. Click the DNS tab to see the listing of your DNS Servers
5. If any of the DNS servers are greyed out after entering your admin password, you may be able to simply add the OpenDNS or Google servers listed below. If you need to remove greyed-out servers, refer to this: 10.5: Disable DHCP-specified DNS servers
6. Select each set of numbers and click the "-" icon for each to remove all existing DNS servers
7. Click the "+" icon to add the following servers.
You may choose either OpenDNS or Google servers (not both sets):
OpenDNS (OpenDNS has announced they are blocking the Flashback trojan):
Primary DNS Server: 208.67.222.222
Secondary DNS Server: 208.67.220.220
Google:
Primary DNS Server: 8.8.8.8
Secondary DNS Server: 8.8.4.4
8. When you've completed your changes, click "OK" to close the Advanced settings window
9. Click "Apply" on the Network window to save your changes

As an alternative, you can use namebench to find the fastest DNS servers available for your computer.

*UPDATE - Recent threats in the news

Flashback Trojan

The Apple knowledge base article on removing this malware can be found here. As with every other instance of Mac OS X malware that has ever been released in the wild, this malware posed no threat to users who were already practicing the safe computing suggestions in the What security steps should I take? section of this FAQ.

MacDefender or MacSecurity or MacProtector or MacGuard installation package

Apple has issued a knowledge base article on this issue, found here:

How to avoid or remove Mac Defender malware
A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender "anti-virus" software to solve the issue."
This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user's credit card information which may be used for fraudulent purposes.
The most common names for this malware are MacDefender, MacProtector and MacSecurity.
In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.
In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.
(to read the rest of the KB article, click the link above)

Further information on MacDefender:

This is not a virus or even a true trojan! MacDefender, MacSecurity, MacProtector, MacGuard and other variations refer to a software installation package that automatically downloads when viewing some images in Google search results. It may automatically launch, depending on your browser and settings, but it cannot be installed unless you actively continue the installation process, which may or may not include entering your admin password. The solution is simple: don't! If you quit the installation process without completing it, nothing on your Mac is affected. Simply delete the downloaded file, and your Mac is clean. To prevent these files from launching in the future, uncheck "Open "safe" files after downloading" in your Safari Preferences.
Be aware that there is animation on the website that appears that simulates scanning your computer for malware. THIS IS BOGUS. (read further in this post for information on "scareware") Nothing is being scanned and nothing is executing on your computer during this animation! It's no different than watching a video on YouTube or visiting any website with animation. The animation on the site would appear no matter what computer or OS you were using to view it. If you quit the installer that downloads and launches, nothing is installed on your computer. If you delete the installer after quitting, your Mac is completely clean of any trace of this installer.

For more info, read this article: New 'MACDefender' Malware Threat for Mac OS X and this thread.

trojan.osx.boonana.a Trojan

On Oct. 26, 2010, Mac security site SecureMac posted this security bulletin:

SecureMac has discovered a new trojan horse in the wild that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video.
When a user clicks the infected link, the trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system.

New Java-Based Malware Targets Mac OS X:

As with all trojans, this requires the user to unwittingly invite the infection by deliberate action (in this case, clicking on a fake video link). You cannot be infected by this trojan if you don't click on the appropriate link. You can eliminate this threat by disabling Java in your web browser.