Mac malware volumes 'spike' without pain

Apple Mac users have a good reason to feel more secure than their PC-using cousins: compared to malicious software created for Windows systems, malware writers have left OS X in relative peace.

While the total malware count for PCs, according to security company F-Secure, is 850,000, its count for current versions of Mac OS X is under 100 — a list which is dominated by variants of a single trojan it labelled OSX/DNSChanger, which was discovered last year by security company Intego.

But last week there was a "spike" in malicious OS X activity when Intego announced it had discovered another Mac trojan — OSX.Trojan.PokerStealer, which masks itself as a poker game and is distributed as a zipped file containing the supposed gaming application.

According to Intego, the trojan asks the user to enter their password in order to rectify a fictional problem with the software. If entered, the Trojan uploads the details, which include the computer's IP address, to a server. This information could be used to take control of the system.

Also last week, security vendor SecureMac reported seeing new variants of a more dangerous trojan, AppleScript.THT, affecting users of Mac OS X 10.4 and 10.5.

The new variations exploit vulnerabilities within the Apple Remote Desktop Agent and try to avoid detection by turning off system logging. The new trojans can log keystrokes, take screenshots, take pictures with the Apple iSight camera and enable file sharing, according to SecureMac.

Despite the virtually insignificant levels of Mac malware, McAfee, Macscan, Avast, Intego, Symantec, and Sophos all produce security software for OS X.

In 2007, a year after McAfee released its AV product for the Mac, Marius van Oers, a McAfee AvertLabs security researcher wrote: "With an estimated OS X market share of about five per cent on the desktop systems one would expect to see more malware for OS X."

According to a January report by Web statistics vendor Net Applications, the Mac's share of operating systems around the world was 7.57 per cent — a 21.7 per cent growth.

Still, it's difficult to find a Mac user whose computer has been harmed by malware. So should consumers and businesses invest in security software?

Paul Ducklin, head of technology at security vendor Sophos, cautiously recommends Mac users buy AV.

"I was accused of inflating the threat and scaring people," he said. "There seems to be a whole part of the community that would love to see someone say that Macs are terrible, but we're trying to steer a line down the middle… If the user is determined to give permission to little-known programs or to accept attachments, they can end up reducing their own security.

"I do suggest people use it to protect Macs both from itself and their operation of it, but I admit the risk of getting infected is very much smaller than when using a PC," said Ducklin.

Ducklin argues that even if Macs are not infected, they — along with Linux-based systems — could be used to attack PCs.

"In one example we saw, you could see the threat wasn't coming from the outside and not getting through the firewall. The threat was coming from a Mac running OS X 10. Someone had hacked in and reconfigured it as a delivery hub for malware. The Mac couldn't be infected, but if it had had AV, it would not have been able to serve infected files to Windows computers," said Ducklin.

Greg Vickers, a security engineer at Queensland's University of Technology, told ZDNet.com.au that it doesn't matter how low the malware count is for Mac OS X, they still need protection.

"Antivirus should be used for Macintosh computers as viruses do exist for the Macintosh operating system. Even with high levels of user education and the low target profile of the Mac OS, it is possible for a virus to infect a Mac computer," said Vickers.

"Macintosh and Linux computers are a target for malware, irrespective of how widely that threat is perceived across the IT security industry. Any risk associated with that threat needs to be considered in an enterprise environment."

But Vickers points out another area of security that isn't affected by software vulnerabilities — people.

"The human is what's going to be a potentially much more exploitable link than a possible security problem in an OS or application. Social engineering attacks can be quite successful and easier to do than a technical attack," he said.