Snow Leopard's malware protection only scans for two Trojans

The much hyped built-in malware protection in Apple's Snow Leopard upgrade appears to be nothing more than an XProtect.plist file containing five signatures for two of the most popular Mac OS X trojans, OSX.RSPlug and OSX.Iservice.

Intego, the company that originally reported the new feature, has just published a comparative review of its (commercial) antivirus product against Apple's anti-malware function. Here are some of the highlights:

  • Apple’s anti-malware function only scans files downloaded with a handful of applications (Safari, Mail, iChat, Firefox, Entourage, and a few other web browsers) -- therefore the disturbingly modest signature base is bypassed entirely if the user downloads the malware with a BitTorrent client
  • Apple’s anti-malware function currently only scans for two Trojan horses, as of the initial release of Snow Leopard -- relying on such a modest set of signatures for variants of known OS X malware families clearly indicates that the feature was released prematurely
  • Apple’s anti-malware function receives occasional updates via Apple’s Software Update -- with respect to malware, even Mac OS X malware, every modified variant of a known family enjoys a decent life cycle until a signature for it is shipped. In its current form, reliance on occasional Apple Software Updates rather than regular, scheduled independent signature updates clearly lengthens the life cycle of a known piece of malware
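As an added illustration of the scanning model the three points above describe (this is example code, not Apple's or Intego's), the Python below loads a constructed, simplified XProtect-style signature list and runs the same constructed payload through a quarantine-gated, exact-pattern scan. The plist schema, the OSX.Example.A entry and the DownloadedFile model are assumptions for the demo; the quarantine flag stands in for the com.apple.quarantine extended attribute that only certain download clients set.

```python
import plistlib
from dataclasses import dataclass

# Constructed, simplified signature list in the spirit of XProtect.plist; the
# real file's schema is not reproduced. Each entry names a family and gives a
# hex "Pattern" that must occur verbatim in the scanned file. "OSX.Example.A"
# and its pattern are invented for this demo.
SIGNATURE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
  <dict>
    <key>Description</key><string>OSX.Example.A</string>
    <key>Pattern</key><string>4D41435F54524F4A41</string>
  </dict>
</array></plist>"""

@dataclass
class DownloadedFile:
    name: str
    data: bytes
    # Stands in for the com.apple.quarantine extended attribute that Safari,
    # Mail, iChat and a few others set on downloads; other clients leave it unset.
    quarantined: bool

def load_signatures(plist_bytes: bytes) -> dict:
    """Return {description: pattern_bytes} from the constructed plist."""
    return {e["Description"]: bytes.fromhex(e["Pattern"])
            for e in plistlib.loads(plist_bytes)}

def scan(f: DownloadedFile, sigs: dict) -> str:
    """Quarantine-gated exact-pattern scan: 'not_scanned', 'clean', or the
    name of the first signature whose pattern occurs in the file."""
    if not f.quarantined:
        return "not_scanned"  # never inspected, whatever it contains
    for name, pattern in sigs.items():
        if pattern in f.data:
            return name
    return "clean"

def demo() -> dict:
    # Same constructed payload arriving three ways; the variant differs from
    # the original by one byte of the marker, which the exact signature misses.
    sigs = load_signatures(SIGNATURE_PLIST)
    marker = bytes.fromhex("4D41435F54524F4A41")
    original = b"\xca\xfe\xba\xbe" + marker + b"\x00" * 8
    variant = original.replace(marker, marker[:-1] + b"B")
    return {
        "safari_download": scan(DownloadedFile("codec.dmg", original, True), sigs),
        "torrent_download": scan(DownloadedFile("codec.dmg", original, False), sigs),
        "safari_variant": scan(DownloadedFile("codec.dmg", variant, True), sigs),
    }
```

Only the first case is caught; the other two map directly onto the first two bullets, and the third bullet is what makes the variant case last until a new signature ships.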

Related posts: New Mac OS X DNS changer spreads through social engineering; Mac OS X malware posing as fake video codec discovered; New Mac OS X email worm discovered; Trojan exploiting unpatched Mac OS X vulnerability in the wild

In its current form, Snow Leopard's anti-malware feature offers nothing but a false sense of security. What do you think?

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Much hyped by whom?

    Here's a quote from the first link you provided (emphasis mine): "Apple has *quietly* added a new Snow Leopard feature to scan software downloads for malware..."

    • ZDNet Apple posts have degenerated into a complete joke

      Misinformation, untruths, fear and now pretend disappointment.

      Quite frankly it's embarrassing.
      Richard Flude
      • Richard, Richard, Richard....

        Your continued Kool-Aid induced delirium concerning the real threat to unprotected Macs in the world is really quite shameful.
        This year had a rather large botnet consisting of 100000+ Macs, the Trojans in 5 different P2P packages, Pwn2Own third year running for quickest takeover, third year running most reported exploits, third year running slowest patch release for reported exploits.... do we continue? Or are you willing to see your errors and retract?
        • Nobody's perfect

          Least of all the Windows OS. There are so many malware intrusions on Windows, it makes people wonder whether computers are really worth it.

          I have three Macs in my house all operating up to 18 hours per day by myself, my wife and my two young kids. We have never had any malware experiences - period. And I have been using Macs for 25 years.

          My two PCs don't get the same usage because people in our family don't want to deal with all the security updates and ongoing intrusions all the time. All that kind of stuff is usually left to me to deal with.

          I realize that the Mac is vulnerable, theoretically. But in the real world, the PC is much more so.
          • Malware is prevalent no matter...

            what OS is involved. It is as much a problem for the browser as well. If you think different, you are not dealing with reality!!!
            How about this: all these people listening to you, maybe I should post your phone number and encourage them to call you when they don't install malware protection and get hit, guaranteed it will happen.
            You're blinded by your own arrogance maybe?
          • Re: Malware is prevalent no matter...

            The reality is that MOST malware is not designed for unix platforms, including the beloved Apple OS and Linux.

            Combine that with a reasonably secure kernel and you've got an extra layer of protection right out of the box.

            True, nobody should be arrogant to the point where they think they CAN'T be hit, but it is reassuring to know that the odds are pretty low on being hit in general. Combine that with safe browsing practices, and you're just a little bit lower.

            Windows, on the other hand, to make relatively secure, almost requires some level of anti-virus, anti-malware and anti-rootkit protection. This type of protection is uncommon on the unix-based desktop, I would imagine.
          • RE: Re: Malware is prevalent no matter...

            The fact of the matter is that OS X doesn't have a secure kernel; the OS has no malware mitigation techniques, except for the couple that came with Snow Leopard. Windows does, and it also happens to be the OS swamped with malware because it's the most common type of OS in the world, not for lack of security.
          • Totally agree

            Why does it even *matter* what is the most "secure"? What matters is your chance of getting a virus in the real world (or some other type of malware). As of today, with OSX or *nix based systems, that chance is pretty much zero.

            This is certainly not to say that OSX or Linux are inherently more secure (which they may or may not be in various ways), but no matter which way you slice it, you still have an astronomically higher chance of getting malware on Windows than on other OS's.
          • You stated it in your first sentence...

            "The reality is that MOST malware is not designed for unix platforms, including the beloved Apple OS and Linux"

            It is only the fault of Windows popularity that most malware is made to run on it.

            "Combine that with a reasonably secure kernel and you've got an extra layer of protection right out of the box."

            If this is true, how is it that Mac OS is usually one of the first to fail at Pwn2Own? The exploits are there, it's just that no one but security researchers care to develop malware for such a small market.

            I've run Windows my entire life (so I can't speak for Mac OS) but I never have anti-virus running (I run a couple of the free ones every couple of months as a precaution). I run Windows Firewall and that's it. I've had three viruses on my machines in over ten years. Two were because I forgot to scan pirated software and one (a particularly resilient Smitfraud variant) because a not so computer literate friend of mine downloaded and ran the purported "porn cam" software from some malicious site (can you believe I actually had to educate him on how to find porn on the internet... sad).

            Windows is not a piece of software artwork, but Windows is NOT the same kind of OS as Mac; they have different markets and different requirements. As an OS Windows is stable and secure, though it's easy for a user to put a hole in ANY OS' security (or stability).
          • Funny

            I have been using PCs since DOS 1 and I have never had any kind of a virus on any of them. And I run them 24/7 and all of my current lab PCs are wide open to the internet.
          • Are they each connected to their own Internet...

            connection or do they run through a router ???
          • How do you know?

            What I don't get is how people can claim they have encountered no malware whatsoever. If you don't check your system, how do you know?

            I mean, back in the glory days, it was easy to tell if you got a virus. It'd pop up a 'your system will die on April 30th' alert, or a 'Punked!' alert, or hit you with fifty billion pop-ups and replace your search page, or any one of a dozen different and highly disruptive symptoms.

            Nowadays, though? Nowadays, they just install rootkits and backdoors, then go to sleep. Odds are, you wouldn't notice that your system was running 1% slower than usual. Do you KNOW that you've had no problems with malware? Have you scanned for it? Have you compared old hashes of software against the existing versions? What approach are you using to verify the pristine quality of your Macs?
          • "What approach are you using to verify the pristine quality of your Macs? "

            Steve Jobs' TV commercials that Macs aren't vulnerable...and a little dose of keeping one's head in the sand for good measure.
          • Pretty much

            Anyone asserting that their system is completely clean and works fine without an antivirus/antimalware application is living in the mid-90s.
          • exactly the point...

            Most Mac users won't even be aware of the dangers. Surf the net, there are plenty of sites that openly talk of the exploits being created for Macs. There are discussions of the ease of the takeovers, and that is being backed up by what has happened at Pwn2Own the last three years.
          • But everyone knows

            that malware is intrusive and explicit! If I don't see my default search client being changed, I should be fine!

            ...Man, I actually miss the old intrusive-malware days. Frickin' rootkits and stealth backdoors are annoying things to fight.
          • What rootkit exists there for OSX....

            That doesn't require an administrator user's interaction? Is there any malware out there at all that just quietly installs without the user even knowing about it? I have never heard of any for OSX.
          • Ahh but there is....

            do a little research, query exploiting Macs or Mac exploits. Ahh hell, just look. Denial is the playground of the Devil, and he loves the Mac playground.
          • true, but...

            most people with PCs DO virus scan on occasion, either they don't know anything about their system and their virus scanner just runs on boot (and can be worse than the malware *cough*norton) or they DO know what they are doing and so they run it on occasion.

            But how do you know if your Mac doesn't have a virus? I bet a significant number of Macs have a virus, and the user never even knows. Either it's dormant and they don't know, or it's actively slowing the system and the user just doesn't care. Or they take it into the Apple geeks and they fix it (like they're going to say, oh you had a virus; no, they're going to say, there ya go, it's fixed).
          • Why bring up "the pc"?

            You own a Mac. Whatever is happening to the PC won't matter once your Mac is pwned. Insecure PC, or secure PC as a matter of fact, won't protect your Mac. You think?