There is a Mac Trojan horse that seems to be making quite a splash in the news. Consumer websites and business websites alike are covering this new malware with feverish intensity. While this isn’t the first malware to be introduced to the Mac, it is still interesting because it comes bundled with costly software.

The Trojan, called OSX.Trojan.iServices.A, is packaged with a pirated version of Apple iWork and was first caught in the wild on January 21, 2009 on BitTorrent trackers. A variant, OSX.Trojan.iServices.B, was found bundled with a pirated copy of Adobe Photoshop CS4 five days later. Tens of thousands of Mac users have downloaded the infected software packages so far. Both Trojan variants seem to be loaded after the user supplies the root password for the install of either iWork or Photoshop. After the install, the Trojan uses the available network connection to check in with what seems to be a controller server. The attacker now has root access to a host with a broadband connection.

What is particularly clever about this malware? It is packaged with large and expensive Mac software files. Because of this, the malware writer knows a couple of things about the demographic that is liable to download these files:

1. They will probably have a broadband connection.
2. They are unlikely to have anti-virus installed on their machine.

Granted, the current malware seems to rely on a Mac user either navigating the shady underbelly of the Internet or downloading files illegally. However, with the growing popularity of Apple’s Macintosh machines and the success of this Trojan, it is likely that we will be seeing more malware written for OSX. The common objections to this thought are that the user base is small when compared to Windows and that it is a waste of resources to run antivirus when there are so few viruses written for the OSX platform.

It is true that the Mac user base is much smaller. As of December 2008 the tally was 5.24% on W3Counter.com. Sure, writers of malware may, for the most part, write for the much larger Microsoft user base. However, 5.24% of the 53,892,847 users referenced in W3Counter.com’s sample is still almost 3 million users, most of whom will not have any anti-virus installed. That means that once a host is compromised, the compromise will likely go undetected. Even if an IDS picked up suspicious traffic from an OSX host, how would IT respond considering the current trend of thinking? Would they assume that, since the host sending the traffic is a Mac, it can’t be infected? How long would that Mac stay infected?

Moreover, it is important to remember that many software vulnerabilities are portable. What that means is that a vulnerability in Microsoft Word is often just as effective on OSX as it is on Windows XP. The same goes for browsers with their numerous plug-ins. This allows a virus to exploit vulnerabilities across platforms. A proof-of-concept virus was created in 2006 that did just that on Windows and Linux, and that wasn’t the first. In 2001, the sadmind/IIS worm exploited a vulnerability in Sun Microsystems’ Solaris operating system and, once established, scanned for and attacked Microsoft IIS Web servers. While creating these cross-platform viruses is not trivial, it seems the rewards are beginning to outweigh the trouble it takes.

The question really boils down to this: how long should Mac administrators wait to protect themselves? The PCI Security Standards Council clearly feels that the threat of malware infection has become real enough for all operating systems, and that antivirus software is an integral part of a whole security policy. For compliance, they now require antivirus software “on all systems commonly affected by malicious software (particularly personal computers and servers)”. I, for one, believe they are right.