Detecting and avoiding malware and spyware
The May 2004 discovery of two "critical" security flaws in Mac® OS X , both of which were closed by applying subsequent security updates, triggered considerable interest in the possible exposure of Mac OS X users to malware and spyware. Malware is any application that might do intentional harm to your system; viruses are considered to be a special type of malware. Spyware is any application that captures and discloses your personal information without your knowledge or approval.
- Addresses recent developments in malware and spyware targeting the Mac.
- Provides general advice for detecting and avoiding both malware and spyware.
- Applies to Mac OS X 10.2 Jaguar through Mac OS X 10.6 Snow Leopard®.
Some of the information and links referenced in this FAQ are from the "Security" chapter of our book, Troubleshooting Mac® OS X.
Threats to Mac OS X
Since we initially published this FAQ, the number of new security threats to Mac OS X have grown:
- The Web is a growing source of security exploits that can affect both Mac and PC users.
- Cross-platform technologies, such as Adobe® Flash® (SWF files) and PDF documents have become avenues for security exploits.
- The "Month of Apple Bugs" (MOAB) project identified numerous security exposures in both Mac OS X and related third-party software. Many of the identified vulnerabilities received corresponding Secunia Advisories. While Secunia assessed the impact of many of these vulnerabilities as "Not Critical," some were considered "Highly Critical." At the time of this writing, fixes have been released by both Apple and third-party developers for some of the Highly Critical vulnerabilities. Accordingly:
- Assure your software is up-to-date.
- Disable any option to "Open safe files after downloading" in your Web browser. In Safari®, this option is found in the General tab of Safari preferences.
- The OSX.Macarena virus, while considered a low-risk, "proof of concept" endeavor, is another indication of the efforts of some to produce a destructive Mac OS X virus. Related comments about this virus on the Symantec® Security Response Weblog are interesting.
- The Sony® Digital Rights Management (DRM) debacle affects Mac OS X, attempting to installing kernel extensions. This software is both a rootkit and spyware.
- Worms and Trojan horses targeting Mac OS X and have emerged, including:
- OSX.Exploit.Launchd, a Trojan horse released as a proof-of-concept that exploits a security exposure in Mac OS X 10.4 through 10.4.6.
- OSX.Inqtana.A, which propagates via Bluetooth®.
- OSX.Leap.A deletes, infects, or corrupts files and attempts to spread through iChat.
- SH.Renepo.A / SH.Renepo.B, aka Opener, is a rootkit that can disable the Mac OS X firewall, steal personal information, destroy data, and replicate itself to other systems on your network. That SH.Renepo can replicate itself to other systems on your network by copying itself to any mounted drive, including shared volumes, may explain why Symantec characterizes this threat as a virus while the US Computer Emergency Readiness Team (US-CERT) defines it as a Macintosh worm.
- MacOS.MW2004.Trojan, a nasty bit of malware that masquerades as a Microsoft® Word 2004 installer that erases the infected users Home folder and potentially more.
- While tricking you into installing a Worm or Trojan generally requires some social engineering, their malicious payloads can easily be packaged within apparently innocent application downloads.
- While viruses targeting the Microsoft® Windows® operating system generally cannot affect your Mac:
- You can spread Windows viruses by sending infected documents or e-mails to other users.
- Running Microsoft VirtualPC for Mac exposes PowerPC-based Macs to all Windows viruses.
- Macro viruses, such as those written for Microsoft Office products, can infect your Mac or destroy data. One should disable automatic macro execution in the preferences of your Office applications.
- Implementing Boot Camp and installing Microsoft Windows on your Intel®-based Mac exposes that computer to the same threats as running Windows on a PC.
The rise in Mac OS X exposures including numerous Apple® Security Updates, several containing fixes for critical exposures, the highest level of threat has prompted the SANS Institute to add Mac OS X to its list of "Top 20" Internet security vulnerabilities.
The rising popularity of the Mac and Mac OS X is considered by security professionals to make it an increasingly attractive target for malware and spyware. We agree with this assessment. Prior versions of the Mac OS were also subject to security threats: Section 7 of the "Viruses and the Mac FAQ" cited "around 40 Mac-specific viruses and related threats" before the advent of Mac OS X.
Detecting and avoiding malware
For general advice on avoiding malware, read the AppleCare® Knowledge Base document "Safety tips for handling email attachments and content downloaded from the Internet."
Install and use anti-virus software
The latest anti-virus applications can detect more than viruses, such as malware distributed in scripts embedded within documents sent as e-mail attachments. Accordingly, installing and using an anti-virus application, such as Symantec® Norton AntiVirus® for Macintosh®, can help detect malware and prevent its harmful effects. However, as new methods of attack are always in development, it is vital to regularly or automatically update the virus definition files used by your anti-virus software. At The X Lab, we use Symantec Norton AntiVirus for Macintosh.
An increasingly popular alternative to commercial anti-virus applications is ClamXav, a donationware application that provides a graphical user interface (GUI) and Mac OS X binaries for the open source ClamAV (Clam AntiVirus) application. Essentially, this is an open source anti-virus solution for Mac OS X.
While we have not tested ClamXav, we have read numerous comments from users who are very satisfied with it, including many who have switched to it from commercial anti-virus solutions. Graham K. Rogers has published an excellent review of ClamXav in his article "The Virus and OS X." Graham's word is always good enough for us, hence if cost is an issue, try ClamXav.
Spurious arguments against using anti-virus software
When questions arise on Mac forums concerning installing an anti-virus solution, various arguments usually arise against employing such software. We regard these arguments as spurious and refute them as follows.
- "There are no viruses affecting Mac OS X."
- The operant words missing from this argument are today or yet. This argument is spurious for the following reasons:
- As noted earlier, a number of security threats, including Trojans, worms, and rootkits, have been developed. These can be as destructive as any virus.
- Your Mac can be affected by macro viruses, Windows-specific threats if you run Windows under Virtual PC, and you can spread Windows viruses to other users even if they do not affect your computer.
- Apple continues to release Security Updates for Mac OS X. There may be additional security exposures in the operating system for a hacker to exploit.
- "The few threats to Mac OS X are not serious threats."
- This argument claims that because few were affected by the identified threats, or because Security Updates and Mac OS X Updates addressed some of these threats, that the threats need not be taken seriously.
- Nothing could be further from the truth. The mere fact that Trojans, rootkits, and other threats have been published should be a wake-up call to all Mac OS X users: nefarious people are looking to destroy the Mac's reputation for security when compared to Windows. Despite the excellent reputation of Mac OS X for security, again when compared to Windows, one must remember that Security Updates are continuing to be released for Mac OS X. Someday a clever person may find and publish an exploit before a Security Update can close the exposure. Security Updates are evidence that Mac OS X, while providing excellent security, is not invulnerable.
- "An anti-virus solution will not protect you from a new threat until its virus definitions are updated."
- In general, this is true. However, this argument is not a reason for avoiding an anti-virus solution for the following reasons:
- The primary reason for using an anti-virus solution is to protect you from known threats. For example, many Mac OS X users regularly download shareware and freeware applications advertised on a variety of Web sites. However, these web sites do not vet the actual software you are downloading, i.e. the download could introduce malware or spyware. It would be very easy for a developer to create an innocuous or useful application and include a rootkit or Trojan in the installer package. If this is the case, and the installation requires that you provide your Admin password, the hidden malware would be installed along with the application, all without your knowledge. An anti-virus solution, such as Norton AntiVirus, will protect your Mac against such threats.
- If a new security threat, such as a virus, Trojan, or worm is a variant of a known threat, it may contain code that matches the signature of the known threat on which it is based. The signature is code within the malware that matches the code of a known threat. The virus definition files used by every anti-virus solution recognize known threats by their signatures. In such a case, an anti-virus solution could protect you from the new threat.
- Anti-virus vendors have an excellent history of quickly identifying new threats and publishing updated virus definitions to defend against them. Keeping the virus definitions for your anti-virus solution up-to-date can significantly reduce the risk of new threats.
- "Anti-virus software consumes excessive CPU resources."
- All running applications consume CPU resources. In general, the CPU impact of the full range of automatic protection features of an anti-virus solution on a modern Mac with additional RAM and adequate free disk space ranges from slightly noticeable to negligible, depending upon the system in question and other tasks being performed by that system.
- The two primary factors that can affect overall system performance when using an anti-virus solution are:
- The general system characteristics of your Mac that affect performance. Systems with slow processors, insufficient RAM, or that are low on free disk space can experience performance problems with any application, particularly processor-intensive applications. See our "Problems from insufficient RAM and free hard disk space" FAQ for a discussion of this subject.
- How you configure the protection-related preferences of your anti-virus solution. For example, Symantec Norton AntiVirus 10 for Macintosh provides a wide range of options for tailoring its automatic protection facilities. These range from completely disabling automatic protection meaning one should still manually invoke a scan of e-mail attachments and downloaded files before opening them using the "Norton AntiVirus" contextual-menu choice to enabling a subset of automatic protection options, defining Safe Zones, and specifying different approaches to handling disks when mounted.
- By optimizing your Mac's performance and tailoring the protection-related preferences of your anti-virus solution, with due consideration to the threats in your computing environment, the CPU impact of an anti-virus solution can be minimized considerably, usually to the point of being unnoticeable.
- "Anti-virus software causes problems."
- This argument is again spurious. There are two primary reasons why an anti-virus solution might cause a problem:
- The installed version of the anti-virus solution is incompatible with the installed version of Mac OS X. This is the most common reason for problems associated with anti-virus solutions.
- When new versions of Mac OS X are released, such as from Jaguar to Panther® or from Panther to Tiger®, your third-party applications may require updates. Failure to install required updates to any third-party application invariably leads to problems. This is especially true of your anti-virus solution. For example, new versions of Norton AntiVirus have been released with each new version of Mac OS X: one must use a compatible version. The same is true of other anti-virus solutions. The Symantec knowledge base document "Compatibility between Symantec software and Mac OS X" specifies the versions of Norton AntiVirus that are compatible with specific versions of Mac OS X.
- There was a bug in the anti-virus solution. Anti-virus solutions are software. All software is susceptible to programming errors or bugs. The increasing complexity of software means that bugs may slip through development or testing, despite the best efforts of the developers. Apple still releases updates for Mac OS X that correct bugs in the operating system. You are just as likely to experience problems from bugs in Mac OS X or other third-party applications as an anti-virus solution. Installing software is a matter of trust, specifically that the developer has taken all necessary precautions to assure that the software is free of programming errors. Reputable software firms, such as anti-virus solution providers, take this responsibility seriously.
- The only way to mitigate the potential for problems arising from any software is to implement a comprehensive Backup and Recovery solution and use it regularly, especially before installing any software or software updates. Either that, or stop using computers until the day arrives if ever when all software is perfect and bug-free.
Install Mac OS X Security Updates
Mac OS X Security Updates regularly address security exploits and should generally be installed when available. Two examples of how Security Updates have addressed potential exploits by malware and later became standard security features of Mac OS X are the following:
- Security Update 2004-06-07 for Panther and Jaguar addressed the issue of detecting some types of malware. However, it did not address viruses, for which you need anti-virus software. This Security Update implemented a change to protect users from opening documents that could launch malware. The first time you double-click a document to be opened by a specific application, you receive an alert if you have not previously launched that application directly, i.e. by double-clicking the application's icon. The alert requires that you approve the launch of the application specified in the alert. This alert mechanism became a standard security feature of Mac OS X in Mac OS X 10.4 Tiger.
- If you do not recognize the application the alert indicates will be launched, do not select Open in the alert dialog. Investigate the application to determine its origin and potential as malware.
- Once you approve the launch of the application specified in the alert, no further alerts for that application will be seen unless you perform System cache cleaning. 
- Security Update 2004-05-24 for Panther and Jaguar closed another potential malware exploit involving Help Viewer and, in the case of Jaguar, Terminal. This again became a standard security feature of Mac OS X starting with Tiger.
Detecting and avoiding spyware
Mac spyware exists. Spector was perhaps the first example of commercial spyware available for the Mac. Advertising-supported applications may also collect and disseminate your personal information without your knowledge. If you value your privacy, review the license agreement before installing or using any ad-supported application for information concerning how it protects your privacy. You may want to contact the application's developer to determine if an ad-supported application employs spyware.
Applications are emerging to address the nascent market for detecting Mac spyware. These applications operate under the assumption that any application attempting to establish a network connection is potentially spyware. When an application attempts to establish a network connection, you are alerted. The alert identifies the application which requested a network connection, and gives you the option to permit or deny that application's request to establish a network connection on a one-time or permanent basis.
Two such applications are:
- Smith Micro® Internet Cleanup: Smith Micro claims that this product detects spyware and enables you to remove it. While we have neither tested nor seen reviews of this application, its SpyAlert feature appears to monitor all connection attempts made by applications on your Mac, alerting you to these events and enabling you to decide which applications can establish network connections. Other functions of Internet Cleanup popup and other ad blocking, cookie management, and history removal are largely superfluous as these are provided in most modern browsers, including Safari and OmniWeb®. Likewise, it's Secure Delete feature is unnecessary if you are using Mac OS X 10.3 or later due to the Secure Empty Trash feature introduced in Panther.
- Little Snitch: In addition to alerting you to applications attempting to establish network connections, which you can then permit or deny, Little Snitch enables you to define rules for future connection attempts by such applications. While Little Snitch does not also enable you to uninstall potential spyware, we have tested and recommend Little Snitch: it does one thing and does it very well.
Defending your Mac
There have been few instances of viruses directed at the Mac, one of the many advantages of the platform. Likewise, there have been few reports of malware specifically targeting the Mac. However, the good fortune of Mac users in generally avoiding these scourges of the PC world may not last forever. Similarly, spyware is likely to become an increasing problem for Mac users.
Your best defenses against both malware and spyware are the following:
- Only download and open files from trusted sites. In particular, heed all Mac OS X alerts about potentially unsafe files.
- Disable any option to "Open safe files after downloading" in your Web browser.
- Avoid Peer-to-Peer (P2P) file-sharing sites and applications. 
- Install and use anti-virus software. Keep the virus definitions updated. Enabling the automatic protection features of your anti-virus application is a good idea, particularly if your computing activities expose you to virus-prone environments, including:
- Microsoft Office documents from Microsoft Windows users.
- Educational computing networks.
- P2P sites.
- Before using an advertising-supported application, review its license agreement or contact its author to determine how it protects your privacy and if it employs spyware.
- Consider installing Little Snitch to monitor attempts by applications to establish network connections.
- Take advantage of Mac OS X network security features, such as Private Browsing and Stealth Mode.
 After performing a System-level cache cleaning, you may again see these alerts for previously-approved applications. This is because a System-level cache cleaning may remove the files related to Launch Services in your Macintosh HD > Library > Caches folder. These files save, among other things, information indicating the applications you have previously approved for launch. Some cache-cleaning utilities retain these files to preserve your list of approved applications, while others remove them as they are saved in a System-related cache folder.
This should not dissuade you from using System-level cache cleaning due to the number of problems it can resolve. However, you should be aware that, after System-level cache cleaning, the alert may return for a previously-approved application the first time you double-click a document associated with that application.
We do not advocate cache cleaning as a regular maintenance procedure: it is a troubleshooting technique. See our "Maintaining Mac OS X" FAQ for additional information.
 Cade Metz's article "Spyware It's lurking on your machine," in the 22 April 2003 issue of PC Magazine, reviewed the extensive spyware problem faced by PC users. One of the article's findings: P2P file-sharing programs are loaded with spyware. Since many P2P applications are now, or are becoming, available for the Mac, the spyware will likely follow.