Are There Any OSX Viruses in the Wild?
Nello Lucchesi - 02:21pm Apr 7, 2008 PST

Rich Mogull wrote (http://db.tidbits.com/article/9511):

"The reality is that today the Mac platform is relatively safe. Hundreds of thousands of viruses and other malicious software programs are floating around for Windows, but less than 200 are known to target the Mac, and many of those are aimed at versions of the Mac OS prior to Mac OS X (and thus have no effect on a modern Mac)."

Can we agree on whether there are ANY viruses for OSX in the wild? My Windows friends don't believe me when I say there are no OSX viruses in the wild. I'd like to know what the situation really is.

Back in July 2006 Symantec stated, "Simply put, at the time of writing this article, there are no file-infecting viruses that can infect Mac OS X." See this article for Symantec's full analysis: http://www.symantec.com/enterprise/security_response/weblog/2006/07/macinenterprise_mac_os_x_virus.html

So, what OSX viruses, if any, are in the wild now?

Thanks.

- nello

PS: Sorry for creating a new discussion on this after posting the question in another discussion; unfortunately, no one was responding to this question and so I thought it might have greater visibility as its own discussion.

Randy B. Singer (apparently) - Apr 8, 2008 4:26 am (#1 Total: 17)
via email - Co-Author: The Macintosh Bible (4th, 5th, and 6th editions) | Posts: 199
Re: Are There Any OSX Viruses in the Wild?
On Apr 7, 2008, at 2:21 PM, Nello Lucchesi wrote:
> Can we agree on whether there are ANY viruses for OSX in the wild?
> My Windows friends don't believe me when I say there are no OSX
> viruses in the wild. I'd like to know what the situation really is.
It is partially a problem with semantics. In the Windows world,
folks tend to call all malware a "virus." The anti-virus software
companies have followed suit, thus making things more confusing.
(Some AV companies sell "anti-virus" software that looks for more
than just viruses. In fact, of the AV companies that sell Mac
products, most sell only Mac products that look for all malware, not
just viruses. However, in the Windows world, there are also common
programs that only look for e.g. spyware, adware, etc.)
http://en.wikipedia.org/wiki/Computer_virus
Technically the term "virus" refers to a sub-class of computer
malware. Viruses self-replicate, other sorts of malware do not. For
example, a Trojan Horse does not automatically mail itself out to
other computers. A Trojan has to be downloaded to your computer, or
otherwise consciously installed, often via social engineering.
(That is, you may be tricked into installing a Trojan Horse, for
instance by downloading what appears to be an ordinary program, but a
Trojan doesn't get on your computer all on its own.)
Speaking just of viruses, not other malware, there are no traditional
viruses for OS X. There *are* several Trojan Horses (and not just
"concept" Trojan Horses), Word and Excel macro viruses, scare-ware,
and OS 8/9 viruses that can infect Classic running under OS X. And
Macs running Windows under Bootcamp, or under Parallels or Fusion,
can contract many (most?) Windows viruses, though I have never heard
of a virus that can cross over to the Macintosh partition and cause
damage there.
This doesn't all have to be taken on faith. There are over half a
dozen entities that track malware, both for Windows and for the
Macintosh. And while most of these entities also sell commercial
anti-virus software, and thus can be cynically viewed as making
self-serving, and less than honest, reports of malware, not all of them do.
<http://www.sophos.com/security/analyses/search-results/?search=macintosh&action=search&x=0&y=0>
<http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=macintosh&x=0&y=0>
I've been meaning to create a Macintosh malware FAQ Web site for a
long time now. Mainly because this question comes up all the time.
There is a ton of misinformation being spread about Macintosh
malware, much of it by folks who are...umm...overly enthusiastic
about either the Macintosh, or about Windows. I've been collecting a
bunch of information and citations for such a Web site, but I'm
afraid that I just haven't found the time to put it all together yet.
This is becoming a more important topic, though, as the Mac's market
share has been skyrocketing as of late, and a large proportion of
these new Mac users are former long-time Windows users. Most former
Windows users have been trained (while using Windows) that when you
have a problem with your computer, the first thing to suspect is a
virus. It's hard to convince a Mac newbie that they don't really
need to worry about malware anymore, and that instead they need to
first have a look for more common things, like corrupted preferences
files or a corrupted cache file. Of course, every time this comes up
on a discussion list, the same thread on whether or not viruses exist
for the Macintosh gets repeated.
Randy B. Singer • Mac OS X Routine Maintenance • http://www.macattorney.com/ts.html

cdevers (apparently) - Apr 8, 2008 4:26 am (#2 Total: 17) | Posts: 134
Re: Are There Any OSX Viruses in the Wild?
On Mon, 7 Apr 2008, Nello Lucchesi wrote:
> So, what OSX viruses, if any, are in the wild now?
As I noted at the beginning of the original thread, I have personally
helped clean up a few nasty virus infestations from recent Macs. In all
cases it involved infectations with Microsoft Office, and mainly Word. I
can't remember if I've seen it with Excel or Powerpoint. I've seen it
with Office 2004 and earlier versions; I haven't yet seen many people
using Office 2008, so don't have a track record to compare with there.
In every case where I saw it happen, the person was in the habit of
exchanging a lot of documents with other people, so presumably someone
emailed over an infected Word document and things spiralled from there.
At the same time, I've helped maybe 100x as many people that *didn't*
have any kind of virus problem at all, even if they did use Office, so
I'd hardly consider it a common issue for anyone.
My suggestion for most people that aren't exchanging a lot of Office
documents is to not worry too much about it, turn on the system firewall
(even if there's another firewall elsewhere on the network, each client
should also be running the individual firewall too), be careful about
what links you follow and what emails you open, and don't worry about it
too much. Malware can happen, but the chances are remote enough that
most people can safely get away without worrying about it that much.
On the other hand, if you do receive a lot of Word documents (via email,
flash drives, burned discs, etc), then it does make sense to run a
scanner such as Norton -- just don't use it for any of the other junk
they bundle in, as it mostly just scuttles system performance and
doesn't actually help your security that much.
--
Chris Devers

Lewis Butler (apparently) - Apr 8, 2008 4:26 am (#3 Total: 17) | Posts: 989
Re: Are There Any OSX Viruses in the Wild?
On 7-Apr-2008, at 15:21, Nello Lucchesi wrote:
> Can we agree on whether there are ANY viruses for OSX in the wild?
> My Windows friends don't believe me when I say there are no OSX
> viruses in the wild. I'd like to know what the situation really is.
No, there are none. There are a handful of malware/trojans that
target the Mac, and one IQ-test that requires you to install a 'codec'
from a porn site, and give your admin password, in order to be 'hacked'.
But in terms of actual viruses, there have been none, and precious few
malwares. However, to be fair, the malware and trojan situation is
one that NO OS can protect users from. If you insist on installing
software you download from untrusted sites, and you give out your
admin password, you are at risk, and there is precious little that can
be done to protect you.
OS X is better than most in this respect, asking for permission to RUN
anything you download, and then requiring admin access to install
anything that might be a risk. But it is up to the user to verify
what they have before installing it, and since most users do not do
this, there is always a risk of a trojan.

johnbaxterlists (apparently) - Apr 8, 2008 7:42 am (#4 Total: 17) | Posts: 601
Re: Are There Any OSX Viruses in the Wild?
On Apr 8, 2008, at 4:26 AM, Lewis  Gmail wrote:
> If you insist on installing
> software you download from untrusted sites, and you give out your
> admin password, you are at risk, and there is precious little that can
> be done to protect you.
We (a nice collective "we", neither editorial nor royal) speak of
untrusted sources.
There is at present a very active scourge of infected trusted sources
(most of us probably trust the Walmart and Forbes sites, to name two
which were hacked a couple of weeks ago). These are hacked to do
"drive by" downloads--fortunately so far as I know of Windows malware.
That's one form of dangerous trusted source. (Defeated by having
Javascript off--highly unlikely for the sites which are being targeted.)
Do you suddenly get a message with attachment from a friend (in-person
or electronic friend) who never sends you attachments? Verify before
opening via a side channel that this friend actually sent the
message. (Although if infected, the infection is likely Windows.)
Email forgery is totally trivial in the absence of verified electronic
signatures and not impossible in their presence. Likewise an IM file
transfer you haven't agreed on with a friend whose IM style you
recognize is a red flag and needs to be verified, particularly if your
friend never does that.
The point is that while the apparent source may be trustworthy, it may
not be the actual source. Or it may not be actually trustworthy, as a
recent series of infected devices shipping from careless factories
shows.
On Mac OS X, the above is protecting against non-viral malware (the
only kind so far). On Windows, it is protecting against having to
totally erase and reinstall software and not trust any data file that
was on or connected to the infected machine.
--John (who avoided infection of my Mac Plus via the CD with a Mac
magazine (nameless because I forget and because it was so long ago as
not to matter now) by the simple expedient of prolonged
procrastination: the next issue came with warning before I touched
the infected CD)

Randy B. Singer (apparently) - Apr 8, 2008 10:16 am (#5 Total: 17)
via email - Co-Author: The Macintosh Bible (4th, 5th, and 6th editions) | Posts: 199
Re: Are There Any OSX Viruses in the Wild?
On Apr 8, 2008, at 4:26 AM, Chris Devers wrote:
> In all
> cases it involved infectations with Microsoft Office, and mainly Word.
Word macro viruses are very easy to avoid. And you don't need any
additional software to do so. All that you have to do is go into
Preferences in Word and turn on Macro Virus Protection. (It may have
a different name in different versions of Word.) Doing this will
keep macros from running without your permission. If a document is
not from a trusted source and/or you don't expect the document to
have a macro imbedded, you should not let the macro run.
Randy B. Singer • Mac OS X Routine Maintenance • http://www.macattorney.com/ts.html

John C. Welch (apparently) - Apr 8, 2008 10:39 am (#6 Total: 17) | Posts: 773
Re: Are There Any OSX Viruses in the Wild?
On 4/8/08 1:16 PM, "Randy B. Singer" <randy  macattorney.com> wrote:
>> In all
>> cases it involved infectations with Microsoft Office, and mainly Word.
>
> Word macro viruses are very easy to avoid. And you don't need any
> additional software to do so. All that you have to do is go into
> Preferences in Word and turn on Macro Virus Protection. (It may have
> a different name in different versions of Word.) Doing this will
> keep macros from running without your permission. If a document is
> not from a trusted source and/or you don't expect the document to
> have a macro imbedded, you should not let the macro run.
That is assuming you open the file.
--
John C. Welch

cdevers (apparently) - Apr 8, 2008 1:46 pm (#7 Total: 17) | Posts: 134
Re: Are There Any OSX Viruses in the Wild?
On Apr 8, 2008, at 1:39 PM, John C. Welch wrote:
> On 4/8/08 1:16 PM, "Randy B. Singer" <randy  macattorney.com> wrote:
>
>>> In all
>>> cases it involved infectations with Microsoft Office, and mainly
>>> Word.
>>
>> Word macro viruses are very easy to avoid. And you don't need any
>> additional software to do so. All that you have to do is go into
>> Preferences in Word and turn on Macro Virus Protection. (It may have
>> a different name in different versions of Word.) Doing this will
>> keep macros from running without your permission. If a document is
>> not from a trusted source and/or you don't expect the document to
>> have a macro imbedded, you should not let the macro run.
>
> That is assuming you open the file.
Some people have no choice.
* the publisher of the literary magazine had to accept submissions
from writers, and most of them use Word
* teachers often accept homework from students as Word documents
* many people get documents from co-workers in Word format
You can tell people sending you documents to use RTF / PDF / HTML /
etc, but DOC still has a huge amount of inertia. Most people simply
can't or won't use any other format, even if Word itself supports it.
(Also, I know of people that exchange Excel documents with complex
logic embedded in macros, so disabling macros would break things
badly. This is less common with Word, but could apply to some people
there as well.)
My trick, which I highly recommend to anyone that can get away with
it, is to just not use Office in the first place. :-)
--
Chris Devers

edward (apparently) - Apr 8, 2008 3:14 pm (#8 Total: 17) | Posts: 255
Re: Are There Any OSX Viruses in the Wild?
At 04:26 04/08/08 -0700, Randy B. Singer wrote:
>Technically the term "virus" refers to a sub-class of computer
>malware. Viruses self-replicate, other sorts of malware do not.
Technically a virus is even more limited. Worms also self-replicate.
Viruses can only replicate when embedded in full applications. This is by
analogy to biological viruses, which can only replicate within cells, not
autonomously.
Of course, the percentage of the public who understand this facet of
biological viruses is very roughly the same as of those who understand the
distinction in computer viruses, thus the meaning creep was inevitable.
I've long since given up trying to preserve the pure meaning; the world has
moved on without my permission.
Edward (who remembers receiving the System 6 WDEF virus on a floppy disk,
the only way it propagated, and being spared the agony because for once he
remembered to run Disinfectant on the disk before allowing Finder to see it)
--
Art works by Melynda Reid: http://paleo.org

John C. Welch (apparently) - Apr 8, 2008 5:53 pm (#9 Total: 17) | Posts: 773
Re: Are There Any OSX Viruses in the Wild?
On 4/8/08 4:46 PM, "Chris Devers" <cdevers  pobox.com> wrote:
>>> Word macro viruses are very easy to avoid. And you don't need any
>>> additional software to do so. All that you have to do is go into
>>> Preferences in Word and turn on Macro Virus Protection. (It may have
>>> a different name in different versions of Word.) Doing this will
>>> keep macros from running without your permission. If a document is
>>> not from a trusted source and/or you don't expect the document to
>>> have a macro imbedded, you should not let the macro run.
>>
>> That is assuming you open the file.
>
> Some people have no choice.
>
> * the publisher of the literary magazine had to accept submissions
> from writers, and most of them use Word
>
> * teachers often accept homework from students as Word documents
>
> * many people get documents from co-workers in Word format
>
> You can tell people sending you documents to use RTF / PDF / HTML /
> etc, but DOC still has a huge amount of inertia. Most people simply
> can't or won't use any other format, even if Word itself supports it.
>
> (Also, I know of people that exchange Excel documents with complex
> logic embedded in macros, so disabling macros would break things
> badly. This is less common with Word, but could apply to some people
> there as well.)
>
> My trick, which I highly recommend to anyone that can get away with
> it, is to just not use Office in the first place. :-)
I'm saying, the macro detection only works if you open the file. If you have
an infected file, and for whatever reason, just forward it along without
opening, you never know.
It's one reason why Office 2007 has different filename extensions for files
with macros.
--
John C. Welch
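
The point in the post above (Word's macro warning only appears when a file is opened, and Office 2007 gives macro-bearing files their own extensions) can be checked on an attachment before it is opened or forwarded. This is an added example, not code from the thread; the function names, verdict strings and sample files are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePath

# Magic bytes of the legacy binary Office container (.doc/.xls/.ppt).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Office 2007+ extensions that promise "no macros" versus those that allow them.
MACRO_FREE_EXT = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx", ".ppsx"}
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                     ".pptm", ".potm", ".ppsm", ".ppam"}


def triage(filename: str, data: bytes) -> str:
    """Classify an attachment by its container contents, never by running it.

    Verdicts (names chosen for this example):
      legacy-binary   old .doc/.xls/.ppt; the extension says nothing about macros
      macro-free      Office 2007+ package with no VBA project part
      macro-enabled   Office 2007+ package carrying a VBA project
      macro-mismatch  VBA project present although the extension promises none
      not-office      neither container format
    """
    ext = PurePath(filename).suffix.lower()
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return "not-office"  # a plain zip, not an Office package
    # Macro-enabled packages store their VBA code in a part named vbaProject.bin.
    has_vba = any(n.rsplit("/", 1)[-1].lower() == "vbaproject.bin" for n in names)
    if has_vba and ext not in MACRO_ENABLED_EXT:
        return "macro-mismatch"
    return "macro-enabled" if has_vba else "macro-free"


def make_sample_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, minimal package in memory (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Placeholder bytes only; no real VBA is embedded.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("essay.docx", make_sample_ooxml(False)),
        ("budget.docm", make_sample_ooxml(True)),
        ("renamed.docx", make_sample_ooxml(True)),
        ("homework.doc", OLE2_MAGIC + b"\x00" * 16),
        ("notes.txt", b"plain text"),
    ]
    for name, blob in samples:
        print(f"{name:14} {triage(name, blob)}")
```

A `legacy-binary` verdict is the case the thread keeps returning to: with the older DOC format the filename gives no hint, so those files are the ones to hand to a scanner or open with macros disabled.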

Lewis Butler (apparently) - Apr 9, 2008 5:27 am (#10 Total: 17) | Posts: 989
Re: Are There Any OSX Viruses in the Wild?
On 8-Apr-2008, at 14:46, Chris Devers wrote:
> * the publisher of the literary magazine had to accept submissions
> from writers, and most of them use Word
>
> * teachers often accept homework from students as Word documents
>
> * many people get documents from co-workers in Word format
On any modern Mac there is almost never a need to open a word document
WITH Word.
I have .doc files set to open with TextEdit.
On very rare occasions I need to open them in Word, but that is
exceedingly rare.
I also use rtf when anyone 'requires' that I send them a 'Word File'.

John C. Welch (apparently) - Apr 9, 2008 9:05 am (#11 Total: 17) | Posts: 773
Re: Are There Any OSX Viruses in the Wild?
On 4/9/08 8:27 AM, "Lewis  Gmail" <gkreme  gmail.com> wrote:
>> * the publisher of the literary magazine had to accept submissions
>> from writers, and most of them use Word
>>
>> * teachers often accept homework from students as Word documents
>>
>> * many people get documents from co-workers in Word format
>
>
> On any modern Mac there is almost never a need to open a word document
> WITH Word.
That's really rather incorrect. There may not be a reason for *you* in your
world, but I can think of thousands of people in different companies who,
for a variety of reasons have to use Word.
RTF is not a 1:1 substitute for a Word file, no matter what the PR for it
tells you.
--
John C. Welch

Sue Boettcher - Apr 9, 2008 7:36 pm (#12 Total: 17) | Posts: 37
> * the publisher of the literary magazine had to accept submissions from writers, and most of them use Word
> * teachers often accept homework from students as Word documents
> * many people get documents from co-workers in Word format

Unfortunately, like it or not, there are lots of people out there who don't know how to send a screen capture without pasting it into Word. TextEdit doesn't support Word images.

Sue

Lewis Butler (apparently) - Apr 10, 2008 1:17 am (#13 Total: 17) | Posts: 989
Re: Are There Any OSX Viruses in the Wild?
On 9-Apr-2008, at 10:05, John C. Welch wrote:
> RTF is not a 1:1 substitute for a Word file, no matter what the PR
> for it
> tells you.
It's not a 1:1 substitute, of course not. But it is more than adequate
for the vast majority of 'send us ____ (in Word format)" requests.
They don't even know the rtf file is not a doc (at least I've never
had anyone catch it).
I don't even like rtf, and if I am producing something for layout, I
prefer to go for pdf or html. For pdf I use LaTeX and for html ...
well, html.

hcleong (apparently) - Apr 10, 2008 1:17 am (#14 Total: 17) | Posts: 9
Re: Are There Any OSX Viruses in the Wild?
In a previous job, we tested using Sun Office 6 to open documents
created in Microsoft Office. What we found was that some documents -- if
I remember correctly, particularly for heavily edited documents with
tracking turned on -- turned up incorrectly in Sun Office: Excel
documents with wrong numbers, Word documents with wrong styles.
I'm sure Sun Office / OpenOffice.org have improved since then, and
Microsoft have started documenting their formats better, but I'll still
be wary about using non-Microsoft-Office applications to view and edit
Microsoft Office documents if the accuracy of the documents is important.
[And with that, let's wrap up this tangent of which program to use to open MS Office files. -Joe]
Sincerely,
Heng-Cheong Leong
http://www.myapplemenu.com/

dr (apparently) - Apr 10, 2008 2:42 am (#15 Total: 17) | Posts: 471
Re: Are There Any OSX Viruses in the Wild?
Lewis  Gmail wrote:
> On 9-Apr-2008, at 10:05, John C. Welch wrote:
>> RTF is not a 1:1 substitute for a Word file, no matter what the PR
>> for it
>> tells you.
>
> It's not a 1:1 substitute, of course not. But it is more than adequate
> for the vast majority of 'send us ____ (in Word format)" requests.
> They don't even know the rtf file is not a doc (at least I've never
> had anyone catch it).
>
> I don't even like rtf, and if I am producing something for layout, I
> prefer to go for pdf or html. For pdf I use LaTeX and for html ...
> well, html.
>
Reading this and other threads it is clear there are at least two distinct universes out there. Those who live and work in Lewis' get to have a lot of leeway in how they deal with file formats, virus checking, etc... And those who live in a medium to large corporation or have to comply with client requests over a long term or work in larger groups. And these are not absolute boundaries but they illustrate the point.
Those in the latter situation have to deal with virus pass ons, Word no matter what we think (along with macros on all the time for various reasons), etc... And for those in this latter group, saying we can ignore virus issues or not use Word, or whatever is just a non starter.
I work with architects and when you have 60 people in 30 firms passing around 200 to 600 emails a day dealing with an ongoing $300 million construction project and you tell folks to NOT use Excel, Word, or whatever the project leader decides to use will get you a fast ticket off the project. And a greatly reduced chance at future business.
David Ross

Hunter_1068 - Apr 15, 2008 2:12 am (#16 Total: 17) | Posts: 1
Re: Are There Any OSX Viruses in the Wild?
The only encounter I've ever had with a real virus was back in sixth grade (back in the bad old days when win95 was "new") when someone gave my school a machine that was infected with AntiEXE (if you don't remember, it was a common, multi-strain PC version of Scores). That was the event that prompted me to prompt my mom to get NAV for win95.
Mac-wise, well, the only reason that I don't own a Mac now that I'm on my own is the lack of games, so that should tell you something about my experiences (or lack thereof) with Mac viruses...

Frans Moquette - May 1, 2008 8:15 am (#17 Total: 17) | Posts: 18
Re: Are There Any OSX Viruses in the Wild?
"Unfortunately, like it or not, there are lots of people out there who don't know how to send a screen capture without pasting it into Word."
Even worse, many people don't know you can just type (or paste) *text* in an e-mail message! ;-)
I use Word, Excel and sometimes PowerPoint just to avoid the hassle of converting stuff my Windows "friends" send me. Or I have to send to them. I have never encountered a macro virus in attachments from anyone I know. I trash anything else. I do have the "warn before opening a file that contains macros" setting on, but I do not have any anti-virus utilities running.
I used to have Symantec/Norton anti-virus, but it never found anything except an odd Windows virus attached to an e-mail I would have trashed anyway. I stopped using it because it really slowed things down. I think having the firewall turned on and using an account *without* administrator rights for daily work keeps my Macs safe enough.