Educause Security Discussion mailing list archives

Re: Adware/Spyware on Mac/OS X


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 4 May 2009 21:45:50 -0400

This is the one response of actual malware being found on end-user
systems.  Things installed via an ssh break are different, as are
demonstrations of things on web sites that require automatically and
blindly running things downloaded.

I'm interested in real malware that propagates itself either via files
or via networks. I have not heard of any nor seen any reports
posted of such things. Trojans, yes, and usually from unwise
downloading of torrents. And yes, backdoors and changes from ssh
breaks.

I'm not advocating against AV for Macs.  I'm trying to find real
instances of in-the-wild malware that is spreading itself in some way,
and real instances of Mac-based spyware.


On May 4, 2009, at 6:11 PM, Mark Borrie wrote:

I haven't looked at the spyware list below so can't comment on how
many of these are in the wild. However we have seen a significant
increase of Macs infected with malware over the past six months. In
fact we have identified several pieces of previously undetected
(unreported?) Mac OS X malware. Ironically we were investigating one
such incident the day Apple released the "Macs don't need AV" video.

A common response we get when investigating Mac compromises is
surprise that the system has been infected with malware. Many users
still believe that they are immune simply by using a Mac. The other
problem we have is that even if AV is installed the users do not
check their scan reports. In one case here this simple task would
have alerted the Sys Admin that their Open Directory server was
compromised.

We treat compromises of Macs differently to Windows. Most Windows
break-ins are from malware that simply wants to own the hardware.
Mac break-ins are more often hands on, much like break-ins in the
early days. The potential for data loss seems much higher as those
that break in tend to have a good look round. Compromised Macs also
tend to get used for underground IRC and other such things so are
probably more valuable.

AV products will not stop a brute force ssh break-in. They will
however provide an additional layer of defence for Macs.

Mark

Gene Spafford wrote:

On May 4, 2009, at 12:47 PM, Rowe, Ken wrote:

It appears to be a pretty small list (in comparison to MS Windows).
See http://macscan.securemac.com/spyware-list

But how many of those are really "in the wild"?

--
Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-5080
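The brute force ssh break-in that Mark says AV will not stop leaves its trace in the sshd authentication log rather than in any scan report. As an added illustration (not code from the thread or from any product mentioned in it), the following script reads syslog-style sshd lines, counts failed logins per source address inside a sliding window, and raises the finding an admin most needs: a successful login from a source that had just been hammering the host. The log lines, host name, addresses and user names are constructed for the example; the threshold and window are assumed defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not taken from the thread):
# 203.0.113.7 hammers root/admin accounts and then gets in as "alice";
# 198.51.100.5 logs in once with a key and mistypes a password later (benign).
SAMPLE_LOG = """\
May  4 21:01:02 macbox sshd[512]: Failed password for root from 203.0.113.7 port 51234 ssh2
May  4 21:01:03 macbox sshd[513]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
May  4 21:01:04 macbox sshd[514]: Failed password for root from 203.0.113.7 port 51238 ssh2
May  4 21:01:05 macbox sshd[515]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
May  4 21:01:06 macbox sshd[516]: Failed password for root from 203.0.113.7 port 51242 ssh2
May  4 21:01:09 macbox sshd[520]: Accepted password for alice from 203.0.113.7 port 51250 ssh2
May  4 21:30:00 macbox sshd[600]: Accepted publickey for bob from 198.51.100.5 port 40000 ssh2
May  4 21:31:00 macbox sshd[601]: Failed password for bob from 198.51.100.5 port 40002 ssh2
"""

# Matches the two sshd outcomes we care about: "Failed <method> for [invalid user] <user> from <src>"
# and "Accepted <method> for <user> from <src>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict (ts, result, method, user, src) for one sshd auth line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; that is fine for ordering within one log file
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside `window`.

    Returns {src: {"failures": peak failures seen in one window,
                   "success_after": user that logged in after the burst, or None}}.
    """
    recent_failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    report = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an auth result line; ignore
        src, now = ev["src"], ev["ts"]
        # drop failures that have aged out of the window
        recent = [t for t in recent_failures[src] if now - t <= window]
        if ev["result"] == "Failed":
            recent.append(now)
        recent_failures[src] = recent
        if len(recent) >= threshold:
            entry = report.setdefault(src, {"failures": 0, "success_after": None})
            entry["failures"] = max(entry["failures"], len(recent))
            if ev["result"] == "Accepted":
                # the finding that matters: the burst ended in a working login
                entry["success_after"] = ev["user"]
    return report


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        note = f", then logged in as {info['success_after']}" if info["success_after"] else ""
        print(f"{src}: {info['failures']} failures within 60s{note}")
```

Feed it the sshd lines from the host's system log instead of SAMPLE_LOG; a source that appears with `success_after` set is the case Mark describes, a hands-on intruder rather than self-propagating malware, and it warrants the same incident handling whether or not AV ever reported anything.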
