In the last few days, I have been asked by a journalist (or four) what MacDefender means for the future of Apple security, and if I thought there was excess hype around it.
I’ll address the second question first. I think it’s safe to say the current malware would not be newsworthy if it affected Windows. Compared to many Windows malware packages, it is relatively easy to identify the attack, it is not hard to avoid installation if you recognize the social engineering, and if the malware is installed, it’s easy to remove.
But why is there so much hype? MacDefender is not only not novel, it’s just an instance of a problem that’s been around for years. And Microsoft researchers have concluded there’s a high probability the MacDefender malware originates from existing scareware for Windows, yet in the Windows community this scareware draws no attention at all.
The hype is primarily because this is the first socially engineered malware attack to successfully target Mac OS X, and a number of people are jumping on the “we told you so” bandwagon. As there is one family of Mac OS X malware and there are multitudes of threats for Windows, it’s hardly something to crow about, especially as this particular threat exists on Windows. I don’t say this to trivialize the problem; MacDefender is fake software designed to process fraudulent transactions and/or potentially steal card data, and people have certainly been impacted.
Secondly, we’ve seen some vendors (I won’t name names, but reading the news makes it pretty obvious) hyping the threat MacDefender poses to users. We saw this effect with Conficker, as well. A number of vendors declared an imminent apocalypse when Conficker was set to update itself. As my colleague Randy Abrams said at the time, update your operating systems with appropriate patches and run antivirus and you shouldn’t have a problem. Predictably, when Conficker updated not much happened except that infected systems remained infected.
At the end of the day, Apple is a hugely successful company with compelling products and a very loyal following. Perhaps because of their success and the enthusiasm of their fans, whenever there is even a hint of an issue with an Apple product there is a disproportionate explosion in coverage.
Regarding what the future holds: if we could truly answer this question, there would be no cybercrime. As my previous MacDefender post indicates, MacDefender has been updated to install without credentials, which is an increased threat. As seen below, the user interface has improved fairly quickly. The “application” sports a professional looking user interface, and the virus alerts are well designed. Once the malware is installed, it auto-opens various adult websites, an online pharmaceutical site, and other websites designed to convince users malware is affecting the system. It is reasonable to assume the authors will attempt to push new variants with different names, and other changes to attempt to confuse end-users.
So now what?
The best outcome of this would be for people to become more informed about social engineering and cybercrime. Modern cybercrime is more about fooling users into providing passwords and account information, or using the user to bypass system safeguards to install malware, yet many consumers are still worried about viruses carried via email. It’s long overdue for these outdated perceptions to change, and for people to participate in their own online security, just as they are engaged in protecting their homes and cars. Building community cybercrime awareness will be a slow and difficult process, but in the words of J.R.R. Tolkien, “It’s a job that’s never started that takes the longest to finish.”
As an Internet security vendor it’s obviously self-serving to say this, but awareness should be backed by technology. Regardless of the device or OS used to access the internet, users should consider investing in quality security software as a safety net. Installing security software after a problem strikes is like installing a burglar alarm after your house has been robbed. Combining knowledge and technology will mean users are less likely to fall prey to socially engineered malware, which may reduce the profit motive for cybercriminals, and thus reduce the incentive to create malware.
As a closing comment: one community education option (which ESET sponsors) is Securing Our eCity, a public and private sector partnership dedicated to helping consumers, business and schools become cyber-safe. Free basic Internet security training for consumers and business users can be found at http://securingourecity.org/resource.