One Leopard, two Trojans

On 28th August, the latest update for Mac OS X was released – Snow Leopard. Version 10.6 differs in one very telling way from previous versions – for the first time in Apple’s long history, the company has implemented an antivirus scanner.

Rumours about the antivirus function in the release build of Snow Leopard surfaced a few days ago. Screenshots showing a window detecting one of the well-known Trojans for Mac OS X were published on the Internet. The effect was pretty explosive – it wasn’t so long ago that Apple made a very inconsistent statement about the necessity (or rather the lack of it) of antivirus software for its operating system.

Official company spokespeople declined to comment on the issue prior to the release of version 10.6, hinting that after 28th August they might be able to say more. Now the release date has been and gone, and the facts that managed to leak out have been confirmed.

Those diligent researchers who managed to get their hands on build 10a421A found that it included this file:

System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

which contains 5 very simple signature records for two Trojan programs.

This is something Apple developed itself, and it has nothing in common with ClamAV, as some people thought. It’s pretty clear why ClamAV wasn’t used – Apple didn’t want GPL-licensed code (which is how ClamAV is licensed) in its product. And Apple isn’t linked to any of the AV companies currently in existence.

Intego, a company which develops its own AV for Mac OS, did some research which highlighted these key points:

  • The built-in antivirus only scans files which have been downloaded via Safari, Mail, iChat, Firefox, Entourage and a few other applications. It doesn’t scan files from other sources – for instance, torrent or FTP downloads.
  • The antivirus is only able to detect two Trojans, even though the AV industry knows of several dozen malicious programs which target the Mac operating system.
  • The antivirus updates itself via Apple’s standard software updates.

A number of experts have expressed the opinion that this sort of AV solution can’t provide proper protection, and, what’s more, lulls the user into a false sense of security. I’m in complete agreement.

This antivirus is clearly analogous to the Microsoft Removal Tool for Windows, and this sets up a whole range of challenges for Apple. It means that Apple is de facto entering into competition with other antivirus companies and has become a member of the antivirus industry. If the company has done that, then it should have all the appropriate departments – a virus lab, a monitoring service, antivirus technical support etc. At the moment Apple doesn’t have any of these things. But it does have its “antivirus”.

Is Apple ready to follow Microsoft, which ended up getting involved in antivirus and consequently dedicating a lot of time and resources both to antivirus and to modifying its other products in order to solve security issues? I’m not sure.

Additionally, the appearance of an antivirus in MacOS may nudge virus writers into creating large numbers of malicious programs for this platform. It’s a red rag to a bull – and someone’s already waved it.

On the one hand, Apple isn’t offering its users any real protection with this antivirus. On the other, it has now not only entered into competition with other antivirus companies but has also joined the cybercrime arms race. Right now it looks to me as though Apple has got itself into a very unenviable position.
