More on the Mac malware
Word is starting to spread about the Mac-targeting malware "MacCodec", aka OSX.RSPlug.A, but I admit to being concerned by some of the reactions that I am seeing.
A spokesperson for Symantec suggested that Intego "has a tendency to over-hype things" - excuse me?? What an unhelpful statement by Symantec.
"It's not going to spread far because it prompts for the Administrator password" - ah, if only life were that simple, but the reality is that those dancing pigs are just too darned tempting...
"Practice safe browsing: lock-down your browser (instructions below), and only download from sites you trust and install programs that you download intentionally. If you are unsure whether a program is legitimate, you can check to see if that program is also available from a trusted download site like MacUpdate.com or VersionTracker.com (not all legit programs are available on these sites, but they can serve as a good reality check)." (source: http://www.smith.edu/its/technotes/?p=41)
My apologies in advance to the people at Smith College TechNotes - this isn't personal, ok? Your article just happened to be high up in a Google search and contained the type of advice that I wanted to highlight.
Ok, so let's look at the above in segments...
"Practice safe browsing: lock-down your browser (instructions below)" - locking down your browser, or your computer, does not protect you from social engineering attacks where you are tricked into running what you think is a safe file, a file that is seemingly required to complete whatever task it is that you are doing on the computer. Locking down your computer only protects you from exploits and "drive-by downloads", neither of which applies to the Mac trojan under discussion: the trojan does not exploit a vulnerability, it simply asks the user to install it, and the user does.
And just what is "safe browsing" anyway? The hacking of *legitimate* "safe" web sites is becoming commonplace. I could tell you about some very big names that have had their web sites hacked, or that have involuntarily offered infected files for download, or that have hosted malicious Flash-based banner advertisements - names that you would never expect to be a danger. The Mac world is going to have to become far more distrusting, and far more cynical, now that the bad guys are targeting Mac users.
"Only download from sites you trust" - see the previous paragraph - and anyway, does anybody actually trust a porn site? I don't. And what will happen when the bad guys start using less nefarious topics, for example "how to stay safe on the internet", as the theme for their websites and malicious movies?
"...and install programs that you download intentionally" - ok, but the user is expecting to view a video - he or she *wants* to view that video, and being prompted to install a codec is not unusual. The fake-codec trick is commonly used, and far too often successful, in the Windows world. In light of that reality, I'm not sure how this little snippet of advice helps in a situation like the Mac trojan.
"If you are unsure whether a program is legitimate, you can check to see if that program is also available from a trusted download site..." - sorry, this ain't gonna work unless you decide that if a product or codec isn't listed you're not going to run it, AND that you will only download and run it from said trusted site, AND it assumes that the site itself has not been compromised. AND what happens when the bad guys mimic the name of a well-known, trusted product? In the Windows world, the bad guys often mimic the names of Windows system files and well-known software.
And, in the end, users are lazy. They're not going to stop what they're doing, write down the name of whatever it is they have found that wants to install, open another page so that they can visit whichever download site, and search for the file in question, all before deciding whether or not to enter their Administrator password.
MacWorld's article about the trojan is here:
So what does this all boil down to? All of the above is good, traditional advice, and it would have been enough in the past - but nowadays it is not a panacea, and much of it is negated by social engineering attacks anyway.