Somebody noticed that the Apple support site had a Knowledgebase article that advised "Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult."
The popular press picked up on the article and went nuts - just some of the sites that picked up the story were Information Week, Appscout, MacWorld, SCMagazineUS, SlashGear, The Register, LiquidMatrix, CNET, ComputerWorld, ZDNet, Security and the Net, Security Watch and Security Fix.
Edit: Was it Intego that started all of this brouhaha? See this post dated 25 November - several days before Brian's article on 1 December. Poor Brian has had the finger pointed at him in some circles for 'starting' the blog-storm. Intego is a company that sells "internet security and privacy software" for the Mac. Could it be that the heart of the maelstrom is centered upon a marketing exercise?
According to this CNET article, an Apple spokesman reckons that the article "was old and inaccurate" and that "The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. ... However, since no system can be 100 percent immune from every threat, running antivirus software may offer additional protection." (thank heavens he slipped in that last, ass-saving sentence). So what do Apple do? They take the notice down - they don't edit it to make it new and accurate - they delete it.
I ask you this - how are the Mac's "built-in technologies" meant to protect its users from social engineering? Are they talking about the fact that you need to enter an administrator username and password to install software? Big deal - if that is the argument to be used, then the Mac is no more secure than Vista, which has the same type of protection, called User Account Control.
Example - how many Mac users would know that the poker game pictured on the left is a Trojan horse targeting the Mac? When run, the game harvests the username, password and IP address of the victim and transmits them to a server, and it also enables SSH on the victim's Mac. It was originally discovered by Intego back in June of this year. Intego noted that once SSH is enabled, the attacker can "attempt to take control of [the Mac], delete files, damage the operating system, or much more".
What about this screenshot of a video codec download prompt? The download URL (ultracodec.com) looks legit, doesn't it? Is it real or fake? Safe or dangerous?
I ask you this - how is the less savvy Mac user to know that a game or video codec is a Trojan if he or she does not have any antivirus protection to sound the alarm? You see, the time of the traditional "virus" infecting an operating system *without user permission* is drawing to a close, and the bad guys know it. They use social engineering more and more often to get their wares onto a victim's computer, and they use the inbuilt functionality of non-operating-system applications to get a foothold.
Do you think that Mac users are safe from Flash-based malvertizements? Nope, they're not. Mac users are hijacked just like everybody else, BUT Windows users are protected from some (no, not all) of the fraudware that the malvertizements expose them to because their antivirus detects it. Windows antivirus software can also detect the malicious SWF files used at some stages of the hijack process, AND it can even block access to known bad domains that are used to facilitate browser hijacks, phishing and fraudware attacks. What protection does the Mac user have?
Macsweeper (the fraudware, not the legitimate Mac Sweeper) and Cleanator (fraudware that targeted the Mac and which was spread by malvertizing that even appeared on high profile sites such as msn.co.uk, groups.msn.com and Hotmail) may be defunct at the moment, but that doesn't mean that others will not take their place.
macsweeper.com's WHOIS details reveal that the Registrant's email address was firstname.lastname@example.org - that email address has been used for 29 domains, being adsraise.com, adszedo.com, advertisingcdn.com, antispywaredeluxe.com, antivirus-2009-pro.com, antivirusdeluxe.com, av2010.net, best-antivirus-scanner.info, best-online-antivirus-scanner.info, cleanator.com, clenator.com, download-antivirus2010.info, download-best-antivirus2010.info, fheadsoftware.com, imunizator.com, internetsecuritydeluxe.com, kivvisoftware.com, mac-imunizator.com, macsweeper.com, maxconvert.com, megaplexer.com, megarotator.info, pcsweeperpro.com, pidosoftware.com, promoplexer.com, spywaredestructor.com, thesecuritybundle.com, trackads.net and unicastads.com.
Many of the domains in the above list may be defunct now, but they are only a few of the tens of thousands of domains that have been registered by the purveyors of fraudware. The point I am trying to make is that regular readers will recognize some of those domains as being associated with some very persistent crooks who use malvertizing in an attempt to infect Windows users. In short, we are not dealing with script kiddies or amateur troublemakers trying to make a quick buck. We're talking about a criminal industry that is pulling in millions of dollars in ill-gotten gains.
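The "block access to known bad domains" protection mentioned above, applied to the registrant-linked domain list, as an added example that is not code from this post: it checks the hostnames in a few constructed proxy-log lines against that list, matching on DNS labels so that a subdomain of a listed domain is flagged while a look-alike name is not.

```python
"""Added example, not code from the post: flag proxy-log requests to the
fraudware domains tied to the macsweeper.com registrant. Matching is done
on DNS labels, so a subdomain of a listed domain is caught while a look-alike
such as notmacsweeper.com is not. The log lines below are constructed."""
from urllib.parse import urlsplit

# The 29 domains the post links to one registrant email address.
FRAUDWARE_DOMAINS = {
    "adsraise.com", "adszedo.com", "advertisingcdn.com",
    "antispywaredeluxe.com", "antivirus-2009-pro.com", "antivirusdeluxe.com",
    "av2010.net", "best-antivirus-scanner.info",
    "best-online-antivirus-scanner.info", "cleanator.com", "clenator.com",
    "download-antivirus2010.info", "download-best-antivirus2010.info",
    "fheadsoftware.com", "imunizator.com", "internetsecuritydeluxe.com",
    "kivvisoftware.com", "mac-imunizator.com", "macsweeper.com",
    "maxconvert.com", "megaplexer.com", "megarotator.info",
    "pcsweeperpro.com", "pidosoftware.com", "promoplexer.com",
    "spywaredestructor.com", "thesecuritybundle.com", "trackads.net",
    "unicastads.com",
}

def is_blocked(host, blocklist=FRAUDWARE_DOMAINS):
    """True if host is a listed domain or a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    # Test every suffix except the bare TLD: a.b.c -> b.c (never just c).
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

def flag_log(lines):
    """Return (line_no, host) for each log line of the constructed form
    '<timestamp> <client_ip> <method> <url>' that hits the blocklist."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash
        host = urlsplit(fields[3]).hostname or ""
        if is_blocked(host):
            hits.append((line_no, host))
    return hits

SAMPLE_LOG = [  # constructed sample proxy log
    "2008-12-02T10:01:12 10.0.0.5 GET http://www.nationalgeographic.com/",
    "2008-12-02T10:01:13 10.0.0.5 GET http://ads.unicastads.com/serve?id=1",
    "2008-12-02T10:01:14 10.0.0.5 GET http://notmacsweeper.com/",
    "2008-12-02T10:01:15 10.0.0.5 GET http://MacSweeper.com/download.dmg",
]

if __name__ == "__main__":
    print(flag_log(SAMPLE_LOG))  # -> [(2, 'ads.unicastads.com'), (4, 'macsweeper.com')]
```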
OK, so why do I ask if Apple was negligent in summarily removing the Knowledgebase article in question? Well, let's consider the perception that such an action creates. And let's consider the "Macs don't get viruses" misperception that is encouraged by videos such as the one here.
It is all well and good for some Apple spokesman to acknowledge that "no system can be 100 percent immune from every threat", but his quiet words are being drowned out by Apple's Mac-v-PC videos, by the suddenly removed Knowledgebase article, by the salespeople who tell potential purchasers that a Mac doesn't need antivirus software, and by an Apple userbase who scoff at the very idea or, even worse, make "serve them right, they must have done something stupid" comments about people who do get infected. For what it's worth, such comments really irritate me - there is a big difference between "stupidity" and a lack of experience or educational opportunity - we don't learn about "safe hex" via some sort of mysterious osmosis and, let's be honest, the Mac fanbois and incidents such as the removal of the Knowledgebase article are not contributing to the educational opportunities of less sophisticated Mac users.
Case in point - who has heard about the Vimax advertisements that have been appearing on random sites, but only when the site is being viewed by somebody using a Mac? I have - I have received several emails:
6 November: "Sandi, have you seen copies of the Vimax malware yet; the one that replaces ads? I just got a report that a customer has seen it on a Mac now. I’m still trying to get more details."
19 November: "We have received some reports of malvertizements running in sites such as nationalgeographic.com and tvguide.com but were not able to find these "male enhancement product ads". All we can come up with is this article regarding vimax http://discussions.apple.com/thread.jspa?threadID=1749920&tstart=7 . We are unable to find out where these ads are trafficked or if they are really ads at all. I hope you can post something in your blog that would help us solve this mysterious malware/trojan."
So, I took a look at the discussions.apple.com thread that was referenced by my correspondent, and I saw the very first sentence typed by "Mulder", an apparently experienced Mac user who has been a member of the forum since 2005 and who has posted over 5,200 messages during that time. He said "There is no infection, so it's useless to start thinking that way." And then later: "There are no viruses for Mac OS X, so purchasing or using Antivirus software will accomplish nothing other than wasting time and money. You cannot defend against or remove something that doesn't exist for the Mac." Seriously, that sort of advice has to STOP. Yes, we can get into technical and semantic arguments about "what is a virus" and "what is a trojan" and "did the user do anything or did the infection happen automatically" but that is all beside the point. Just because the bad stuff being discussed is a Trojan does not mean that antivirus is of no use.
Bad stuff is happening to Mac users - bad stuff that can be detected and stopped by antivirus software - so can we please stop telling victims that antivirus is not needed, or will accomplish nothing? The new Trojans being designed for the Mac are too dangerous to ignore. Take the example of OSX.RSPlug.D. According to Intego the malware is "a downloader, and it contacts a remote server to download the files it installs". This means that the bad guys can change the functionality of the software being installed at any time.
Edit: I see that Paul Thurrott says:
"Also, I would say that while I don’t use OS X regularly anymore (who would with Windows Vista and 7 around?), I would never install AV on that system, ever. And that’s true even if I were using it 24/7. It may not last, but for now at least, Mac users don’t need AV. That’s the simple truth."
To say that I am shocked that Paul would say something so... wrong... is an understatement.
Edit 2: Here's another site that is spouting the "Macs do not need antivirus" theme. I strongly disagree with the author's "low risk" argument against antivirus for Macs, and especially these two statements - "Unless you are either specifically targeted by a knowledgeable bad guy, or spend a lot of time downloading software from risky sites, the odds are extremely low you'll ever encounter malicious software." and "there's simply no reason for non-enterprise users who avoid risky behavior to bog down their Macs with antivirus software". The day that the browser hijacking malvertizements for Cleanator and Macsweeper appeared was the day that Mac users could no longer hide behind the "I only visit safe sites" defense.
Anyway, there are other threads about the Vimax advertisements here and here, with no "The Mac does not get viruses" rhetoric. There is hope.
BTW, Sophos has published a "Mac virus timeline" that my readers may find interesting.