washingtonpost.com
Faster Forward: Mac spyware alert is not all that new

By Rob Pegoraro
Thursday, June 3, 2010; 12:45 PM

Over the last few days, you may have seen a story or two warning about a new form of Mac spyware. But there's nothing too novel about this malware.

The pest in question is an application that downloads and installs itself in the background when users add what they think is a free screensaver or some other freebie application. An alert by the Austin, Tex.-based security-software firm Intego lists the crimes of the software that it calls "OSX/OpinionSpy" (but which labels itself "PremierOpinion"): scanning your files and network traffic; injecting its own code into Safari, Firefox and iChat; copying and uploading unknown types of data.

Intego's blog post also contains this sentence, in which I've highlighted the most relevant part:

"This application, which has no interface, runs as root (it requests an administrator's password on installation) with full rights to access and change any file on the infected user's computer."

If you've been using a Mac for any length of time, you should know that most applications do not require you to type in your admin password. That is not the case in Windows (or, for that matter, in Linux), in which every application install requires additional consent--clicking through a "User Account Control" dialog in Windows, typing your password in Linux.

So for OSX/OpinionSpy to infect a Mac, you're going to have to do the equivalent of handing over your house keys first--when normal software is content to knock on the front door and wait for you to let it in. That's nothing new in the Mac market; see, for example, this 2007 explanation of an earlier trojan of this type.

The authors of OSX/OpinionSpy may, however, deserve credit for a different sort of innovation. Intego's post says the host applications for their malware were listed on such widely cited Mac-software directories as VersionTracker and MacUpdate. At any of these sites, poor user ratings should suffice to warn off users. At MacUpdate, which says it rates and reviews every application before posting it, a trojan theoretically shouldn't even have shown up.

(MacUpdate chief operating officer Misha Sakellaropoulo e-mailed to say that the site hadn't noticed an issue until its users began discussing problems with these downloads in March and noted that Intego's own software didn't flag this problem until May 31.)

The relative obviousness of this one Mac trojan doesn't make Apple's platform invulnerable--for evidence to the contrary, see the successful attacks demonstrated against fully-patched versions of OS X at the annual Pwn2Own security conference.

But there's security in a worst-case scenario and there's safety in everyday computing. And it remains true that your odds of picking up malware are dramatically higher on Windows--due both to such OS X features as requiring an admin password for anything that would monkey with core system routines and to Windows' higher market share. If you use an older version of Windows or don't update your browser, your risks escalate dramatically. But if you think somebody's gunning for you in particular, you can't count on your choice of software alone to save you.

A Financial Times report on Monday that Google was moving away from Windows in favor of OS X or Linux on its own desktops and laptops illustrates all those dimensions of computing security and safety (if the story is true; Google declined to comment). Yes, Google employees will face fewer random threats on a Mac or in Linux. But if Chinese hackers craft precise attacks against its systems, Google will need to step carefully no matter what operating systems it installs--and failing to keep its browsers up to date, as reports have suggested it did before, would represent an indifference to risk that amounts to computing malpractice.


© 2010 The Washington Post Company