Does The Mac OS X Worm Pose A Substantial Risk?

While some argue it is as much a Trojan as it is a worm, just days after I wrote that “While I’ve always denounced people who claim virus infections are impossible in OS X as ignorant, and I still stand by that, the current risk to Mac clients is substantially lower than it tends to be on Windows machines”, Sophos are trumpeting their discovery of a Mac OS X worm.

F-Secure are talking about it too, so this isn’t just Sophos acting up. The chance of infection seems very low if you practise safe computing, and very low indeed if you don’t use iChat. Of course, after years of not having to worry about this kind of thing, and of arrogant assumptions that their platform was somehow magically immune to viruses, I wonder how many Mac users will manage to get into the “safe computing habit”.

May we continue to live in interesting times...

It seems that this has ignited a lot of debate in the Mac community. Comments on message boards range from “The Sky is Falling” to “What’s the problem?”. Both responses are wrong in my opinion. The sky isn’t falling, but this is a noteworthy event: a proof of concept, if you will. Every single currently active malware vector out there started as a proof of concept.

There is an issue here, and it can’t be ignored or wished away. I’m still unsure in my own mind whether this is a trojan or a worm, but in either case it is here. Its infection method is manual and trojan-like, and requires the user to “do something silly”, but those of us who have worked with Windows-based users for years know that is no real obstacle. Once in place, it spreads to other users much like an email worm (an IM worm, in this case).

We’re already starting to see other apps that behave in ways users didn’t expect, yet still managed to get themselves installed. The fact is, OS X users have become accustomed to the idea that nobody targets their platform, so too few of them question why an application asks for admin rights at a particular moment; they have simply been conditioned to supply a username and password on demand.

With thanks to Andrew Welch, who posted a good “neutral” description of this trojan/worm’s actions. Symantec’s writeup is pretty good too (I know, me with something good to say about that lot... shocking!) and includes instructions for manual removal.

ClamAV also includes detection for “Trojan.Leap.A” in its up-to-date definitions, for those who are running ClamXav or similar and want to scan their systems.