Posted by: David Harley | April 19, 2010

Mac Malware – not actually that funny

At one time, when I used to be regarded as being something of an expert in Mac malware, I sometimes compared that particular field of expertise to being the owner of a champion racing snail. The point being, of course, that even in the 1990s, before OS X came off the drawing board and onto the desktop, the volume of Mac-specific malware was pitiful compared to the avalanche that threatened the unwary Windows user. Today, when my colleagues in the ESET labs tell me that they’re seeing way, way more than 100,000 unique binary samples of malware per day (maybe twice that much), that quantity looks even more pitiful.

So I can see where John E. Dunn is coming from when he says that the truth about Mac malware is that “It’s a joke.” And on the basis of the list of named Mac malware with which he says BitDefender supplied him, he might have a point: as he says, he won’t need a very big notebook to catalogue each example. He is, however, missing a point or two.

The old model of one detection = one virus/one variant long ago ceased to hold true in the world of Windows, and is far less true than it was in the world of Mac malware. The growth of generic/heuristic/proactive technologies has seen to that. Counting “viruses” is meaningless because every vendor detects and counts differently: the more proactive a detection (a signature, if you must) is, the more families, specific threats, variants and subvariants it will address. (See and

Forget the antique malware like Init29, the HyperCard infectors that he doesn’t list, even the multitudes of MS Office macro infectors, which aren’t, of course, Mac-specific: while there are still systems around that are capable of supporting them, despite Apple’s decreasing interest in backward compatibility, that vintage of malware is nevertheless hardly ever seen in the wild today. AV products still detect them because you can never say that a given malicious program will never, ever be seen “in the wild” again. (By that I don’t mean epidemic: I mean found on at least one end-user’s machine, as opposed to in a virus researcher’s laboratory.)

The curious fact is, though, that in the age of the OS X Trojan, our collections include hundreds of unique malicious binaries. That’s not very impressive compared to those many millions of Windows binaries, but it’s no joke. Unlike Snow Leopard’s signature detection of a handful of malicious programs, which constitute a fraction of the OS X malcode we know about. But that’s not funny either, if you were ever misled into thinking that was a serious anti-malware measure. If you still think it is, you might want to check the information in this (still valid) report by Intego:

It’s mildly ironic that Dunn is clearly no Mac Fanboi, since there’s a good chance that his post will be taken up by MacMyopics as proof that “even Windows users know that there are no significant Mac threats”. Just as there’s a good chance that this post will be picked up somewhere as “AV researcher says Mac and macro viruses don’t matter”, ignoring my real point, which is that OS X malware is out there in significant numbers and increasing.

Actually, a lot of PC users do buy into that assumption, but that doesn’t make it true. I’ll be talking about that at InfoSecurity Europe next week, if you happen to be passing.

Mac Virus
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence

  1. […] BLOGS: Mac Malware really isn’t that funny April 19, 2010 Kevin Townsend Leave a comment Go to comments David Harley comments on John E Dunn’s statement that “The truth about Mac malware – it’s a joke” by suggesting that if so, it’s “not actually that funny“. […]

  2. […] Security And The Power Of Perception” in the Business Strategy Theatre (but if you read my earlier blog, you already knew that). Yes, I think it went quite well, thank you for asking. It was […]
