Graham Cluley reports that Apple’s new system update to OS X 10.6.4 includes an update to its rudimentary anti-malware capability (it should now pick up – in certain limited contexts – the malware that ESET detects as OSX/HellRTS, and Sophos detects as OSX/Pinhead-B).
The AV industry has been less than enthusiastic about Apple’s rather half-baked countermeasure, of course, as mentioned in my recent paper with Pierre-Marc Bureau and Andrew Lee, and in Intego’s year end report here. As Graham says, “although I welcome Apple doing something to reduce the malware problem on Mac OS X, I don’t consider it a replacement for real anti-virus software.”
Clearly, Apple is still in (semi-)denial: this countermeasure still addresses only a handful of the totality of threats now known to be out there, and it’s been silently slipstreamed into the world, so that Apple retail stores can still assure their customers that “Macs never get viruses, it’s impossible. Don’t even worry about it.” Tip of the hat to IBM’s Ian Whalley for that quote. Yes, Graham also mentioned this, but I’d already seen it.
It’s nice to see Apple taking any notice of the OS X malware issue (I won’t call it a problem at this point, but it’s not imaginary, either), but they have a long, long way to go.
It would be interesting to know if they’ve addressed Intego’s point that some of those detections will never work in the real world because Apple didn’t understand the importance of vector and execution context. I may look into that, in my copious free time. Any year now…
SC Magazine’s Dan Raywood has also commented here.
David Harley CITP FBCS CISSP
Mac Virus Administrator
Small Blue-Green World
AVIEN Chief Operations Officer