Posted by: David Harley | March 12, 2018

Elk Cloner to Coldroot and beyond

Thomas Reed, who has been writing on Mac malware and security for a good while and nowadays writes for Malwarebytes, offers a report on The state of Mac malware, in which he gives some interesting information on four recent threats. Which put me into a mildly nostalgic mood. Perhaps because that title reminds me a little of my first ever Virus Bulletin paper: Macs and Macros – the State of the Macintosh Nation. But that was in 1997, and a lot of things have changed in the malware landscape since then.

Or have they? Well, I don’t have much to do with Mac malware nowadays – which is why I gave up maintaining the timeline pages on this site quite a few years ago. And the last time I wrote a major paper about it – Mac Hacking: the way to better testing? – was 2013. (It was another Virus Bulletin paper, co-written with my colleague Lysa Myers: in fact, when we presented the paper she’d just migrated from Intego to ESET.) But one thing that doesn’t seem to have changed as much as you’d expect: as Thomas puts it, “Unfortunately, many Mac users still have serious misperceptions about the security of macOS.”

Well, it can certainly be argued that there are no macOS (or iOS) viruses. Quite a lot of other examples of malware, though, even if the total number of malicious applications to have affected Mac users over the years – counting all the pre-OS X stuff and the macro viruses – doesn’t begin to compete with the volume of Windows-targeting malware we see nowadays in a single day. And most of what we do see affecting macOS and iOS users falls into the adware or PUA categories, and they just don’t have the glamour of a fast-burning worm or a ransomware epidemic.

One thing that Thomas mentioned did particularly pique my interest: that is, his mention of Elk Cloner, often claimed to be the first in-the-wild virus. Well, maybe, though in fact there were a couple of other Apple II viruses circulating around the same time at Texas A&M. It’s because it was Apple II (i.e. pre-Mac) malware and only worked ‘reliably’ on disks in AppleDOS 3.3 format that I’ve never – as far as I remember – written about it here. And I guess it’s a bit late now: a timeline for Apple II malware would be very short indeed, and I think Elk Cloner’s author has reaped quite enough publicity from that youthful prank over the years…

David Harley
