I recently had the opportunity to look into the anti-malware world of Apple OS X. One of our clients moved to a new office in late October 2011. As part of this move they also moved from Microsoft operating systems and software to Apple OS X systems and software, making a clean break from all things Microsoft. While researching their question about anti-malware for OS X I found that the world of anti-malware for OS X is just as fraught with information and disinformation from Apple fans, Apple opponents and anti-malware vendors as the world of Linux seems to be at times with its fans and detractors. I came to the following conclusion which is paraphrased and expanded from the e-mail I sent our client.
After a lot of research over the past month I have come to the conclusion that costly Unix, OS X and Linux anti-malware programs, such as Norton anti-virus on OS X, are a waste of money. It is not that unix-like systems are invulnerable to attack, but that the types of attacks I have seen mentioned over this month will get right through most anti-malware software on systems that are vulnerable. All these anti-malware solutions seem able to do is protect your Microsoft-using friends and clients to whom you might forward an infected e-mail sent to you from someone else using an infected Microsoft Windows system.
The fact that Microsoft software is perceived to have the largest installed base does mean there are many more attacks against Microsoft systems in the desktop space. But just because a system is highly targeted does not mean it can be successfully targeted. The flawed core design of all Microsoft operating systems, desktop and server, means more successful attacks. The “designed with security in mind” unix-like systems are much less likely to experience a successful attack on the desktop or the server. This is not to say they will never be targeted; they will. It is just that the incidence of successful attacks is likely to be much lower than that on Microsoft’s systems. Of course, any desktop system that has a user interacting with it can be successfully attacked through social engineering. User education is the only solution to social engineering attacks.
Unix-like systems are typically not susceptible to traditional Viruses such as those found on Microsoft Windows. However, they can be susceptible to social engineering, Worm and Trojan Horse attacks. Here are some basic definitions:
Virus – Self-replicating malware that attaches to executable files. The infected program has to be run for the virus to spread. Typically viruses will seek out system programs that start when the system starts, or specific software that is ubiquitous across the platform the virus is designed to attack.
Worm – Self-spreading malware that attacks un-patched, vulnerable “services” on networks. These usually take the form of a “rootkit” running on an infected system that will attack print servers, name servers, web servers, file servers, and the like. All modern desktop operating systems are likely to be running a service of some sort. Server systems will definitely be running some services. A worm only succeeds if the service is vulnerable due to not being patched or up to date. A successful attack will then install itself as a new “rootkit” on the infected system and start scanning the network for more vulnerable systems it can successfully attack from the newly infected system.
Trojan Horse – Embedded malware that requires the end-user to install an application that is pretending to be something it is not. This is the most prevalent attack these days. In some cases it preys on a user’s ignorance by using social engineering to get the user to install malware. Fake anti-virus pop-up messages from infected web sites are the most common infection vector. In other cases the attack vector is deliberately infected install files from “strange” web sites. A Trojan Horse may include a virus, a worm or both.
For more detail see this: The Difference Between a Computer Virus, Worm and Trojan Horse
All anti-virus software is retroactive. In other words, for all of these, the anti-virus software has to already “know” about specific malware to be able to prevent it. In the event of web site pop-up malware, most, if not all, anti-virus software will happily let one install the software that is masquerading as anti-virus software. In some cases the end-user might get a warning that the software is malicious. But often no warning is given, even with web scanning enabled in the anti-virus software. Then the uneducated, gullible user clicks on the dialog and essentially, but unknowingly, agrees to infect the system.
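The point that a scanner can only catch what it already “knows” is easy to show with a toy signature scanner. The following is an added example, not code from the original post or from any anti-virus product: the “known sample”, the signature names, the file contents and the vendor database are all constructed stand-ins, and hash plus byte-pattern matching is a simplification of what a real scanner does. It shows that an exact copy of a catalogued sample is caught, that a trivially repacked copy slips past the hash signature and is only caught by a looser pattern, and that a new campaign with new wording is not caught at all until a sample reaches the vendor and a signature is added.

```python
"""Toy signature scanner illustrating why anti-virus is retroactive.

Added example, not code from the original post. Every byte string, hash and
signature name below is constructed for illustration only.
"""
import hashlib
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; exact-match signatures key on this."""
    return hashlib.sha256(data).hexdigest()


class SignatureScanner:
    """Matches files against hashes and byte patterns the 'vendor' has seen."""

    def __init__(self) -> None:
        self.hashes: Dict[str, str] = {}     # sha256 hex -> signature name
        self.patterns: Dict[bytes, str] = {}  # byte pattern -> signature name

    def add_hash(self, sample: bytes, name: str) -> None:
        """Catalogue one specific sample (what happens after a vendor gets a copy)."""
        self.hashes[sha256_hex(sample)] = name

    def add_pattern(self, pattern: bytes, name: str) -> None:
        """Catalogue a looser 'generic' signature shared by a family of samples."""
        self.patterns[pattern] = name

    def scan(self, data: bytes) -> Optional[str]:
        """Return the matching signature name, or None if nothing is known."""
        hit = self.hashes.get(sha256_hex(data))
        if hit is not None:
            return hit
        for pattern, name in self.patterns.items():
            if pattern in data:
                return name
        return None  # unknown to the scanner: it is simply not detected

    def scan_all(self, files: Dict[str, bytes]) -> Dict[str, Optional[str]]:
        """Scan a mapping of file name -> contents and report per-file results."""
        return {name: self.scan(data) for name, data in files.items()}


# Constructed stand-in for a fake anti-virus installer a vendor has already analysed.
KNOWN_SAMPLE = (
    b"#!/bin/sh\n"
    b"# fake-av-installer (constructed sample)\n"
    b"echo 'Your Mac is infected! Click Install'\n"
)

# Constructed files to scan: an exact copy, a trivially altered copy, a new
# campaign nobody has catalogued yet, and a harmless script.
SAMPLES: Dict[str, bytes] = {
    "exact-copy.sh": KNOWN_SAMPLE,
    # One changed comment byte gives a different hash; only the pattern still matches.
    "repacked-variant.sh": KNOWN_SAMPLE.replace(b"fake-av-installer", b"fake-av-installer v2"),
    # New wording, no shared pattern, no hash on file: the scanner has nothing to compare.
    "novel-trojan.sh": b"#!/bin/sh\necho 'Security alert: install MacProtector now'\n",
    "benign-backup.sh": b"#!/bin/sh\ntar czf backup.tgz ~/Documents\n",
}


def build_vendor_db() -> SignatureScanner:
    """The vendor database as it stands before the 'novel' campaign is reported."""
    scanner = SignatureScanner()
    scanner.add_hash(KNOWN_SAMPLE, "FakeAV.Installer.A")
    scanner.add_pattern(b"Your Mac is infected!", "FakeAV.Installer.gen")
    return scanner


if __name__ == "__main__":
    scanner = build_vendor_db()
    for filename, verdict in scanner.scan_all(SAMPLES).items():
        print(f"{filename:22} -> {verdict or 'clean (as far as the scanner knows)'}")
    # Only after the vendor receives a copy does the new campaign become detectable.
    scanner.add_hash(SAMPLES["novel-trojan.sh"], "FakeAV.Installer.B")
    print("after signature update ->", scanner.scan(SAMPLES["novel-trojan.sh"]))
```

Run as a script it reports the exact copy and the repacked variant as detected, the novel trojan and the benign script as clean, and then the novel trojan as detected only once its hash has been added. The gap between a new campaign appearing and its signature shipping is exactly the window in which the user’s own judgement about the pop-up is the only defence.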
Here is one example of a successful Trojan Horse web based attack on OS X systems:
If you are new to unix-like systems and have not yet purchased anti-malware for your Linux, Unix or OS X, here is what I recommend. Do not buy anti-malware for unix-like systems as you will likely just be wasting your money. Instead, use a “free” anti-malware package if you feel you must have one. Keep your unix-like systems up to date. Then educate yourself, your friends, your acquaintances and your employees about these web based Trojan Horse attacks. Think long and hard before you download and install any “strange” software from “strange” web sites. Ultimately the human mind considering the pop-up message on the screen or the program download from a “strange” site is the last line of defense against these attacks. An educated, cautious mind is the best defense against a social engineering malware attack.
Finally, we all know there are some people for whom no amount of training will suffice. Not all brains are equal in their ability to process and store information. These folk may listen politely to explanations about malware, nod that they understand, then go ahead and click the [Install] button on a malicious pop-up dialog and follow the instructions to completion. There are also people who refuse to learn anything they perceive to be “inconvenient”. They remain willfully ignorant of malware threats as a result. These people will always be the weak link in the chain when attempting to protect personal and business systems from malware. The malware clean-up businesses will still have a strong future with these people using computers, no matter what operating system they use.