Mac malware 'explosion' missing in action


The appearance of the MacDefender trojan back in May provoked a lot of back-and-forth between various tech writers (including your humble correspondent). Was this a sign that the good times were ending? That the Mac platform would come under ever-fiercer attack from malware authors? That soon we'd all be running resource-sucking virus scanners and a-fearing every link we clicked?

Well, in a word: no. It wasn't. And I've got some science to prove it.

A primer on "malware definitions"

If you're unfamiliar with the concepts at work here, it'll help to understand my results if you know exactly what a "malware signature" is. The primary way a malware scanner works is to examine files on your computer -- sometimes all files (the so-called "deep scan" approach, which usually takes hours) and sometimes only specific files that are known to be targeted by viruses, trojans, and other malware. Scanners also usually stay running in the background and scan each and every file you open and program you run right as they load, as an extra level of always-on protection. This last mode is what often causes computers to feel sluggish after you install anti-malware software.

So what does this "scan" thing entail, exactly? Glossing over a lot of technical details, the scanner will run the file it is examining through a hash function of some kind. This is a sort of ultra-strong fingerprinting algorithm that produces a short, effectively unique identifier for the file (a 'hash'), which can then be compared against the identifiers of known data or code segments. The malware definitions list is a catalog of hashes that have been generated from known malicious files; if a file on your system matches one in the list, then boom, You've Got Malware.

An example of XProtect's signatures for MacDefender.

For this setup to have any value at all, it's crucial that the definitions list is kept up-to-date. Things can move fast in the malware world; new threats emerge suddenly and (even more insidiously) malware authors tweak their existing programs to have a different signature, making them undetectable by the scanner. These "variants," as they are called, result in a rapid cat-and-mouse game between developers of malware software and developers of malware scanners.

This is what happened to Apple back in early June. The MacDefender trojan prompted Apple to start aggressively pushing out updates to its own in-house malware scanner, XProtect. This, in turn, prompted hackers to start releasing new variants of MacDefender that bypassed the new check, then another new check from Apple, another new version of MacDefender, and so on. Many commentators wrote long posts with varying degrees of pessimism and optimism about how this would end. Would the hackers win and Apple be overwhelmed, or would they be defeated by Apple's vigilance?

My methodology

Two months ago, I tried to come up with a way that we could answer that question definitively.

I wrote a small script to download Apple's malware definitions file every hour and permanently store each unique version. I started this script running on June 2nd, capturing version 2 of the file; since then there have been 22 further versions, each adding new malware definition signatures to the scanner. I now have all that data at my fingertips.

Before I show you what I've discovered, let's consider what this script hasn't taken into account. It's not really measuring how much malware exists for the Mac, of course. It's measuring how much malware Apple has identified -- whether MacDefender related or not (there is other malware listed in the file, like OSX.HellRTS.) However, I think that's not too useless a metric: we know that Apple put considerable effort into staying on top of the situation with MacDefender, sometimes releasing updates to the definitions file just hours apart. We can also assume that Apple, with its world-wide support staff, can do a better job than anyone else at keeping its ear to the ground for new threats. It seems reasonable to assume that the state of that XProtect definition file is a good proxy for the state of Mac malware in general.


The following graph shows the number of unique malware variants listed in the file as each new version was released.

There are two occurrences where the graph goes down, i.e. a new version of the file lists fewer definitions than the older version. This happened when Apple found two new variants, wrote signatures for them both, then later found a single signature that covered both variants. My script records this as a variant "disappearing" because there are fewer signatures overall. It doesn't mean that protection actually decreased.
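The hourly-download script and the variant counting described above, as an added example rather than the author's own script: it keeps only content-unique versions of the definitions file (by hashing each download), then counts variant names and distinct signature patterns per version and flags the "graph goes down" case, where fewer signatures cover the same variants. The plist layout, keys and hex patterns below are constructed assumptions, not the real XProtect file.

```python
import hashlib
import plistlib

# Two constructed snapshots in a simplified XProtect.plist-like layout: an array
# of dicts, each with a "Description" naming a variant and a "Matches" list of
# signature patterns. Keys and patterns are assumptions, not real signatures.
SNAPSHOT_V1 = plistlib.dumps([
    {"Description": "OSX.MacDefender.A", "Matches": [{"Pattern": "AA01"}]},
    {"Description": "OSX.MacDefender.B", "Matches": [{"Pattern": "BB02"}]},
    {"Description": "OSX.MacDefender.C", "Matches": [{"Pattern": "CC03"}]},
])
# Later version: B and C now share one pattern, so the signature count drops
# although no variant lost coverage (the "graph goes down" case).
SNAPSHOT_V2 = plistlib.dumps([
    {"Description": "OSX.MacDefender.A", "Matches": [{"Pattern": "AA01"}]},
    {"Description": "OSX.MacDefender.B", "Matches": [{"Pattern": "BC99"}]},
    {"Description": "OSX.MacDefender.C", "Matches": [{"Pattern": "BC99"}]},
])

def store_unique(archive, data):
    """Keep a fetched file only if its content hash is new; True if stored."""
    key = hashlib.sha256(data).hexdigest()
    if key in archive:
        return False
    archive[key] = data
    return True

def summarize(data):
    """Return (set of variant names, set of distinct signature patterns)."""
    entries = plistlib.loads(data)
    variants = {e["Description"] for e in entries}
    signatures = {m["Pattern"] for e in entries for m in e.get("Matches", [])}
    return variants, signatures

def compare(old, new):
    """Diff two versions and flag a signature drop that is only consolidation."""
    old_v, old_s = summarize(old)
    new_v, new_s = summarize(new)
    return {
        "variants_added": sorted(new_v - old_v),
        "variants_removed": sorted(old_v - new_v),
        "signature_delta": len(new_s) - len(old_s),
        "consolidated": len(new_s) < len(old_s) and old_v <= new_v,
    }

if __name__ == "__main__":
    archive = {}
    for poll in (SNAPSHOT_V1, SNAPSHOT_V1, SNAPSHOT_V2):  # hourly polls; v1 seen twice
        store_unique(archive, poll)
    print(len(archive), "unique versions;", compare(SNAPSHOT_V1, SNAPSHOT_V2))
```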


For a period of several weeks, we see the rapid cat-and-mouse game predicted by people like Ed Bott. Variants of MacDefender appear at the rate of about one a day, and we see a corresponding update of the XProtect definitions file once or even twice a day also. This keeps going until we reach the 21st version of the definitions file, which detects 15 distinct variants of MacDefender (labelled OSX.MacDefender.A through to OSX.MacDefender.O) using 12 different detection signatures.

And then... nothing. No new updates to the file since the 23rd of June.

There are two ways to look at this. It's possible that the malware kept coming, and Apple either failed to notice it, or just gave up trying to keep up. If that were true, though, we'd expect to still be hearing about it, both in the general press and from TUAW's contacts throughout the Mac ecosystem of developers and support staff. But we've heard nothing.

The other option, then, is that the malware has stopped evolving. The MacDefender authors gave up trying to issue new variants, and nobody else has (so far) taken their place. The Mac malware scene is... well, if not dead, then asleep. Stunned. Pining for the fjords.

I stand by my earlier cautionary note. There's no magical protection against malware in OS X -- there's solid engineering, but that's not infallible. All computer users, regardless of OS, should remain vigilant: don't run software from untrusted sources, don't fall for web browser popups screaming that you have viruses, think twice before entering your iTunes or online banking or email password into an unfamiliar website.

Still, for now, I think Mac users who were worried about MacDefender can partly relax. The wolf is still not at our door.

Footnote: regarding Lion's version of XProtect

The recent release of Mac OS X 10.7, Lion, appears to have brought some changes to XProtect as well as overall enhancements to OS security. The URL that is probed for new malware definitions has moved (from here in Snow Leopard to here in Lion) and the file itself contains quite different signatures -- there are signatures in each version of the file that do not appear in the other. Furthermore, although the Snow Leopard version lists MacDefender.A through to .O (15 variants in all), the Lion version only lists .A and .B. The .B definition list, however, contains many more signatures. It doesn't necessarily mean that XProtect doesn't detect as much malware as it did before.

My guess would be that the new OS has brought with it internal modifications to how XProtect works that has caused these changes. Again, however, I do not feel that this invalidates my results. Snow Leopard remains a supported OS that will still have a large install base for some time to come, and (we can assume) Apple will continue to release security updates for it in as timely a manner as it ever did -- including XProtect updates.
