Mac and the State of Malware

I want to start a discussion of the state of malware on the Mac.

I have always understood that software, of any sort, could not run without action first on the part of the user. That action may be an email attachment with a self running macro in Word or Excel. Still, you would have to open the doc first AND allow an application to automatically run a macro without asking first.

It may be downloading AND INSTALLING software you don’t know.

Can malware be installed, without user action, from a website popup window? Can it be installed, arriving as an attachment on spam email, that you don’t open? What if you do open the email but not the attachment?

I’ve used different anti-virus and anti-malware software in the past, but never kept any of it up to date, thinking that by practicing safe computing, I was safe. I’ve been malware-free using Macs in our office since 1985. Still, my wife recently has had a horrid infection with malware installed

What do other people know? What prevention software are you using, if any?

I gave up on anti virus software when a company I worked for that used Macs caught a virus around 1997 or so, even though they used Norton. Since around that time, Apple’s software updates have also focused on regularly including very effective antivirus and malware measures. I’m very mindful about not clicking on anything that might be in the slightest bit suspicious, either in an email attachment or link, a browser page, or something on a memory stick.

When I did use Norton, it really slowed things down on the Macs I was using. I’ve never missed it.

Here’s Josh’s swan song about the latest Mac update:

That’s not quite true in that one type of malware called Virus has the capability of both infecting by itself and spreading to other devices without user interaction. There hasn’t been an instance of a Mac or iDevice virus since the introduction of Mac OSX and iOS. That doesn’t mean there could be such malware developed in the future.

Possibly, using javascript, but the popup window wouldn’t be necessary, simply a distraction. This is generally known as a drive-by infection and there have been a very few instances with macOS. Probably been patched by now.

Both doubtful. I’m unaware of either happening.

1 Like

I would only challenge the use of “very effective” there. It took a very long time for Apple to guard against any kind of adware, which has been the most common Mac malware for a decade or more. And they were always days or weeks behind on countering zero-day infections. With the recent introduction of XProtect Remediator as a replacement for MRT, they may have cut that down to two weeks or less, and the promise of “Rapid Security Response”, being tested now, has the potential of being as fast as the various anti-malware apps are at keeping up today.

1 Like

I’ve been using ClamXAV for years, and set it to update virus signatures daily. I don’t use it to scan hard disks regularly, but it’s set to scan automatically everything that goes into the Downloads folder - which is where Mail saves attachments to, and where all browsers store downloaded files.

The cost is about 30€ for 2 years, although I think that’s cheaper than if you got it now, as I was grandfathered in for a cheaper tier due to owning the app before it became a subscription service.

In the 7 years or so I’ve been using it, it has caught something 2 or 3 times, if memory serves. And at least one of those wasn’t a virus but an adware-infected, but otherwise legitimate, piece of software. So, I’m not sure how great the risk is to Mac users that are discerning where they surf and what they click to begin with, but the peace of mind is certainly worth €1.50 per month to me. YMMV.

1 Like

Great idea. Get ready for 10,000 different views. :) I use:

  1. Malwarebytes, free and run it manually.
  2. Virusbarrier Intego free from Mac App Store and run it manually.
  3. DetectX Swift and run it manually.
  4. XProtectMediator or whatever it is called.
  5. Lulu, Oversight, BlockBlock, RansomWhere, all I think from Objective-see.org
  6. CleanMyMacX > Protection > Malware Removal occasionally
  7. I never run any of them at same time.

Best, Patrick

1 Like

From a theoretical point of view, we already know that this can happen. Pegasus at one point famously used (uses?) a specially-crafted SMS message that the user never opened, never viewed, that still infected an iPhone to the point that the user could be tracked to the minutest detail.

I think that Messages and phone calls are special on iPhones - there are parts of the firmware that handle them outside big iOS, as I understand it - but I think that MacOS is more open, less locked down than iOS and wouldn’t be surprised if there is some sort of attack vector, discovered or unknown, that could be taken advantage of in a similar way. We know that there can be junk filtering and rules processing of mail messages before you even view them on MacOS mail - perhaps there is a way to take advantage of something like that. (Windows in the past was attacked in a similar way as it used IE as a web view engine, and there were attacks that used malformed mail messages to take advantage of IE vulnerabilities even without viewing a message.)

So probably one of the best things we can do to prevent something like that is to keep MacOS updated as soon as Apple publishes security vulnerability updates. I know some hate what Ventura can’t or won’t do, or won’t do anymore, and it’s possible that adding new features/APIs adds new possible vectors for security vulnerabilities, but at least we know if Apple finds out about them, they will patch them as soon as they can, and I have less confidence that they will do so for older versions of MacOS.

1 Like

Assume you do have Lulu, Oversight, BlockBlock & Ransomwhere running all the time, otherwise they are not effective.

You may want to consider one and only one that runs in Real-Time/On-Access background mode to prevent malware from being installed. None other than the aforementioned Objective-See apps you list are capable of that. Either Malwarebytes for Mac Premium or Intego VirusBarrier X9 will do that, as does the previously covered ClamXAV and others that may or may not bog down your Mac.

1 Like

Thank you. Yes, all Objective-see apps are continually running. The others are manual. Best, Patrick

Installed from a browser without interaction? As far as I know, all modern web browsers have features to prevent something like this.

You should always configure your web browser to never auto-launch downloaded content. For Safari, be sure to uncheck the “Open safe files after downloading” box on the General tab of the preferences:
Other web browsers may have other settings to control this.

Assuming your web browser allowed something to auto-execute (e.g. an installer of some kind), there is also the system permissions feature that will prevent a non-administrator from copying any content to the /Applications folder without getting you to provide an admin user name and password. Without that, it could still install something to your home directory, but that can limit the damage to your login, and probably protect the rest of the system.

Finally, there is Gatekeeper, which forces you to authorize any downloaded application the first time you launch it. If you’re not logged in as an administrator, you will need to provide an admin user name and password in order to do this. If the app is not digitally signed, Gatekeeper will refuse to let you launch it at all (although you can manually right-click on the app and select “Open” from there to authorize an unsigned app.)

So, there are several layers of protection that are designed to prevent software from auto-installing without your knowledge.

But all systems have bugs, so it would be foolhardy to claim that such a thing is impossible. Apple and other reputable software vendors will fix these bugs as they are discovered (which is why it is important to keep apps up to date), but sometimes they are exploited before they can be fixed (so-called “zero-day” exploits).

WRT anti-malware software, I have an installation of the free edition of Malwarebytes. I run a manual scan from time to time, when I think it’s been a while. So far, it hasn’t found anything, but I am very careful about what I download and where I download it from. I have never run a background-scanning app on my Macs. (I run Microsoft Defender on my Windows PCs, and don’t bother to run anything on my Linux systems, but that’s a different topic.)

4 Likes
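Gatekeeper, mentioned in the post above, works from the quarantine tag that Safari, Mail and other download agents put on saved files. The following is an added example, not Apple's code and not code from anyone in this thread: it decodes the com.apple.quarantine extended attribute so you can see which application saved a file and when, which is useful when checking what a download actually is before authorizing it. The attribute value is assumed to have the shape "flags;timestamp;agent;uuid" with hexadecimal flags and a hexadecimal Unix timestamp; the sample value and the agent name "ExampleBrowser" are constructed for this example, and the `read_quarantine` helper (which shells out to the macOS `xattr` tool) simply returns None on other systems.

```python
"""Decode the com.apple.quarantine extended attribute that Gatekeeper consults.

Added example (not Apple's code, not from the thread). Assumed value format:
"flags;timestamp;agent;uuid", where flags and the timestamp (seconds since the
Unix epoch) are hexadecimal. The sample below is constructed.
"""
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a file saved by a download agent named "ExampleBrowser".
SAMPLE_XATTR = "0083;5f0e2b80;ExampleBrowser;0A1B2C3D-0000-4000-8000-000000000001"


@dataclass
class QuarantineInfo:
    flags: int               # raw flag bits, kept as an integer
    downloaded_at: datetime  # when the agent saved the file (UTC)
    agent: str               # application that saved the file
    uuid: str                # per-download identifier, may be empty


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the raw attribute string; raise ValueError if it has the wrong shape."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(flags, downloaded_at, agent, uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Read the attribute from a file using the macOS `xattr` tool.

    Returns None when not on macOS or when the file carries no quarantine tag
    (i.e. it was not saved by a download agent).
    """
    if sys.platform != "darwin":
        return None
    result = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", path],
        capture_output=True, text=True,
    )
    if result.returncode != 0:
        return None
    return parse_quarantine(result.stdout)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    info = read_quarantine(target) if target else parse_quarantine(SAMPLE_XATTR)
    if info is None:
        print("no quarantine attribute (file was not tagged as a download)")
    else:
        print(f"agent={info.agent} downloaded={info.downloaded_at.isoformat()} "
              f"flags=0x{info.flags:04x} uuid={info.uuid}")
```

Run it with a path to a file in ~/Downloads on a Mac to see the real tag; without an argument it decodes the constructed sample. A file with no quarantine attribute is exactly the case Gatekeeper does not prompt for, which is why the "Open safe files after downloading" setting matters: it lets the browser launch content before you have looked at the tag.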

re Ulf D comment …but it’s set to scan automatically everything that goes into the Downloads folder - which is where Mail saves attachments to, and where all browsers store downloaded files…

Many browsers such as Safari, Firefox and ... allow setting preferences for downloads to either a different volume or simply to the desktop, which then makes it easy to separately scan or evaluate and erase before doing damage. Yes, the desktop folder is part of the user folder on the normal system disk. And even mail can be set via an “alias” program (AKA “symbolic linker”) to separate disks or volumes, reducing the ability of infecting the main software disk.

My own observations and short discussions with knowledgeable types seem to indicate that mail and ad stuff is the most common way to sneak in malware. Even answering a simple email from a known friend with correct name and email address - such as from “jim at xyz mail”: “Joe, are you going to the store today?” - so, knowing your friend Jim in the same apartment building, you respond “Yes, what do you need?” - can trigger a major phishing email or worse within a few minutes. And it was NOT Jim’s email system hacked, or yours, but someone else you had both communicated with at some time in the past.

With 11 plus BILLION email addresses being exposed, it’s a good bet yours was at some time in the past, through NO fault of yours.

Actually, that is not where Mail stores attachments, unless you open a message and use the paper clip icon in order to save the attachment, then point it to your download folder. Otherwise the attachment remains in your ~/Library/Mail/ directory, either still embedded in the message itself or in a separate “Attachments” folder if you have either opened it or it is an image you viewed when you opened the message. Sorry this is so confusing, but Apple had decided to make it so.

Also note that ClamXAV is configured to not scan emails:

# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail no

1 Like
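The snippet above is in the clamd.conf key/value format the ClamAV engine uses, where a setting that is commented out falls back to the default stated in the comment. As an added example (not ClamXAV's or ClamAV's own code, and not from anyone in the thread), here is a small auditor that parses a file in that format and reports which content scanners are switched off, so a reader can check whether an "everything in Downloads is scanned" setup actually opens mail messages and archives. The sample configuration is constructed for this example, modelled on the quoted lines; the default table assumes the documented ClamAV defaults of "yes" for ScanMail, ScanArchive and ScanPDF.

```python
"""Audit a clamd.conf-style configuration for disabled content scanners.

Added example, not ClamXAV's or ClamAV's code. Assumes the clamd.conf format:
one "Key value" per line, "#" starts a comment, and an unset key takes the
default. The sample text is constructed for this example.
"""
from typing import Dict, List, Optional

# Constructed sample, modelled on the ScanMail lines quoted in the thread.
SAMPLE_CONF = """\
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail no

# Scan archives such as zip and tar.
# Default: yes
ScanArchive yes

# Maximum size of a file to scan (constructed value).
MaxFileSize 25M
"""

# Documented ClamAV defaults for the scanners we care about (assumption: the
# engine in use honours the same defaults as upstream ClamAV).
DEFAULTS: Dict[str, str] = {"ScanMail": "yes", "ScanArchive": "yes", "ScanPDF": "yes"}

TRUE_VALUES = ("yes", "true", "1", "on")


def parse_conf(text: str) -> Dict[str, str]:
    """Return {key: value} for every active (non-comment, non-blank) line.

    A later line overrides an earlier one, matching a top-to-bottom read.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) == 2 else ""
        settings[key] = value
    return settings


def effective(settings: Dict[str, str], key: str) -> Optional[str]:
    """Value the engine would use: the file's setting, else the documented default."""
    return settings.get(key, DEFAULTS.get(key))


def is_enabled(value: Optional[str]) -> bool:
    return value is not None and value.lower() in TRUE_VALUES


def audit(text: str) -> List[str]:
    """List each known scanner that ends up disabled, and why."""
    settings = parse_conf(text)
    findings = []
    for key in DEFAULTS:
        value = effective(settings, key)
        if not is_enabled(value):
            origin = "set in file" if key in settings else "by default"
            findings.append(f"{key} is disabled ({origin})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["all known scanners enabled"]:
        print(finding)
```

Point `audit` at the contents of a real configuration file to get the same report; the distinction between "set in file" and "by default" tells you whether someone chose the setting or merely inherited it.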

I phrased that badly - what I meant is “The Downloads folder is where I have set my mail and browser apps to store attachments and downloads”, precisely so they will be scanned upon saving.

There are zero-click exploits in existence. They require no interaction from the user, and are usually targeted attacks, which means you are safer if you are a nobody. Any incoming traffic to your device (mail, messaging, browser data, file transfer, network traffic) could be an avenue for zero-click attacks, but they are currently the rarest of threats. The Pegasus exploit of iOS is a well known example of a zero-click used to breach targeted iPhones. Apple closed that particular hole in iOS 14.7.

1 Like

Wondering if this board has a view on the antivirus app called Sophos. It is a cloud based solution that works on multiple machines. I have been using Sophos home version after I experienced a lot of slow downs from Norton.

BTW, I am a former user of ClamXAV and thought it was good. After I moved to Sophos, I removed Clam, or so I thought. When I run EtreCheckPro, it reports I still am running multiple antivirus programs, and I am sure that is not good if true. But I think I have removed ClamXAV and its affiliated items. Thoughts?

Many thanks.

I had it installed for many years, but on at least three occasions it took over the CPU and caused my Mac to become almost unusable. In each case a total removal and re-install appeared to fix the issue, but on the last removal I gave up on it.

ClamXAV has a built in helper. When you drag ClamXAV.app to the trash, after a few seconds you should see a message asking if you would also like to uninstall the scanning engine.

If this doesn’t happen or it doesn’t appear to have worked, you can download the uninstaller and run it manually. The uninstaller will remove the scanning engine, preferences and any schedules you’ve got set up.

1 Like

Not sure what version of macOS & Mail you are using that provides a way to store attachments outside of ~/Library/Mail, but the only preference available to me through Big Sur is for Downloads, which must be manually initiated.

As I said earlier, all attachments remain embedded within the message or, if viewed, are placed in a separate “Attachments” folder next to the folder where the original message is stored.

That wasn’t my understanding of exactly how it works/worked, so I’ve spent a few days trying to find a description that reads that way, but can’t find anything even close.

Everything I’ve read in trusted sources available to me say that you not only have to open the text message, but must then click on an included url link in order to be jailbroken and infected by the NSO spyware.

If you can point me to something matching your description, I would greatly appreciate it.

Sure. There are a few articles, but here’s one detailing two (now patched) zero-click chains of exploits:

There are a few links to Citizen Lab in that article to more detailed info.

[edit] And FORCEDENTRY was apparently effective against MacOS. FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild - The Citizen Lab

I have always understood that software, of any sort, could not run without action first on the part of the user.

Unfortunately, this isn’t entirely true. Although they haven’t been used often to drop widespread malware on Macs, there are always vulnerabilities that can be used to execute code without user interaction. These are called “remote code execution” vulnerabilities, and they can happen on any system.

In 2019, there was a well-documented case of a Firefox zero-day vulnerability (called “zero-day” because it was unknown prior to its use in the attack) that was used to target Coinbase employees. By simply visiting a website, users were infected with two pieces of malware: OSX.Mokes and OSX.Wirenet (aka NetWeird aka NetWire).

If you look at Apple’s release notes, in recent years, you’ll often see mention of vulnerabilities being fixed that Apple notes are known to have been exploited. Most of these have never been documented publicly, and are probably the work of some threat actor targeting specific people, similar to what’s been happening with the more well-known Pegasus infections. These kinds of attacks are happening all the time.

There are some things you can do to protect yourself. These are particularly important if you’re someone who might be targeted by a powerful organization - for example, if you’re a reporter documenting human rights abuses by a powerful nation-state.

  • Keep macOS and iOS fully up to date… and I mean fully, not just minor point updates! You may not always want to, but install any major new versions, such as macOS Ventura or iOS 16, as soon after release as you can. Apple has documented that older systems will not always receive all fixes.

  • Consider using Lockdown Mode in the latest versions of macOS and iOS. This will impose some restrictions, and it’s not a guarantee, but it reduces the attack surfaces used by attackers to infect Macs and iPhones via zero-day vulnerabilities.

  • The far more likely infection vector is via downloading and manually running something. Be cautious what you’re downloading, and don’t be fooled by a website telling you something is wrong and offering something that can “fix” the “problem.”

  • Protect your computer physically. Don’t let people you don’t know get physical access, if possible, and keep the hard drive encrypted with FileVault. Also set a strong login password, even if it’s not convenient, to keep people who do get physical access from guessing your password.

  • Protect your online accounts by using long, strong, and unique passwords on each of them. Do not reuse passwords! Use a password manager, such as 1Password or LastPass, to remember all the passwords.

  • Also protect your accounts with multi-factor authentication of some kind.

  • Consider running some kind of third-party antivirus. I know, this is an unpopular opinion, but the built-in security features in macOS don’t catch everything. There is a reason that Apple developed the Endpoint Security framework and made it available to external developers. They put most of their energy into malware, but the far more common threats are adware and unwanted programs. These don’t sound bad, but they absolutely are, and they can leave your system more vulnerable to attack.

6 Likes