
Malware on Mac 1 

Malware on Mac OS X

Marko Kostyrko

CEO - SubRosaSoft.com Inc

http://www.MacForensicsLab.com

February 29, 2008



Malware on Mac OS X

A white paper on the history and future of malware and how it can affect the Apple Mac

OS X platform.

This document discusses the technologies used in malware. These include viruses,

Trojans and worms. The specific intention is to bring forth detailed discussion on how this

affects the Apple Mac OS X platform. The document outlines a potential framework for a Mac

OS X malware suite. The document closes with recommendations on what Apple Inc, and users

of Mac OS X can do to defend against such technology.

This paper was created to outline the results of research performed by the

MacForensicsLab.com research and development team. These results are presented to the public

in order to raise awareness of the situation and to prompt the relevant responsible parties to

address the issues outlined within.

The MacForensicsLab.com staff and SubRosaSoft.com Inc considers it important to bring

such discussions out into the public and welcomes all opportunities to discuss the paper on

info@subrosasoft.com.

Apple Inc., and all third parties discussed in this paper, do not endorse this content nor

did they cooperate in the production of this paper. All trademarks contained within this paper

remain the property of their respective owners with all rights reserved.

Copyright 2008 SubRosaSoft.com Inc., all rights reserved.



Malware – The History And Future



The History

Hacking – The Use Of A System Outside Of Its Design

In the early days of computing the term hacker was used to describe those with a deep

understanding of the core functionalities that comprised a computer system. These hackers were

able to apply this understanding to enable computers to perform in a manner which was

previously unimaginable. Therefore, these hackers were a fundamental catalyst for the change

and growth of modern computer systems and the Internet.



The term has been degraded over time to be generally limited to someone who targets

system security and ways to get around it. In modern times it has come to include people using

tools they did not produce in order to cause damage or nuisance to computer systems.

Academia – The Study And Creation Of Malware

The academic world of computer science has been at the forefront of the discussion and

definition of malware since the first virus was discovered. Universities became perhaps the first

victims of malware and consequently the first defenders against them.

Some notable academics in the early days include:

1980 Jürgen Kraus, a computer science student at the University of Dortmund, wrote his

master's thesis on Selbstreproduktion bei Programmen, [Program Self-Reproduction]. This thesis

is the first study to show that certain programs can display behavior similar to that of a biological

virus.

1981-82 Professor Len Adleman, of USC, employs the term virus to describe self-copying programs when discussing them with Fred Cohen, his computer science student.

1981-82 Joe Dellinger, a student at Texas A&M University, writes several self-reproducing programs for Apple II disks, naming them Virus 1, Virus 2 and Virus 3.

Apple Computer Inc. had a very strong presence in the academic community throughout

the early personal computing era. The use of the Apple platform in the development of malware

is an extension of its overwhelming presence in the academic arena.

Hax0r – The Growth Of The Script Kiddy Generation

As home computer use grew, a new generation of hackers arose. These young hackers

represented a fundamental change in ability, ideology and intent from their predecessors. The

new generation of hackers is referred to as script kiddies. The name script kiddies is a descriptive

term, popularized by the original hacking core, as a means to reflect their general disdain of the

new generation’s lack of understanding of the core concepts of computing and their inability to

create tools of their own.



An Apple User’s Perspective

Apple Computer Inc. was given the historic honor of being the first computer to bring

virus technology into the home[1] when Richard Skrenta wrote Elk Cloner in 1982. This

program attached itself to the Apple DOS operating system of the time and spread via floppy

disks.

[Figure 1 – The message shown on every 50th boot on disks infected by Elk Cloner]

Prior To The Mac

The story of the early years of Apple Computer Inc. and the relationship between the

founders Steve Jobs and Steve Wozniak cannot easily be told without including hacking and

underground technology. From the days of the BlueBox, a device designed to fool the telephone

systems of AT&T into providing free long distance phone calls, through the creation of the first

commercial home computer in a garage in what later became known as Silicon Valley.

Apple Inc. and the modern high tech lifestyle we all enjoy today were founded by (so-called) old school hackers.

Figure 2 – This blue box, on display at the Computer History Museum was previously owned by

co-founder of Apple Computer Inc. [1] Steve Wozniak. Steve once used this to impersonate

Henry Kissinger in a prank call to the Vatican City. The Pope was reportedly asleep. [1]

Mac Classic

The Mac Classic operating system (any version prior to version 10, Mac OS X) enjoyed a

long life and a wide user base from the initial release in 1984 to the first desktop version of Mac

OS X in March of 2001. This operating system revolutionized the way we work with personal

computers offering many of the user interface concepts taken for granted today.

During the lifetime of Mac OS Classic many varieties of malware were developed to take

advantage of the user base including some very notorious viruses such as nVir in 1987. The nVir

author(s) released the source code for their work resulting in a large proliferation of derivatives

causing wide and varied effects in the field.

The widespread introduction of viruses for Mac OS at this time brought forth the corresponding large number of anti-malware tools that are still around today. These tools scan for code found within known viruses and eradicate it when found.

Apple Computer Inc. made changes to the operating system to stop some of the methods

used by viruses on Mac. Perhaps the most notable change was to stop autorun, a technology still

present on Microsoft Windows that will automatically execute programs when a disk is inserted.

Mac OS X

All successful, and most plausible, malware attacks on Mac OS X have occurred in the

last 2 years with the last quarter of 2007 being particularly prolific. Market penetration and

overall sales of the Mac OS X system have directly mirrored development of malware, a

phenomenon also demonstrated with other operating systems such as Microsoft Windows. Based

on this data there is no reason to believe the trend will not continue as Apple continues to

increase their market share.

The concept of the economy of scale has historically meant that malware authors have

not previously considered the Mac a viable target. This protection is being eroded by the increase

in size of the Mac user base.

“IDC analyst Chris Christiansen is warning Mac users of the growing threat. ‘Most Mac users take security too lightly. In fact, most are quite proud of the fact that they don't run any security at all,’ Christiansen said. ‘That's an open door; at some point it will be exploited.’”

(http://www.macnn.com/articles/07/12/31/mac.os.x.a.growing.target/)

“Apple users, your days of worry-free web surfing could be numbered. A Mac internet security and privacy software maker has discovered what is believed to be the first professionally crafted in-the-wild malware targeting the Mac Operating system.”

(http://www.scmagazineus.com/Trojan-targets-Mac-users/article/58290/?source=PSGL1SCM1001&gclid)

The Future

A Change In Culture

This century has seen significant changes in the hacking community with an overall trend

away from the technology enthusiast to the organized crime rings committing mass fraud and

global extortion on the global digital marketplace. This change in culture has brought with it

many changes in focus for the modern malware author.



Theft

Malware is now being used to steal information, and thus property, from a user’s system.

These types of attacks range from simply extracting the requisite personal information to assist in

identity theft – to more complicated attacks known as phishing – whereby the malware pretends

to be a trusted service such as a bank or service provider in order to steal from an external

resource.

“Global Hackers Create a New Online Crime Economy”

(http://www.cio.com/article/135500/)

DDOS – Distributed Denial Of Service

Organized crime groups are using malware in order to extort payment from system owners and operators. Large collections of infected systems can be used to make servers and systems inoperable, either by flooding their connections with traffic, thus cutting off desirable traffic, or by overwhelming a system's resources.

“Bot armies capable of toppling big sites, some say”

(http://www.msnbc.msn.com/id/6436834/)

The criminals use malware to convert innocent users’ systems into virtual soldiers in their

army of computers. These armies are called bots, bot networks, or bot nets, and can sometimes

number into the tens of thousands [10]. This is generally done without the user being aware they

have joined into the network of bots.

Global Cyber Terror

This century has seen the rise of state-funded cyberterrorism. There is now a very high potential for cyberterrorism to impact our economy and our society in ways that are difficult to define.

“A Gift from the Islamic Faithful Network – Mujahedeen Secrets 2 Program”

(http://blogs.csoonline.com/node/590)

Malware – The Definition



Viruses

What Defines A Virus

A virus is a piece of software that attaches itself to another program (the host) then uses

the ability of the host program to self-replicate. Stephen Hawking once said that a virus should

count officially as a form of life adding [4] “I think it says something about human nature that

the only new form of life we have created so far is purely destructive. We’ve created life in our

own image.”

The name for this variety of malware is derived from the Latin word for toxin. The medical community defines a virus as an infectious agent that is unable to replicate or grow outside of a host cell.

How They Replicate

A computer virus will generally execute when the host program is executed. The first

priority is to look for additional hosts and to copy itself into them. The second priority is often,

but not always, to execute its payload. Payloads vary heavily from the harmless to full cyber

terrorism and have historically included such functions as erasing the entire system, stealing

personal information, or simply declaring their existence (digital graffiti).

Macs Are Vulnerable

The primary requirement of a virus is a host program into which it can write itself. The

Mac OS X platform makes little or no effort to protect the main applications on the system (in

fact, as discussed later, it actually makes it easy through the use of the bundle architecture.)

Trojans

What Defines A Trojan

A Trojan, or more accurately “Trojan Horse”, is a piece of software that contains a

hidden payload. The word 'Trojan horse' is generally attributed to Daniel Edwards of the

NSA[2]. He is given credit for identifying the attack form in the report "Computer Security

Technology Planning Study".



The name for this variety of malware is derived from the Greek legend where Odysseus

had a giant hollow wooden horse and hid his soldiers inside. The people of Troy believing it to

be a gift brought the horse inside their city and their defenses.

What They Do

In computing terms the concept is identical to the legend. The malware is able to enter the user's system and bypass security measures by pretending to be something the user wants. Once the user executes the malware on their computer the hidden payload can perform the function desired by the malware author.

Macs Are Vulnerable

The definition of a Trojan makes defense very difficult. The weakness in any system

defense starts with the user and a Trojan defines its attack by exploiting that weakness.

Early versions of Mac OS X had little or no protection against a Trojan attack. The effect

a Trojan could have on the system was limited to the user’s data and the applications installed on

that computer.

OS X 10.5 Leopard introduces new sandboxing technology to show a dialog box to the

user before running any new program downloaded from the Internet. Software downloaded from

the Internet, both from the mail and from browser applications, is marked as suspicious and will

not be executed until the user clicks on a confirmation dialog box to explicitly allow it to run.

SubRosaSoft.com Inc. extended this paradigm to sandbox all applications, not just ones

downloaded from the internet.

Other commercial software vendors (such as Symantec, McAfee, and Intego) offer

varying technologies to assist in this area. More information can be found at the companies’

respective web addresses:

Intego Virus Barrier for Mac (http://www.intego.com)



McAfee VirusScan for Mac (http://shop.mcafee.com)

Norton AntiVirus for Mac (http://shop.symantecstore.com)

SubRosaSoft FileDefense (http://www.SubRosaSoft.com)



Computer Worms

What Defines A Computer Worm

A computer worm is similar to a virus in that it is self-replicating, but different in that it

does not require a host program to exist. The first computer worm was defined and produced by

researchers Jon A. Hupp and John F. Shoch at Xerox PARC in 1978. The worm was created to

search a network to find idle processors so that they could share the processing load of large

operations across an entire network, but was “self-limited” to their own network to avoid

accidental global expansion.



What They Do

As with other forms of malware the worm matches many of the characteristics of its

biological equivalent. A worm will work its way through a network of computers and resources

leaving a copy of itself wherever possible to assist in the dissemination process.

Macs Are Vulnerable

When combined with Trojan and virus technologies, worms can infect entire Mac OS X networks. For example, an initial victim is attacked using a Trojan which infects them with a virus; that virus reproduces the worm throughout their system, thus threatening the entire network. These worms, when executed by automated or viral functions, can be used to reinitiate the Trojan attack on other users via the Mac OS X Address Book and the unprotected Applications folder.

Malware – How It Can Affect Mac OS X

The Situation

The current Apple Mac OS X environment has some strengths and weaknesses. It has

become an abnormally biased situation in that the strengths are very strong and the weaknesses

are becoming increasingly obvious.



The Problems

Complacency

Users of Apple Mac OS X have been encouraged by media advertising to believe their

systems have never been exposed to malware. This culture has grown to a point where many

users believe their systems are invulnerable to malware and always will be.

“I run Mac OS 10 so I don’t have to worry about spyware and viruses”

(Apple Inc. television advertisement, http://movies.apple.com/movies/us/apple/getamac/trustmac_480x376.mov)

Common attitudes behind this complacency include:

i) You need a system pass to infect my Mac.

ii) There are no malware problems on a Mac.

iii) Macs are immune to malware.

The result of these ill-founded beliefs is a complacency that seriously compromises the

ability of the user to make informed decisions when dealing with a malware threat. This

complacency can potentially nullify the effectiveness of the new sandboxing technology in OS X

10.5 Leopard.

Hidden Extensions

A file extension is designed to tell the system and the user what kind of file they are

dealing with. Some examples of system extensions are .exe (a Windows executable program),

.app (a Mac OS X executable bundle), and .jpg (a common digital photo format).

Both Microsoft Windows and Mac OS X offer the ability to hide the extension from the user. This is often used to disguise the true nature of a file from the user. If this hiding is combined with a less technically-oriented user (the majority of all users) then a Trojan can exploit this to hide its own true nature.



The Bundle Architecture

What It Is

Applications on the Mac OS X system are structured using an architecture called a

“bundle”. A bundle is a special folder that pretends to be a single file. The advantage of this, for

programmers, is that it allows multiple resources to be contained in one single folder that is, from

the users’ perspective, indivisible.

It should be noted at this point that Apple Inc. also uses the bundle format for many of their pro tools to save documents.



Programmers use these special folders to allow certain resources to be treated as part of

the program without the risk of those being separated from the main executable code of a

program. Some examples are:

i) Multiple executables for different platforms such as Classic Mac OS, PowerPC or

Intel-based computers.

ii) Multiple language files so that a single copy of the application bundle can be used in

different countries and appear in the native language of that country.

iii) Graphics, buttons, and media resources used within the application.

iv) Help files, manuals, etc.



A user is presented with an object that looks like (for example):

[figure 3 – iTunes.app as it appears to the user]

The underlying bundle appears to the operating system as follows:

[figure 4 – iTunes.app as it appears to the operating system]



How This Assists Malware

The structure of the bundle architecture makes it easier to piggyback executable code

within an existing trusted application by simply renaming the existing executable iTunes found

in the MacOS subfolder and inserting a second executable into the MacOS folder with the

original’s executable name.

When the user executes the bundle (in this case iTunes.app) the virus code would execute

instead. The virus would then launch the renamed iTunes executable so that the user would not

be aware they had run the wrong program.

Mac OS X also makes use of the bundle architecture for storage of user documents in

many modern applications such as iMovie, iDVD, and the many pro tools. These bundles

typically have their file extension marked invisible so it is possible to disguise an executable

program as a data “file” for such a tool. These bundles can open both their own malware code as

well as the desired real application whilst conserving the look and feel of the real data.

This technology makes the process of creating a virus easier since the bundle architecture

greatly assists the process of installing multiple executables into one “program”. Reproduction is

greatly simplified since the same architecture is used on most OS X applications.



Unprotected Application Folder

What It Is

Traditional UNIX systems protect their key executables by using file permissions and

storing them inside protected folders (such as /usr/bin).

Mac OS X systems maintain their operating system files in the same protected method

that traditional UNIX systems use. The programs (commonly known as Applications) that a user

relies upon and considers part of their system such as iTunes, iChat, Keynote, etc. are stored

unprotected inside a folder called “/Applications”. Any program running on a Mac OS X system

can write to this folder and to most of the contents therein.

How This Assists Malware

Most common applications running on your Mac can be modified, either by replacing the

core executable of that program or adding piggyback executables (viruses) without leaving an

obvious trace due to the nature of the bundle architecture.
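The two weaknesses just described (a second executable hidden inside a trusted bundle, and bundles that any program running as the user can rewrite) are both things a user or administrator can audit for. The following Python script is an added example, not part of the original paper and not a SubRosaSoft product: it walks a folder laid out like /Applications, lists the executables under each bundle's Contents/MacOS, compares them with the CFBundleExecutable entry in Info.plist, and reports every bundle or executable that the audited user could write to. It goes slightly beyond the text by also flagging a bundle whose name carries a second extension (the hidden-extension disguise discussed earlier, e.g. Photos.jpg.app shown as Photos.jpg). The finding codes, function names and the sample bundles it builds in a temporary directory (shell scripts standing in for real Mach-O binaries) are all constructions of this example.

```python
import os
import plistlib
import stat
import tempfile
from pathlib import Path

# Finding codes reported by the audit (names are this example's own).
EXTRA_EXECUTABLE = "extra_executable"            # more than one executable in Contents/MacOS
DECLARED_MISSING = "declared_executable_missing"  # CFBundleExecutable not among them
WRITABLE = "writable_by_user"                    # bundle or executable writable by audited uid
DOUBLE_EXTENSION = "double_extension"            # e.g. Photos.jpg.app, shown as Photos.jpg

def writable_by(st: os.stat_result, uid: int, gids) -> bool:
    """Decide writability from mode bits; os.access() answers 'yes' to everything as root."""
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def list_executables(macos_dir: Path) -> list:
    """Names of regular files in Contents/MacOS that carry any execute bit."""
    if not macos_dir.is_dir():
        return []
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return sorted(p.name for p in macos_dir.iterdir()
                  if p.is_file() and p.stat().st_mode & exec_bits)

def declared_executable(bundle: Path):
    """CFBundleExecutable from Contents/Info.plist, or None if absent or unreadable."""
    try:
        with (bundle / "Contents" / "Info.plist").open("rb") as fh:
            return plistlib.load(fh).get("CFBundleExecutable")
    except (OSError, plistlib.InvalidFileException):
        return None

def audit_bundle(bundle: Path, uid: int, gids) -> list:
    """Return (code, detail) findings for one bundle directory."""
    findings = []
    macos_dir = bundle / "Contents" / "MacOS"
    executables = list_executables(macos_dir)
    if len(bundle.suffixes) > 1:                       # Photos.jpg.app
        findings.append((DOUBLE_EXTENSION, bundle.name))
    if len(executables) > 1:                           # piggyback: loader + renamed original
        findings.append((EXTRA_EXECUTABLE, ", ".join(executables)))
    declared = declared_executable(bundle)
    if declared is not None and declared not in executables:
        findings.append((DECLARED_MISSING, declared))
    for path in [bundle, *(macos_dir / name for name in executables)]:
        if writable_by(path.stat(), uid, gids):
            findings.append((WRITABLE, str(path.relative_to(bundle.parent))))
    return findings

def audit_folder(folder: Path, uid=None, gids=None) -> dict:
    """Audit every bundle directly inside folder (e.g. /Applications); defaults to the caller's identity."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    results = {}
    for entry in sorted(folder.iterdir()):
        if entry.is_dir() and (entry / "Contents").is_dir():
            findings = audit_bundle(entry, uid, gids)
            if findings:
                results[entry.name] = findings
    return results

def make_sample_bundle(root: Path, name: str, executables, mode: int) -> Path:
    """Constructed sample: a minimal bundle with shell scripts standing in for Mach-O binaries."""
    bundle = root / name
    macos_dir = bundle / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    with (bundle / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": executables[0], "CFBundlePackageType": "APPL"}, fh)
    for exe in executables:
        (macos_dir / exe).write_text("#!/bin/sh\nexit 0\n")
        (macos_dir / exe).chmod(mode)
    bundle.chmod(mode)
    return bundle

def demo() -> dict:
    """Build a constructed /Applications look-alike in a temp dir and audit it as its owner."""
    root = Path(tempfile.mkdtemp(prefix="apps-audit-"))
    make_sample_bundle(root, "Clean.app", ["Clean"], 0o555)
    # The piggyback pattern: original binary renamed, a loader installed under its name.
    make_sample_bundle(root, "Tampered.app", ["Tampered", "Tampered.orig"], 0o755)
    # Executable bundle whose visible name, with .app hidden, looks like a photo.
    make_sample_bundle(root, "Photos.jpg.app", ["Photos"], 0o555)
    return audit_folder(root)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

To audit a real machine, call `audit_folder(Path("/Applications"), uid=..., gids=...)` with the identity of the ordinary login account rather than root, because the question the paper raises is what a program running as that user can modify. Writability is decided from the mode bits on purpose: `os.access()` reports everything as writable when the script is run as root, and Mac OS X access control lists are not consulted here, so treat the result as a first pass rather than a verdict. The double-extension check is a heuristic and will also flag version-numbered names such as "Foo 2.0.app"; an extra executable next to the declared one is the stronger signal, and a baseline of known-good bundles taken after a clean install is the simplest way to tell a legitimate helper binary from a newly added one.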



Centralized Open Address Book

What It Is

A Mac OS X user enjoys the convenience of the Address Book. This centralized database

keeps track of all other contacts the user communicates with including their instant messaging

addresses, email addresses, phone numbers, physical addresses, etc. The database is open to

access from all programs running on the Mac OS X computer.

Programs running on the Mac OS X system can read, write and delete addresses from this

database at will.

Side note: Addresses that are deleted are not actually removed from the database. Instead

they are marked for deletion so that the computer can notify other devices such as cellphones,

iPods, and PDAs that the user wants that address deleted.

How This Assists Malware

The worm known as “ILOVEYOU”, the “Love Bug worm”, or “VBS/Loveletter” started

arriving in email boxes with an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs” on May 4th,

2000 [9]. This worm spread itself by interrogating users’ contacts and emailing copies of itself to

everyone it found. On its journey it is estimated that it infected 10% of all internet-connected

personal computers and caused more than 5 billion dollars in damage.

The “ILOVEYOU” worm only infected computers running Microsoft Windows but the

mechanisms for dissemination exist on Mac OS X:

i) A user base believing themselves safe

ii) Available open database of contacts

iii) Ability to write to the Applications

Microsoft implemented a user-controlled system that sandboxes new applications and warns users they are about to run a new application. Apple recently introduced similar technology. It should be noted, however, that the user is already complicit in the operation at this point, so it should not be considered a reliable security measure.



Anatomy Of A Mac OS X Malware Suite

Purpose

For the purposes of this discussion this section will be limited to descriptions of malware that does not have a “payload”. No attempt will be made to damage a user's system or gain any resources. All technologies will focus on the delivery mechanism that could be used to attack

Mac OS X (and other) users. The aim and purpose here is to outline how a suite might work so

that recommendations can be received on how to stop such a suite from being successful. The

reader is invited to contact Apple Inc., and/or SubRosaSoft.com Inc. with

suggestions.

Initial infection (First Wave) - The Trojan Attack

For a successful infection there would be two goals required by the malware author. First

the infection should distance the author from the first wave victims while simultaneously making

that first infection as wide as possible.

Primary consideration in the production of a Trojan horse would be placed on making the

user want to accept the Trojan.

The Latin epic poem “The Aeneid” [5] describes events between the time of “Homer’s

Iliad” and “Homer’s Odyssey” surrounding the Trojan War. This legendary war between the

cities of Sparta and Troy had resulted in a deadlock whereby the defenses of the city were equal

to the challenge of the attacking army. The attacking leader, Odysseus, needed to create a gift the

defending leader would voluntarily accept inside the city defenses. Realizing the men of Troy

revered the horse he had a mighty wooden horse made large enough to allow his soldiers to hide

inside it and left it at the gate of the city.

“Do not trust the horse, Trojans. Whatever it is, I fear the Greeks even when they bring

gifts.” (Virgil, Aeneid, Book 2, circa 19 BC)

“Naught from the Greeks towards me hath sped well. So now I find that ancient proverb

true, Foe’s gifts are no gifts: profit bring they none” (Sophocles 496 – 406 BC, Ajax)

In computing terms this same ruse would be used.

A helpful freeware tool containing a version of a virus that will infect once and then lie dormant until a later date can be hosted on a public site and then advertised using one of the many freeware distribution sites such as http://www.VersionTracker.com or http://www.Downloads.com.

In keeping with the primary consideration of this step a malware author would leverage

public popularity of fashionable technologies of the time, make a small but helpful enhancement

for that technology, and then distribute that tool for free. For example, a small freeware utility

that assists in the management of SMS text messages on an iPhone.

The malware author’s intent is not to fully disseminate the malware suite but to get a

wide enough secondary infection wave ready on a time-delayed basis. This methodology follows

the concept of the “sleeper cell” as defined in the Al Qaeda training manual [6][7]. The virus

contained within this Trojan would infect only the system where the Trojan was executed and

make a copy of the virus component into all of the unprotected application bundles on that

system. This virus would then sit in a dormant state, execute then quit without further action,

until a predetermined later date.



The malware author would ensure that once the Trojan has completed its own initial

infection that the Trojan application itself self-inoculates to cover the source of the second

(main) deployment wave.

Before the main wave of attack is initiated the author should repost and allow for dissemination of a vaccinated version of the Trojan. At this point the number of suspect applications has been greatly increased while simultaneously removing base suspicion from the originating Trojan. Many of the newly infected applications (hereinafter called the second wave Trojans) are, in fact, commonly trusted applications such as the Apple tools and third-party tools found on most computers.

This attack infrastructure delivers a ready supply chain for the second wave in much the

same way as the Ho Chi Minh Trail [8] provided for the North Vietnamese. It does so by

forming a relatively complex web of available infection points that the malware author can

control. It also provides for a significant level of overlap and duplication should any one conduit

be closed.

Reproduction (Second Wave)

The malware author’s goal for the second wave is to greatly increase the number of

infections. This wave would be repeated on a fixed schedule until the desired infection ratios

have been achieved and the desired payload can be implemented.



The second wave would not proceed until sufficient time has passed from the first wave.

This time could be determined remotely by having the virus check an online source for a code to

proceed. This approach would give the most flexibility, but also offers the highest risk of

discovery. Checking system date and time and waiting for a predetermined moment could also

determine this time. This approach would give the most protection from discovery, but also

offers the least flexibility.

The malware author would use the users’ data to prepare ammunition for the second

wave. This would contain packages made from their own data that are disguised using the bundle

architecture. It might also contain sample programs from the users’ machines that are determined

to be small freeware downloads newly infected by the malware code. Because these payloads are

prepared on the users’ own machines they would not trigger the sandbox protection code found

in OS X 10.5 when executed on the users’ machines.

Now that the malware author is sufficiently distanced from the second wave Trojans, the

primary consideration moves to mass production of malware. Traditionally this was achieved by

at least two separate methods. In this case the malware author uses both methods together and

separately for maximum effect.

i) The Virus Approach – The malware should look for attached devices and network

volumes and infect every available application bundle with its own code.

ii) The Worm Approach – The malware should send copies of itself to as many available

recipients as possible.

The virus approach would cause the malware to immediately deploy copies of the pre-prepared payloads onto any removable media or network storage device.

The first application to trigger itself would make use of the open address book database

to find potential candidates to send a copy of itself to. Special attention would be made to

indicators that the potential recipient is a Mac user such as the content of the headers for

incoming emails in the victim’s inbox. The malware author would benefit from the inherent trust

of the secondary wave victim for the first wave victim.

This final dissemination would be done in such a way so as to temporarily self-inoculate

the application responsible and to carefully feed the outgoing mail to stop from flooding the

victim’s connection and alerting them. Alternatively it might be done in a massive full frontal

attack in the manner performed by the ILOVEYOU virus. This remains the prerogative of the

malware author, and our responsibility as an industry, to defend against.

What has been discussed in this section of the document covers the three main definitions

of malware and documents how each can apply to Mac OS X.

i) The Trojan Attack – Pretending to be a gift while hiding an intruder

ii) The Computer Virus – Self replicating programs dependent on a host

iii) Digital Worms – Producing and disseminating copies directly without a host.

It is this author’s hope that this will open learned discussion of the topic. It is in no way

intended as a manual on how to create such a suite of malware technologies. SubRosaSoft.com

Inc. would like to take this opportunity to point out that the dissemination of malware is not only

immoral, but also illegal. Please refer to Title 18 U.S.C. § 1030 “Fraud and related activity in

connection with computers” [11] for more information.



Recommendations

For Apple, Inc.

Control The Bundle Architecture

Apple might consider implementing a mechanism whereby a bundle cannot contain more

than one executable for any given “Contents” subfolder. This would reduce the ability of

malware authors to piggyback their code inside an otherwise legitimate bundle.

Apple may also wish to discuss disallowing multiple extensions inside a .app bundle.

This would reduce the ability of malware authors to disguise executable bundles as data files for

their pro tools.



Control Access To The Address Book

This paper recommends Apple should contemplate a similar system to the keychain

whereby the address book can be locked/unlocked and access to the address book can be

restricted to certain applications.

Control Write Access To The Applications Folder And Subfolders Found Therein

Apple may think about making it the default behavior for the system to require admin

access to write to this very important folder. Furthermore Apple should make an interface that is

easy, obvious, and non-technical to turn this access control on or off.

Extend The OS X 10.5 Leopard Sand Box Concept

Apple might consider extending the built in security functions found in OS X 10.5 to

include executable code that is created locally rather than the current restriction to download

content only. This would slow down the reproduction of code that has already been authorized

by the user.

For Mac OS X users

Read the security guidelines from Apple Inc. found at

http://images.apple.com/macosx/pdf/MacOSX_Leopard_Security_TB.pdf

Carefully determine the validity and source of any executables you wish to install and run

on your Mac OS X computer.

Install and utilize third-party utilities to monitor for malware activity. Care should be

made to avoid programs that specifically rely on scans for known malware as these tools do not

offer protection until it is potentially too late.

Some of the tools to consider include:

Intego Virus Barrier for Mac – http://www.intego.com

McAfee VirusScan for Mac – http://shop.mcafee.com

Norton AntiVirus for Mac – http://shop.symantecstore.com

SubRosaSoft FileDefense – http://www.SubRosaSoft.com



References

[1] Jesdanun, Anick. Computer Viruses Turn 25

http://findarticles.com/p/articles/mi_qn4176/is_20070903/ai_n19519520/print

[2] Anderson, James P. (1972), Computer Security Technology Planning Study

[3] Wozniak, S. G.; Smith, G. (2006), iWoz: From Computer Geek to Cult Icon: How I Invented

the Personal Computer, Co-Founded Apple, and Had Fun Doing It. W. W. Norton & Company.

ISBN 0-393-06143-4.

[4] Hawking, Professor Stephen W. (1994), The Cambridge Lectures

[5] Virgil, (19 B.C.), Aeneid, Book 2, Translated by John Dryden,

http://classics.mit.edu/Virgil/aeneid.html

[6] US Southern District Court, US New York City Attorney’s Office, entered as evidence in

Africa embassy bombings. Retrieved November 17, 2007, Al-Qaeda training manual

http://www.fas.org/irp/world/para/aqmanual.pdf

[7] Decision Support Systems, Inc. (2001), Hunting the sleepers,

http://www.metatempo.com/huntingthesleepers.pdf

[8] Prados, John. (1998), The Blood Road: The Ho Chi Minh Trail and the Vietnam War, New

York: John Wiley and Sons



[9] CERT Advisory. (2000), CA-2000-04 Love Letter Worm, http://www.cert.org/advisories/CA-2000-04.html

[10] The Honeynet Project & Research Alliance. (2005), Know your Enemy: Tracking Botnets.

Using honeynets to learn more about Bots. http://www.honeynet.org/papers/bots/

[11] Cornell University Law School, Legal Information Institute. US Code: Title 18 > Part I >

Chapter 47 > § 1030. Fraud and related activity in connection with computers.

http://www4.law.cornell.edu/uscode/18/1030.html
