Antivirus vendor Kapersky has identified a new trojan horse targetting Macintoshes. It spreads a botnet based somewhere in China via an infected Microsoft Word document, typically sent as an e-mail attachment.
The spin is that if you don’t use Word on your Mac, you’re safe. That’s true–this week. But going forward, it’s going to take more than that.
Calling this a virus is an oversimplification, but the layperson probably doesn’t care. Whether it’s a virus, a trojan horse, a worm, a botnet, spyware, adware, or any other form of malware, you don’t want it on your computer.
Of course, since this attack uses a Word document as the attack vendor, people are blaming Microsoft. And it is very easy to bury malicious code in Word documents, especially Office 2007 and 2010 documents. That problem is one reason my current job exists.
But this is just wave 1 of the attack. It also happens to be very easy to bury bad stuff in Adobe Acrobat (PDF) documents. And OS X has the ability to open PDF files built in. Right now I don’t know of any existing vulnerabilities in OS X’s PDF reader, but there was one patched on February 3, 2012. When a new problem is discovered, that will be a potential attack vector. Additionally, since many people have Adobe Reader installed, Adobe Reader could be a potential attack vector.
I’m not comfortable saying whether it’s safer to open a PDF file using OS X’s built-in reader or with Adobe Reader. Neither can be considered 100% safe.
Planting the botnet into a PDF is no more difficult than planting it in a Word document. In fact, if whoever is operating this botnet doesn’t get what they want from this attack, I would expect a sequel, probably implanted in a PDF file. Even without a newly discovered vulnerability, it’s possible that planting PDFs using that vulnerability patched in February would be effective, since not everybody installs their system updates.
Most of the Mac users I’ve known are relatively complacent about security. Apple has even used that as a selling point in the past.
This is the wakeup call. The party’s over.
The safety precautions aren’t especially difficult. Above all else, don’t open unexpected e-mail attachments. If you get an e-mail attachment from someone you don’t know, reply back asking who they are and what the document is. It’s not being rude, it’s being prudent.
For that matter, if you get an e-mail attachment from someone you do know, reply back and confirm before opening it if you’re not expecting it. I make a habit of letting people know that something is coming. Some workplaces, including mine, force you to digitally sign any e-mail with attachments before you send it, as an extra precaution.
That’s your first line of defense.
A second line of defense, more practical for home users, is to use a web-based e-mail service rather than something that lives on your machine. When you use Gmail or Yahoo mail, they scan all incoming and outgoing mail for viruses before it ever gets to you. That gives you another line of defense.
In addition to that, you should run some kind of antivirus software. It’s the socially responsible thing to do anyway, because any computer can be used to transmit infected files via e-mail and other means, even if they’re immune to it. Saying it’s not your problem if other people run Windows isn’t an acceptable answer. A risk accepted by one affects us all, as the United States Department of Defense puts it in their training.
ClamXav is a free antivirus program for Mac OS X. Download it, install it, and use it. If you prefer to buy something and use it instead, that’s fine too. But don’t use cost as an excuse to do nothing.
As an additional precaution, you can run Firefox, install Adblock Plus, and enable the Malware Domains subscription. This makes it far more difficult to pick up infections from browsing web pages.
And finally, install your patches. Apple periodically releases security updates, though not at predictable intervals like some other software vendors do. By default, OS X checks for updates once a week and installs them. So unless you’ve explicitly changed this, you’re updating and may not even know it. That’s fine. And at any time, if you want, you can click on the Apple menu and select Software Update to install your updates if you don’t want to wait. If you hear through the grapevine that there’s an update available for something–for example, Apple released an update for Safari on 7 March–you can use that process to get the update immediately.
The problem is people who, for whatever reason, disable this. There are Windows users guilty of this too. There’s no good reason to do it. All software has vulnerabilities and needs maintenance, so you need to do this.
The good news is that if you do these things, your chances of getting infected or spreading infections are minimal. Regardless of what operating system you use.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
Sadly, most Mac users will still claim that their OS/hardware is more secure than Windows even if their computers were completely loaded with malware. Windows security has a lot of issues, but at least Windows users understand that malware is a real risk to their systems.