Understanding the Different Types of Mac Malware
Posted on October 12th, 2009 by Peter James
In the minds of most computer users, the term “computer virus” includes many types of “malware”, not all of which are actually viruses: Trojan horses and worms, for example, work in different ways, and do not always replicate like viruses do, yet most people tend to include them as part of the virus family. While these programs are malicious, and can seriously damage your computer and your files, they function differently. (Intego VirusBarrier protects against all these types of malware.)
A real virus is a small bit of computer code, or programming instructions, that can be executed, or run, on the type of computer it targets. For this reason, viruses written to attack Windows computers have no effect on Macintosh computers, and vice versa. (Though if you are running Windows on an Intel-based Macintosh, you will have to consider protecting that operating system as well.) Intego’s Dual Protection product line offers protection for both your Mac and for your Windows installation.
A computer virus is a small program that acts like a parasite, living in a host file or program, that is capable of infecting files and applications, reproducing itself, and spreading to other computers through infected files and applications. It is no surprise that people use terms originally used for diseases to speak of computer viruses—they work in a very similar manner.
Viruses that attack your system are among the most lethal. The damages they can do are such that you may need to reinstall your system entirely, and even reformat your hard drive and check all your backups to make sure they are disinfected.
File viruses are different from system viruses in that they attach themselves to data files, rather than applications, and their hosts depend on specific programs to do their damage. These viruses often come in attachments to e-mail messages, which, when opened, activate their malicious code.
Some viruses act very quickly, while others are set to go off at a certain time. Some merely content themselves with spreading to other disks and volumes, but all system viruses can potentially cause damage, such as erasing all your files.
The name Trojan Horse comes from an episode in the war that opposed the Greeks and the city of Troy, several millennia ago. The Greeks built a huge, hollow wooden horse and gave it to the Trojans, apparently as a gift, before supposedly sailing away and ending the war. While some of the Trojans were skeptical about it, the horse was taken inside their stronghold. That night, Greek warriors emerged from the horse, opened the city gates, and Greek soldiers from outside stormed the city.
It is obvious that the Trojans were never told not to open attachments. The Trojan horses that we are worried about are programs that look innocent and claim to do a certain task, but actually contain malicious code or viruses. In many cases, Trojan horses can be even more dangerous than other viruses. One example is the RSPlug Trojan horse (also known as DNSChanger), which Intego’s Virus Monitoring Center discovered in 2007. This malware, disguised as a video codec—software needed to view videos on a web site—changed the DNS server on a Mac to hijack its web traffic. Another recent example is the iServices Trojan horse, that Intego discovered in January, 2009. This Trojan horse opens a backdoor and connects to a remote server to download code, and add infected Macs to a botnet. In fact, Trojan horses are currently the most serious threat to Macs.
Worms are one of the oldest forms of viral programs on computers. They spread by methods other than attaching themselves to files and applications, and can be very difficult to find. They spread over networks, and, once they find new hosts, can carry out malicious actions.
Many programs provide the ability to create macro commands. These simple programs use the internal functions of an application or helper program to “record” and “play back” commonly used sequences of commands. Other applications provide a more powerful macro language, which includes both menu commands and a programming language. Programs such as Microsoft Word and Excel, for versions prior to Office 2008, base their macro functions on Visual Basic, which is similar to the Basic programming language. Several thousand macro viruses have been found, most affecting Microsoft Word and Excel.
The real danger of macro viruses is the fact that they are cross-platform viruses. A macro virus that can attack Microsoft Word for Windows can also damage Word on a Mac. One of the reasons that macro virus writers target Microsoft programs is that these applications allow users to embed macros in data files. In the past, one worried only about viruses coming through applications, since, for a virus to act, it has to execute, and only applications could execute. But the Microsoft Visual Basic approach is different—if you wish to use a macro, you can either run it from your template, or add it to a data file. This surprised users at first, since they thought that nothing was “executed” when opening a word processor or spreadsheet file. But these files can indeed contain “programs”, and do things you would never expect.
If the macro language provides the possibility to modify files, a macro virus will be able to copy itself into other files used by the same application. This then allows the virus to spread when you open other files, create new files, or pass files on to someone else.
Macro viruses can do many things: some may simply alter their program’s environment, such as changing or removing menus or commands. Others can corrupt or delete files, hide certain application functions, and even more. And, on top of all that, they are cross-platform viruses, which can do damage both to Macs and PCs running Windows, as well as Windows running on a Mac.
It is important to note that macro languages are very powerful tools that can be extremely helpful. Not all macros are viruses. While Microsoft Word and Excel include a preference to alert you if there are macros in any documents you open, this defeats the purpose of having a macro function. The real problem is that the macros are stored in data files, rather than, say, in separate macro files. Users could easily exchange macros, and be certain that the files they open contain only data. Unfortunately, this approach to a macro language leads users to be far too worried about macros, instead of using them for their function-enhancing properties.
Intego VirusBarrier detects all known Word and Excel macro viruses, and is updated when new macro viruses are found.