David Harley

Job title:
CEO, Small Blue-Green World, and independent author

Areas of expertise:
Apple security, malware, anti-malware testing, psychosocial aspects of security, user education, email management, social media, medical informatics

The Apple Security Blog, by David Harley. David Harley, CITP, FBCS, CISSP, is an IT security researcher, author and consultant living in the UK. He has worked in IT (largely in medical informatics) since the 1980s, increasingly focused on security and anti-malware research since 1989. Between 2001 and 2006 he managed the UK National Health Service’s Threat Assessment Centre, and since 2006 he has provided authoring and consultancy services to the anti-virus industry. Since 2009 he has been a director of the Anti-Malware Testing Standards Organization (AMTSO). He runs the Mac Virus website and AVIEN (the Anti-Virus Information Exchange Network), and is a Fellow of the British Computer Society (now the BCS Institute). He was principal author and technical editor of “The AVIEN Malware Defense Guide for the Enterprise” and co-authored “Viruses Revealed”, as well as contributing to many other books including “OS X Exploits and Defense”. He has a daunting back-catalog of research papers and articles, and also blogs for Mac Virus, AVIEN, ESET (where he holds the title Senior Research Fellow), (ISC)², and numerous other websites.

OSX/Flashback isn't Necessarily the Newsflash


As the pseudonymous Old Mac Bloggit – my colleague at Mac Virus – has already noted, there’s some interesting Mac-related content included in the Sophos Security Threat Report 2012 (some of it already summarized in an Infosecurity article here: Malware set to take a big bite out of Apple in 2013).
According to Forrester Research analyst Frank Gillette, enterprises are planning to increase the number of Macs issued to their personnel by 52%. Sophos believes that the risks are increasing, and we’ve certainly seen significant increases in volumes, not only in the numbers of infected machines (OSX/Flashback would have a bearing there...) but in the number of new malware families and variants.
However, something particularly grabbed my attention that doesn't seem to have been commented on elsewhere: that is, the figure on page 22 of the PDF (which has some data that aren’t shown on the webpage). It’s a snapshot view of Mac malware detected by Sophos between August 1–6, 2012. As you’d expect, given that OSX/Flashback (or OSX/Flshplyr, as Sophos calls it) infected several hundred thousand machines (700,000, according to Kaspersky) at its peak earlier in the year, it still constituted 3.2% of the detections recorded that month. More surprising, perhaps, was the makeup of the rest of the detection names. OSX/FkCodec-A, a fake installer that claims to install a video codec but actually serves adware and monitors browser activity (it’s actually a Safari extension), accounted for a hairy 26% of detections...
It seems that the fake codec trick is still working nicely for tricking Mac users into running malware – well, why not? It was always successful on Windows... – since DNSchanger and Jahlav were still well represented. The real surprise, though, is that most of the other detections seem to be Fake AV, which we don’t hear much about any more. There’s a slight similarity here to the situation with Windows malware, where malware classified as some variation on INF/Autorun continues to dominate detection statistics even though Autorun behavior is no longer a default on Windows machines.
It’s not really the same situation, though. Autorun detection is a good example of a generic detection of a particular malicious technique. In fact, though, current malware that exhibits that behavior doesn’t rely on that technique: it’s just one of the techniques it uses to take hold. It’s not, however, a reliable indicator of how many machines are infected that way.
Which goes to show that malware naming in a time of glut – AV labs may process more than a hundred thousand samples a day, even on quiet days – can be pretty misleading for the casual reader. And that old malware never dies, it just drops off the WildList... Ah yes, WildList. Now there's a blog topic for another day. ;-)


Posted 07/12/2012 by David Harley

Tagged under: David Harley , OSX/Flashback , Mac Virus , Sophos , Apple , mac malware , Forrester , OSX/FkCodec-A , WildList , INF/Autorun
