As the pseudonymous Old Mac Bloggit – my colleague at Mac Virus – has already noted, there’s some interesting Mac-related content included in the Sophos Security Threat Report 2012 (some of it already summarized in an Infosecurity article here: Malware set to take a big bite out of Apple in 2013.
According to Forrester Research analyst Frank Gillette, enterprises are planning to increase the number of Macs issued to their personnel by 52%. Sophos believes that the risks are increasing, and we’ve certainly seen significant increases in volumes, not only in the numbers of infected machines (OSX/Flashback would have a bearing there...) but in the number of new malware families and variants.
However, something particularly grabbed my attention that doesn't seem to have been commented on elsewhere: that is, the figure on page 22 of the PDF (which has some data that aren’t shown on the webpage). It’s a snapshot view of Mac malware detected by Sophos between August 1–6, 2012. As you’d expect, given that OSX/Flashback (or OSX/Flshplyr, as Sophos calls it) infected several hundred thousand machines (700,000, according to Kaspersky) at its peak earlier in the year, it still constituted 3.2% of the detections recorded that month. More surprisingly, perhaps, was the makeup of the rest of the detection names. OSX/FkCodec-A is a fake installer that claims to install a video codec but actually serves adware and monitors browser activity (it’s actually a Safari extension). With a hairy 26% of detections...
It seems that the fake codec trick is still working nicely for tricking Mac users into running malware – well, why not? It was always successful on Windows... – since DNSchanger and Jahlav were still well represented. The real surprise, though, is that most of the other detections seem to be Fake AV, which we don’t hear much about any more. There’s a slight similarity here to the situation with Windows malware, where malware classified as some variation on INF/Autorun continues to dominate detection statistics even though Autorun behavior is no longer a default on Windows machines.
It’s not really the same situation, though. Autorun detection is a good example of a generic detection of a particular malicious technique. In fact, though, current malware that exhibits that behavior doesn’t rely on that technique: it’s just one of the techniques it uses to take hold. It’s not, however, a reliable indicator of how many machines are infected that way.
Which goes to show that malware naming in a time of glut – AV labs may process more than a hundred thousand samples a day, even on quiet days – can be pretty misleading for the casual reader. And that old malware never dies, it just drops off the WildList... Ah yes, WildList. Now there's a blog topic for another day. ;-)