Last week I was in Barcelona for this year's Virus Bulletin conference (the 21st, which makes me feel very old even though I wasn't there at the beginning!). The first time I presented there was in 1997, when I talked about the Mac threatscape at that time . At that point, I was working in medical informatics – albeit with an increasing focus on security – but the organization I worked for had a very large population of Mac users, macro viruses were a big cross-platform problem, the Autostart worm was just over the horizon, and we were all wondering what OS X was going to look like.
Strangely enough, I don't think I've really talked about Apple at VB since (this year, I presented with my good friend Larry Bridwell on AV testing) but it was good to meet up with other researchers with similar interests (notably Nicholas Raba and Nicholas Ptacek, neither of whom I'd actually met in person till now) as well as old friends like Paul Baccas, Chet Wisniewski and Graham Cluley of Sophos and, of course, Methusela Cebrian Ferrer, whose presentations in that area have become a regular feature of VB conferences in the past few years.
Methusela's paper on Cyber attacks: how are Mac OS X and iOS users playing the role? was packed with more information than anyone could reasonably be expected to cram into half an hour, but she's promised to make it available in due course, and I'll put up a pointer here when she does.
One of her conclusions concerned the "interesting trend, where individuals have started to develop and build expertise in the Mac." And indeed, it does seem that malware is continuing to develop along similar lines as regards OS X to those we've previously seen in Windows. Today, for example, F-Secure flagged a small but significant feature introduced in the malware variant they detect as Trojan-Downloader:OSX/Flashback.B. It includes a routine to check on whether it's running in a virtualized environment (specifically, under VMware): if it is, it quits running. Under Windows, such calls are often used to make AV researchers' lives harder by forcing them to analyse malware on a real machine rather than in a virtualized environment. This development does, as Brod suggests, seem to indicate that malware authors are expecting that AV researchers looking at Mac malware will start to make more use of virtualized environments.
The use of virtualization is in itself a response to the ridiculously high volumes of malware seen daily in the Windows arena: so is this an early indication of Mac sample glut over the horizon? I don't know about that, but it certainly doesn't suggest a diminishing trend...