posted by Thom Holwerda on Fri 20th May 2011 20:37 UTC
IconI have personally tried to pretty much let the whole MAC Defender trojan thing pass by, since we're not a security website. However, we have an interesting turn of events this week. An article over at Ars Technica quotes several anonymous Apple Store employees as saying that the infection rate of Macs brought into the Apple store has gone up considerably. More interestingly though, Apple's official policy states that Apple Store employees are not allowed to talk about infections to anyone - they're not even allowed to inform Mac owners if they find the infection without the customer's knowledge. Another interesting tidbit: Apple mandates the use of Norton Antivirus on company Macs, according to one Apple Store genius.

Security on the Mac is always a touchy subject. Since widespread infections have never occurred - until now, perhaps - the real-world security track record of the Mac is pretty much spotless. However, for years now, we've had article after article stating that once the Mac became really popular, malware infections would follow as a natural consequence. While the Mac isn't much more popular if you take the entire world into consideration (and hence, why Steve Jobs tends to use US figures only during his keynotes), here in the western world it has been doing pretty darn good. So, are we seeing a rise in infections?

Ars Technica decided to investigate, and contacted 14 Mac support specialists, including several Apple Store geniuses. Their tales are basically all over the place - while independent Mac support specialists saw no spike in malware infections since the arrival of MAC Defender and its many variants, the Apple Store geniuses did reveal there has been a notable spike in malware infections among machines brought into the Apple stores - so much so in fact that Apple has found it necessary to instate a 'don't ask, don't tell'-policy.

"In the last 6 months, only one of my clients reported a possible malware [scenario]. I have consulted with other Apple services and the rate is basically the same: one or two people out of 750-1000 in six months," a Chile-based Apple Certified Help Desk Specialist named Pablo Toledo told Ars Technica, "Mac users here tend to be alert and informed, and only very basic users fall into the trap."

This low infection rate was confirmed by the other independent support specialists, but when Ars spoke with several Apple Store geniuses, who understandably want to remain anonymous, the picture is entirely different. "MAC Defender has changed everything," one Apple Store genius told Ars Technica, "We probably get 3 or 4 people with this per day. Most of them only got as far as installing the program and haven't entered their credit card details." MAC Defender is what is called scareware; it claims your computer is infected with malware, and will then give you the option of cleaning it for you - for a fee. It can has credit card number plez?

"This always sparks a debate at the bar on whether antivirus software is necessary on the Mac," the genius continues, "This is difficult, as the store sells several antivirus products implying that Apple supports the idea, but as many customers point out, the sales guys aren't shy in making the claims for Mac OS X's security. Internally, Apple's [IT] department mandates the use of Norton Antivirus on company machines."

This is an interesting little tidbit. Of course, it's only common sense to have antivirus installed on corporate machines - if only to pick out malware attached to emails sent to colleagues using Windows - but it's still somewhat embarrassing that the company who continuously bangs on about how secure the Mac is actually mandates the use of antivirus software itself.

A genius from a larger Apple Store (I'm calling him genius II), which services a few thousands Macs per week, gives more specific numbers. Up until three weeks ago, about 0.2 percent of Macs brought into this store were infected with some form of malware. Since about three weeks, however, this percentage has risen to 5.8 percent, consisting almost exclusively of MAC Defender infections and its many variants.

What is more shocking, perhaps, is how Apple deals with it. Ars Technica managed to get its hands on internal Apple documents which impose a 'don't ask, don't tell'-policy when it comes to MAC Defender infections. Apple Store geniuses are prohibited from talking about MAC Defender; they're not allowed to remove it if found on a machine, and in fact, they're not even allowed to inform the customer if the malware is found without the user knowing.


Part of Apple's internal memo. Courtesy of Ars Technica.

"With regard to how the company is dealing with it, the answer is not very well," genius II told Ars Technica, "As you know, OS X requires an admin user to authenticate and OK the install for pretty much anything that's not drag and drop. The response has been a case of 'they installed it, so it's not our problem.' Until something that makes use of a zero-day exploit hits, I really doubt that we're going to do anything, technology wise, to address this."

Genius II praises Mac OS X's security model, and laments the fact that users seem to ignore it anyway. "I can't help but be frustrated that people inherently trust everything they're prompted to do on their machines. The beauty of Mac OS X is its security model. That people blindly enter a password is going to be the undoing of it," he told Ars Technica.

Yeah well, welcome to the real world.

All in all, the rise in malware infections on Mac OS X is definitely real, all thanks to the first truly sophisticated trojan to hit the platform. However, the number of infected machines is still low. What's far more troubling, however, is Apple's official stance - a 'don't ask, don't tell'-policy doesn't sound like a company that has any experience with handling these kinds of situations. It would seem that Apple cares a whole lot more about its image than about its customers.

e p (5)    76 Comment(s)

Technology White Papers

See More