Free anti-virus for Mac - 150,000 active users and plenty of malware found

Filed Under: Apple, Malware

Apple and worm
We currently have a stonking 150,000 active users of our free Mac anti-virus product, downloading updates from our servers.

Sophos Anti-Virus for Mac Home Edition was launched on November 2nd, and proved instantly popular. At its peak we were seeing one download almost every second (to be precise, 3032 an hour at the craziest point!). It's also made the list of top products downloaded on the Apple site, and is listed as the most popular download in their Networking & Security section.

What we've also been trying to determine, is a list of the most commonly encountered malware that these Mac users are seeing:

Top malware reported by Mac users

The above top 20 chart shows the percentage of malware reports by users of our Mac product. [Update: Some folks have asked how many malware reports this chart is based upon. We counted just under 50,000 malware reports from the Mac users during the time period]

There are some interesting entries in there.

Firstly, we should deal with the one that's top of the list. As The Register describes, Mal/ASDFDldr-A is how Sophos detects malicious files that use the scripting capability of Microsoft Media Player to force your web browser to visit an infected site instead of playing the video you were hoping for.

Normally the infected media files are blank (no music, no video) but they are distributed posing as music from Lady Gaga, ABBA, Madonna, etc.. They are several megabytes in size due to null padding. So there's definitely nothing to lose and everything to gain by erasing them.

You'll also notice a lot of Java-based attacks in the list, these are obviously cross-platform and may have been found in internet caches by users who were hit by a drive-by attack. Many of these might have been designed to download further Windows-based attacks to computers, but they could easily be adapted to download Mac-based threats too.

You'll also see some Mac OS X-specific malware in there (OSX/Jahlav and DNS Changer). These are well known Mac Trojans that are typically disguised by hackers on BitTorrent sites, or planted on websites as alluring downloads or plugins to view videos.

Sophos Anti-Virus for Mac detecting OSX/Jahlav-C

It's also interesting to see the infamous Conficker worm edging its way into the top 20 chart in 19th place.

Conficker, of course, cannot infect Macs but it does spread via USB drives - so I imagine that Mac users are encountering this when Windows users share an infected thumb drive with them. That's a good opportunity for Mac users to feel good about themselves - even if they couldn't have been infected by Conficker they can feel a bit smug that their Mac anti-virus was able to show up an insecure Windows user. :)

Aside from these stats, we've received a fair amount of anecdotal evidence that Mac users who have never scanned their drives before with an anti-virus are finding suspicious files.

For instance, here's a message from Graham Lee who was at a Mac User Group meeting, and tweeted the following last night:

(Full disclosure: Graham Lee used to work at Sophos)

We don't see as much Mac malware as Windows malware. Not by a long shot. But that doesn't mean that Mac users can afford to have their heads in the sand about about protecting their precious computers.

And, unfortunately, so long as Mac users don't properly defend themselves they will increasingly be perceived as a soft target by cybercriminals.

If you still need some convincing, check out some of the videos of Mac malware caught in action that we've posted in the past.

Our free Mac anti-virus product for home users is available for download from http://www.sophos.com/freemacav

, , ,

You might like

31 Responses to Free anti-virus for Mac - 150,000 active users and plenty of malware found

  1. Rupert Goodwins · 1401 days ago

    No absolute numbers, G? And most of this is just junk which won't harm a Mac flea. How much actual, active, Mac malware has your 150,000 downloads found?

    My personal DNA is full of fragments of ancient viruses that got smushed way down the line and no longer apply (I think there are four known HIV-like fossils in everyone's genes), and they don't bother me. I do wonder if you're being a bit over-enthusiastic...

    Rupert

    • Hi Rupert

      We counted just under 50,000 malware reports from the Mac users during that time period.

      I've updated the article to reflect this. Thanks.

      • Martin · 1401 days ago

        So just to get the statistics right in my head....

        There were 50,000 malware reports and of those reports 0.98% had the OSX/JahlavC and 0.95% had the OSX/DNS-Cha-E malware in installed on their Macs.

        i.e. There were 490 Macs with OSX/JahlavC and 475 Macs with OSX/DNS-Cha-E.

        Or is the % against the overall number of different types of viruses found? So the actual number of Macs infected with the Mac malware would be lower?

        • Total number of individual malware reports - just under 50,000. That doesn't necessarily mean 50,000 people reported malware on their Macs to us. Hope that helps with the maths - I've just got back from the Computer Weekly blog awards (yes, we did rather well - thanks all!) so my mind isn't up to the arithmetic. :)

        • GRH · 1394 days ago

          You have a point. I note the graph range is only to 5%. This makes it look visually more 'scary' than it would if you ran it over a range of 100% (which would be more honest) as 4.62 out of 5 looks a lot whereas 4.62 out of 100 looks less so. Also, how many people reported more than one incident on their computer. I think the best way to report this would be the Baldrick equation: 2 beans in one hand and 2 beans in the other = some beans. Hence out of 50,000 reports how much malware was there? Answer = some malware.

  2. Graham,

    What I'm unclear of from the article is which of the above are actually an immediate threat on OSX, and which are threats which the Mac User could inadvertently pass on to other platforms?

    Thanks

    • That's hard to confirm.

      Some of them (like Conficker and Mal/ASFDldr-A) aren't direct threats to Mac users, but could pose a risk if passed onto Windows users.

      A lot of the Java-based attacks are designed to start a download of further malware from the net. The bad guys could change that separate download at anytime if they wished, making it Mac-specific.

      Of course the ones with "OSX" in their name are definitely Mac OS X-specific.

  3. I wrote about my experiences on my own blog (as well as one I write for the Houston Chronicle), and the article has also been published in our local MUG newsletter:
    http://newblog.etee2k.net/2010/11/09/infosec-901/

    @Rupert - yeah, most of this stuff is WIndows-specific. My experience has been the same. HOWEVER, I have spotted the recent variant of Koobface that targets OS X, and have held several conversations w/Mac users who have found themselves infected. They thought it couldn't happen to them, either.

    ~EdT.

  4. DjFIL · 1401 days ago

    I may run a scan just to check out the software... but seriously people, stop typing your admin password for these sketchy items... but then again with all this facebook spam "omg! look what this teacher did", it just shows how many people fall for the simplest tricks.

  5. marks · 1400 days ago

    Are there any documented instances of a home-based Mac OSX machine that has ACTUALLY BEEN HARMED by malware that did not require a password-authorized software installation? I have been unable to find any.

    Also, are your scans reporting OSX-capable malware that is INSTALLED, or do they also report OSX-capable malware that is merely PRESENT (eg, in a .dmg file)? There is a huge difference!

    • There's no differentiation between the two in our statistics. Sophos Anti-Virus for Mac Home Edition can scan inside DMG files.

  6. Ernst Mulder · 1400 days ago

    Not sure if I'm the only sysadmin doing this, but whilst testing new anti-virus software, the first thing I do is throw a folder filled with all the PC viruses I've collected over the years against it. Sorry to have spoiled your statistics... It did detect them all by the way, very good. The recommended manual removal instructions on most of them were wrong however. My Mac does not have a registry ;-)

  7. itguy08 · 1399 days ago

    Imagine that - a virus program catching Windows viruses on a platform that is immune to Windows viruses. And this coming from a company with a vested interest in continuing the notion that all computers require AV software.

    With non-Windows platforms, at this point (and for the near future), smart browsing negates the need for AV software. Sadly AV vendors must perpetuate the notion that all computers need it in order to stay in business.

    I'll take OS X, smart browsing and no AV thanks. It's been working great for me since 2002.

    • Like we said before, we just can't win can we?
      http://nakedsecurity.sophos.com/2010/11/12/free-m...

      • marks · 1397 days ago

        Will you respond to my request above for a case of OSX malware that DOES NOT REQUIRE A PASSWORD-AUTHORIZED SOFTWARE INSTALLATiON, and that is reliably known to have ACTUALLY HARMED HOME-BASED OSX USERS?

        If you do not reply, I will conclude there are no such cases known to you. I have also challenged David Harley, author of the blog Mac Virus, to cite such a case, but to date he has also not done so; see http://tinyurl.com/29cj685

        Mac users: DEMAND TO KNOW the answer to this question before installing any AV software!

        • There's no need to shout old chap.

          I think it would be a mistake to hang your coat too heavily on the argument that if someone has to enter their password to install malware, that'll be a good way to stop it.

          As we've learnt many many times on the Windows platform, malware authors will typically use social engineering tricks to fool users into believing they *do* want to install a program. In this way, they're not exploiting an operating system vulnerability, but a weakness in the users' decision-making process.

          The same is true with many of the Mac-based attacks we see too.

          My belief is that people are people, whether they're running a Mac or Windows - and if they have been tricked into believing they should install a plugin or program that many will do so happily - yes, including typing their password.

          After all, in my experience, it's not that unusual for Mac OS X to demand a system password. My guess is that many users type it in without thinking..

          See the recent video I made of the cross-platform Boonana malware for an example of this. http://nakedsecurity.sophos.com/2010/10/28/cross-...

          • marks · 1397 days ago

            Thanks for the reply. I have to conclude from your answer that you do not, in fact, know of any cases of harm done to home-based OSX users by malware that did not require a password-authorized software installation.

            You're entitled to your opinion that password-authorization is not an important defense against malware. As a relatively unsophisticated user, however, it makes a huge difference to me. I *know* that when I’m being asked to install something, I should be extra careful, and as sure as possible that it’s something I want to do. It’s a “red flag” to me that I should review how I got to that point.

            So it's important to me to know the level of threat from OSX malware that does not require a password-authorized software installation. From your reply, I have to conclude that this threat is almost nonexistent. Thanks for that key info.

            • widi · 1396 days ago

              It might be, that you - and a lot other users - know always exactely, what they are doing, and therefore never will install a malware in this way.

              BUT: If the mindset of many users is simply "I'm safe, there is no danger for my Mac", they won't question a plugin-request in their browser to visit a website and just do it.
              -> If many Windows users do so, while knowing about the dangers around Windows, how many more will do, if there is no sense of a danger at all...

              I work with users - regular, non-technical users - and I know, what they are able to do, resp. what they are able not to think at ;-)

            • Well, I am not a security expert, but isn't finding ways to circumvent the UAC (or mac alternative) and to execute code a central part of programming a virus? and haven't one of the worlds most prominent security experts claimed that exactly this is easier on a Mac than on a Windows PC? If so, one should think it is only a matter of time and market-share before Mac-users should be very vary of threats...

              P.S: Sorry about eventual misspelling and bad language. I am norwegian and tired...

    • Rowley · 1398 days ago

      Personally, I think its a great product and works so lightly on my computer.
      In this day and age I personally think its foolish to use any computer (including Mac) without an AV or other protection. If you use it for important work, or banking, its no good complaining after someone has cleaned out your account. Why not use a little protection to safeguard that?

      • martin · 1398 days ago

        But what _exactly_ is the AV actually protecting against on the Mac? Does it boil down to 2 pieces of Malware which requires admin password? Both which affects < 0.3% of all Macs installing the Sophos software. What would be good if Sophos gave a list of the real threats against a Mac and their vectors of spreading.

        I installed the Sophos software and after 12 hours checking against 4.5 million files. It found........nothing, nada, no Mac issues and no Windows malware. This is the first time I've run any AV software on my Mac since I ran Mac OS 9 nearly 10 years ago. So I must be doing something right or was I just lucky?

        Don't get me wrong, I think it's great that Sophos is offering this software for free and yes no OS is 100% secure but since the Sophos software could itself become another vector of attack just like Adobe software, until there's something more tangible the AV software needs to protect me against, I am still happy with Mac OS X own level of security and so have removed it. I don't need the distraction and a constant worry I get running AV software on a Windows machine.

        So here's to (hopefully) another 10 years of relatively secure and hassle free computing.

        • Glad to hear that you've kept your Mac malware-free so far.

          Sophos Anti-Virus for Mac Home Edition protects against all the malware that our other software detects. In other words, Windows malware, Mac malware, Unix malware, DOS malware, etc.

          Some of these types of malware may not be an issue on your own Mac (depending on whether you run non-Mac OS X operating systems), but may still present a threat if you share files with colleagues using non-Macs.

          Specifically there are differrent types of malware for the Mac. Most of what we see are Trojan horses, but there have also been viruses like OSX/Macarena and worms like OSX/Leap (neither of these are prevalent).

          Of course, there are additional vectors of attack such as malformed PDF files and cross-platform Java threats too.

          The "but you have to type in your password" thing is a bit of a red herring I'm afraid. Modern malware authors are experts at social engineering - and have found that humans can be easily tricked into making poor decisions. If they have been fooled into believing that they need to install a particular piece of software then they will happily enter their password without a second thought.

          Everyone's human, and humans make mistakes or unwise decisions sometimes. That's what most malware these days on the Windows platform relies upon... and I don't believe that the people who use Macs are inherently genetically smarter or less fallible than Windows users.

          Mac users are targeted less, of course. Which is great news. Lets hope it stays that way, and that cybercriminals don't believe that Mac users might be a soft target because they believe they are somehow immune to the malicious attacks that work so well against Windows users.

          • Rowley · 1397 days ago

            Sophos has found a couple of pieces of windows malware file on my pc, one in the java folder.
            Ok, that won't hurt my mac, but I have other windows computers on my network, and as my mac does all my secure important work, Sophos is my extra piece of security. Its my piece of mind and for me personally, thats priceless. Whilst I agree with Martin that its unlikely you will be on the receiving end, unlikely does not equal impossible. Each to their own, whatever you are happiest with. I am happier with Sophos on mine.
            My two penneth.
            My other thought...............if you don't run an av............how do you know you are clean?

            • Martin · 1397 days ago

              You have a good point 'if you don't run an av............how do you know you are clean?'

              Which is why I thought it's about time I should at least run the AV software after 10 years not running any!

              But since there appears to be only two 'dangerous' pieces of Mac malware at the moment to worry about, both require password access I can be pretty sure neither has got on my Mac(s). (It's not hard to keep track of what to look out for when the number of threats ares still so low)!

              So why did I remove the AV software once I checked my Mac? I've seen other companies AV software mess up other peoples Macs with one which created occasional kernel crashes! (i.e. originating from a Kext conflict of the third party AV software)

              My experience has shown that prevention on the Mac has (so far) been worse than any potential or existing (but still very) rare threat of any Mac based malware.

              Once the real threat out weighs the potential side effects of the cure, I'll install some AV software for 24/7 protection. I just don't think we are there....yet.

              It's been good to try out the Sophos software and it looks a lot less intrusive than the competition, by offering the software for free has
              certainly made me to consider them going forward.

  8. Simon · 1396 days ago

    High visibility and the cost of Apple products will no doubt inspire more malware coded to directly target Macs. It's enivitable!

    Also, it's a bit of a "I'm ok on my Apple Mac screw my mates using PCs" attitude. If a Mac is harbouring a Windows virus then surely it's best to be aware of it rather than send it to your mother in law's DELL laptop running "Windblows Fista". Surely the Mac is compromised at the point it has a virus at all!

    ... And it's free! What's the big deal? Step down from your Mac pedestals, nothing is 100% bulletproof.

  9. dc0de · 1393 days ago

    I'm amazed at the people responding here who think that just because Sophos' free software didn't detect any risks, that they are perfectly secure.

    This arrogance is exactly why the malware writers are going to step up the targeting for Mac. For those of you on your high and mighty throne, Mac is just another intel box, running a bastardized bsd now.

    The tower of roman empire fell, an so too will the Mac empire. It is truly inevitable.

  10. RJW · 1354 days ago

    I'd like to see an updated article on this data.

  11. Some interesting pointers here and I must agree with some of the points, especially the ones regarding mac users believing that they are never going to get a virus.

    As a platform becomes more popular, it becomes more popular to make viruses/exploits for. Also the average mac-user believes his/her system is perfect.

    Nothing is perfect :-)

    Ps. I dont say this to start a flamewar, I use several kinds of OS.. Like Debian, W7 x64, xp, etc. It's all good for what use you need it for. (I know, XP is outdated, but.. hey.. it's not that easy to get a huge organization to update the OS over night).

    A digression there, but my point is this:
    In 1999 (or so), I attended a LAN-Party with my brothers and some friends.
    One of my friends was very cocky and said: I've never had a virus, so I dont need a virus scanner.

    What we did, was to install a scanner on his PC. ( I know, not a MAC, but I'd say it's still relevant).

    We scanned his PC and it was filled with virus.
    Just comes to show: How do you know if you have any virus, if you dont have a scanner?

    Ps 2:
    Another friend on MSN (ebuddy) got his mac infected.
    (he had not been logged in to msn for 2 months and he was running a virus scanner).

    again: not saying this to start some flamewar, It's just to make people wake up.. Nothing is 100% secure! (not even the bank(especially in iceland)).

  12. Paul · 918 days ago

    I'm a MacBookPro user and have never had a virus/worm etc, and no antivirus softare in 5 years. (I admit to surfing some dodgy sites at times, whoops!) HOWEVER, as of late, I have noticed my one USB is full despite the "Info" section saying it's empty. After a quick cruise around the weblogs, everyone says "empty the trash properly", but it's absolutely not that. On my work W. PC, it also says it's empty, and no 'virus warning' comes up, but on both machines I can not load any more data on to the USB. I'm going to download your AV software tonite to scan it - thanks for that Sophos in advance. (Perhaps of significance, one nite after I had left the screen up, there was a really strange 'screensaver' that looked like swirling firballs, something from hell ... nothing that I'd ever chosen or even seen before - couldn't reactivate normal windows and had to 'forceshut' the machine.)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.