When Apple released their most recent patch for OS X, 10.6.7, they slipped in a little extra feature. This time they have updated XProtect, their basic anti-virus component, to detect one more unwanted Mac application.
Apple keeps pretty quiet about this technology, only adding identities when some piece of unwanted software is having an effect on many OS X users.
Sophos has detected this sample since October of 2010 as OSX/Spynion-A. What does this sample do that has triggered Apple to decide to block it?
Well, it is an application that attaches itself to many "free" downloads. These include fancy screensavers, backgrounds and other adornments for your Mac.
When you install these freebies you are prompted to accept an End User License Agreement (EULA). This EULA asks for your permission to spy on your browsing habits, search behavior, online shopping and many other private pieces of information.
Of course you read the EULA right? You always do? I thought so...
But that is how most spyware and malware infects a Mac... by attaching itself to something you want. Let's say you didn't read the EULA and you clicked "I Agree".
You would expect a software installer to need your permission to update your screensavers, so you enter in your administrative credentials... You may get a shiny new screensaver, but you also just signed over your life to a "market research company" with spyware that cannot be uninstalled without a Mac guru.
While it's nice to see Apple trying to help, their protection still isn't really enough. As we have pointed out in the past, XProtect only scans for malicious content in applications that use LSQuarantine.
The primary way XProtect helps is when you are downloading a DMG or application through Safari/Chrome/Firefox/Mail/Thunderbird. If the archive you downloaded has PremierOpinion in the install package, OS X 10.6.7 will alert you, asking if you wish to proceed.
Apple does default to the "Move to Trash" option, but if the user has already accepted a license agreement that transfers their current and future earnings to a spyware program and has entered in their Administrator password, are they likely to choose the "Move to Trash" option?
Apple's acknowledgement of the threat is good news, but the protection provided in Snow Leopard is too limited to be of use. It's best to run a proper anti-virus product, like the free Sophos Anti-Virus for Mac Home Edition, to look for more than the handful of malicious files Apple detects.
Additionally, XProtect does not protect you from malicious content on BitTorrent or from removable media like USB thumb drives. Having a proper on-access scanner will detect malicious Mac malware regardless of its origin, providing for a truly happy Mac.