Virus scares on the Mac

Now that things are starting to become much more clear about the Oompa-Loompa "virus" (AKA, Leap.A), I figured I'd try to put things into perspective and give a few of my thoughts on the whole thing. For those who haven't heard, there has been concentration this week on reports of a new virus on the Mac. To start with, you can look at the pretty-good FAQ from MacWorld, or for the technically inclined, you can check out a very detailed account of digging deeper into the problem also on MacWorld, or you can go with the technical description from Ambrosia Software.

Now, many of us know that saying the Mac is completely impervious to malware (software that does bad things) is not true, but it is hard to get something onto a Mac without user intervention. In particular, you usually need to go through a series of "are you sure"s before you actually get software onto a Mac. In particular, when launching Macintosh Applications using the Finder, you get a message indicating that it is the first time that a program has been used and asking if you want to use it. Further, browsers like Safari do a good job of warning you when downloading. However, it is still possible to get a piece of malware onto the Mac the old fashioned way: by tricking people.

Leap.A is a program that looks like it was done as an experiment in writing a virus on the Mac. Among other things, it tries to send copies of itself to your friends, uses some strange hooks in the operating system to infect other applications and in general tries to figure out how to move itself around. Fortunately for most users, it does a pretty lousy job. Unfortunately, it's probably not the end of people trying to do this.

Again, there's a bright side here: on the Mac, there's still no good way to get a virus without doing something first, whether it's accepting a file transfer from a friend over IM, or downloading a file that says it's a series of pictures of Leopard (OS X 10.5). However, the increased targeting and the sophistication of this attack are worth noting by both users and Apple.

I'll also note that with the small number of malware packages on the Macintosh, any new one coming out gets a lot of press and a lot of attention from the technical community (including ideas on how to mitigate these problems in the future).

In the end, there are things you can do, but mostly they involve exercising common sense and being observant. If you are downloading a program from the Internet, check the sources to make sure it's really coming from where you think it should be. One of the advantages of Apple's Software Update system is that it's secure from end to end, so you know you're getting Apple's patches. If you are downloading a picture from the Internet, you shouldn't see a program open up when double-clicking on it (be especially suspicious if you suddenly get a terminal window when opening a picture, as an example). If you are corresponding with your buddies on AIM and you're not expecting a file, hit Reject when you get the choice to accept or reject the file. If your friend was sending you something important, let them warn you ahead of time, so you know it's safe.

If you feel that you must approach this with a software solution, I'd recommend looking at ClamXAV, a Macintosh port of ClamAV (the same anti-virus scanner used in Apple's OS X Server product for scanning email for viruses). This is a nicely done UI on a very functional piece of UNIX Open Source software.