I have my doubts as to how well, or even at all that they could actually be utilized.

Certainly we can look back on the past 3 or 4 years to stories surfacing in January that ‘THIS IS THE YEAR FOR THE MAC VIRUS” only to find exploits available, exploits ’supposedly’ IN THE WILD that never amount to anything. If it genuinely, fully is as easy to pwn (Ghod I hate l33t, it’s so 1993) an OSX machine then there oughta be millions of zombied macs out there happily buzzing away.

As for Trojans, I can’t see how any real defense can be made against them other than understanding you can’t download whatever the devil you wish from the Internet. The OS is SUPPOSED to run applications for heavens sake. Now, one can make sure certain vital organs are not dangling out to get hit by the Trojan’s sword and I think OS X does a reasonably good job doing so.

So what am I saying with this rambling missive?

I’m saying this, have the tools at hand, but don’t be an idiot! I ran on Windows for years with nary a security app and the like and never got hit. Behind OS X I might as well be behind a wall of armor plate steel compared to my windows days.

You may have missed something in the article. The last sentence indicates that Apple has hardened their update mechanism against a man-in-the-middle attack such as this. Just because these fools (the people who created Evilgrade) SAY they can attack OS X’s Software Update doesn’t make it so.

From the article (http://blogs.pcmag.com/securitywatch/2008/07/evilgrade_exploit_toolkit_atta.php accessed on 8/4/08):

“Krebs also reports that, contrary to the claims of Evilgrade’s authors, Apple has strengthened their update mechanism to defeat this attack. ”

Bot

http://blogs.pcmag.com/securitywatch/2008/07/evilgrade_exploit_toolkit_atta.php

As for ClamAV, yes, that’s for detecting Windows malware. Don’t even bother looking for something to detect OS X malware, though, as that hinges upon the assumption that there is OS X malware, which is, for all practical purposes, untrue.

I know OS X is generally more secure than Windows, but hearing lately about Quicktime vulnerabilities where code can be executed and what not makes me a little worried.

Reading ClamXav website, it doesn’t look like it’s a security software for OS X. It looks like it’s basically security software for Windows PCs that runs on OS X to make sure you don’t spread Windows malware. Can it even detect OS X malware? I’m looking for something that can.

In any case, I recommend uninstalling this software, as it is completely useless.

If you’re talking about a business-critical machine that handles sensitive data, sure, it’s better to be safe than sorry, as such a machine will be a juicy target for hackers or social engineers. On such a machine, it might make sense to run a rootkit scanner. But on any other machine, it’s a complete waste of resources. And it even might still be a waste of resources on such a sensitive, critical machine because I’m not convinced that any of the rootkits this software actually scans for even function on OS X.

Even if rootkits existed in the wild for OS X, and even if this software was proven to be able to detect rootkits on OS X, I still wouldn’t recommend that regular people use it. To have a rootkit installed on your system, you must a) run untrusted code, and b) provide your password. I would hope that people are smart enough to not type their password at a password prompt unless they know what the software is actually going to do with it. But even if they are not, the chances that a regular user would ever be exposed to a rootkit (assuming they exist and are infecting people in the wild) is so small that running this software is useless.

In short, I don’t have any reason to believe this software is actually capable of finding rootkits that even function on OS X, and running it is a complete waste of time.

HOWEVER, you should always keep your system up-to-date with the latest security releases, pay attention to news of any new potential exploits (such as the recent QuickTime holes), and simply exercise caution and proper judgement when running untrusted code or typing your password.

If you’ve looked at my some of my previous posts, you’ll see that I put security in the context of risk management. Clearly, Kevin’s risk analysis in his particular context gives him the conclusion that there is little-to-no risk for him. That doesn’t make my advice to use anti-malware software FUD. Furthermore, the existence of malware for any platform is not necessarily a factor in determining risk (I have supporting links if pressed for them…kinda tired tonight). When Windows security patches come out each month, many of them do not have public exploit code. Kevin’s argument can be extrapolated to mean the lack of such code is cause to not install those security patches (which would be insane, especially on that platform). [NOTE: @ex2bot is absolutely right when he encourages everyone to keep their Mac systems updated as well]

I reiterate that you may choose to accept the risk of running without anti-malware software if you are an experienced user who fully understands his/her computing environments, habits and exposure.

@Scott B is also right on target. Having been a programmer (Mac, Windows, Solaris, Linux, *BSD and *VMS*) and also now working as a security professional with developers I can say with some authority that programmers in general care little about security and even less about thorough software life cycle development. In many shops, it’s “code fast or die” and for open source, the mantra is release often (some might call that iterative development, I call it rapid bug fixing). In either case. Most software is rife with buffers waiting to be overflown (overflew?).

@march has a very good suggestion (anyone else on this thread remember tripwire?), but it’s not very practical for the average user.

@Graham: I’m pretty convinced to do a complete series on practical security solutions for OS X at this point. I’m as annoyed with the “OS X is a target” news in the feeds and in the press and one of the only ways to help make sense of it is to document what (good stuff) is available. Keep an eye out.

@Patrick, stick with ClamXav. @Mike, if you’re *really* interested, I can build a command-line only version for Tiger.

again, apologies for the subscription foible…I’ll try to remember to click the checkbox next time.

Have you ever seen an OS X box with a root kit? Have you ever actually heard of this happening in the wild? I sure haven’t. In fact, the only malware I’ve ever actually seen was the Merry Xmas Hypercard virus which only affected Hypercard stacks under the classic Mac OS and was about as benign as a virus could possibly be.

The differences between installing a root-kit on Windows and one on OS X is people actually write root-kits for Windows. People don’t write them for OS X. Testing for existing root kits under OS X is quite pointless if they don’t actually affect the system, which is what the Rootkit Hunter seems to be doing.

People have been saying “when” an exploit occurs for years and years, and yet, OS X is still incredibly secure. I’m not saying don’t practice safe habits like being careful when opening attachments or downloads, or keeping the system up-to-date. I’m saying using tools like Rootkit Hunter is a complete waste of time, because I can guarantee it’ll never find anything. If you actually see confirmed reports of a rootkit being found in the wild on OS X systems, at that point it may make sense to start using a tool like this. However, even then you can avoid any trouble by simply being smart about what you launch. Unlike a virus, a rootkit still needs the user’s help to be installed.

In short, I guarantee this tool will never find anything on your system. Don’t bother.

Why do you think this is FUD? It is possible to root-kit MacOS X. It is not a proof of concept. Any script kiddie can download a root-kit, gain access to a MacOS X system, and install a root-kit. The difference between installing root-kit under Windows versus MacOS X are the access control mechanisms that make it more difficult to do so under MacOS X.

Those of us who are information security professionals know that it is a matter of time before issues occur. Apple has increased the risk by using an application level firewall and suppressing the built-in BSD firewall to be accessible by techies who are not afraid to use Terminal.app. Looking at the risk, we infosec professionals say “when” an exploit occurs.

Unfortunately, many of the risks we find are the result of programmers not understanding the side effects of their coding. From buffer overruns to hard-coding passwords, programming short-cuts are our biggest headache. Rather than attacking the writer, why not try to understand the risks so that we can all ensure elimination of all issues!

More general security tips:

Using a router between your Mac and the Internet is a good idea since it acts as a firewall.

Don’t open attachments unless you are absolutely sure they are from trusted sources. The general security motto is “Don’t open attachments. Period.”

Do we Mac users have to run security suites at this point? Debatable. If you depend on MS Office documents with macros, you probably should run one. Otherwise, it’s not as clear-cut as with a Windows machine.

Bot

If (and I say If, not When) the day comes that OS X starts getting some real malware (meaning not the occasional little proof of concept that doesn’t do anything), on that day you can start using antivirus/antirootkit software. But until that day comes, you’re just wasting resources, not only on your computer, but on the computers of everybody who follows your advice.

And I’m speaking as a Mac computer programmer, not as just another user.

I’m willing to run this Rootkit Hunter and ClamXav as it seems relatively painless, but I want to know if I’m defending against an existing problem or a potential problem.

Thanks!

ClamXav (http://www.clamxav.com/) is another great, free security tool with *nix origins and an even better OS X front-end. TAB did a mention (http://theappleblog.com/2007/01/30/5-tips-for-a-new-mac-user/) of them last year and it may be time for a detailed comprehensive review of commercial (and qualified open source) anti-virus solutions for OS X.

I would highly recommend using ClamXav over OS X Rootkit Hunter as a baseline layer of security.