Snakes On A Mac

June 2011

By Mike Gould

I just finished driving the snakes out of a client's Mac. The reptiles in question were a variety of viruses, all of them Windows flavor, yet one did some harm to the client's Word files. This is the first virus infestation on a Macintosh computer I have seen in around 10 years, and it happened at the same time as a new species of malware for the Mac was found in the wild, so this seems a good time for some new cautionary tales.

A Word to the Wise
I got the call that Word files sent as attachments to others were getting bounced by the anti-virus software installed on the client's ISP's email system, rejected as virus-infected. I was dubious, but I jumped in the Mac Mobile and roared off to check things out. It turns out that I was up against a problem I've seen before: old, old versions of software running in an old system, infected by an old virus. In this case, Word for Macintosh 2004 ensconced in System 10.4, attacked by a virus from 1997. This older version of Word is ever so much less secure than the current version, Word 2011. In this case Word was 2 versions out of currency (Word 2004, then Word 2008, then Word 2011) and System 10.4 was also 2 versions out, having skipped 10.5 and the current 10.6.

The main culprit was a virus called WM97/Marker-DG, a Word macro virus. Back in the days of Office 97, evil people discovered that you could pervert the Microsoft macro language into a virus that could infect Word and Excel files and spread by file sharing. Flash forward 14 years and old files can still infect newer ones, even on other platforms. Someone with an infected PC had emailed an old Word file to my client, and upon opening the file, the client had infected his Mac Word app, resulting in damaged Word files. Using an older, less-secure version of Word, and NO ANTI-VIRUS PROTECTION, he got bit.

The fix was to install the free Sophos Anti-Virus for Mac Home Edition, which tracked down the infected files and cleaned them up, and removed the snaky part which had attached itself to the old Word app, and then to order and install Office 2011 for Macintosh. Office 2011 does not run on 10.4, so that necessitated an update to 10.6 as well. So now the client has Sophos protection to prevent future outbreaks, a less-at-risk, more modern Word, and an up-to-date operating system. And the Word file with his first 17 pages of memoirs was recovered.

The University of Michigan chose Sophos years ago as the supported anti-virus software, so I was happy that a free version is now available for the non-UM folks I support. Sophos also identified a bunch of other malware, all Windows-only serpents that were included in various attachments my client had received over the years. These were tracked down and removed as well. They wouldn't have affected his system, but he could have unknowingly passed them on to PC users. There are of course other fine anti-virus apps out there for both Mac and Windows. Sophos is what I have the most experience in.

Conclusion: while Macs are several orders of magnitude less likely to get snaked, the danger is out there. To prevent this: install an anti-virus program, and regularly update your apps and system.

MAC Defender: Scareware
Back in the day, macro viruses and their ilk were created more as pranks than the truly evil identity-stealing vipers we have to deal with now. Nowadays we have to contend with all sorts of slithering slime, with new manifestations of infestation appearing daily. Case in point: MACDefender.

The snake-handlers who build this sort of thing have now decided that there are enough Mac users out there to make it worth their time to develop Mac-only malware. And the point is not to mess things up, but to extract credit card numbers.

Here's how it works, as described by the antivirus firm Intego:

When a user clicks on a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file. In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open "safe" files after downloading in Safari, for example), will open.

Once the demo installer has been initiated (which requires an OK from the user), a very valid-looking Mac install screen appears and directs the user to do the install. Once installed, the program pops up various fake virus alerts, and the user's browser starts opening up porn sites at random. All this to convince you to buy the program, which will involve your credit card number, identity theft, and so on.

Note that in order to infect yourself, you need to:
Go to an iffy website
Click on an installer which has a misspelling (MAC, not Mac)
Give the installer leave to do the install, which requires administrator-level permission
Have your browser set to automatically open anything downloaded

Nothing like the macro virus, where opening an innocuous-looking Word file sent by a friend can do you in.

As Intego explains it:

The scam here is to charge users for a program that doesn't do anything; the virus warnings presented are bogus, and after paying, they no longer display, so users think the program has done something useful. It is also possible that these credit card numbers, given via an unsecure web page, could be used for other purposes.

Turn off the "Open Safe Files after downloading" box in your browser's preferences. Don't trust anything on the Web, the Internet as a whole, or anyone, anywhere, anytime. Well, at least do some research before you hurt yourself. Google can get you into trouble like this, but it can also help you avoid problems. Even on a Mac.
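If you look after more than one Mac, you may want to check that box without clicking through every Safari preferences window. The script below is an added example, not code from this column or from Intego; it reads Safari's preference file with Python and assumes (as on the 10.4/10.6-era systems above) that the checkbox is stored in ~/Library/Preferences/com.apple.Safari.plist under the key AutoOpenSafeDownloads, and that a missing key means Safari's factory default, which is on.

```python
import plistlib
from pathlib import Path

# Safari's "Open 'safe' files after downloading" checkbox is stored under this
# key. When the key is absent, Safari falls back to its factory default, which
# is ON; an audit therefore has to treat "not set" as the risky case.
SAFARI_KEY = "AutoOpenSafeDownloads"

# Assumed location of the preference file on a 2011-era Mac (OS X 10.6).
# Newer, sandboxed Safari versions keep it under ~/Library/Containers instead.
SAFARI_PLIST = Path.home() / "Library" / "Preferences" / "com.apple.Safari.plist"


def auto_open_enabled(plist_bytes: bytes) -> bool:
    """Return True if Safari would auto-open downloads given these preference bytes.

    Accepts XML or binary plist data (plistlib handles both). A missing key, or
    a value that is not a boolean, is reported as enabled, because Safari's
    built-in default is to open "safe" files such as ZIP archives.
    """
    prefs = plistlib.loads(plist_bytes)
    value = prefs.get(SAFARI_KEY)
    if isinstance(value, bool):
        return value
    return True  # absent or malformed: Safari's default (on) applies


def audit(plist_path: Path = SAFARI_PLIST) -> str:
    """Produce a one-line verdict for the given preference file."""
    if not plist_path.exists():
        return f"{plist_path}: not found, Safari default applies (auto-open ON)"
    enabled = auto_open_enabled(plist_path.read_bytes())
    state = "ON (risky: downloaded ZIPs will be opened)" if enabled else "OFF (good)"
    return f"{plist_path}: {SAFARI_KEY} is {state}"


# Constructed sample preference files for offline testing; not real captures.
SAMPLE_DEFAULT = plistlib.dumps({"HomePage": "http://example.invalid/"})
SAMPLE_DISABLED = plistlib.dumps({SAFARI_KEY: False}, fmt=plistlib.FMT_BINARY)
SAMPLE_ENABLED = plistlib.dumps({SAFARI_KEY: True})

if __name__ == "__main__":
    # To turn the box off from Terminal instead of the preferences window:
    #   defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    print(audit())
```

Run it as the user whose Safari you are checking; the `defaults write` command in the comment flips the setting off, after which Safari should be restarted.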

