Mac Virus/Malware FAQ

[stridemat]

Credit should go to GGJstudios for the original text.

You DON'T have a virus on your Mac!
If you want to know why this is true, read on.

The term "virus" is commonly but erroneously used to refer to all types of malware, adware, and spyware programs that do not have the reproductive ability of a true virus.

The bottom line is this: as a Mac user, your chances of being affected by a virus, trojan or other malware are extremely slim, unless you've been careless about where you get software and when you enter your administrator password.

If you're experiencing a problem or unexpected behavior with your Mac, there's better than a 99.9% chance that it's something other than a virus or other malware.

MALWARE TERMINOLOGY

From Symantec:

What is the difference between viruses, worms, and Trojans?

What is a virus?

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:

• It must execute itself. It often places its own code in the path of execution of another program.
• It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.

What is a Trojan horse?

Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that when triggered cause loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet.​

What is a worm?

Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which requires the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm.​

What is a virus hoax?

Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Following are some of the common phrases that are used in these hoaxes:

• If you receive an email titled [email virus hoax name here], do not open it!
• Delete it immediately!
• It contains the [hoax name] virus.
• It will delete everything on your hard drive and [extreme and improbable danger specified here].
• This virus was announced today by [reputable organization name here].
• Forward this warning to everyone you know!

Most virus hoax warnings do not deviate far from this pattern. If you are unsure if a virus warning is legitimate or a hoax, additional information is available at the Symantec Security Response online database.​

​

What is scareware?

Another type of hoax is referred to as scareware. It's a bogus virus warning that pops up when visiting some websites, and looks something like this or this (on iPads). If you take a close look, you'll see the popup refers to a Windows system, which obviously doesn't relate to Mac OS X. It can't harm your Mac at all. Just close the site, clear your browser's cache and cookies, and you'll be fine. Sometimes these scareware sites will generate a never-ending loop of popups, to the point that you must Force Quit your browser. Such scareware sites are usually intended to lure a Windows user into clicking the links to install bogus "antivirus" software, which is typically a trojan. Even if you click the links on a Mac system, it can't install anything, because Windows executable files can't run on Mac OS X.​

There are NO viruses in the wild that affect Mac OS X at this time.

If this changes, I will update this post. According to noted computer virus expert Paul Ducklin, in order for a virus to be considered in the wild, "it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users." This definition excludes "proof of concept" code that is used in a testing situation under strictly controlled conditions, and which poses zero threat to average computer users.

In the past, there have been a few viruses that ran on older versions of the Mac operating system (Mac OS 9 and earlier), but they do not run on any version of Mac OS X. Like every other OS, Mac OS X is not immune to malware threats, this situation could change at any time, but if a new virus is discovered, the news media, forums, blogs, etc. will be instantly buzzing with the news. See update below.*​

There are trojans that can affect Mac OS X,

but these must be downloaded and installed by the user, which usually involves entering the user's administrator password. Also, Mac OS X will give you a warning when you first launch an app you downloaded from the web. Trojans can easily be avoided by the user exercising common sense and caution when installing applications. A common source of trojans is pirated software, typically downloaded from bit torrent sites.​

ANTIVIRUS APPS

Having virus protection software on your Mac is pointless, as far as protecting your Mac from true viruses, since current antivirus software cannot detect a Mac virus that doesn't yet exist, because they simply don't know what to look for. It is possible to have a virus-infected file reside on your hard drive, but since a Windows virus (like any Windows program) can't run in native Mac OS X, it would be harmless to your Mac and could not spread.

If your situation requires you to run a 3rd-party antivirus app:

• ClamXav is one of the best choices, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges. You can run scans when you choose, rather than leaving it running all the time, slowing your system. ClamXav has a Sentry feature which, if enabled, will use significant system resources to constantly scan. Disable the Sentry feature. You don't need it. Also, when you first install ClamXav, as with many antivirus apps, it may perform an initial full system scan, which will consume resources. Once the initial scan is complete, periodic on-demand scans will have much lower demands on resources.
• Sophos should be avoided, as it could actually increase your Mac's vulnerability, as described here and here... and here.
• iAntiVirus has a bogus malware definitions list, making their detection accuracy untrustworthy. They also make inaccurate claims about the existence of Mac malware, in order to hype the need for their product. This post will give details.

WHAT SECURITY STEPS SHOULD I TAKE?

• DON'T install pirated software, or software from untrusted or unknown sites.
• You can't infect your Mac simply by visiting a website, opening an email attachment, or connecting to a network. You should, however, exercise reasonable caution when doing these things.
• Be careful about giving others access to your computer, as they could download and install malware.
• For Safari users: go to Safari > Preferences > Security > Enable Java (leave this unchecked, unless you're visiting a trusted site that requires it)
• Make sure you install software updates when they're released, including OS X and apps
• Only install updates from an installed app, the Mac App Store or directly from a software developer's site. Never install an update to software when prompted to do so by an advertisement on a website or an email.
• Use ad-blockers to minimize exposure to malicious sites
• Use trusted DNS servers
• Go to System Preferences > Security > Firewall and make sure your built-in firewall is enabled
• Read Mac Security Suggestions compiled by munkery

WHAT ABOUT SENDING FILES TO WINDOWS USERS?

Some users choose to run antivirus such as ClamXav on their Mac to scan for Windows viruses (it also scans for Mac threats), so the Mac user can't pass a virus-infected file to a Windows user. However, a more prudent approach is for every Windows user to be protected by their own AV software, to guard against viruses from any source, not just those that might come from a Mac user.

Running anti-virus on your Mac to protect Windows users from malware is like covering your mouth when you cough in front of the kids, then sending them out without flu shots to a school where a flu epidemic is spreading like wildfire. Great! They might not catch anything from you, but you've left them vulnerable to the greater risk. It's wiser to make sure they have flu shots, so they're protected from infection, whether it be from you or from other people.

If you really want to help your Windows friends, encourage them to get their own anti-virus protection installed, or offer to install it for them.​

WHY AM I BEING REDIRECTED TO OTHER SITES?

Some users experience a problem with being directed automatically to sites that they didn't intend to visit. This may also occur when searching with Google. You don't have a virus! It's a problem with your DNS settings, either in your Mac or in your router. Try resetting your router. Here's how to fix the problem in Mac OS X:

1. Go to System Preferences > Network
   There you will see a padlock icon in the lower left corner and the note "Click the lock to make changes".
2. Click the lock and enter your administrator password, so you can change DNS servers
3. with your network selected on the left column, click the "Advanced" button
4. Click the DNS tab to see the listing of your DNS Servers
5. If any of the DNS servers are greyed out after entering your admin password, refer to this: 10.5: Disable DHCP-specified DNS servers
6. Click the "-" icon to remove all existing DNS servers
7. Click the "+" icon to add the following servers.
   You may choose either OpenDNS or Google servers (not both sets):
   
   OpenDNS:
   Primary DNS Server: 208.67.222.222
   Secondary DNS Server: 208.67.220.220
   
   Google:
   Primary DNS Server: 8.8.8.8
   Secondary DNS Server: 8.8.4.4
   
8. When you've completed your changes, click "OK" to close the Advanced settings window
9. Click "Apply" on the Network window to save your changes

*UPDATE - RECENT THREATS IN THE NEWS

As has already been stated, any appearance of significant new security threats to Mac OS X will make news headlines:

MacDefender or MacSecurity or MacProtector or MacGuard installation package

Apple has issued a knowledge base article on this issue, found here:

How to avoid or remove Mac Defender malware

A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender "anti-virus" software to solve the issue.

This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user's credit card information which may be used for fraudulent purposes.

The most common names for this malware are MacDefender, MacProtector and MacSecurity.

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.

In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.

(to read the rest of the KB article, click the link above)

Further information on MacDefender:

This is not a virus or even a true trojan! MacDefender, MacSecurity, MacProtector, MacGuard and other variations refer to a software installation package that automatically downloads when viewing some images in Google search results. It may automatically launch, depending on your browser and settings, but it cannot be installed unless you actively continue the installation process, which may or may not include entering your admin password. The solution is simple: don't! If you quit the installation process without completing it, nothing on your Mac is affected. Simply delete the downloaded file, and your Mac is clean. To prevent these files from launching in the future, uncheck "Open "safe" files after downloading" in your Safari Preferences.

Be aware that there is animation on the website that appears that simulates scanning your computer for malware. THIS IS BOGUS. (read further in this post for information on "scareware") Nothing is being scanned and nothing is executing on your computer during this animation! It's no different than watching a video on YouTube or visiting any website with animation. The animation on the site would appear no matter what computer or OS you were using to view it. If you quit the installer that downloads and launches, nothing is installed on your computer. If you delete the installer after quitting, your Mac is completely clean of any trace of this installer.

For more info, read this article: New 'MACDefender' Malware Threat for Mac OS X and this thread.

trojan.osx.boonana.a Trojan

On Oct. 26, 2010, Mac security site SecureMac posted this security bulletin:

SecureMac has discovered a new trojan horse in the wild that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video.

When a user clicks the infected link, the trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system.

New Java-Based Malware Targets Mac OS X, But Threat Level Disputed​

As with all trojans, this requires the user to unwittingly invite the infection by deliberate action (in this case, clicking on a fake video link). You cannot be infected by this trojan if you don't click on the appropriate link. You can eliminate this threat by disabling Java in your web browser. ​

 

[brdeveloper]

Well, actually being virus-free is pretty easy even on Windows these days. When someone says "Macs don't get virus!" it looks more like an advertising than a preventive approach. Even Windows is almost virus free these days. The problem is software not capable of reproducing itself like adwares, spywares, trojans, rootkits, etc.

I'm a little bit afraid for never having got a malware on my Macs. Actually I don't know if something is being tracked by some hidden application/service.

 

[GGJstudios]

Well, actually being virus-free is pretty easy even on Windows these days. When someone says "Macs don't get virus!" it looks more like an advertising than a preventive approach. Even Windows is almost virus free these days. The problem is software not capable of reproducing itself like adwares, spywares, trojans, rootkits, etc.

I'm a little bit afraid for never having got a malware on my Macs. Actually I don't know if something is being tracked by some hidden application/service.

All OS X malware that has ever existed in the wild can be easily avoided by practicing safe computing. It is really quite rare to even encounter OS X malware, unless you're being reckless with where you get software that you install.

 

[squonk2]

A Trojan...?

Thank you for all your valuable information, GGJstudios. I'm a new member and have been reading all your posts on the forums regarding viruses and malware.

While I always use the safe computing practices you've described, my wife (not technically savvy) does not. I'm fearful she might have invited a Trojan without knowing.

She was attempting to send an Evite online (a site she uses frequently) when a shaded gray popup window asked her to enter the word/phrase displayed in that window into an open space below. This has never happened to her on this site before. Unknowingly, she entered the phrase and her entire iMac screen started flashing black & white. She immediately quit her browser. She relayed this story to me, so I did not see it but it all sounds concerning.

I am willing to run any recommended antivirus/malware software if warranted. Her iMac has been shut off since and I'm looking to the knowledge of others as to how I should proceed.

Thank you for any help/suggestions!

 

[GGJstudios]

She was attempting to send an Evite online (a site she uses frequently) when a shaded gray popup window asked her to enter the word/phrase displayed in that window into an open space below.

This is a security method that many sites use to make sure their site is being accessed by a real person, and not a bot (automated software). It's called a CAPTCHA test, and it's completely harmless.

Unknowingly, she entered the phrase and her entire iMac screen started flashing black & white.

It sounds like the site may have had a problem properly displaying the page. It doesn't sound like anything related to any known malware. Clear your browser's cache and cookies and try it again. Chances are very good that it's just a glitch on the site, and nothing to be concerned about.

If you need to run a scan for your peace of mind, you can install ClamXav and run a scan. I doubt it will find anything, though.

 

[squonk2]

Thank you, GGJstudios. I appreciate your expertise!

 

[satcomer]

Thank you, GGJstudios. I appreciate your expertise!

Tales really consider using a free personal account at OpenDNS because you can set it up to block known Trojan hosting sites with their Phisphing Protection.

 

[Dave Braine]

Shouldn't this be a Sticky somewhere??

 

[chown33]

Shouldn't this be a Sticky somewhere??

It should be a Sticky Wiki. Or a Wiki Sticky.

 

[2012Tony2012]

All OS X malware that has ever existed in the wild can be easily avoided by practicing safe computing. It is really quite rare to even encounter OS X malware, unless you're being reckless with where you get software that you install.

And what about if a person does not practise safe computing, how can that person protect themselves from getting nasties?

 

[GGJstudios]

And what about if a person does not practise safe computing, how can that person protect themselves from getting nasties?

Antivirus apps may catch some of the malware such a user might encounter, but not all. If a user is determined to be careless about how thy use their computer, there is no method of protection that will be completely effective. Given that safe computing is not cumbersome, why wouldn't anyone choose to not practice it?

 

[2012Tony2012]

Antivirus apps may catch some of the malware such a user might encounter, but not all. If a user is determined to be careless about how thy use their computer, there is no method of protection that will be completely effective. Given that safe computing is not cumbersome, why wouldn't anyone choose to not practice it?

So in other words....if someone doesn't practice "safe computing", then their Mac can indeed get infected?

 

[GGJstudios]

So in other words....if someone doesn't practice "safe computing", then their Mac can indeed get infected?

It is very unlikely that an average Mac user will ever encounter malware, unless they're regularly engaging in risky activities, such as installing pirated software. It is possible, however, for any Mac to be infected if the user doesn't practice safe computing, even if they have antivirus software installed.

 

[2012Tony2012]

It is very unlikely that an average Mac user will ever encounter malware, unless they're regularly engaging in risky activities, such as installing pirated software. It is possible, however, for any Mac to be infected if the user doesn't practice safe computing, even if they have antivirus software installed.

Interesting....so there are virus on Mac that someone may get if they do not practice safe computing.

And there are Mac apps that are virus', for example pirated apps for Mac?

 

[crjackson2134]

No, there is Malware, not Viri

 

[2012Tony2012]

No, there is Malware, not Viri

So not a single Virus exists for Mac?

 

[chown33]

So not a single Virus exists for Mac?

This is answered in the first post.

Read the definition of a virus by finding the "What is a virus?" heading.

Then find the words "in the wild" and read what it says there.

If the above doesn't answer your question, then ask a more specific question.

If you haven't read the first post completely, then please do that before asking additional questions. There's no purpose in asking questions that are already answered.

 

[Prplehz76]

There is a whole grouping of files I’ve found on my Mac that ‘cannot be opened due to no program exists to use it with’ could this be a “virus” or a program installed to gain access via sharing and cause havoc? I’m struggling with sharing process’s, tcp, AirPlay, airport, and netbios showing an open connection on my Mac even though all sharing portions are OFF, my WiFi, Bluetooth, etc are OFF, and.... my firewall is set to the highest possible setting allowed! Could this be a Trojan, or is this an actual remote user/spyware, or could this just be a bug in some code? I’ve gone from having plenty of room on my hard drive to having next to nothing available. Would just resetting the Mac back to default correct this and forget trying to surgically removing what’s gone wrong?
[doublepost=1530550493][/doublepost]Ps, I understand this post is dated 2014 but I’m looking for answers to save my Mac.....

 

[Gregg2]

There is a whole grouping of files I’ve found on my Mac that ‘cannot be opened due to no program exists to use it with’ ....

Well, do you think the problem is that these files are bogus? Or, do you think the files are good, and the apps you created with them are present? You haven't fully presented the problem.

 

[mpainesyd]

There is a whole grouping of files I’ve found on my Mac that ‘cannot be opened due to no program exists to use it with’ could this be a “virus” or a program installed to gain access via sharing and cause havoc...

If you have been updating macOS/OSX for several years it is likely that there are some old files hanging around are no longer associated with any apps. However the filling up of your hard drive is a puzzle.
I did have a problem a while ago where I found copying a file from one Mac to the external hard drive on another Mac created multiple copies of that file and I had to Force Quit finder to stop it. Have you looked for multiple copies of files?

EtreCheck.app is useful for diagnosing problems on a Mac.

 

[Prplehz76]

Well, do you think the problem is that these files are bogus? Or, do you think the files are good, and the apps you created with them are present? You haven't fully presented the problem.

Well to give some background I had moved with my bf at the time now fiancé from the city to a very rural area where there is no WiFi and we have to rely on our cell phones and hot spot. I’ve worked in the Silicon Valley for startups for over ten years and I’m an accountant but a computer nerd at heart and I actually handle the operations side of accounting, long story short Im not shy around computers and am the family IT person and for the past two years have had to learn networking because of all going on. We hired an IT person a year ago too. So like I was saying since we moved here it started with my iPhone 6 Plus at the time began acting strange. Freezing, icons at the top shifting. My passwords would stop working and it became a daily thing of resetting all passwords, I got a new phone 6s plus. It only got worse. My keyboard would delete words as I typed them. It was happening to all of us but mainly me. It started getting really strange. All our devices and email began to be inundated with porn and some was worth me calling a friend in law enforcement. My phones old and new on day just became disabled. Poof! My Mac would tell me someone was logged in, we talked to Apple, I’ve reset all devices more than once, replaced SIM cards, my Mac then was disabled (my boyfriend had an android and a surface if this matters. My car stereo was an android) I have been VERY conservative no 3rd party software, my devices were work related and so I kept them clean and updated. The IT guy said he’s never seen devices in such good condition. He reset everything but we got new phones 7plus and I switched carriers. Att to Verizon! It calmed down for a bit then it started again and Python has been installed(?) my iCloud account at times was inaccessible. I’ve learned command line and it’s th only thing that keeps me sane and Apple has confirmed there is some developer stuff being accessed but also a lot of native apple stuff. My MacBook Pro retina is a developer system my work gave me as a gift and so Xcode & Automater, text wrangler are all installed and I suspect they play a huge part in the problem. I can tell you that with WiFi off, sharing off, Finder has been rearranged magically, I’ve turned my firewall on highest settings, and I’ve attached a screenshot of my Mac presently. This is actually pretty quiet. Sometime each interface will show an established connection with everything off. And there are constantly signs of Microsoft programs or processes running my word and excel have become unusable. The newest since yesterday on my phone the app called ‘Mr Putt’ appears under Cellular but no where else. I do not own any app by this name
[doublepost=1530583494][/doublepost]I can’t upload the pictures showing my Mac right now but under Sudo in the terminal using NEttop or lsof -I interfaces lo0 process ‘node’ and Wifiagent have an established connection, awdl0 mDNS respnder is on. Web pages will be obviously spoofed. There is a ddglot of signs of DDos attack. My keyboard is being hijacked again. So let me know what I can provide to help pinpoint the culprit or is there a command I can use that will help me?

Also port 1720 is always open I can’t figure out what’s causing it.

Beam.smp.80 has 24 processes open under lo0 via tcp localhost

Launchd has 6 processes using both ups/tcp two of which are river rock and 4 are using a hidden ipv4 address *:625<->*:* the other s same but numbs inside of 138, Xcscontrol tcp4 via localhost.

S
Thank you!!
[doublepost=1530583733][/doublepost]

Well to give some background I had moved with my bf at the time now fiancé from the city to a very rural area where there is no WiFi and we have to rely on our cell phones and hot spot. I’ve worked in the Silicon Valley for startups for over ten years and I’m an accountant but a computer nerd at heart and I actually handle the operations side of accounting, long story short Im not shy around computers and am the family IT person and for the past two years have had to learn networking because of all going on. We hired an IT person a year ago too. So like I was saying since we moved here it started with my iPhone 6 Plus at the time began acting strange. Freezing, icons at the top shifting. My passwords would stop working and it became a daily thing of resetting all passwords, I got a new phone 6s plus. It only got worse. My keyboard would delete words as I typed them. It was happening to all of us but mainly me. It started getting really strange. All our devices and email began to be inundated with porn and some was worth me calling a friend in law enforcement. My phones old and new on day just became disabled. Poof! My Mac would tell me someone was logged in, we talked to Apple, I’ve reset all devices more than once, replaced SIM cards, my Mac then was disabled (my boyfriend had an android and a surface if this matters. My car stereo was an android) I have been VERY conservative no 3rd party software, my devices were work related and so I kept them clean and updated. The IT guy said he’s never seen devices in such good condition. He reset everything but we got new phones 7plus and I switched carriers. Att to Verizon! It calmed down for a bit then it started again and Python has been installed(?) my iCloud account at times was inaccessible. I’ve learned command line and it’s th only thing that keeps me sane and Apple has confirmed there is some developer stuff being accessed but also a lot of native apple stuff. My MacBook Pro retina is a developer system my work gave me as a gift and so Xcode & Automater, text wrangler are all installed and I suspect they play a huge part in the problem. I can tell you that with WiFi off, sharing off, Finder has been rearranged magically, I’ve turned my firewall on highest settings, and I’ve attached a screenshot of my Mac presently. This is actually pretty quiet. Sometime each interface will show an established connection with everything off. And there are constantly signs of Microsoft programs or processes running my word and excel have become unusable. The newest since yesterday on my phone the app called ‘Mr Putt’ appears under Cellular but no where else. I do not own any app by this name
[doublepost=1530583494][/doublepost]I can’t upload the pictures showing my Mac right now but under Sudo in the terminal using NEttop or lsof -I interfaces lo0 process ‘node’ and Wifiagent have an established connection, awdl0 mDNS respnder is on. Web pages will be obviously spoofed. There is a ddglot of signs of DDos attack. My keyboard is being hijacked again. So let me know what I can provide to help pinpoint the culprit or is there a command I can use that will help me?

Also port 1720 is always open I can’t figure out what’s causing it.

Beam.smp.80 has 24 processes open under lo0 via tcp localhost

Launchd has 6 processes using both ups/tcp two of which are river rock and 4 are using a hidden ipv4 address *:625<->*:* the other s same but numbs inside of 138, Xcscontrol tcp4 via localhost.

S
Thank you!!

Rereading this my keyboard was being hijacked or something and some of what I said was rearranged. Hopefully you guys get the gist of what I’m dealing with.

 

[hobowankenobi]

Here we go again...

One of three things:

• Trolling.
• Seriously in over your head, doing and troubleshooting things you have no business messing with.
• The North Koreans are coming after you very, very hard.

No matter which one it is, I doubt anybody here can solve your issues.

 

[Gregg2]

Perception of what the problem might be is still not clear. Rambling "response" to my questions did not address them.