WELL, MAYBE I’LL WAIT A BIT: I mentioned Snow Leopard’s [Mac OS 10.6] malware protection earlier, but this says it only scans for two trojans. [bold added]
Why would Apple bother to create a system that only scans for two pieces of malware? Well, firstly, the system is designed to automatically update using Mac OS X’s software update feature. More malware definitions can be added in the future.
Secondly, there are really only two pieces of active Mac OS X malware.
The article describes the two pieces of malware that Snow Leopard starts out scanning for: OSX.RSPlug and OSX.Iservice. Scanning for only two pieces of malware seems paltry by PC standards but looking up OSX.RSPlug and OSX.Iservice on Symantec’s threat list reveals that both are classified as having a known level of infected computers of 0-49 and known infected sites of 0-2. That is the lowest level of infection Symantec can set and as a practical matter translates into zero infected machines.
Symantec lists a whacking total of 13 known pieces of Mac OS X targeted malware out of 9000+ listed. Of those, four are proof-of-concept programs written by security experts to study exploits. They don’t actually exist outside the lab. Of the remaining 9, four will not run on Mac OS 10.5 or 10.6 and/or have been patched out on earlier system versions.
All of the remaining six pieces of malware are trojans.
Malware is usually divided into three subtypes depending on how the malware spreads. Viruses work much like biological viruses, i.e., they hijack a program running on a computer and direct that program to propagate the virus. Worms are self-contained programs that copy themselves from computer to computer. Both viruses and worms can spread exponentially because they reproduce themselves as fast as the infected computer can communicate with other computers, and in doing so they require no human action.
Trojans, named by analogy to the Trojans’ bringing the Greeks’ wooden horse inside the city walls, require that a human being load the software onto the computer. Getting infected by a trojan usually requires personal carelessness on the order of taking candy from strangers. Trojans pretend to be a copy of a useful or desirable piece of software, which the user then installs on the system. Most often they masquerade as pornography or “cracked” — i.e., stolen — software. Trojans cannot propagate quickly because a human has to go through the process of installing them on every computer they infect. If a virus or worm gets control of your internet-connected computer, it will automatically attack hundreds or even thousands of other computers within a few hours. If a trojan gets on your computer, it can only spread by sending messages to another human that somehow trick that human into installing the trojan.
Of the six Mac trojans, the vast majority of infections are the result of OSX.RSPlug and OSX.Iservice. So, by including just two paltry malware definitions in Snow Leopard, Apple has protected 10.6 users from 90%+ of the already extremely minor risk posed by malware for Mac users. It’s like handing out helmets to people watching the Pleiades shower to protect them from the odd chance of getting hit by a meteorite.
Apple hasn’t even bothered to advertise the malware feature, because the malware threat is so trivial that they’d lose more business talking about malware protection — and leading some people to think Macs have a problem with it — than they’d gain by bragging about how they can prevent infection. As this very good article points out, the Mac malware threat is so trivial that a Mac user is more likely to encounter problems caused by anti-malware software than from malware itself. Nevertheless, it’s good to have a system in place in case a significant threat does raise its head in the future. Snow Leopard provides a safeguard against the day.
In the end, no matter how you cut it, the malware threat on Macs is so trivial it shouldn’t influence anyone’s upgrade decision.
[Update: Many claim that Mac OS X doesn't suffer from malware like Windows does because Mac OS X's market share is too small to attract the attention of malware programmers. I debunk that idea in my next post.]