
F-Secure outlines the 2011 Mac malware scene

Despite increases in Mac malware, the overall level for OS X is relatively minuscule; however, analysis suggests that malware increases may not be following the Mac's market share trend.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Over the past year we have regularly covered new malware threats that have emerged for OS X, which included attacks like MacDefender, BlackHole RAT, Flashback, and Revir, among a number of others.

While our coverage of these threats may make them appear significant, a review of the overall Mac malware scene makes it apparent that despite the increase in Mac malware prevalence, the threats for the Mac platform are still quite minimal. Additionally, data suggests Mac malware trends may not follow market share as many suspect they do.

Security company F-Secure recently released an analysis of the Mac malware that was released from Q2 through Q4 of last year. Overall, there were a mere 58 new variants released between April and December of 2011, most of which were Trojan horse or backdoor attempts, and none of which were viruses or worms.

The breakdown of the malware shows that, as with other platforms, social engineering is the primary means of spreading malware, but the main observation is that the overall number of 58 threats is nothing when compared to other platforms. According to UK-based security company GData, starting in 2009 the number of new malware threats for computers and Web-based services has surpassed 1,000,000 per year. Therefore, even though the threat level for OS X is higher than it has been in past years, when compared with the rest of the industry, malware on the Mac is almost negligible.

[Figure: F-Secure's Mac malware analysis. F-Secure's analysis shows two general time frames where Mac malware was released last year, suggesting a break from an expected continuous rise that follows market share. Credit: F-Secure]

An interesting point that F-Secure's data does bring up concerns the notion that the number of threats to the Mac platform will increase as its market share rises. While it might seem logical to expect that as the Mac becomes more popular one would see an increase in attacks, the data from F-Secure suggests this may not be the case.

F-Secure's analysis clearly shows two time frames where malware has been released for OS X: one instance around June and another instance around October of last year. F-Secure describes these as "opportunistic bubbles" sandwiched between periods of inactivity. This is different from the steady rise in the Mac's market share in the past year, which according to NetApplications has increased by 17 percent from February 2011 to 6.36 percent worldwide, and which has recently surpassed 12 percent in the U.S., according to Gartner.

This bubblelike malware trend in the face of steadily increasing market share counters the idea of a continuous rise in malware releases that one might expect from a steady rise in Mac market share; however, this interpretation may be a bit premature.

While it is possible that Mac malware could maintain a release pattern of "opportunistic bubbles," it is equally possible that these bubbles could start increasing in prevalence and eventually blend into each other to form a steady, more continuous increase in malware.

So far there is not enough data to either support or refute this possibility, since right now we're observing this bubble trend with only 58 samples spread out over the course of a year. Additionally, it's worth noting that successive releases of variants of one or two malware programs contribute to these bubbles, not the release of multiple independent malware programs. For instance, BlackHole and FakeMacDef variants were released around June, and a number of Flashback and Revir variants appeared around October.

One consideration against the notion of malware being released in "bubbles" is that it suggests malware developers somehow work in conjunction with each other to release their attacks in coordination, which is likely not the case. Additionally, it suggests that malware is released seasonally, which, besides holiday scams, would be highly unlikely and does not parallel the continuous nature of malware release on other platforms.

Despite these considerations, right now the data we have shows that Mac malware was released in two general time frames, though whether this trend will continue remains to be seen.

Overall, while these observations are interesting, it is important to keep in mind that despite the reports of malware throughout the past year, the level of malware for OS X continues to be minuscule when compared with the millions of malware programs released through the year.


