Lessons Learned

Things I wish I had known…

February 20th, 2006

Another Mac OS X Worm Reported

Just days after the first reports of a worm affecting Mac OS X, anti-virus vendors are reporting a second one. The Inqtana worm spreads between Apple systems over Bluetooth by exploiting a vulnerability in the OS. Fortunately, that vulnerability was patched by an update released in mid-2005, so Mac users who have kept their systems current with Apple's security updates were never exposed to this worm.

But it is beginning to feel like the sky is falling for Mac users, who have historically been able to all but ignore viruses and other malware on the platform. Those who have kept their eyes and ears open for this possibility have known all along that it was only a matter of time before threats started showing up on OS X.

Good malware prevention applies to every platform, and the rules are fairly simple:

  1. Keep your systems up to date with the latest security patches.
  2. Don't open e-mail attachments, especially if you weren't expecting an attachment from the sender, and even more so if you don't know who the sender is.
  3. "Free" software is almost never free. Be careful what you download and run on your computer.
  4. Run antivirus software on your computer and keep it up to date.

Follow these simple rules and you’ll avoid most of the malware threats that are out there, regardless of your platform.

February 16th, 2006

Malware Tools

Here’s a list of tools I use to do malware analysis and cleanup:

Trend Micro Sysclean package (command-line tool, scroll down to the Sysclean Package link) - http://www.trendmicro.com/download/dcs.asp
Virus pattern files for TM command-line tool: http://www.trendmicro.com/download/viruspattern.asp

XP Bootable CD - BartPE+XPE (reatogo build) http://www.reatogo.de

Spybot Search and Destroy - http://www.safer-networking.org/

Microsoft Anti-spyware (now called Windows Defender) - http://www.microsoft.com/athome/security/spyware/software/default.mspx

RootKit Revealer from Sysinternals - http://www.sysinternals.com/Utilities/RootkitRevealer.html

February 16th, 2006

Mac OS X Worm Reported

Sophos, an anti-virus software vendor based in the UK, reports that the first Mac OS X worm (which Sophos calls OSX/Leap-A) has begun to spread. The report, which can be found at http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html?pl_id=9&lang_id=1&lp_keyword=firstosx, details how the worm spreads through the iChat instant messaging client, disguising itself as a file transfer from another iChat user.

Symantec's current estimate is that the spread of this worm is low. Still, that does not mean the threat can or should be ignored.

Macintosh users should still employ some level of virus protection, even though the number of Macintosh-specific viruses is small compared to the number of Windows/PC-based threats. Even when virus code cannot execute on a Macintosh, the Macintosh can still be party to the spread of a virus or worm by copying infected files from one place to another. For this reason, your Macintosh anti-virus software should be configured to scan the disk in real time rather than only on a scheduled basis.

This worm spreads itself automatically through the iChat client, so on a workstation without iChat it will not spread on its own. The file could still be sent manually to another user via a different IM client, or saved to a shared file server and run by another Mac user; the iChat client is not required to receive the file containing the worm. The worm can only infect a system if a user opens the file. Simply having the file on your system does not mean you are infected.
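Both the "don't open unexpected attachments" rule above and this worm's trick of arriving as an innocent-looking file transfer come down to the same check: find out what a received file actually is before opening it. The script below is an added example, not code from the original post or from any vendor mentioned here. It identifies a file by its leading magic bytes rather than its name, compares that with what the extension promises, and, if the file turns out to be a gzip'd tar archive, looks inside for Mach-O executables or interpreter scripts. The sample "vacation_pics.jpg" is constructed inline for the demonstration (a real archive containing a fake Mach-O header); the magic-number table and the helper names are the example's own assumptions.

```python
import io
import os
import tarfile

# Well-known leading byte signatures (assumed table, not from the original post).
MAGIC = [
    (b"\x1f\x8b", "gzip archive"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"#!", "script with interpreter line"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit executable (big-endian)"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit executable (little-endian)"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal (fat) binary"),
]

# What a given file extension claims the contents should be.
EXT_EXPECT = {
    ".jpg": "JPEG image", ".jpeg": "JPEG image", ".png": "PNG image",
    ".gz": "gzip archive", ".tgz": "gzip archive", ".zip": "ZIP archive",
}


def sniff_type(data: bytes) -> str:
    """Classify a byte string by its leading magic bytes, ignoring its name."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def check_received_file(filename: str, data: bytes) -> dict:
    """Report whether a received file's real type matches its extension and,
    for gzip'd tar archives, list members that are executables or scripts."""
    actual = sniff_type(data)
    expected = EXT_EXPECT.get(os.path.splitext(filename)[1].lower())
    mismatch = expected is not None and expected != actual

    executables_inside = []
    if actual == "gzip archive":
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
                for member in tf.getmembers():
                    if not member.isfile():
                        continue
                    payload = tf.extractfile(member).read()
                    inner = sniff_type(payload)
                    exec_bit = bool(member.mode & 0o111)
                    # An "image" that is really a binary, or anything with +x, is worth flagging.
                    if inner.startswith("Mach-O") or inner.startswith("script") or exec_bit:
                        executables_inside.append((member.name, inner, exec_bit))
        except tarfile.TarError:
            pass  # gzip data that is not a tar archive: nothing to inspect further

    return {
        "filename": filename,
        "actual": actual,
        "expected": expected,
        "mismatch": mismatch,
        "executables_inside": executables_inside,
    }


def build_sample() -> bytes:
    """Constructed sample: a .tgz whose name says 'jpg' and which contains one
    'picture' that is really a (fake) Mach-O binary with the execute bit set."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        fake_binary = b"\xce\xfa\xed\xfe" + b"\x00" * 60  # fake Mach-O header, constructed
        info = tarfile.TarInfo(name="pic1.jpg")
        info.size = len(fake_binary)
        info.mode = 0o755
        tf.addfile(info, io.BytesIO(fake_binary))

        real_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16    # minimal JPEG-looking header, constructed
        info2 = tarfile.TarInfo(name="pic2.jpg")
        info2.size = len(real_jpeg)
        tf.addfile(info2, io.BytesIO(real_jpeg))
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("vacation_pics.jpg", build_sample()),
                       ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)]:
        report = check_received_file(name, data)
        verdict = "SUSPICIOUS" if report["mismatch"] or report["executables_inside"] else "ok"
        print(f"{name}: {report['actual']} (extension claims {report['expected']}) -> {verdict}")
        for member, inner, exec_bit in report["executables_inside"]:
            print(f"  contains {member}: {inner}, executable={exec_bit}")
```

The point of the archive walk is the last sentence above: a file on disk does nothing until it is opened, so the useful moment to look is before the double-click, and a file whose extension and contents disagree, or whose "pictures" carry Mach-O headers and an execute bit, is exactly the kind of transfer to delete rather than open.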
