
The Ten Most Dangerous Mac Viruses

Trend Micro helped us pull together the ten most dangerous Mac viruses in OS X's history based on impact and prominence

March 10, 2012

One of my colleagues recently returned to a PC/Win after two years on Mac/OS X.

Tragically, it slipped his mind to install an antivirus on his laptop, and by day two his new computer was full of viruses: ads popped up without opening a browser, programs crashed constantly, performance slowed, and his blog sent phishing emails to visitors without his knowledge. OS X had made my colleague soft. 

Mac infections are so rare that for many of us who switch to OS X after years on a PC with Windows, it kind of feels like you're on a trip to Disneyworld: the OS is fun, clean, and safe. But just because Mac malware is rare certainly doesn't mean it doesn't exist, or that it couldn't surge to Windows-like proportions one day. 

To illustrate this, Trend Micro helped us pull together the ten most dangerous Mac viruses in OS X's history, based on impact and prominence. Starting with the OSX/Leap worm in 2006, you'll see how Mac malware has progressed to the present day to include DNS changers, backdoors, scareware, and spyware.

Most of the threats come from plug-ins and add-ons, like for browsers, which are usually distributed outside official app stores, says Jamz Yaneza, a threat research manager at Trend Micro.

"If it's not in the Mac App or App stores, just don't download it."

Apple itself is taking an early safety precaution by adding a 'Gatekeeper' security feature to the upcoming version of OS X, 10.8 Mountain Lion, which lets users filter app downloads by source. Gatekeeper mimics an even tighter walled garden in Windows 8.

Yaneza's advice to Mac users? The conventional wisdom still holds: stick to Apple's own app stores, and don't download anything from an unknown source. Following those two rules alone will block most Mac malware.

Power users can get additional antivirus protection with , , or . The latter two megabundles include Mac licenses. Now on to a brief history of Mac malware...

2006: Infected iChat Hides First Mac Worm
OSX/Leap was a Trojan-worm combo that spread through Apple's iChat instant messaging system. The infected file would pop up in a buddy's iChat window, claiming to have pictures of the then-upcoming Mac OS X Leopard. Once installed, the Trojan infected recently opened applications with poisoned code, rendering them unusable.

2007 – 2009: Fake Codec Rewards Porn Seekers With Rootkits
OSX/DNSChanger, OSX/RSPlug, and OSX/Jahlav were Zlob Trojans that crossed over from PCs. These Trojans posed as video codecs required to watch porn videos. Once installed, they'd alter a system's Domain Name System (DNS) settings to divert traffic to malicious websites.

2008: Mac Scareware Appears
OSX/MacSweeper, discovered by F-Secure, was the first rogue cleaning tool built for Mac. It mimicked the legitimate Mac Sweeper scanner and pretended to find problems on users' systems, then prompted them to pay to fix the problems (aka scareware). Soon after, a nearly identical piece of scareware called Imunizator started making the rounds. Imunizator would claim to find privacy holes in your computer.

2009: Fake iWork and Adobe Photoshop Install Backdoors, Spyware
OSX/Krowi was packaged in free, pirated versions of iWork '09 and Adobe Photoshop for Mac. It connected users to a remote server and waited for commands from a remote control center. In 2010 another backdoor, OSX/Hellrts, appeared in pirated versions of iPhoto. Both pieces of malware planted backdoors into users' Mac computers, allowing attackers to enter without having to type a password.

2010: Another Fake Codec Packs Spyware
In 2010 Intego researchers discovered OSX/OpinionSpy, a variant of Windows spyware from 2008 and the first major piece of spyware discovered on OS X. Users unwittingly installed this spyware by entering their username and password into a prompt disguised as a marketing survey. OpinionSpy collected IM conversations, email addresses, browsing history, usernames and passwords, and bank account details.

2011: Scareware Evolves
Last year researchers discovered more rogue software called OSX/MacDefender, and similar pieces of malware called OSX/MacProtector and OSX/MacSecurity. MacDefender was especially crafty, releasing new versions as quickly as Apple released patches. The MacDefender phishing attack used poisoned Google Image search results, and was very difficult for Mac users to remove because it attaches itself to a computer's launch menu and has no dock icon.
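Software that starts itself at login while keeping no dock icon is exactly what a per-user launch agent list is for, so an audit of those entries is the defender's counterpart to the persistence trick described above. The script below is an added example and not code from the article or from any vendor: it parses a LaunchAgent property list with the standard library's plistlib, summarises what it would run, and raises flags for the traits that deserve a second look (a program stored under a hidden directory or outside the usual system and application folders, and an item that both starts at login and is kept alive). The sample plist, its label com.example.updater and the path /Users/Shared/.hidden/updater are constructed for the example; the list of "usual" folders is an assumption.

```python
import os
import plistlib

# Constructed sample LaunchAgent. The label and program path are invented to
# show the traits the audit flags; they do not refer to any real software.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.hidden/updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Assumed set of directories where a launch item's program would normally live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")


def summarize_launch_item(plist_bytes):
    """Parse one launchd plist and return a summary dict with audit flags."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    summary = {
        "label": data.get("Label", ""),
        "program": program,
        "arguments": list(args[1:]),
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
        "flags": [],
    }
    # A program stored in a dot-directory is hidden from Finder by default.
    if any(part.startswith(".") for part in program.split("/") if part):
        summary["flags"].append("hidden-path")
    # Anything outside the expected folders is at least unusual.
    if program and not program.startswith(TRUSTED_PREFIXES):
        summary["flags"].append("untrusted-location")
    # Started at login and restarted whenever it exits: hard to get rid of.
    if summary["run_at_load"] and summary["keep_alive"]:
        summary["flags"].append("persistent")
    return summary


def scan_launch_agents(directory):
    """Summarise every .plist in a LaunchAgents folder (skips unreadable files)."""
    results = []
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                results.append((name, summarize_launch_item(fh.read())))
        except (OSError, plistlib.InvalidFileException):
            results.append((name, {"flags": ["unparseable"]}))
    return results


if __name__ == "__main__":
    # The embedded sample first, then the current user's own LaunchAgents.
    print(summarize_launch_item(SAMPLE_PLIST))
    for name, info in scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")):
        if info.get("flags"):
            print(name, info["flags"])
```

The sample item comes back flagged as hidden-path, untrusted-location and persistent, which is the combination a user would otherwise only notice as "something keeps coming back and I can't see it in the dock". Legitimate agents from installed applications will usually carry one of these flags on their own, so the value of the scan is in reviewing what it lists rather than in treating any single flag as proof of infection.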

2011-12: 'Flashback' Lives On
OSX/Flashback, discovered in September 2011 by Intego, has 14 variants as of Thursday. The malware uses Java vulnerabilities to enter a user's computer when he or she clicks a malicious link. It harvests usernames, passwords, and other data used to authorize banking transactions. The first version was packaged in a malicious Adobe Flash installer, while the latest version looks like a Software Update prompt (note: Software Update will never ask you for your password "to make changes").

For more from Sara, follow her on Twitter @sarapyin.