
May 20th, 2011

Mac malware – a short history

There’s a groovy discussion in the world of Apple about the security of Mac OS. I’ve seen this kind of discussion many times, and in most cases it had quite a similar scenario. We won’t go through this entire scenario (although it could be fun); we’ll just summarize the core of it with one phrase that pops up in all these debates: “There are no viruses for Mac OS.”

Let’s take a short excursion through the history of Mac infections.

1982 – A 15-year-old high-school student named Rich Skrenta wrote the Elk Cloner virus that infected Apple II machines. It was the first large-scale, self-spreading, in-the-wild virus ever created. Elk Cloner was a boot-sector virus that displayed the following on every 50th boot:

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it’s Cloner!

It will stick to you like glue
It will modify RAM too

Send in the Cloner!

1987 – Nvir.A (aka nVIR) showed up. Its source code was widely available, and numerous variants arose.

1988 – HyperCard viruses started to spread. HyperCard was a piece of software created by Apple Computer, Inc. Because HyperCard was able to execute scripts immediately on opening, it was one of the first applications susceptible to macro viruses. A good description of a few of them can be found here.

May 1990 – The first of four variants of the MDEF virus was discovered.

1995 – Microsoft accidentally released Concept, the first Microsoft Office macro virus, infecting both Windows and Mac OS.

1998 – The AutoStart 9805 worm appeared. AutoStart spread via the CD-ROM AutoPlay feature of QuickTime player. A description of this worm can be found here.

The same year, Sevendust was discovered. Descriptions of known variants can be found here.

2004 – The Renepo script was found. It had the ability to disable a system firewall, and it would try to copy itself to /System/Library/StartupItems (a password was required).

Also that year, Amphimix – an mp3 file launched in iTunes – was found, demonstrating how to execute code in this popular player.

2006 – Leap-A, the first ‘real’ Mac trojan, appeared. Leap spreads via iChat by forwarding itself as a latestpics.tgz file to all the infected user’s contacts. Inside this archive is one executable file masking itself with a JPEG icon. When Leap-A is executed, it starts to infect all Cocoa applications. It uses Spotlight to find them and InputManager to infect them.

Also that year, Inqtana – the Java-based Bluetooth worm – was discovered.

2008 – The worm BadBunny came on the scene, dropping two Ruby scripts into the system.

That year, the RSPlug.A trojan also appeared. RSPlug.A changed DNS to point to malicious (mostly porn-distributing) machines. It spread as a video codec, downloadable from various porn websites, and it was able to update itself from the Internet. There are 17 variants of this trojan in the wild. Modifications of this trojan steal info about PayPal and other money-related services by redirecting DNS.

June 2008 – AppleScript.THT appeared. Once executed, it tries to disable security software, steal the user’s passwords, turn on file sharing, take screenshots of the desktop, and take a photo of the user via the built-in camera.

That same year saw the emergence of the first Mac ‘rogue’ application (a fake antivirus that misleads users by reporting many fictitious infections on their computers). Its name was MacSweeper. While the infected user was browsing its ‘official’ website, MacSweeper installed silently and began to report many fictitious threats (even in Apple pre-installed applications such as iCal or Dashboard). When the infected user tried to remove the infections, he was asked to provide credit card details and pay $39.99 for a “lifetime subscription serial key.”

2008 – Hovdy-A was discovered. This infection tried to install itself to /Library/Caches. When it succeeded, the rock’n’roll started. It disabled syslog and system updates, stole password hashes, and started a web server, VNC, and SSH. It also tried to get root access.

Late 2008 – Apple published a support advisory recommending the use of antivirus software (!). After a massive media response, Apple removed the original advice from its website.

Early 2009 – A pirated version of iWork ’09 appeared on the BitTorrent network. Inside the package was a virus called iWorkS-A (also known as OSX.Iservice). When executed, the file iWorkServices copied itself to /usr/bin/iWorkServices and tried to execute one of two HTTP requests. Updated variants of this virus were later found in a pirated version of Adobe Photoshop CS4.

August 28, 2009 – Apple released Snow Leopard. It includes a basic anti-malware tool called XProtect, which – in version 10.6.0 – could protect a Mac against two (!) viruses (OSX.RSPlug and OSX.Iservice). Now, this tool (version 10.6.7) is able to find four viruses.

2010 – The Pinhead trojan was discovered. When it is installed, the computer becomes remotely accessible. It disguises itself as iPhoto.

Also that year, the Boonana Trojan horse emerged as one of the latest threats for Mac OS. Boonana is a multiplatform trojan that spread via social media and email disguised as a video. Appearing as a link on social sites with the description “Is this you in this video?” it runs as a Java applet, which downloads its installer to the machine.

May 2011 – The fake antivirus MacDefender was discovered. It’s a typical Cocoa application that installs itself into the /Application folder. It does nothing to the machine, but it wants your money (aka scareware). It spreads through Google Images.


  • Michael

    I love this post. Apple has really put it into the heads of their users that they are free from everything that Windows users go through. That is just a false promise.

    Microsoft learned years ago that when you’re number one everyone will try to come after you; nothing is perfect, it can all be broken into. Hence why they take security very seriously and why companies like Avast are in business.

    The next generation of AV will not rely just on an updated file that will tell the program what to look for but will actually start looking and learning on its own. Read the code and see what it is trying to do.

    Again, that is why Windows now asks “are you sure you want to let this program make system changes?” I recommend to all my Mac friends to get Avast; what will it hurt? Nothing. What will it prevent? The worst.

  • siddhesh

    Thanks for illumination guys… all this time i was thinking Mac OS was the safest OS.

  • LunarWolf

    There is no such thing as no virus for Mac. Welcome to the real world. :)

  • abdulahad949

    Mess with the bull, better get the horns

  • Michel Terpak

    There weren’t many viruses cuz the MS market was larger, so a virus maker would benefit more from infecting MS, cuz it’ll spread more and faster. But now, hackers are starting to realize Mac users consist of mostly richer people who don’t know about computers; they’re the easiest target. The whole time, Mac thought they were too good to get a virus but they actually weren’t worth it XD

  • guiyer

    I love Mac,
    but i’m not rich!

  • HackToHell

    Kaspersky have got a Mac version!

  • James M Singleton

    James has been using and testing Windows for years and found out that Apple really does make good products. I will always use Windows because of the hardware and free software available. If you have Windows 7, then it’s about as good as it gets.
    James M Singleton

  • Michal Krejdl

    The word “virus” is a bit misleading. We should talk about a generic malware here, because self-replicating viruses are only a small fraction of the whole badware mosaic.

  • Hysteria

    Apple II is not a MAC.

  • Fernando Gregoire

    This is an interesting post. May Xprotection be considered an AV product? If not, what advantages does Avast have on Macintosh?

  • Johan
  • yanto chiang

    Hi Mira,

    What a wonderful articles, this is very good information to me especially to know much about malware attacks methods started from earlier of malware spread.

    Hope from your site, always educated such as this details information.

    Yanto Chiang