Mac malware – a short history

There's a groovy discussion in the world of Apple about the security of Mac OS. I’ve seen this kind of discussion many times and in most cases it had a quite similar scenario. We won't go through this entire scenario (although it could be fun), we'll just summarize the core of it with one phrase that pops up in all these debates: “There are no viruses for Mac OS.”

Let's take a short excursion through the history of Mac infections.

1982 – A 15-year-old high-school student named Rich Skrenta wrote the Elk Cloner virus that infected Apple II machines. It was first large-scale, self-spreading, and in-the-wild virus ever created. Elk Cloner was a boot-sector virus that displayed following on every 50th boot:

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!

It will stick to you like glue
It will modify RAM too

Send in the Cloner!

1987 – Nvir.A (aka nVIR) showed up. Its source code had been widely available, numerous variants have arisen.

1988 – HyperCard viruses started to spread. HyperCard was piece of software created by Apple Computer, Inc. Because HyperCard was able to execute scripts immediately on opening, it was one of first applications susceptible to macro viruses. Good description of few of them can be found here.

May 1990 – The first of four variants of MDEF virus were discovered.

1995 – Microsoft accidentally released Concept, the first Microsoft Office macro virus, infecting both Windows and Mac OS.

1998AutoStart 9805 worm appeared. AutoStart spread via the CD-ROM AutoPlay feature of QuickTime player. Description of this worm can be found here.

The same year, Sevendust was discovered. Descriptions of known variants can be found here.

2004 – Renepo script was found. It had the ability to disable a system firewall, and it would try to copy itself to /System/Library/StartupItems (password was required).

Also that year, Amphimix – an mp3 file launched in iTunes – was found, demonstrating how to execute code in this popular player.

2006Leap-A, the first ‘real’ Mac trojan appeared. Leap spreads via iChat by forwarding itself as a latestpics.tgz file to all the infected user’s contacts. Inside this archive is one executable file masking itself with a JPEG icon. When Leap-A is executed, it starts to infect all Cocoa applications. It uses Spotlight to find them and InputManager to infect them.

Also that year, Inqtana – the Java-based Bluetooth worm – was discovered.

2008 – The worm BadBunny came on the scene, dropping two Ruby scripts into the system.

That year, the RSPlug.A trojan also appeared. RSPlug.A changed DNS to point to malicious (mostly porn-distributing) machines. It spread as a video codec, downloadable from various porn websites, and it was able to update itself from the Internet. There are 17 variants of this trojan in the wild. Modifications of this trojan steal info about PayPal and other money-related services by redirecting DNS.

June 2008AppleScript.THT appeared. Once executed, it tries to disable security software, steal user’s passwords, turn on file sharing, take screenshots of the desktop, and via the built-in camera take a photo of the user.

That same year saw the emergence of the first Mac ‘rogue’ application (fake antivirus that misleads users by reporting many fictitious reports about infections in their computers). Its name was MacSweeper. While the infected user was browsing its ‘official’ website, MacSweeper installed silently and began to inform about many fictitious threats (even in Apple pre-installed applications such as iCal or Dashboard). When the infected user tried to remove infections, he was asked to provide credit card details and pay $39.99 for a “lifetime subscription serial key.”

2008Hovdy-A was discovered. This infection tried to install itself to /Library/Caches. When succeeded, rock'n'roll started. It disabled syslog and system updates, stole password hashes and started web server, VNC, and SSH. It also tried to get root access.

Late 2008 – Apple published a support advisory to use antivirus software (!). After massive media response, Apple removed the original advice from its website.

Early 2009 – A pirated version of iWork '09 appeared on the BitTorrent network. Inside the package was virus called iWorkS-A (or also OSX.Iservice). When executed, the file iWorkServices created its copy to /usr/bin/iWorkServices and tried to execute one of two HTTP requests. Updated variants of this virus were later found in a pirated version of Adobe Photoshop CS4.

August 28, 2009 – Apple released Snow Leopard. It includes a basic anti-malware tool called XProtect, which – in version 10.6.0 – could protect a Mac against two (!) viruses (OSX.RSPlug and OSX.Iservice). Now, this tool (version 10.6.7) is able to find four viruses.

2010 – The Pinhead trojan was discovered. When installed, computer becomes remotely accessible. Disguise itself as iPhoto.

Also that year, the Boonana Trojan horse emerged as one of the latest threats for Mac OS. Boonana is a multiplatform trojan that spread via social media and email disguised as a video. Appearing as a link on social sites with the description “Is this you in this video?” it runs as a Java applet, which downloads its installer to the machine.

May 2011 – The fake antivirus MacDefender was discovered. It's a typical Cocoa application ( that installs itself into the /Application folder. Does nothing to the machine, but it wants your money (aka scareware). Spreads through Google Images.


Threat Research, Security News, Avast News