Free Republic

To: for-q-clinton

13 posted on 04/24/2012 7:36:19 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)


To: for-q-clinton

Rather deceptive graphic. It says “Top Mac OSX malware found on Mac computers”...

Sophos 7-day snapshot of 100K Macs... What it appears to try to say is that 100% of Macs have malware... and the chart is breaking that down by the kind of malware. Yet it gives no information about where or how this “snapshot” was obtained... is it a blind guess in the dark? What 100K machines? Are they machines that are running the latest version of OSX with all updates? Or are these machines running older versions of the OS (that likely don’t have any patches)? Also - it doesn’t say infected, which would imply code that is active.

As I seriously doubt that Sophos has a Mac farm with 100K machines to test... where do they get this information? Are there 100K Macs with Sophos software installed?

I am looking for empirical data. Not guesses based on rumors and he-said, she-said or big claims by a company that has LOTS to gain by reporting such “findings”.


71 posted on 04/24/2012 1:15:01 PM PDT by TheBattman (Isn't the lesser evil... still evil?)

To: for-q-clinton

for-q-clinton, the OSX/FakeAV is the Mac Defender scareware that was sent out last year... a dead issue. It was also sent out as an email... under the false impression from its authors that, like Windows, it would be auto-run from the Apple Mail app. It could not. Hell, I have some of those emails on my computers... they are laughable. If I click on them, the System warns me they are a Trojan. That accounts for 17.8% of the “found” malware. Enough said.


77 posted on 04/24/2012 4:10:19 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: for-q-clinton

Let's look at RSPlug Trojan now... the one accounting for 5.5%... WOW that one is really scary for us Mac users... here is what Symantec says about it:

Discovered: October 31, 2007
Updated: November 2, 2007 7:14:05 AM
Also Known As: OSX/RSPlug-A [Sophos], OSX/Puper [McAfee]
Type: Trojan
Infection Length: Varies
OSX.RSPlug.A is a Trojan horse that runs on Macintosh OS X and changes the DNS settings on the compromised computer.

For further information please read: The Double Attack: Windows Attack and now also Mac Attack

Antivirus Protection Dates

Initial Rapid Release version October 31, 2007 revision 051
Latest Rapid Release version April 17, 2012 revision 007
Initial Daily Certified version November 1, 2007 revision 003
Latest Daily Certified version April 17, 2012 revision 019
Initial Weekly Certified release date November 7, 2007

Threat Assessment

Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage
Damage Level: Low
Payload: Modifies the DNS settings on the compromised computer.

Distribution
Distribution Level: Low

Writeup By: Stuart Smith

Did you NOTICE the "Number of Infections"? ZERO to 49? That was true because the number in the wild was actually ZERO! None were ever found to have infected a Mac in the Wild... it existed in the wild, but it DID NOT WORK! That takes care of this one... they find it in emails... but it simply DOES NOT WORK... and in fact, it would have only worked, if it did, on PowerPC Macs...

84 posted on 04/24/2012 4:55:54 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: for-q-clinton

As for Trojan/OSX/JahLev, this was a "Yes, With Love" Trojan candidate that was SENT to F-Secure labs as a proof of concept back on November 26, 2008... and was NEVER seen in the wild. No other AV site ever saw it. It never worked and the JAHLEV website it supposedly linked to never had any "malicious files" or any other files ever on it. In fact, Symantec does not even have a listing for it. The only thing found on searches on Macs are mentions of it in files, which are removed... for safety purposes. The actual "trojan" is about 400 bytes in length and was considered a joke at the time. IT is a joke... strange that Sophos finds it on 1.2% of Macs scanned. The other 0.4% are old stuff that literally doesn't pose a threat.

I've already covered WHY the 75.1% hit of the OSX/Flshplyr gets seen at all now... because Sophos disables the built-in Apple anti-Trojan software to see anything at all!

85 posted on 04/24/2012 5:10:54 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
