Doomsday

Well, at long last, here we are. There now exists a piece of malware for Mac OS X that is sufficiently distributed that Apple has issued a K-Base on it.

This is a tough one to deal with, because it takes the proof-of-concept malware from five or six years ago and adds social engineering. Basically, to catch this, you have to:

1) Get a popup on your browser saying “YOU HAVE A VIRUS, CLICK HERE TO DOWNLOAD MACDEFENDER” or similar.

2) Actually click on it.

3) Actually GIVE IT YOUR ADMINISTRATIVE PASSWORD.

4) Actually TYPE IN YOUR CREDIT CARD INFO.

This is barely malware, people. This is practically the goddamn Amish Computer Virus. It relies entirely on social engineering, and it puts Apple in a tough spot: if this goes big, it will encourage people to think they need virus protection on their Mac…which in turn makes them more likely to succumb to the malware if they do run into it.

Once again, the problem is that Apple has made a computer that anyone at all can use…and that’s the chance you take. Plenty of people out there bought a Mac because they thought “it doesn’t get viruses” – and yet the first time a popup tells them they have a virus, they will believe the popup to the exclusion of ten years of history. But this is more likely to get traction because rather than taking advantage of a zero-day exploit or the kind of unified vulnerability that the Outlook/Exchange/IE monoculture gave us, it relies on human stupidity – a bottomless natural resource that can be easily replenished with unskilled labor. And all you need to know to prove it is that the problem is almost unheard of in corporate or otherwise-organized environments…but crops up daily at the Genius Bar.

Ah well. Still sufficiently bulletproof that if I could only have one computer to use for everything, it’d still be a 13″ i7 MacBook Pro. If this is the state of the art for Mac malware? COME AT ME, SON.
