Monday, February 10, 2014

New Trojan.OSX.CoinThief.A;
New Anti-Malware Effectiveness Test Results

--


Thomas Reed has tested and described a new Mac Trojan horse named Trojan.OSX.CoinThief.A. You can read his analysis here:

New CoinThief malware

CoinThief.A was first reported by SecureMac here:

New Apple Mac Trojan Called OSX/CoinThief Discovered
+ + +

The Safe Mac's Anti-Malware Tests

Also of interest at Thomas's 'The Safe Mac' site is his recent article:

Mac anti-virus testing 2014

Thomas tested 20 anti-malware programs, from free to paid, against 188 Mac malware samples and compared the results. If you're looking for the best options in Mac anti-malware, his article is an excellent place to start.

I was pleased to see that Intego's Virus Barrier topped this list. It remains my favorite of the paid anti-malware applications for both usability and the dedication of their staff to Mac security. But I must point out that Sophos' free single-user anti-malware application did very well. Sophos also remains dedicated to Mac security.

I continue to be disappointed that the ClamAV project doesn't take Mac security entirely seriously. Everyone involved with ClamXav has done and still does their utmost to get every possible Mac malware signature into ClamAV, several times over. That includes Mark Allan and friends, such as Thomas Reed and myself. *sigh*


--

Security Spread's Anti-Malware Tests:

For further details, here is a whopping huge chart of various anti-malware applications versus specific malware samples, both inert and active:

http://securityspread.com/detection-rate-results/


If you're going to pour over their most recent testing chart, I suggest downloading its PDF first as it can be very annoying to read via web browsers.

I find some of the samples in Security Spread's testing to be unusual if not silly. For example, the 'Opener' script was never anything but a concept. It never qualified as actual malware. The list also offers no malware strain delineation. Then there's the inexplicable inclusion of anti-malware application MacKeeper, which I would never recommend as an option due to their predatory, deceitful marketing strategies as well as consistent reports of it being more deleterious than helpful to Mac usability. As usual, it pays to shop around and compare malware lists, test results and the reputations of the folks doing the testing.

Anyway, it's good to see Intego's Virus Barrier again was at the top of the list in Security Spread's testing.


--

Malware Lists:

Of slight interest, here is Security Spread's rendition of the history of Mac malware:

http://securityspread.com/history-of-mac-malware/

This list is by no means complete! The list of Mac OS (pre-Mac OS X) malware is worthless. Nearly 50 malware are missing. (o_0) Many of the listed OS X era malware were mere proof-of-concept malware, never found in the wild. Again, there is no listing of malware strains is provided. Their naming protocol for malware is incomplete and provides no transmission vector indication. And so forth. But it's a list of sorts and is therefore sort of useful. 

 Thomas Reed provides his own list of OS X malware at his 'The Safe Mac' website:

http://www.thesafemac.com/mmg-catalog/

I keep my own personal list of OS X malware, but it too is not perfect. I keep it in order to have a historical count of Mac malware as well as to provide a file system where I can store related malware articles as I find them. However, I've discovered that posting such a list is beyond the intentional scope of this blog, so I no longer bother to collate it for public viewing. Instead, Thomas Reed and I share notes and I leave the public list maintenance to him. (Thank you Thomas!)

Another drawback about such lists is that, with time, malware becomes inert on various versions of OS X. For example, anyone with OS X 10.6.8 and above has Apple's XProtect system installed as part of the system. XProtect has made a vast variety of OS X malware inert. This means that for those versions of OS X, there's very little active malware in the wild. The only reason I posted this article about CoinThief.A is that XProtect has not yet (as of this moment anyway) been updated to identify it on Mac systems. CoinThief.A and the newly discovered Crisis.C would literally be the only two OS X malware on any up-to-date active Mac malware list at this moment. Therefore, I prefer simple blog posting alerts about new malware.

Bored yet? I find this stuff interesting. Be glad I don't dump the gory details on you. Some of that stuff puts me to sleep. Happy dreams ~ ~ ~

:-Derek
--


[Credits: The creepy hand used in the Bitcoin graphic I concocted is by ze ice. The original can be found here:

No comments:

Post a Comment