Viruses? On Macs? Really?

By Mark Webster
Herald online · 18 May, 2011 12:30 AM · 7 mins to read

Sophos Labs. Photo / Mark Webster


Shows you how us Mac users, perhaps, have had our heads in the sand as far as malware goes. I went to the headquarters of Sophos in Oxford, England to talk about viruses, having had a great chat with the firm's Graham Cluley the week before.

I couldn't believe it. Naively, I expected an office with 30-odd people in it working on antivirus and malware solutions (Sophos has a 25-year track record of enterprise solutions in the non-Mac sphere). What I found was a large, glassy several-storey structure housing hundreds of people. And it's the third building the firm has owned (having purpose-built this one) in Abingdon, Oxford.

I was welcomed by Sarah and introduced to Mark Harris for a run-through of their business and to learn more about the Apple Mac malware that surfaced recently.

Mark Harris joined Sophos from McAfee where, since 1997, he held the positions of director of engineering, chief software architect and senior development manager. Harris was responsible for a 30-strong team covering multiple sites, including the UK, India and Canada.

At Sophos, Harris leads the team of experts based in the UK, the US, Canada and Australia. This team issues 24-hour protection in order to ensure its customers' networks automatically detect and block new threats. Harris also manages proactive technology development, including Sophos's Genotype detection technology, which uses forensic analysis to identify suspicious patterns and characteristics unique to either a virus family or a spam campaign. Sophos reduces exposure to new threats and unwanted content by constantly analysing these Genotype patterns, along with other indicators.

The team in England hands off to Vancouver in Canada after eight hours and they, in turn, hand over to the Sydney team, and after eight hours this Australian team hands back to the UK staff as they arrive at work. This means boffins are constantly mining and monitoring the worldwide data stream around the clock for trends, new viruses, malware, illicit access attempts and spam.

"And we oversee all of those things together, in one team." Harris believes this process gives Sophos a competitive overview across the entire malware scenario.

We sat in the control room of the large, restricted-access lab - it has two 100MB pipes feeding data in and out. Harris has 80 staff globally - 30 here in the UK, 30 in Canada, a few at a small branch in Boston (US) and the remainder in Sydney. Tech support is all handled by Sophos directly.

Automation plays a big role in Sophos' corporate and institutional work. They tweak embedded solutions remotely, aiming to cope automatically with new threats without troubling IT administrators on site. The Sophos labs constantly monitor and block spam - currently, over 35 million URLs are actively being monitored across the globe.

Sophos has web crawlers looking for unconventional and threatening code, plus technical partnerships (most of which are secret) to help in the constant vigilance required. Creepily, most viruses these days (virtually all) aren't even made by computer nerds. They're made with kits - 'Zeus' being prevalent - that you buy, and they can automatically churn out variants, which is why Sophos developed its 'Genotype' identification system.

I likened the Oxford lab to a war room, but Harris didn't endorse the analogy. But it really did seem to me they were battling unseen forces. Harris outlined the problem. They identify 90,000-95,000 new and unique pieces of malware and find 16,000-18,000 newly infected web pages each day. That's a rate of one every four seconds. (There had been 87 noted in New Zealand between the 1st and the 12th of May.)

The people in Sophos Labs who filter and monitor the data come from all different backgrounds - not just computer science, but also from maths, science and even the arts fields at universities. "They're my geniuses", says Harris fondly, waving an arm at them.

Until now, Sophos had been aware of Macs around the world passing on damaging code to PCs in mixed environments, noting a steady rise of this instance as Mac sales increase and mixed environments proliferate. In other words, your Mac can pick up code that will not affect your Mac, but when your PC-using colleague gets it from you, they're in trouble - and they may, in turn, perceive no threat as it was passed from a Mac user.

An infected page might show a bogus ad or pop-up. Clicking on it can route you through as many as five or more countries before the payload (malware) ends up on your PC.

He showed me a typical scam. A web page might say malware has been detected on your PC (it hasn't) and would you like to scan for infections? Of course, you click yes. A 'scan' ensues - this is actually just a video running in JavaScript with a progress bar. No scan has been undertaken. Whatsoever. In effect, you're looking at a mockup, in video-clip form, of what a scan might look like.

Inevitably, it will 'detect' a virus (remember, it's a preset video clip). Would you like to buy a solution? Of course! Typically, this might cost £79 - about NZ$160. You put in your credit card details. Thanks, thinks someone in Russia, South Korea, Australia, taking your money. No solution changes hands (it wasn't needed anyway). This, happening even a few times per day, can make a very tidy living. Worse, your credit card details often then get on-sold to other shady characters, perhaps many times ... and over 90 per cent of websites that might put you through this routine are actually legitimate sites that have been compromised by villains, due to ineffective or outdated server-side security, bad passwords and the like. (Sophos calls this 'SSP' - Server Side Polymorphism.)

Of course, viruses have not afflicted Macs for many blissful years (although the video will still play on web pages displayed on Macs, so some Mac users, particularly perhaps new users or switchers, have actually fallen for this).

But this has all been the thin end of the wedge. Tailoring such a scam to Mac users has been inevitable as Mac sales have increased. The word getting out (should that be 'clarion call'?) that there is Mac malware at large plays right into the hands of anxious Mac users, as the latest problem for us is malware disguised as 'Mac Defender' and variants - software designed to cope with malware on Macs.

It's not - Mac Defender is the malware.

Once the fake anti-virus is downloaded onto your Mac (this has been a PC threat for years already), the software scares you into believing your system is infected with threats that do not exist, and pushes you to purchase services to clean up these non-existent threats. The fake AV continues to send annoying and intrusive alerts until a payment is made.

Sophos has posted an assessment of the Mac threat here.

But a Mac solution to Mac Defender has been adapted from tried and true technologies developed by Sophos (I noticed several Macs around the place). But I asked why Sophos had made a free Mac anti-virus solution at all, with its long history of PC and corporate IT work.

"We think that the rise of iDevices poses several security risks. We are working on iOS security solutions already. We are also aware that institutions require a certain level of security compliance before popular iDevices can be used in these enterprise environments, and that's another aspect we are working on.

"So, essentially, we built Sophos Anti-Virus for Mac Home Edition to help raise consciousness in the Mac world about the work of Sophos."

I have installed it myself. You can get it from here (and it is absolutely legit!).

After you install it, make sure it's set to update automatically, to benefit from Sophos' 24-hour vigilance.

Sophos already has an iOS app out, free, BTW. Sophos Security Threat Monitor is designed for system administrators to identify where threats are coming from, but something of more general use will be released any time now.

So, an interesting day. And this time had to come.

And when I left, the extremely helpful receptionist had printed out the instructions on how to find the Anglo-Saxon horse carved into the hillside nearby. Nice!

- Mark Webster mac-nz.com
