You've certainly heard people say that "Macs don't get viruses." And while it is generally true – most malicious software these days is not virus but other types of malicious software – Mac has a long history of malicious software attacks. Viruses, worms, Trojan horses; The Mac has seen them all. Here's an overview of the history of malware that has affected your Mac.
1982 – Elk Cloner
Even before the Macintosh arrival, Apple computers were affected by viruses. In fact, the Elk Cloner virus is considered the first computer virus to spread in the wild. Infecting Apple's operating system DOS 3.3, it was hidden in a game, and for the 50th time anyone played the game, the computer would display a poem. It infected the entire operating system and spread through floppy disks to other computers.
1987 – nVIR
The nVIR virus was first discovered in 1987, and it affected Macintosh computers running System 4.1 through 8.0. There were many strains of nVIR, and although not malicious, it was reproduced by infecting the system file and applications. It will either beep, or if MacinTalk was installed, let your computer say "Don't panic".
1988 – HyperCard virus
HyperCard was a development environment, released in 1987, that allowed users to create applications in "stacks" and distribute them to other Mac users. Shortly thereafter, viruses began to appear as infected HyperCard, spreading through stacks that users shared, especially on message boards. An early HyperCard virus showed a message supporting the US presidential campaign of Michael Dukakis.
Another, called MacMag, was an example of good intentions going wrong. It was written to MacMag magazine and was designed to display a message of peace when an infected computer was launched on March 2, 1988, and then deleted itself. Unfortunately, due to a bug in the virus code, it caused computers to crash when they were booted up before that date. It was also present on copies of the FreeHand app sold by Aldus, which caused the company to remember thousands of copies of their software.
Interlude – Disinfectant
With the increase in virus affecting Mac, John Norstad, of Northwestern University, created free antivirus disinfectant in 1989. The software was available online, on a variety of bulletin boards and archives with freeware, or you can send Norstad a floppy disk and a self-addressed stamped envelope for a copy.
Without commercial antivirus software available yet, Disinfectant was a must for people who downloaded software from message boards or who installed freeware and shareware from disks equipped with magazines. Norstad withdrew disinfectant in 1998 because the software failed to act on the growing threat of Microsoft Word and Excel macro viruses. At the same time, powerful commercial solutions were available and he could no longer maintain them adequately to ensure they were reliable.
1990 – MDEF and CDEF
Four strains of the MDEF virus were discovered in 1990 and 1991 in Ithaca, New York, and two strains of the CDEF virus were discovered in 1990, then in 1993. The author of these viruses became arrested shortly after the virus was discovered.
These viruses attacked applications and the system file, and could also infect documents and the Desktop file, which was an invisible file that was used on Mac OS before Mac OS X. None of the viruses were particularly harmful, but in some cases they could, damages applications and requires them to be reinstalled.
1995 – Word macro virus
Microsoft Office has a feature that allows users to write macros, or sets of commands to automate procedures. These macros can be stored in Word and Excel files and read when files containing them are opened. So if you send a friend or colleague a file containing a macro, their apps will read the macro. It doesn't necessarily run when you open a file, but some can.
In 1995, we began to see malicious macros that could not only damage your documents, or your Word and Excel applications, but could also cross the Mac-Windows barrier: they were the first truly malicious platform.
The first real macro virus found in nature was the Concept virus, which attacked Microsoft Word files. This was quickly followed by other variants, as virus writers saw the potential to do major damage through the ubiquity of this program. Later, macro viruses were written to exploit Microsoft Excel as well, although the Mac version of Excel first received macro support in 1998. In just a few years, thousands of macro viruses circulated in the wild, and was a serious threat; while less common now, thanks to the fact that Microsoft has added settings to prevent macros from running automatically, new macro viruses are still being detected.
1998 – AutoStart worms
In May 1998, the first worm to infect Macintosh computers was found. AutoStart spread rapidly around the world, and there were several variants of this worm.
This worm easily spread among Macintosh computers that had QuickTime's "CD-ROM AutoPlay" feature enabled. If an infected CD-ROM was read by the computer, the worm copied itself to the host computer, creating invisible files in different locations. These worms can cause serious damage, delete files, and corrupt data.
2004 – Renepo / Opener
The 2004 find of the Troep horse Renepo / Opener was a watershed for Mac malware. With Mac OS X, many changes made the Mac more resistant to malware. But Apple had to add more serious security features to Mac OS X to meet this challenge. Mac OS X 10.4 Tiger, released in April 2005, saw a number of new security features added to protect Macs.
This Trojan horse brought news around the world, and was even written in New Scientist, showing how Macs had become much more important than the previous decade.
2006 – Leap-A, or Oompa-Loompa
It was only a matter of time before a real Mac OS X virus was discovered. In 2005, Intego discovered Leap-A, or Oompa-Loompa, which spread through iChat over local networks via Bonjour. It required very specific conditions to spread and the impact was limited, but it showed that Mac OS X was not immune to sophisticated threats. Because the code had several errors, it was not very effective, but if it had been written more carefully, it could have been much more dangerous.
Interlude – 10 Years of Mac Malware, 2006 – 2016
Take a look at this infographic created by Intego in 2016, and summarize the malware threats that affected Mac for ten years after the discovery of Leap-A, or Oompa- Loompa.
There was a wide range of threats during this period, with Trojans, worms, fake security software (such as MacDefender) and more. Check out the infographic for more information.
2011 – Flashback
In 2011, Intego discovered Flashback, which was by far the most widely used Mac malware of the decade. Masquerading as a Flash Player installer, it installed software on Macs that could turn them into "zombies" as part of a botnet, affecting as many as 700,000 Macs over time. Hackers could access files and install software on infected Macs, and Macs are still infected with this malware.
2018 – Shlayer
Intego discovered Shlayer in early 2018. This Trojan horse masquerades as yet another Flash Player installer. Distributed on BitTorrent sites, this malicious software has not spread much, but it does have an interesting way of downloading additional software using shell scripts. You can learn more about Shlayer in section 28 of the Intego Mac Podcast.
Interlude – Flash Player
Flash Player was a target of Mac malware or many years. Not that the Flash Player app itself was targeted, but since users often saw alerts when they visited websites that used Flash and said they needed to update Flash Player, malware creators took advantage of this to create fake Flash Player installers.
Flash Player is being phased out and will be considered obsolete by the end of 2020. Do not install Flash Player and use the Google Chrome browser if you need access to Flash content since the browser has its own built-in version of the software. Update Chrome regularly, and you don't have to worry about Flash Player updates.
2019 – Linker and CrescentCore
Links appear to have been a proof of concept or test that attempted to exploit a vulnerability in macOS's Gatekeeper technology, which checks software for certain types of malware such as the Apple flag, or checking for the presence of a valid developer certificate. Intego found a number of samples, speculating that malware, although not in nature, was a test to see if it would be detected.
Another Flash Player Trojan horse, CrescentCore, tries to avoid antivirus detection using a sophisticated code. CrescentCore is widely distributed on file-sharing sites, but was also found on other sites that were near the top of some Google search results.
Learn more about Links and CrescentCore in Episode 88 and Episode 89 of the Intego Mac Podcast.
30+ Years of Apple Malware
This article only highlights over thirty years of malware affecting Apple computers; Many other types of malware have been discovered, most of which have little distribution in nature. Malware creators will not stop targeting Macs soon, and Intego remains vigilant, detecting new malicious software and ensuring that Intego VirusBarrier protects Macs.
About Kirk McElhearn
Kirk McElhearn writes about Macs, iPods, iTunes, books, music and more on his Kirkville blog.
He hosts Intego Mac Podcast and PhotoActive, and is a regular contributor to Mac Security Blog, TidBITS, and several other websites and publications.
Kirk has authored more than twenty books, including Take Control books on iTunes, LaunchBar and Scrivener.