Rare, but Real, Apple Mac OS X Virus Discovered

It’s not true that Macs don’t get malware, but it is true they don’t get viruses — at least not in the wild.

In the lab is another matter. For perhaps only the second time, a security researcher has managed to create a genuine Mac OS X virus, one that needs the presence of a host file to exist and to replicate itself.

Embarrassingly for Apple, the new virus, called “Clapzok.A,” uses the same executable-file infection technique that an earlier Mac OS X virus did in 2006: it rewrites the program files already on disk. That means the technique has gone unaddressed for seven years.

“When the virus is executed, it looks for other 32-bit executables (either Windows, Linux or OS X native and FAT binaries) to replicate itself,” said Peter James of the French anti-virus firm Intego, which specializes in Apple security, in a company blog posting.

Pseudonymous hacker JPanic created Clapzok.A by taking an old proof-of-concept virus he (or she) had created for Windows and Linux systems and re-engineering it to infect Macs as well.

JPanic apparently studied the earlier Mac OS X virus, called MachoMan or Macarena, and added that virus’s workings to his own.

Clapzok.A is written in assembly language, which is only a step or two removed from the actual binary code computers run. The virus is designed more for a certain kind of processor — in this case, the classic 32-bit Intel architecture — than for a specific operating system, which is why the same code can target Windows, Linux and OS X executables.

Clapzok.A won’t infect software written for 64-bit processors, although most 64-bit machines run a mixture of 64-bit and 32-bit software, and a “FAT” (universal) binary can carry a 32-bit slice alongside a 64-bit one. Because Clapzok.A alters the code of the software files it infects, the file no longer matches its digital signature or any other recorded checksum, so signature- and integrity-checking programs like Mac OS X’s Gatekeeper can refuse to run infected files.
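As an added illustration of the two points above (which files a 32-bit infector of this kind would select as hosts, and why altering a host file makes it detectable), the following Python is example code written for this article, not code from Clapzok.A, Intego or the researchers quoted. It parses the real Mach-O, FAT, ELF and PE header fields that identify a 32-bit x86 executable, and then shows a hash baseline catching a modified host. The sample “binaries” are constructed inline from header bytes only; the appended bytes that stand in for an infection are a placeholder, not the virus’s actual code.

```python
"""Select 32-bit x86 executables the way a Clapzok-style file infector would,
then detect a modified host with a hash baseline.  Added example; the sample
files below are constructed headers, not real programs."""
import hashlib
import struct

# Mach-O constants from <mach-o/loader.h>, <mach-o/fat.h>, <mach/machine.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE                      # universal-binary header, always big-endian
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = CPU_TYPE_X86 | 0x01000000  # CPU_ARCH_ABI64
# ELF (e_machine) and PE (IMAGE_FILE_HEADER.Machine) constants
EM_386, EM_X86_64 = 3, 62
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x014C, 0x8664


def macho_arches(data):
    """Return [(bits, cputype)] for every architecture slice in a Mach-O/FAT file."""
    if len(data) < 8:
        return []
    be, le = struct.unpack(">I", data[:4])[0], struct.unpack("<I", data[:4])[0]
    if be == FAT_MAGIC:                       # FAT: walk the fat_arch table
        nfat = struct.unpack(">I", data[4:8])[0]
        found = []
        for i in range(nfat):
            cputype, _sub, off, size, _align = struct.unpack(">IIIII", data[8 + 20 * i:28 + 20 * i])
            found.extend(macho_arches(data[off:off + size]))
        return found
    if le in (MH_MAGIC, MH_MAGIC_64):         # little-endian Mach-O (x86)
        endian, magic = "<", le
    elif be in (MH_MAGIC, MH_MAGIC_64):       # big-endian Mach-O (PowerPC)
        endian, magic = ">", be
    else:
        return []
    cputype = struct.unpack(endian + "I", data[4:8])[0]
    return [(64 if magic == MH_MAGIC_64 else 32, cputype)]


def is_32bit_x86_target(data):
    """True if a 32-bit x86 infector would see a usable host: a 32-bit x86 Mach-O
    (native or a slice of a FAT binary), a 32-bit x86 ELF, or an i386 PE."""
    arches = macho_arches(data)
    if arches:
        return any(bits == 32 and cpu == CPU_TYPE_X86 for bits, cpu in arches)
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
        machine = struct.unpack(endian + "H", data[18:20])[0]
        return data[4] == 1 and machine == EM_386  # EI_CLASS: 1 = 32-bit
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack("<I", data[0x3C:0x40])[0]  # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 6:
            return struct.unpack("<H", data[pe_off + 4:pe_off + 6])[0] == IMAGE_FILE_MACHINE_I386
    return False


# --- constructed sample files (headers only, padded with NOP/zero bytes) ---
def macho32(cputype=CPU_TYPE_X86):
    # mach_header: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags
    return struct.pack("<7I", MH_MAGIC, cputype, 3, 2, 0, 0, 0) + b"\x90" * 16

def macho64():
    # mach_header_64 adds a trailing reserved field
    return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 0, 0, 0, 0) + b"\x90" * 16

def fat(*slices):
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    first = 8 + 20 * len(slices)
    table, body = b"", b""
    for s in slices:
        _bits, cputype = macho_arches(s)[0]
        table += struct.pack(">IIIII", cputype, 3, first + len(body), len(s), 12)
        body += s
    return header + table + body

def elf(bits, machine):
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1, 0]) + b"\0" * 8
    return ident + struct.pack("<HHI", 2, machine, 1) + b"\0" * 32  # e_type, e_machine, e_version

def pe(machine):
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew points right past the DOS header
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

SAMPLES = {
    "app32": macho32(), "app64": macho64(), "appfat": fat(macho32(), macho64()),
    "tool32": elf(32, EM_386), "tool64": elf(64, EM_X86_64),
    "prog.exe": pe(IMAGE_FILE_MACHINE_I386), "prog64.exe": pe(IMAGE_FILE_MACHINE_AMD64),
}

def targets(files=SAMPLES):
    """Names of files the infector would pick as hosts."""
    return sorted(name for name, data in files.items() if is_32bit_x86_target(data))

def baseline(files):
    """Record SHA-256 of every file, as an integrity checker would before infection."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def modified_since(files, base):
    """Files whose current hash no longer matches the baseline."""
    return sorted(n for n, d in files.items() if hashlib.sha256(d).hexdigest() != base.get(n))

def demo_tamper():
    base = baseline(SAMPLES)
    after = dict(SAMPLES)
    after["app32"] = SAMPLES["app32"] + b"\xCC" * 8  # placeholder for appended virus code (simulated)
    return modified_since(after, base)

if __name__ == "__main__":
    print("32-bit hosts:", targets())       # ['app32', 'appfat', 'prog.exe', 'tool32']
    print("changed files:", demo_tamper())  # ['app32']
```

The FAT case is the one worth noting: a universal binary that a user thinks of as “64-bit” still contains a 32-bit slice, and it is that slice the infector can patch. The hash check is the principle behind Gatekeeper’s signature verification reduced to its simplest form; a real deployment would sign or store the baseline somewhere the infector cannot rewrite.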

Several pieces of malware have attacked Mac OS X in recent years, but none have been true viruses. Instead, most have been Trojans — malicious applications that need to deceive humans into running them — or worms, small pieces of stand-alone software that spread on their own.

True computer viruses mimic biological viruses. They can’t exist outside an infected file, and they hijack the workings of those infected files to infect still more files.

But because viruses were the first kind of computer malware to get widespread attention, “virus” in non-technical usage tends to mean any kind of malware. Of course, modern anti-“virus” software is built to detect and remove other forms of malware as well, not just viruses.

Even though Clapzok.A is only a proof of concept, malicious hackers could copy its methods and create a truly malicious Mac OS X virus to release into the wild.

“It is good to see some movement in the OS X virus arena,” said another pseudonymous security researcher, Fractal Guru, in his analysis of Clapzok.A. “It can finally shake up things and call for attention that it is not a safe platform as most people want to believe in.”