Intego VirusBarrier X5 10.5.5 Improves Scan Performance and Includes Other Enhancements

Intego today released an update to VirusBarrier X5, its acclaimed antivirus for Mac. This update improves performance in a number of areas and fixes bugs. All VirusBarrier X5 users should install this free upgrade using NetUpdate, Intego’s software update tool.

Read the full press release.

Posted by Peter on November 26th, 2008 in Intego Software, Security | Permalink

Apple Recommends Antivirus Software

Apple has issued a technical note about Mac antivirus software, and, for the first time, suggests that Macs need such software. The note says: “Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.” The note then goes on to mention three antivirus programs, with Intego VirusBarrier X5 listed first.

It is worth noting this, since Apple, especially in its recent “Get a Mac” ads, has always publicly tried to ignore the threat of malware to Macs, as well as other security issues. We can only applaud the fact that Apple has chosen to recognize that Macs face security risks and that they require protection.

Update: It turns out this wasn’t the first time that Apple had made this statement. The original web page was posted in June, 2007, and was only updated on November 21. But Apple has since pulled the page, saying it was “old and inaccurate”…

Posted by Peter on November 25th, 2008 in Apple, Intego Software | Permalink

Apple Updates iPhone and iPod touch with Security Fixes

Apple has released software version 2.2 for the iPhone and iPod touch, containing additions to the Maps application, and the ability to download podcasts directly to the device. In addition, this 250 MB update contains a dozen security fixes, covering Safari, networking, the Office viewer, the Passcode lock and more. You can get this update via iTunes when you connect your device; click the Check for Updates button.

Note: if the update is not available, make sure to check Software Update and install the new version of iTunes first.

Posted by Peter on November 21st, 2008 in Apple, Security, iPhone | Permalink

Microsoft “Morro”: Free Malware Protection for Windows, Coming Soon

Yes, you’re in the right place: this is still the Mac Security Blog. But a recent announcement from Microsoft is so important for the overall security industry that we felt it necessary to offer some thoughts.

This week, Microsoft announced a new, free anti-malware service for Windows. Codenamed “Morro”, this new service “will provide comprehensive protection from malware including viruses, spyware, rootkits and trojans.” Microsoft said that “This new solution, to be offered at no charge to consumers, will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs.” This suggests that Morro may eventually be adapted to platforms other than PCs: netbooks, OLPCs, and perhaps even smartphones in the future.

Morro is due to replace Windows Live OneCare, a subscription service that Microsoft launched in 2006. Windows Live OneCare combined “antivirus, anti-spyware and firewall software with backup features and several tune-up tools for Windows PCs.” When it was released, it shook up the Windows security market by offering a radically lower price for such a service: at $50 a year, Windows Live OneCare undercut other Windows security vendors’ packages, which were averaging around $120 to $130, though the latter included additional services. Now, most Windows security prices have aligned with Microsoft’s price.

But the question is how these companies - Symantec, McAfee, Trend Micro, Kaspersky, etc. - will compete with free. One article points out that the major security vendors’ share prices dropped sharply after the announcement: “Symantec shares fell 9.44 percent to $11.23, while McAfee’s dropped 6.62 percent to $26.68.” This said, with the current bear market, it’s hard to tell how much of this drop was caused by the Microsoft announcement and how much was caused by the broader sell-off.

But beyond the profit-and-loss possibilities, what implications does this have for the broader security market? First, Microsoft has made a bold statement, suggesting that in order to ensure that Windows users be secure, Microsoft has to do the work. Offering this service for free is also a way of saying that security is both a right and a responsibility, so the more than 50% of consumers who are unprotected will no longer have a reason to remain so. It’s like vaccinations; society in general benefits when everyone is healthy, and Microsoft plans to give out the shots for free.

While Morro won’t be part of Windows, its release date - second half 2009 - corresponds with the likely release date of Windows 7, and it will fit perfectly with the new operating system. Microsoft will be able to tout the new operating system and its free security service together.

Whatever the results for Morro, it is clear that the Windows security industry - at least the divisions that deal with products for consumers - is going to have to rethink its strategy. Competing with free requires a premium product or service that has enough value added to convince consumers to pay extra. While Morro may be enough for most users, security vendors will have to come up with more innovative products to get users to pay.

Microsoft’s recent move has changed the entire security industry, and time will tell just how well Morro is accepted. Windows users are probably starting to think about saving money, and security vendors are back at the drawing board, looking for new ways to sell their products. With all this in mind, I’ll be one of the first to remove the antivirus software I currently use on my Windows installation and install Morro. We wish Microsoft, and Windows users, well in this new venture.

Posted by Peter on November 21st, 2008 in Security | Permalink

Sophos Just Can’t Get Things Straight About This Week’s Malware

We know it can be confusing when two pieces of malware are reported in one day, but it’s especially annoying to see another security vendor, Sophos, get things wrong. On a Sophos blog, one Graham Cluley claims that the malware that Intego calls OSX.TrojanKit.Malez, which other vendors are calling OSX.Lamzev.A, is a variant of the RSPlug Trojan Horse.

We issued two security memos this week: the first was about a variant of the RSPlug Trojan Horse, which exhibits some new characteristics, such as downloading its payload, which allows for that payload to be changed. The second is about a low-risk hacker tool that can be used to create Trojan horses. It is this latter that we are calling OSX.TrojanKit.Malez, and that other vendors have called OSX.Lamzev.A. This hacker tool has nothing to do with the RSPlug Trojan horse.

Intego discovered the OSX.TrojanKit.Malez back in August, but didn’t publicize it, because the risk is low. We released a security memo this week when we saw another vendor claiming that it was a Trojan horse, which it is not. Let’s hope that Sophos can figure this all out and get its naming straight.

Update: Thanks, Sophos, for issuing a correction.

Posted by Peter on November 20th, 2008 in Security | Permalink

Intego Issues Security Memo About a Hacker Tool that Can be Used to Create Trojan Horses

Reports have been circulating about a new Mac “malware” or “Trojan horse”, usually under the name “OSX.Lamzev.A”, which is claimed to open a back door on compromised Mac OS X computers. Intego discovered this hacker tool in August 2008, and determined that it was not a serious threat. Unlike true malware and Trojan horses, OSX.TrojanKit.Malez requires that a hacker already have access to a Mac in order to install the code. To date, no Trojan horses or other means of replication have been found in the wild using this tool. In spite of recent reports, this represents no serious threat to Macintosh computers.

This hacker tool can be used to create a “backdoor” on a Mac OS X computer. This backdoor then gives a hacker remote access to the computer. The code is added to an unsigned third-party application that is installed manually on a Mac, and, when the application is run, the backdoor is activated. It creates a file named com.apple.DockSettings in ~/Library/LaunchAgents, and the backdoor is launched at each login. The binary of the original application is placed in ApplicationName.app/Contents/MacOS/2, and the binary of the backdoor is found in ApplicationName.app/Contents/MacOS/1. The tool modifies the application’s Info.plist file so it points to the latter location.

There are therefore only two modes of transmission of this hacker tool: the first is if someone sends another user an infected application, either in a .zip archive or a disk image, and the second is when a hacker obtains network access to a Mac and replaces an existing application with an infected version.
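The file locations described above can be checked for directly. The following is an added example, not code from Intego or from the security memo: it looks for the LaunchAgent file and for application bundles with the 1/2 binary layout. It assumes that "points to the latter location" means the `CFBundleExecutable` key is set to `1`; the function names and the sample tree are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

AGENT_NAME = "com.apple.DockSettings"   # LaunchAgent file name given in the memo

def check_launch_agents(home):
    """Return LaunchAgent files in this home directory whose name matches the memo."""
    agents = Path(home) / "Library" / "LaunchAgents"
    if not agents.is_dir():
        return []
    # Prefix match so a ".plist" suffix is also caught (assumption, not from the memo).
    return sorted(str(p) for p in agents.iterdir() if p.name.startswith(AGENT_NAME))

def check_app_bundle(app):
    """Return the reasons an .app bundle matches the layout described in the memo."""
    macos = Path(app) / "Contents" / "MacOS"
    reasons = []
    try:
        with open(Path(app) / "Contents" / "Info.plist", "rb") as fh:
            executable = plistlib.load(fh).get("CFBundleExecutable")
    except Exception:
        executable = None            # missing or unreadable plist: nothing to compare
    if executable == "1":            # assumed meaning of "points to the latter location"
        reasons.append("Info.plist launches Contents/MacOS/1")
    if (macos / "1").is_file() and (macos / "2").is_file():
        reasons.append("binaries named 1 and 2 in Contents/MacOS")
    return reasons

def build_sample_tree(root):
    """Constructed sample data: one bundle laid out as described, one clean bundle."""
    root = Path(root)
    for name, exe, files in (("Bad.app", "1", ("1", "2")), ("Good.app", "Good", ("Good",))):
        macos = root / "Applications" / name / "Contents" / "MacOS"
        macos.mkdir(parents=True)
        for f in files:
            (macos / f).write_bytes(b"")
        with open(macos.parent / "Info.plist", "wb") as fh:
            plistlib.dump({"CFBundleExecutable": exe}, fh)
    agents = root / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    (agents / AGENT_NAME).write_bytes(b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        print(check_launch_agents(root))
        print({a.name: check_app_bundle(a) for a in sorted((root / "Applications").glob("*.app"))})
```

On a real system, pass each user's home directory to `check_launch_agents` and each bundle under the application folders to `check_app_bundle`; a match on the layout alone is a lead to inspect, not proof of tampering.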

Read the full security memo.

Posted by Peter on November 20th, 2008 in Security | Permalink

Copyright © 2007-2008 Intego