It had to happen sooner or later. There's no glory in creating
Windows worms any longer - any script kiddie can do it,
and there are more holes in Windows than in a warehouse of Swiss
cheese.
No, someone finally wrote the first new Mac virus in nearly a
decade, the first one to specifically target OS X. Rumors lead us
to believe the malware was written by a disgruntled Windows
programmer at Microsoft who was sick to death of hearing how Macs
never got infected with viruses, worms, Trojans, and the like.
Or maybe it was just some hapless IT guy upset because one of
his clients switched from Windows to the Mac and no longer needs the
kind of support they did with the OS from Redmond.
Or maybe it was someone at one of the antivirus companies
upset that Mac users weren't buying enough copies of their antivirus
software.
Whatever, the Switchback virus exists, and it's
spreading like molasses in January.
Yep, that fast.
Switchback is one very clever virus, but it's having a hard
time distributing itself, so most of the world doesn't even know it
exists.
For a start, it can only infect Macs running OS X 1.2.5 or
1.2.6 (it's possible that 10.2.7 could be infected as well,
although we haven't heard about infections from any G5 owners yet). So out of 25-30
million Mac users, maybe 7-8 million tops are using the right
version of OS X.
Then they have to be using Safari 1.0 and visit a site
displaying affiliate ads for XGeeks.com. Although these ads are
presented as linking to a hot new mail order company
specializing in OS X, that's just a cover. Their prices are just
high enough to keep people from ordering, but the commission rate is
enough to get every Mac webmaster interested enough to sign up for the
program.
The ads aren't simple animated GIFs; they're JavaScript
programs that install an AppleScript on the user's OS X
Macintosh. When this AppleScript is run (it autoruns a few minutes
after startup), it accesses your Address Book through Mail and
sends itself to the first 100 users who have "mac" somewhere in their
email address. The email offers recipients a 15% discount on
their first order through XGeeks.com.
That's the clever part. They try to target just Mac users, and when
they visit the XGeeks site, they get infected - assuming they're
running the right version of OS X and Safari 1.0. And Switchback
then propagates itself again, assuming the visitor has Mail configured
on their computer.
Considering the size of the OS X installed base, the number of
Safari 1.0 downloads, and the number of OS X users who use Mail
rather than something else, we estimate that this virus could
potentially infect 5,000 to 20,000 users. And it could take
months to reach that level, since OS X users don't restart nearly
as often as Windows or classic Mac OS users.
It's only a start, but this is the first OS X virus
ever, so everyone should try to get their hands on a copy to see
what makes it tick. The next X-virus might actually do something
malicious. Consider Switchback a proof of concept that almost sorta
works.
Of course, with the latest Windows worm on the rampage, nobody
but the Lite Side staff has even noticed
Switchback.
And why is it called Switchback? Because when you read the source
code, the first comment calls on OS X users to give up their
nonconformity and switch back to Microsoft Windows.