Harden your Mac against malware attacks

Last Modified: Jul 12, 2013 7:28 PM

Hello and welcome to my User Tip



See this here for the latest Security Issues


Security Issues Warning List





"Do I need to run anti-virus/anti-malware software on a Mac?"


Apple now builds anti-malware into OS X 10.6.8 and later, so there is no need to install anti-virus software. Third-party anti-virus was never very good at catching the rare malware Macs do get anyway; Apple acts fast and has the benefit of Software Update and background checks.


Third-party anti-virus tends to cause issues when Apple issues OS X updates, so installing it is not advised.


If you need something to clean Windows malware out of Windows files, I suggest installing the free ClamXav, which you run only as you need it.





Warning about online banking:


No computer or device is 100% secure, even Macs (especially older versions), but they are a lot more secure than Windows machines, depending upon usage. There is a small amount of malware targeting Macs, mainly drive-bys and Trojans, so take some precautions in that regard.


As with gambling, do not deal with amounts online that you're not willing to risk losing.


Your bank will NOT issue a refund if a loss occurs; what happens on your machine is outside their responsibility. As far as they know, you transferred all your money to another bank and then withdrew it all, or worse, they can claim you had an accomplice. So you can see their position on why they don't issue refunds: they would be scammed by many people, often.


It's rather easy to set up a secure savings account holding the more substantial funds and use a more accessible online/checking/debit account with less in it, transferring some from one to the other occasionally (but not via online banking, of course), with either no or very limited overdraft protection, so that the less secure accounts exposed to the world only ever hold what you are willing to lose.


Entire bank accounts have been drained by hackers, the money wired overseas and withdrawn before the thieves are caught (if they ever are) or before anyone even knows it occurred. If the hack occurs on your machine there is little recourse; the government is swamped, you may get little or nothing back, and you will certainly be without the money for quite some time even if they do manage to get it stopped in time.


Is that really worth risking for the convenience of online banking?


Take some precautions: separate your funds, increase the security on, and reduce or eliminate outside electronic access to, accounts holding larger amounts, and only gamble online, at ATMs and with debit cards, checks etc. with what you're willing to risk losing.


Don't completely buy the banks' online banking game; they love pushing it because it reduces their costs at the expense of your security. It can be used, but use it WISELY.


See this:






Hardening your Mac and yourself to prevent future attacks



In the military there is a form of security called "compartmentalized security". Basically it's about not allowing anything to have access to everything, but rather placing more barriers, "hoops" and security checks in the way before an attack reaches its goal, especially something of great value.


This method also reduces the attack surface when surfing the web. It's like channelling your enemy so it has no choice but to attack through one small door or limited opportunity, say only through the browser, instead of the browser plus Java, JavaScript, QuickTime, Flash, Silverlight etc.


It assumes, as it should, that the web is a hostile zone and that you extend no trust until you have established that trust, and only then lower your defenses.


Unfortunately most web browsers and users today go around assuming the web is a warm, safe, happy place where one can click on and do anything.


"La la de da, I have a Mac and nothing can hurt me, because Macs never get viruses" is bad thinking.


Blackhole exploit sites are just waiting to compromise your machine merely by your visiting them or running a browser plug-in on them, or by your clicking a link in an email or a post on an untrusted forum.





You keep your security by staying in the loop and keeping watch on what is going on with your machine.



#1: Keep your OS X software up to date using Apple Menu > Software Update, and also check third-party software for updates.


Apple can't help you if you don't let them.




Attack methods of malware



Browser attacks


These depend upon a flaw in the web browser itself, which may or may not need the assistance of scripts or plug-ins installed in the web browser.


Keep your web browsers updated by running the built-in updater, via the developer's site, or for Safari via Software Update under the Apple Menu.


Obviously, don't surf to websites that are going to attack your browser, even if no exploits have been reported, for the simple fact that many are NOT being reported.


If you're going to engage in this sort of risky behavior, visiting hostile sites, use a virtual machine guest OS, the "Guest" account or another general user account, or even another computer that you don't mind wiping and reinstalling the operating system on, and certainly don't install anything with your admin password on these potentially hostile sites.


Have more than one browser on your machine; this way you can switch to another until an update for your primary one arrives, or in case you have problems with Safari.


Your alternate browser choices are Firefox (highly customizable, lots of add-ons), Chrome (more secure, but from an advertising company that tracks you online), Opera and some others.





Script & plug-in based attacks


Web browsers use JavaScript, Java, Flash, Silverlight, QuickTime and many others to do things in your browser. You need to keep the ones you control updated.


If you're not using any of these scripts on a constant basis, turn them off in your browser's preferences.


It's highly advised to turn off Java (not JavaScript) in all your browsers' preferences (if it's installed) unless you specifically need it, and then only use it for trusted sites.


Flash (lots of security issues) and Silverlight (its issues kept secret) depend upon use; read about NoScript below.


JavaScript is used quite often, so you should leave that one on.


This handy online checker will inform you of outdated scripts, especially Flash and Silverlight, which are the most commonly used ones that have to be maintained by the user.





Direct links to trusted source downloads:


Bookmark these links in your browser



Flash - no matter what pops up in your browser etc., download and install from here:


Lots of websites have Flash content: http://get.adobe.com/flashplayer/


Uninstall Flash: http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html



Silverlight - no matter what pops up in your browser, download and install from here; used for Netflix.




Uninstall Silverlight: https://www.microsoft.com/getsilverlight/get-started/install/removing-silverlight-mac.aspx



Flip4Mac - allows playback of copy-protected Windows Media files on Macs; optional install.




Java, JavaScript and QuickTime


For these, just run Software Update under the Apple menu. Apple will take care of them, provided you're on 10.6 or later, that is.


Java should be disabled or removed on 10.5 and earlier machines if no update is available.




Virus attacks


Viruses are malware that attach themselves to known files and are shared amongst users unawares. OS X based viruses are rare and so far non-existent in circulation.


A Mac can act like a Typhoid Mary and pass Windows viruses to other Windows users in shared files, so it may be good to clean these using the free ClamXav, which you run as you need to.


Malware has the opportunity to get around before anyone knows about it. The reason Windows machines still get infected despite having anti-malware installed is that the anti-malware looks for signatures, definitions or behavior of what it's supposed to find. Since there aren't any for new exploits, the malware gets on and disables the anti-virus, or worse, uses it to keep other malware off and trick the user into thinking they have a clean machine.


The user experiences heavy CPU load, assumes it's the anti-virus, and doesn't even consider that malware is on their machine. So most anti-virus / anti-malware software is sort of like closing the barn door after the horse has already escaped: it can help stop the spread of malware eventually, but it's not a preventative measure against new threats if they spread rapidly and silently enough. Later in this tip I will explain LittleSnitch, which can help "watch the back doors" and alert you to strange outgoing network connections.


Malware writers use the same anti-virus software to "test" whether their malware gets by it, and they have the ability to spread their malware far and wide before anyone picks up that there is a problem. So you can see why it's important to employ a strong defense in one's behavior and on one's machine to reduce the chance of malware getting on.


The best offense against malware is a secure operating system and secure third-party software; so far the Unix/Linux based operating systems are more secure, like the OS X you're using.


Windows 7 has done a much better job of catching up compared to previous versions, where malware outbreaks were an almost weekly occurrence, but it is still not nearly as good as OS X, although no operating system or browser is 100% perfect. Apple has made some errors in judgement in regards to keeping OS X's security up to Unix's tough standards, and I'm here to help you overcome those weaknesses.


Problems with malware on Macs have mainly come not from viruses, but via exploits in third-party browser plug-ins, drive-by attacks, social exploits and Trojans.



Trojan attacks


Trojans are programs or files you think are one thing and turn out to be another, or that do what they say but have sinister portions to them. You need to trust the source of your downloads; check with many others about the developer, the site you're downloading from etc. before committing.


Usually it's a matter of installing stuff from untrustworthy sources: links in thread posts where there isn't a trustworthy site admin, P2P networks, or other means like email attachments, files and links, avenues where it's hard to locate the person(s) responsible.


Apple has incorporated a Trojan check for all downloads, but again, like anti-virus on Windows, it also suffers from the time delay with new ones.


A good rule of thumb is to wait and watch a site you're thinking of downloading software from; usually if they are out to screw people over they won't be up for long, or will get bad reviews.


If you get a lot of files via e-mail, you may want to consider installing the free ClamXav to clean the filth; however, most of it is going to be for Windows.



Social exploits, tricking the user attacks, phishing


If you're asked for your password or to do something like install this or that "codec to watch this movie" or "update your Flash here", or a Software Update window appears, or an "OS X has found a virus" window appears while a web browser is open, consider not going ahead; rather, exit the browser and reboot the computer to clear the memory.


Check the status of your plug-ins using the trusted Mozilla check or the links above, or from a site you know is the developer's site, and run Software Update from the Apple menu. You might find out that you were lied to, and that the site you were on was trying to trick you into giving up your password.


Don't believe everything that pops up to notify you of something when surfing. I know Flash and Software Update do this, so don't click on it or give it your password; Force Quit the browser by switching to the Finder and using the Apple menu, reboot the computer, and then check Software Update and Flash for updates yourself with the links I've provided above.


Browser scripts have the ability to mimic OS X windows and those of other programs, like the Flash updater.


Browser and script based exploits have the ability to access the user's files and upload them online. So if one has a plain file containing password reminders or private information, consider using a small third-party program to encrypt files or folders, an encrypted USB key, Keychain Access, etc.


IMO you shouldn't be doing any online banking, or using credit/debit cards, in amounts you're not willing to lose; most anyone can be fooled into entering their vital details into a rogue website.



Driveby attacks


Drive-by attacks occur simply by visiting a website, which then takes advantage of a vulnerability in a browser or plug-in; no tricking of the user is needed. This is how Flashback first attacked: silent and deadly, using your third-party plug-ins, this time Java, before that Flash. Since Java isn't used much at all online, I suggest you turn it off.


Firefox has the ability to turn off not only Java but Flash and Silverlight in the Add-ons menu, a much better arrangement than Safari, which can't. Again, the objective is to reduce the avenues of attack as much as possible.


The Firefox + NoScript method below will reduce your browser/script exploit possibilities as you surf the web, as you enable scripts only on sites you trust.



Driveby downloads


A website can initiate a download simply by being visited. Say you're surfing a trusted site and get redirected really fast to another site, or click a trick link you think is something else but is actually a download link.


A download occurs (especially on a fast connection with a small file you sometimes won't even see it), and there is a neat little package of pain awaiting your click in the Downloads folder. It could be named something you're used to installing, like Flash or Silverlight, and there you go giving it your admin password to install directly into root, and you're pwned.


To stop this, use a browser that gives you the option of informing you before the download occurs. Firefox does, if its preferences are set that way.


Next, keep your Downloads folder clean and don't use it to store things or installers; move trusted installer packages to a new folder somewhere else. When you go to download something, make sure the Downloads folder is empty first.
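A quick way to check what is sitting in the Downloads folder before you click on it, as an added example (this is my script for this tip, not something from Apple or from any browser): every file a browser saves on OS X carries a `com.apple.quarantine` extended attribute that records which application saved it and when, so a package you never asked for, or one with no quarantine flag at all, stands out. The sample attribute value below is constructed, not copied from a real machine; the live audit needs the macOS `xattr` tool and is skipped on other systems.

```shell
#!/bin/sh
# Added example, not part of the original User Tip: audit the Downloads folder
# before clicking anything in it. Each file a browser saves on OS X carries a
# com.apple.quarantine extended attribute shaped like
#     flags;hex-seconds-since-epoch;agent;uuid
# so you can see which application saved a file and when. A download you never
# asked for, or one with no quarantine flag at all, is the one to look at.
# The parser runs on a constructed sample value; the live audit needs the
# macOS xattr tool and is skipped elsewhere.

# Constructed sample (not captured from a real machine), shaped like the
# output of: xattr -p com.apple.quarantine ~/Downloads/somefile.dmg
SAMPLE_QUARANTINE='0083;51e01c2b;Safari;11111111-2222-3333-4444-555555555555'

# parse_quarantine "<attribute value>"
# Prints "agent=<app> saved=<epoch seconds> flags=<flags>"; exit 1 if malformed.
# On a Mac, "date -r <seconds>" turns the epoch value into a readable date.
parse_quarantine() {
    flags=$(printf '%s' "$1" | cut -s -d';' -f1)
    hexts=$(printf '%s' "$1" | cut -s -d';' -f2)
    agent=$(printf '%s' "$1" | cut -s -d';' -f3)
    if [ -z "$flags" ] || [ -z "$hexts" ] || [ -z "$agent" ]; then
        echo "unparseable quarantine value"
        return 1
    fi
    case "$hexts" in
        *[!0-9a-fA-F]*) echo "bad timestamp field"; return 1 ;;
    esac
    printf 'agent=%s saved=%s flags=%s\n' "$agent" "$((0x$hexts))" "$flags"
}

# audit_downloads [dir]
# One line per file: which app saved it and when, or a note that it carries
# no quarantine flag (meaning no browser put it there through the normal path).
audit_downloads() {
    dir="${1:-$HOME/Downloads}"
    if ! command -v xattr >/dev/null 2>&1; then
        echo "xattr not available here; live audit skipped"
        return 0
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        if q=$(xattr -p com.apple.quarantine "$f" 2>/dev/null); then
            printf '%s: %s\n' "$f" "$(parse_quarantine "$q")"
        else
            printf '%s: no quarantine flag\n' "$f"
        fi
    done
}

# Stand-alone run: show the parser on the sample, then audit the real folder.
parse_quarantine "$SAMPLE_QUARANTINE"
audit_downloads
```

Run it before each download session: the folder should be empty, and anything that does show up should name the browser you were actually using at a time you recognise.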




Consider running as "Standard User"


There are four user permission levels on Macs: Root, Admin, Standard and Guest.



Root Level User - dangerous


This is the most dangerous user: it, or anything running as it, can do anything on the machine, and it's disabled for a very good reason. Programmers work in root all the time (and mostly offline) as they prepare code, so for them having to enter an Admin password each time to gain root is a pain.


Single User mode is root, and is used as a troubleshooting and problem-solving means when the computer isn't functioning normally.


Running as the root user all the time is suicide for most anyone else.



Admin Level User - very risky


When a Mac user first sets up a machine, that account is an Admin account. Most single users of the machine keep it this way, either unawares or to make it easier to do things with the machine, such as installing programs and having Software Update run automatically.


Running all the time as "Admin" is a bit dangerous, as anything that gets in via the web browser or anything else has a lot of freedom to move around and wait to attack at the opportune time, even to alter other programs.


However, to gain root level it must ask for the Admin password, trick the user, or alter another program so as to use a "sudo window" (super user do, aka "root"), which gives it a few minutes to do whatever it wants to your machine; once in root, it's all over.


If you're an Admin level user and something asks for your Admin password, it means it needs root user powers, so if this occurs while surfing, with a fake pop-up window looking like Software Update, you can see how easily a user can be tricked (that's how one of the Flashback attacks works).


If malware attacks while you're in an Admin user, even without needing your Admin password, the cleanup effort will likely still require a complete erase of the entire OS X install, a "fresh install" of everything, and returning vetted user files from a clean backup.


So essentially, Admin and root users require the same cleanup effort if something gets on the machine unawares.



Standard Level User - best security


The next level down is Standard User, which restricts some things one can do (and thus what malware can do) unless one enters the Admin name and password to effect change outside the Standard User account.


Use a Standard User all the time in your daily use of the machine as a form of protection: whatever gets onto the machine unawares is restricted to the lesser privileges and permissions of the Standard User account alone.


One would have to consciously give further permission to the malware, so it reduces the potential for behind-the-scenes malware to gain further access to programs or OS X; it forces the hidden malware to announce itself or to try to deceive the user via a social exploit or Trojan.


If one suspects an attack occurred, one can reboot the machine, log into the Admin user, delete the Standard User account, reboot and recreate it, then restore clean copies of files from backup.


To convert your present Admin level user account to a Standard User, simply head to System Preferences, create a new Admin account (with a different password, obviously), and then log out and into this new Admin user. Head to System Preferences there and change the first Admin account to Standard User, then log out and into the Standard User and use that.


When one needs to do something that isn't allowed in a Standard User, like trashing or installing a program, a window will appear asking for your Admin name and password, just to make sure it's you making the change.


Run Software Update manually once in a while, as it doesn't run automatically in a Standard User. One must have at least one Admin user account on the machine; it's also beneficial to have another (Admin) account on the machine for data recovery purposes, in case one can't log into one's Standard User account.
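To confirm the conversion took, and to see at a glance which accounts on the machine are Admins, here is an added example script of my own (not Apple's, and not part of the steps above). On OS X the Admin group is read with `dscl . -read /Groups/admin GroupMembership`, which prints one line naming the members; the script parses that line and reports whether the account you are logged into is in it. The sample line is constructed; the live check only runs where `dscl` exists.

```shell
#!/bin/sh
# Added example, not part of the original User Tip: confirm that the account
# you use every day is a Standard User and see which accounts are Admins.
# On OS X the Admin group is read with
#     dscl . -read /Groups/admin GroupMembership
# which prints one line like "GroupMembership: root alice". The parser is
# exercised on a constructed sample line; the live check needs dscl (macOS).

# Constructed sample line (not captured from a real machine).
SAMPLE_MEMBERSHIP='GroupMembership: root alice'

# admin_members "<GroupMembership line>" -> the account names, space separated
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p'
}

# is_admin <account> "<GroupMembership line>" -> exit 0 if the account is an Admin
is_admin() {
    for m in $(admin_members "$2"); do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# report <account> "<GroupMembership line>" -> one-line verdict for that account
report() {
    if is_admin "$1" "$2"; then
        printf '%s is an Admin account; daily use should be from a Standard User\n' "$1"
    else
        printf '%s is a Standard User (not in the admin group)\n' "$1"
    fi
}

# Stand-alone run: the real admin group on a Mac, the sample line elsewhere.
if command -v dscl >/dev/null 2>&1; then
    LINE=$(dscl . -read /Groups/admin GroupMembership)
    echo "Admin accounts: $(admin_members "$LINE")"
    report "$(id -un)" "$LINE"
else
    echo "dscl not available here; using the constructed sample line"
    report alice "$SAMPLE_MEMBERSHIP"
    report bob "$SAMPLE_MEMBERSHIP"
fi
```

The GroupMembership line lists direct members only; for a definitive yes/no on one account, `dseditgroup -o checkmember -m <account> admin` asks the system itself and also covers membership inherited through other groups.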




Guest Level User - private browsing


This is a temporary user account for those who want to let someone use their machine for a short period with nothing saved when they log out. It has no access to anything and nothing is saved.




Dispelling the misinformation "it needs your Admin password to infect your machine"


Because code can run in any user account at any permission level, malware can run there also and still do unseen damage without the tell-tale "needs your Admin password" window to show itself or to install.


It can upload your files, place malicious images, log your keystrokes and monitor your behavior, all right from a Standard User, which has the lowest permission level on the machine.



If one is running as a Standard User, the Admin name and password are needed for most malware to escape and make changes to Applications and System/root.


If one is running as an Admin user (the default setup on Macs), then the Admin password is only needed to get root access.



If malware code runs in your lowly Standard User account, it can copy, say, an admin-password-requiring program out of Applications (write protected, but not read protected) and paste it into a hidden folder in the Standard User account, then change the program into a Trojan and replace the Dock icon link with the Trojan.


The next time you click the Disk Utility icon in your Dock, instead of giving your admin password to Disk Utility, you're giving it to the Trojan, which then can do anything it wants to.


If you don't believe me, go ahead and try it for yourself. Create a Standard User, then right-click on a standalone program (one that is self-contained) in the Applications folder and click Copy, paste it into, say, your Movies folder, then replace the Dock icon with the copy and click it. It runs.


Users of Firefox know that it auto-updates in the background without requiring an admin password each time; how is this possible, right?


Since a web browser can log keystrokes and upload user files, so can malware, all without needing the Admin password.


If it wanted to escape and make changes outside the Standard User and/or into root, it certainly would require the password.



Patches not being applied fast enough


Browser exploits are the prime attack vector, with third-party plug-in vulnerabilities being the main cause. However, any program that contacts the Internet is potentially exploitable, and there is no iron-clad law that vulnerabilities will be immediately patched.


It's widely known that once a vulnerability is discovered, sometimes the operating system maker is not told, or knows but intentionally doesn't do anything about it for some time. The vulnerability is sold and used as a means to gain access to people's machines by governments; only once it's widely exploited by malware writers does the problem become great enough that the vulnerability is closed.


I advise using browsers like Firefox that get more timely and rapid updates, and disabling as many browser add-ons as are not being actively used.




Getting at your files may be the objective of the malware


Sometimes malware is after your personal information, which, if it is in the account you're accessing the Internet with and an exploit occurs, is theirs for the taking. Law enforcement types have been known to try to lure criminals to rigged websites which then use a browser or other exploit to read/upload personal files; since the law can do this, it stands to reason so can the bad guys.


FileVault likely won't help much if the malware already has access to your account, or even root; your browser certainly has read/write capability to your account, FileVault or not.


Enabling FileVault is not exactly so private; it's more for the case where you lose your machine, so the bad guys can't get your data, and that's about it. Because if you need your machine repaired, you have to give Apple etc. the password to fix your machine. Also, law enforcement types will demand the password, along with Customs searches, court orders etc.


FileVault makes it hard to retrieve files or fix software on the machine in an indirect manner, like if OS X isn't booting for some reason. If you engage FileVault, make sure you maintain unencrypted backups someplace with physical security (like a safe), lest you forget the password or some other issue arises.


Given that your machine may die at any moment and need repair, you might want to consider having a self-encrypting external drive or USB key (like an IronKey) to store personal data on, off the machine at all times, which you can thus take to any machine or program that can read the files. Hardware-based encryption is more secure than software-based, which can be changed by malware.


You might want to consider less confining and more tailored alternatives.






Safari hardening



Most browsers allow the continuous running of all third-party scripts, giving malware writers more attack surface to get into your machine if they find an exploit. So they can use Java, JavaScript, Flash, Silverlight and even QuickTime to gain access to your machine.


Safari is a good browser: it's fast, and it's designed, like most other browsers, to be easy for users, as it must cater to all user experience levels.


Safari does have the ability to disable web plug-ins, but it's an all-or-nothing approach and you have to head to Safari > Preferences to do it.


Your Safari > Preferences > Security should appear as such (ignore the Google Safe Browsing Service warning):


[Screenshot: Screen shot 2012-05-14 at 11.41.11 AM.jpg]



Safari improvements


Apple has updated Safari to disable Java if it hasn't been used recently (if you have it installed). Also, Safari won't allow older versions of Flash to run, displaying an update window if a newer version exists. These changes are welcome and should reduce some of the attacks via these vectors; however, they still leave a window of opportunity for an exploit.



Safari 6 is currently for 10.7 and 10.8 users only!


10.6 or prior users: use Firefox or Chrome instead, as they get updated more often.







Consider using Firefox web browser + NoScript


I'm recommending a method that doesn't run the plug-ins and scripts all the time on every website you visit, especially JavaScript, which is heavily used online (and is used for those deceptive pop-up windows), until you first decide whether you trust the website you're visiting; then you can enable that trust for that website, either temporarily (ideal) or permanently.


Firefox has the NoScript add-on, which is only available on that browser, and I haven't found anything even close to it on any other browser. Install it from here first.




Use Firefox's Customize Toolbar option to drag the "Temporarily Allow All" NoScript button to the toolbar. That's all you need to do to get started; no need to mess with the finer controls.




NoScript is hands down the best "web cop" on the Internet and will protect one against web-side trickery and attacks. Instead of all the web browser scripts and plug-ins running all the time, taking your chances as you visit various websites, they are turned off by default and only enabled as you need them. Once you trust the site and it requires them, click the Temp button and the page reloads with the scripts on.


You'll be mildly surprised how little you'll use it; many sites run fine without any scripts running.


If you visit a site often and trust it completely, you can whitelist it in NoScript too. You can also have NoScript allow scripts for all your Bookmarks. So you can control your security better as you surf.


If you're surfing and get a "redirect" to a hostile site, which can occur in a matter of milliseconds, your scripts are automatically off by default, reducing the attack possibilities to only the browser instead of any of the scripts or plug-ins running in the browser, which can be many for some.


If one had the NoScript method enabled and came across a MacDefender or Flashback malware attack, one likely went by unscathed and unaware an attempt was even made, because JavaScript was used to display a fake OS X Software Update or Flash update window trying to gain further access to your machine.


I recommend you clean out your NoScript "whitelist" once in a while and start over with a new one.


Also enable the "Show downloads window" option in Firefox preferences to alert you to unauthorized or accidental downloads: it gives a window and a button to proceed or cancel before starting, rather than automatically downloading any link a user clicks like some other browsers do.


Consider installing the WOT (Web of Trust) add-on for Firefox, which flags each link for trustworthiness based on the opinions of other users around the web; this way, before you click a link it will tell you the status of that site via public opinion.


I also advise using Adblock Plus, and only enabling it on sites you trust, because advertising is fetched from other sites than the one you're viewing, so it provides a nice attack angle for malware to get onto many sites. Usually quality sites will retain quality advertisers, and poor quality sites of low character will care less whether their advertisements are infecting users' computers.




Consider installing LittleSnitch (advanced)


LittleSnitch is payware outbound firewall software that loads at boot time in root (as a kernel extension, kext) and watches for outgoing network traffic. It's useful because it pops up a quick window alerting you to the outbound traffic: if a program that you haven't already cleared attempts to contact the network or Internet, or uses a different port than the one you initially allowed, LS will stop that from occurring until you give it the clear and set the access.


Most web traffic occurs on port 80; however, sometimes you load a video or a game into the browser and it can open another port. LS will flag this to make sure it's ok before allowing it out, as it could be malware.


If the malware uses the browser and port 80, then there isn't much LS can do, obviously, as it can't determine whether the outbound traffic is malicious or not, but it has added another level of defense: browser-based malware is confined to port 80 to hide itself, and must otherwise hack or use another process or program that has access to another port, or gain root access to disable LittleSnitch itself. To gain root access, it would have to trick the user into giving up their Admin password.


Modern computers have a whopping 65,535 ports, which gives lots of places to hide and communicate with the world without your knowledge. A remote port scan of all 65,535 ports to see if any are responding would take a very long time and would have to be run frequently.


Only a small fraction of these 65,535 ports are used for legitimate purposes; LS is configured by default to match OS X and allow those out (or your computer would act unstable), so LS watches everything else for any unusual behavior.
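For those who want to see the idea behind LittleSnitch without buying it, here is an added example script of my own (not LittleSnitch's code and not from Apple): it takes one snapshot of the machine's open connections with `lsof -i -nP` (the same command exists on OS X and Linux) and lists every process talking to a remote port other than 80 or 443. It is a one-time look, not the continuous, in-kernel watch that LS provides, and the sample lines it is shown on are constructed in the shape of `lsof` output, using documentation IP ranges rather than a real capture.

```shell
#!/bin/sh
# Added example, not part of the original User Tip and not LittleSnitch's own
# logic: a one-shot look at which processes hold outbound connections and which
# of those are not on the usual web ports. LittleSnitch does this continuously
# and in the kernel; this script only reads a snapshot from "lsof -i -nP" (the
# same command on OS X and Linux). The filter is shown on constructed sample
# lines shaped like lsof output; the live snapshot runs only if lsof exists.

# Ports the page treats as ordinary browser traffic; everything else is flagged.
ALLOWED_PORTS="80 443"

# Constructed sample (documentation IP ranges, not a real capture).
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox   412  alice  47u  IPv4 0x1a2b      0t0  TCP 10.0.1.8:52311->203.0.113.10:443 (ESTABLISHED)
curl      917  alice   5u  IPv4 0x1a2c      0t0  TCP 10.0.1.8:52320->203.0.113.20:80 (ESTABLISHED)
updater  1020  alice   9u  IPv4 0x1a2d      0t0  TCP 10.0.1.8:52340->198.51.100.7:6667 (ESTABLISHED)
mDNSResp  120  _mdns   8u  IPv4 0x1a2e      0t0  UDP *:5353'

# flag_unusual_outbound: reads lsof -i lines on stdin, prints "COMMAND PID -> remote"
# for every connection whose remote port is not in ALLOWED_PORTS. Sockets with
# no "->" are listeners, not the outbound calls LS watches, so they are skipped.
flag_unusual_outbound() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /->/ {
        for (i = 1; i <= NF; i++) if (index($i, "->")) name = $i
        split(name, ends, "->")
        remote = ends[2]
        port = remote
        sub(/.*:/, "", port)          # the last ":" separates host from port, IPv6 included
        if (!(port in ok)) printf "%s %s -> %s\n", $1, $2, remote
    }'
}

# count_unusual_outbound: same input, prints just the number of flagged lines
count_unusual_outbound() {
    flag_unusual_outbound | wc -l | tr -d ' '
}

# Stand-alone run: the sample first, then a live snapshot when lsof is present.
echo "sample:"
printf '%s\n' "$SAMPLE_LSOF" | flag_unusual_outbound
if command -v lsof >/dev/null 2>&1; then
    echo "live:"
    lsof -i -nP 2>/dev/null | flag_unusual_outbound
fi
```

A process you don't recognise holding a connection on an odd port is exactly the kind of thing the LS pop-up would have asked you about; with this script you have to remember to look, which is the difference between a snapshot and a firewall.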


BTW, Flashback malware deleted itself if it saw LittleSnitch. Not saying all malware will do this, but it didn't want LS to alert to its presence on the machine, or to alert those curious enough to inform others of unusual behavior.


The OS X Crisis Trojan's impact can be reduced if you're running as a Standard User and using LittleSnitch (installed in root) to detect the background calls to the command server.



Deep Freeze  (advanced, restrictive)


This is payware software that does just that: it "deep freezes" your boot drive, so when you reboot it returns everything to how it was before the freeze occurred. There can be "thawed zones" for user files, so those are allowed to change, but everything else can be frozen; thus no change to the boot drive is permanent. Apple uses this software in their stores, where people fiddle around all day, and a shutdown at night and a morning reboot puts things right back where they want them.


One can use this type of software as part of a defense, to protect kids' computers etc. However, like anything, once the malware has the admin password it can gain root and do whatever it likes. Also, since malware can run on the machine in the meantime, or in a "thawed zone", despite not getting root it can certainly do a lot of damage while it has control, grabbing or encrypting files (ransomware), gleaning other data etc. Anyway, it's something to consider; perhaps a whole machine frozen, with user files stored on an external drive instead, would work well with this type of software.


I advise this sort of defense tactic for Macs with operating system versions Apple no longer supports (10.6 and earlier), and for common-area use where a lot of people access the machines and thus make it difficult to track down who is responsible for unauthorized changes to the machines.



Note: If you're locking down the machine, and especially with 10.6.8 and earlier not getting Safari security updates, you might also want to consider using Firefox + the PublicFox add-on, which will lock down the browser from downloads, changes etc.



Backup and prepare for the worst  (everyone)


Everything can be replaced except your unique user files; keep at least two copies of these on separate hardware in easily accessible formats (in addition to Time Machine and bootable clones) so you can take your files to any machine, Mac or PC, and go on with your life.


My view in regards to malware, since it can take a long time to discover, is to have archived bootable clone(s) and DVDs/CDs of your files, dated, so you can go back to before the malware started making the rounds. Your computer, operating system and programs can all be replaced, but not your personal files, so take the time to burn files to DVDs as an archive; you may need them someday.


Something learned about the Conficker malware on Windows: the thing "hopped" to any rewritable media, USB flash drives, hard drives, you name it, so it made eradication most difficult. Only DVD archives of files, programs and operating system burned before the infection started were considered safe. CD-R and DVD-R (Blu-ray too) have the asset that once they are burned, they can't be changed later on by malware.


Time Machine used as intended isn't going to protect one against a malware attack, as it's connected too often. Having a couple of archived clones of one's boot drive pre-dating the attack will, provided that before the restore occurs the entire malware-infected target drive (OS X, Recovery, partition map, EFI etc.) is zero-erased from a non-writable boot DVD first, or all rewritable media is simply replaced with new ones, which in some Macs can't be done by the user without violating their AppleCare/warranty.


Given that DVDs and CDs are sort of on their way out, that with 10.7+ there are no boot disks, and that some Macs have no optical drives, one must plan ahead for malware of the Conficker magnitude affecting OS X and all rewritable media, with an eradication method that can ensure a complete erasure or replacement of a target machine's storage drive, firmware etc.





Secure your WiFi and privacy


Some advice I have to share here:


WiFi security issues, at home and WiFi hotspots




If this User Tip has benefited you, take a second to rate it down below.


Thank You