4 Replies Latest reply: Nov 5, 2008 3:30 PM by Klaus1
toekoms Level 1 (0 points)
Simple question, do I need to be concerned about spyware on a MAC. If yes is there any free software to alert and remove any spyware?

imac, Mac OS X (10.5.4)
  • Zlig Level 4 (1,340 points)
    Hi, there is no spyware that I have heard of for the Mac. [This link|http://discussions.apple.com/thread.jspa?messageID=6265972] to a previous post should come in handy in case you want to read more on the subject.

    You can also download [ClamXAV|http://www.clamxav.com>, a good freeware virus scanner, if you are concerned about Malware.
  • Klaus1 Level 8 (47,775 points)
    It depends on your definition of spyware. There are no viruses that affect OS X, but in the case of trojans and other forms of malware (including spyware) things are a little different.

    Mac OS X 10.4 Tiger automatically checks your downloads for malicious software and content that could harm your system or collect information from your computer. You can read more about that here:


    If you feel you need added protection, read on:

    SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:


    The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X. Called DNSChanger Trojan and also known as OSX.RSPlug.A Trojan Horse, the software attacks users attempting to play a fake video file.

    Upon attempting to play the video, the victim receives the following message:

    “Quicktime Player is unable to play movie file.
Please click here to download new version of codec.”
    Upon running the installer, the user's DNS records are modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's DNS records stay modified on a minute-by-minute basis.

    SecureMac's DNSChanger Removal Tool allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

    There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac. A white paper has recently been published on the subject by SubRosaSoft, available here:


    Also, beware of MacSweeper:

    MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland based computer security software company on January 17, 2008


    On June 23, 2008 this news reached Mac users:


    More information on Mac security can be fund here:


    More on Trojans on the Mac here:


    Then this from July 25, 2008, is:

    Attack code that exploits flaws in the net's addressing system are starting to circulate online, say security experts.
    The code could be a boon to phishing gangs who redirect web users to fake bank sites and steal login details.
    In light of the news net firms are being urged to apply a fix for the loop-hole before attacks by hi-tech criminals become widespread.
    Net security groups say there is anecdotal evidence that small scale attacks are already happening.
    Further details here: http://news.bbc.co.uk/2/hi/technology/7525206.stm

    On October 30, 2008, MacWorld had this article:

    Malicious software that emerged on Facebook.com in late July has surfaced again, this time using Google's sites to sneak around security filters.
    On Tuesday, researchers at unified threat management vendor Fortinet noticed that a program similar to the Koobface worm had started using the Google Reader and Picasa sites to spread. In the attack, criminals host images that look like YouTube videos on the Google sites in hopes of tricking victims into downloading malicious Trojan software.

    On October 31, 2008 there was some more 'dramatic news':

    The details of about 500,000 online bank accounts and credit and debit cards have been stolen by a virus described as "one of the most advanced pieces of crimeware ever created".
    The Sinowal trojan has been tracked by RSA, which helps to secure networks in Fortune 500 companies.

    RSA said the trojan virus has infected computers all over the planet.
    "The effect has been really global with over 2000 domains compromised," said Sean Brady of RSA's security division.

    He told the BBC: "This is a serious incident on a very noticeable scale and we have seen an increase in the number of trojans and their variants, particularly in the States and Canada."

    The RSA's Fraud Action Research Lab said it first detected the Windows Sinowal trojan in Feb 2006.
    Since then, Mr Brady said, more than 270,000 banking accounts and 240,000 credit and debit cards have been compromised from financial institutions in countries including the US, UK, Australia and Poland.

    The lab said no Russian accounts were hit by Sinowal.

    RSA described the Sinowal as "one of the most serious threats to anyone with an internet connection" because it works behind the scenes using a common infection method known as "drive-by downloads"."

    Users can get infected without knowing if they visit a website that has been booby-trapped with the Sinowal malicious code.

    The article goes on to say:

    While attacks are on the increase, there are some simple steps that users can take to protect their information besides using security software.
    "We have a saying here which is 'think before you link,'" said Mr Manky.
    "That just means observe where you are going on the web. Be wary of clicking on anything in a high traffic site like social networks.
    "A lot of traffic in the eyes of cyber criminals means these sites are a target because to these people more traffic means more money," he said.
    RSA also urged users to be wary if their bank started asking for different forms of authentication such as a social security number or other details.
    "People think not clicking on a pop up or an attachment means they are safe. What people don't realise now is that just visiting a website is good enough to infect them."
    RSA said it is co-operating with banks and financial institutions the world over to tell them about Sinowal. It has passed information about the virus to law enforcement agencies.


    Moral: Be careful where you go on the web and what you download!
  • toekoms Level 1 (0 points)
    Many thanks for the reply, it was much appreciated
  • Klaus1 Level 8 (47,775 points)
    You're very welcome!

    Short version: Don't panic!