Macs don't get viruses? Hahaha, ha... seriously though, that Word doc could be malware

Hackers are menacing Apple Mac users with Word documents laced with malicious macros that install malware. Security researchers spotted a rash of poisonous files doing the rounds earlier this week, one of which was titled "U.S. Allies and Rivals Digest Trump's Victory – Carnegie Endowment for International Peace.docm." Apple …

  1. Anonymous Coward

    Macs don't get viruses

    Despite that being Steve Jobs's mantra, a friend of mine who recently retired from Apple after 33 years claimed that during the entire time he worked there, being caught on the Apple campus with a Mac without AV was a fireable offense.

    1. Anonymous Coward

      Re: Macs don't get viruses

      I have a weekly scan, but it tends to mainly whinge at email in my spam folder :).

      That said, MS Office viruses are not a problem on account of not having anything from Microsoft or Adobe on the machine - I switched to LibreOffice ages ago, also because that doesn't need Java (at least not for what I use it for).

      No OS is impervious - the only difference between platforms is how much effort you have to put in to keep it clean.

    2. DerekCurrie

      Re: Macs don't get viruses

      "Despite that being Steve Jobs's mantra"

      No. Steve Jobs never said that. Apple haters invented that. Here's the famous video that upsets the haters and no one bothers to directly quote. (I won't either, so watch and learn instead):

      I personally have a collected database of 132 different Mac malware from the beginning of Mac OS X ('macOS') onward. It's an incomplete list as I haven't bothered with most adware (such as Genieo), PUPs (potentially unwanted programs, such as MacKeeper) or Microsoft Office macros. But the list does help point out that Macs have had many orders of magnitude LESS malware than concurrent versions of Windows.

      If one wishes to be a stickler for professional terminology, OS X has never actually had a 'virus'. The majority of Mac malware (malware being the overall term that includes 'viruses' and other malicious software) instead have been Trojan horses. They've depended upon social engineering in order to be directly and deliberately installed by the user. This is the case with the new MacDownloader malware.

      Meanwhile, Microsoft is responsible for their own malware problems in Microsoft Office. Therefore, please complain to Microsoft about their Office macro system if you're concerned about the new EmPyre macro malware. Or do what ALL wise Office users do and Turn Off Macros! How many decades have malicious macros been plaguing Office? Of course turn them off already.

      BTW: Apple has anti-malware software built into modern versions of macOS. That has been the case since 10.6.x Snow Leopard released in 2011. There are currently three components: (1) Gatekeeper (2) XProtect (3) MRT, Malware Removal Tool. These are in addition to other Mac security features.

      I write about Mac security here:

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: Macs don't get viruses

        I've been dealing/fighting with Microsoft since about MS DOS 2 or something, and in all that time I have yet to sense any desire to protect the users - their only focus is protection of revenue. Sure, they will make all sorts of wonderful noises about security, but as far as I can tell, the vast swathes of people they bought in from security outfits were only ever taken in for marketing and making pretty powerpoint presentations with fancy ideas and lots of promises, not for actually fixing anything.

        The only way Microsoft will ever actively and pre-emptively start to deal with security issues from the structural basis upwards is if it is going to cost them revenue. That still hasn't happened yet in all those years (apart from a slight blip with Vista), so from a pure capitalistic perspective I can understand why they don't bother. That is also the exact reason why we don't bother using their software - we are not prepared to spend the money and effort to fix their deficiencies. Ditto for anything made by Adobe, although I must caveat that I understand that some creative companies don't have that option.

        That's why we use both macOS, Linux (and a bit of FreeBSD) and LibreOffice. Thankfully we're in a position (after putting in some initial effort) that we have zero need for Microsoft and Adobe (nor would anyone consider installing Microsoft software on Linux, btw). I hope we can keep it that way, as it has worked well for us so far.

        1. John 104

          Re: Macs don't get viruses


          As someone who worked on the protection services team at Microsoft for a spell, I can assure you that they do take security very seriously. Aside from that, they have made big steps in process privilege separation over the last several years and releases of server/desktop products. They aren't Linux (or BSD) and never will be, but at least they take threats seriously and respond to their user base which is not something that Apple are well known for...

      3. Anonymous Coward

        Re: Macs do get viruses

        Thanks El'Reg, as I do have this "Adware Removal" installed d/l from (apparently from Safari history) "httpX://,httpX://" (X added to prevent accidents)

        zip archive 1 208 614 bytes downloaded/created Wednesday 10 June 2015 at 08:15

        Application 1 405 363 bytes created Tuesday, 16 December 2014 at 14:01

        VirusTotal first analysis 2017-02-10 10:35:32 UTC ( 10 minutes ago ) gives 52 clean AV systems, with just McAfee-GW-Edition giving "RDN/Generic.osx" PUP malware hit & Zillya giving "Downloader.OpenConnection.JS.147148" which attacks the JRE that I don't have

        smells strongly of sneaky QUANTUM-INSERT fast local server attack. . .

        1. Anonymous Coward

          Re: Macs do get viruses

          or it could totally be a false hit (McAfee!), as I have completely different hashes from the "Iranian" example.

          Now I get to play with Hex Dumps all afternoon, (initially it really looks like a real Bitdefender product)

          just d/l the latest Bitdefender from their site and their Zip bundle does trigger three hits from Google's VirusTotal

          [+] Adware Removal Removal Tool Mac OS X Executable 209280 Bytes

          SHA256 67c1a4fde8e14a68dd4d56e92522a07ea10ce32a94cf048326eb7c434a7faa36

          Datetime 2014-12-16 14:01:22

          Detection ratio 3 / 54 when this report was generated

          McAfee-GW-Edition RDN/Generic.osx

          TrendMicro-HouseCall MACOS_VSEARCH.MSGF215

          Zillya Downloader.OpenConnection.JS.147148


          1. The Vociferous Time Waster

            Re: Macs do get viruses

            "Now I get to play with Hex Dumps all afternoon,"

            So stare at them and wish you had been to college?

      4. Anonymous Coward

        Re: Macs don't get viruses

        >If one wishes to be a stickler for professional terminology, OS X has never actually had a 'virus'.

        MachoMan/Macarena were wild and interesting examples much later many, many variants built on JPanic's Clapzok which exploited the same vector which Apple had failed to patch - providing years of zero days from well-documented vulnerability. There are numerous sites on DW where you can buy zero days to order which will infect binaries and replicate on any platform.

        >I write about Mac security


      5. patrickstar

        Re: Macs don't get viruses

        Related trivia: There was actually a file infector for Linux that got somewhat widespread many years ago (around 2001 perhaps). It used some (known) local exploits to elevate privileges and opened up a backdoor.

        Original infection vector was a SSH CRC32 deattack exploit executable, but it did have a life outside of that for a while.

    3. Fazal Majid

      Re: Macs don't get viruses

      I asked a colleague whose SO works at Apple what AV they use, the answer was "none".

      Quite frankly, AV software is written with terrible coding practices that dramatically increase your attack surface and can be counter-productive. One major product had buffer overflows in its scanner that meant you could be infected simply by receiving an email. At least without AV, you would actually have to double-click the attachment to be infected:

  2. stu 4

    mac AV

    But you know mac AV progs just detect WINDOWS viruses right ?

    I didn't till recently. So it does seem kinda dumb. I mean I suppose it stops you passing them into a windoze cow worker, but meh....

    1. Anonymous Coward

      Re: mac AV

      But you know mac AV progs just detect WINDOWS viruses right ?

      "This isn't right. This isn't even wrong." - Wolfgang Pauli

      1. stu 4

        Re: mac AV

        "This isn't right. This isn't even wrong." - Wolfgang Pauli

        citation required here ?

        I will say, I said this as a mac (exclusive other than VM) user. I was informed of this by my work security expert who was looking into whether there was a need to mandate AV software for macs - on finding this out they decided the benefit of mandating mac AV was small.

        And note: I'm talking about viruses, not malware - malware is a different kettle of fish... though some software is reasonably unarguably malware, some is controversial - for example MacKeeper is a piece of malware crap, but no current AV product would pick it up as such afaik.

        So I'm not sure what you are disagreeing with here ? AFAIK mac AV products effectively check for windows virus signatures in files. That is what they do.

        In windows files (exes, etc) they do not present a threat to macs.

        In mac files they do not present a threat (since the code is windows code).

        So what are you arguing about ? please help me (and others in this thread by the looks of things) understand why you think my statement is wrong ?

        Note, I am not aware of any mac viruses in the wild HOWEVER they certainly could exist, and if they did, I'd expect mac AV to detect them. And I'm sure they'd add them if they do exist, but for now at least, as far as I can see mac AV offers ZERO benefit to mac users.

        1. Anonymous Coward

          Re: mac AV

          I have not seen Mac viruses either. There are Trojans aplenty, though, like Adobe Flash, Mackeeper, and Microsoft Office, and those are just the commercial ones..


    2. RudderLessIT

      Re: mac AV

      When I read your post, my eyes popped open!

      I then did some searching and apparently the definitions that you download to MAC or Windows are the same, as they put both into the one file - which makes sense, as I guess it makes publishing updates easier.

      I still don't like Macs though.

    3. Baldy50

      Re: mac AV

      Again FFS, what is this COW shit? CO worker, yes? My punctuation and spelling ain't the best I know, but from a previous post if you read it you'd get my drift and why I've bothered to comment this time.

      Cattle—colloquially cows—are the most common type of large domesticated ungulates. They are a prominent modern member of the subfamily Bovinae, are the most widespread species of the genus Bos, and are most commonly classified collectively as Bos taurus. Nuff said.

      And who gives toss about Windoze users anyway?

      1. stu 4

        Re: mac AV

        "Again FFS, what is this COW shit? CO worker, yes?"

        yes mate- it's El Reg lingo - get with the programme. unsurprisingly I am aware that coworkers is a word.

    4. DerekCurrie

      Re: mac AV

      "But you know mac AV progs just detect WINDOWS viruses right ?"

      No, there are Mac malware! Mac anti-malware programs detect and remove Mac specific malware. I use Intego VirusBarrier, ClamXav and Malwarebytes Anti-Malware. Both VirusBarrier and ClamXav can detect and remove Windows malware as well as Mac malware. I use all three because I study and write about Mac malware. I've used Sophos Home for Macs as well.

      As I point out elsewhere in the comments, I've collected data on 132 different Mac malware that were active at one time or another. If you're a Mac administrator, it may well be important to use Mac anti-malware on your client machines. Wetware (we humans) are consistently the weakest part of any computer system. Stopping wetware clients from installing Trojan horse malware may save your LAN. If you're a security savvy Mac user, you can depend upon Apple's built-in anti-malware to keep you safe from major Mac malware infestations. But if you want to detect and remove Windows malware, you're going to need a third party anti-malware program setup for Windows malware detection. Check with anti-malware vendors regarding what malware they can detect.

      The best free options at this time are probably ClamAV (for which there is a CLI version for Mac), Malwarebytes Anti-Malware and Sophos Home. ClamAV will detect most Windows malware, although it lags in malware signature updates.

      1. FuzzyWuzzys

        Re: mac AV

        "No, there are Mac malware! Mac anti-malware programs detect and remove Mac specific malware."

        Yeah but why let the truth get in the way of some utter muppet spouting crap as a thinly veiled anti-Mac rhetoric, spoil things!

      2. Hans 1

        Re: mac AV

        >"But you know mac AV progs just detect WINDOWS viruses right ?"

        >No, there are Mac malware!

        Ok, let's put aside the fact that anti-virus software for one platform contains signatures for malware for all platforms, as that has been made clear.

        I have worked in A/V and I know precisely the meaning of "virus", "trojan horse" and other "types" of malware.

        To this day, I have not heard of a Mac OS X or MacOS "virus", malware, yes, eg "trojan horses", but "virus", nada. Technically speaking, afaik, there has not been a Mac OS X/MacOS virus found in the wild.

        From wikipedia:

        A computer virus is a type of malicious software program ("malware") that, when executed, replicates by reproducing itself (copying its own source code) or infecting other computer programs by modifying them.[1] Infecting computer programs can include as well, data files, or the "boot" sector of the hard drive. When this replication succeeds, the affected areas are then said to be "infected" with a computer virus.[2][3][4] The term "virus" is also commonly, but erroneously, used to refer to other types of malware.

        We are IT professionals, let's start using appropriate terms for this stuff, Ok ?

        1. Anonymous Coward

          Re: mac AV

          We are IT professionals, let's start using appropriate terms for this stuff, Ok ?

          I'd love to, but if I start talking about crackers instead of hackers I get people looking at me as if I'm talking about a kind of biscuit :). Sadly, we have little influence on what the press decides to name things, and once that has happened we either sigh and follow along or risk being misunderstood by the people we're trying to help.

          As for the original discussion, I have since long settled on "malware". I appreciate that for defensive and technical purposes you have to be indeed precise about the right term used when you're working on defensive mechanisms (because each class needs its own) and engage in discussions with peers on the topic, but as soon as you talk to an end user, "malware" works well as shorthand for "any kind of code that can make your computer misbehave with the exception of Windows and Adobe Flash".. Unless they actively express an interest in the minutiae (very rare in my experience), any more detail will only make their eyes glaze over.

          But hey, it's rapidly approaching beer o'clock :)

          1. mstreet

            Re: mac AV

            "any kind of code that can make your computer misbehave with the exception of Windows and Adobe Flash"

            Thumbs up for the exception bit :)

        2. Old Handle

          Re: mac AV

          Correct me if I'm wrong, but aren't viruses, in the technical sense, nearly obsolete even on Windows? Worms and Trojans seem to be the hot thing now.

          1. patrickstar

            Re: mac AV

            There has actually been a couple of widespread file infectors for the NT line of Windows (NT/2000/XP/Vista/7/etc...) but I haven't seen them in any list of most widespread malware in quite a few years. Also they were more of hybrids - file infector, worm spreading via USB sticks and network, etc.

            I suspect they died out post XP where you no longer run everything as Administrator by default.

            And remember, all mass-distributed malware nowadays has a commercial purpose. File infectors tend to be far too noisy and have too many side effects to monetize well.

    5. Anonymous Coward

      Re: mac AV

      The Mac definitions come along as well, but they're a very small part of the list of malware.

      I would like a virus scanner that only checks for Mac malware, but I suspect that would be so simple and small that it would not be impressive enough to sell it for the sums of money that Windows AV checkers go for. It would also not detect problems often and that may prompt people to switch to macOS - thus killing off their main income from Windows. Quite a conflict of interest...

      That said, I found Kaspersky's Mac AV a pain in the butt. The "free" version has a number of hangups like stalling at what it considered an encrypted file (instead of parking it as an exception for the user to deal with and progressing) and if you make the mistake to set it up as a background process it's nigh impossible to undo that and cancel the software. Not impressed, and thus not planning to buy the Pro version.

  3. knottedhandkerchief

    A customer (running an e-commerce site) contacted me as they were blitzing their customers with spam. Turned out to be from a Macbook running Office, I was able to tell simply by looking at the headers of emails that I also received from them. Naturally, when the first client complaints came in, they switched off their PC, also on the network. It was just before Christmas, so they were in a total panic as the Mac was running their labelling and enquiries. They got Mac support specialists round to fix it, which they did (on a Sunday evening in countryside). Anyway, none of this surprised me, obviously MS Office macros of some sort. What is the point of this article? Writing this on a Linux Mint Mate...

  4. PassiveSmoking

    Doesn't matter if it's Windows or a Mac, there's only so much you can do to defend users against their own utter stupidity. It was a really bad decision putting macros in MS Office but even then it does warn you when you open a file with macros in it. If you still run it anyway then anything that happens next is on your own head.

  5. W Donelson

    Wait... You use MICROSOFT products?


    1. Anonymous Coward

      Wait... You use MICROSOFT products?

      We don't either, but I don't find that a reason to laugh at others. Most either lack the skills, knowledge or even ability to choose something else so you're laughing at something that they are not able to change.

      When we come across a situation like that and we have time we see if there are small things we can fix, like making sure AV is at least up to date and macro capability is disabled as it's very rarely needed in most companies anyway. It's not something we get paid for, but sometimes a little bit of extra help goes a long way.

  6. Anonymous Coward

    Even when its a Mac Virus, Microsoft is still involved, surprise surprise.

  7. Mike 16 Silver badge

    It's the 21st century

    I would have thought that people who enable macros on Word documents without knowing where they came from would be extinct.

    I mean, how do you eat, when all your money has been sent to some script-kiddie? Where do you live, when title to your house now belongs to a company with single-family homes all over the world, but "offices" that only exist as a mail-drop in the Caymans?

    1. John 104

      Re: It's the 21st century

      @mike 16

      And there it is. Users are users. Mac users are no better at understanding their PC than Windows users are. I'd wager worse when considering some of the moonlighting customers I've worked with over the years. They possess an absolutely stunning lack of understanding of how their fancy shit works and how to practice safe computing. So while the OS may be 'secure' it doesn't matter when your user is an idiot and falls for easy shit.

  8. a_yank_lurker Silver badge

    No one is immune

    There is no OS that is totally immune to malware. Some are harder to attack because of intrinsic design choices and practices than Bloat.

  9. david 12 Silver badge

    >ability to survive a reboot<

    However, the Mac users I support never reboot unless it crashes. The fast startup just freezes everything and resumes.

  10. david 12 Silver badge

    How is the python called?

    Curious to know which method is used to execute python script from Mac Word.

  11. Neil Barnes Silver badge

    I've never had an answer to the question

    Why on earth is there a programming language buried inside a text-editor/formatter?

    1. Kiwi

      Re: I've never had an answer to the question

      Why on earth is there a programming language buried inside a text-editor/formatter?

      I often use Macros (on Libre, none of this MS crap!) to reformat or do other processing on blocks of text. Sure there's probably a number of tools out there that could also do it, including sed in some cases - but I've barely used sed, and while I probably should learn something better creating a macro in Libre can be fairly quick and easy.

      That said, in this case the macros are basically recording what I am doing. Others use them to eg grab data from a database (or spreadsheet with all the customer data in it if you're one of those really l33t wimmen techspurts I've had the misfortune of knowing - "you should only ever use spreadsheets even when you're dealing with a few thousand customers, databases are wrong" types) and re-format that into something they can use, and others do combine spreadsheet formulaic functions in there. But I still can't see the need for it to have as much power as it does, especially given the sorts of people who use that power...

      Nearly 3am. Maybe I should be in bed...

    2. david 12 Silver badge

      Re: I've never had an answer to the question

      Just another feature copied from vi.

  12. Anonymous Coward

    What is the point?

    I fail to see the point in making malware for Mac OS. Anything worth making malware for is nearly always on a system with a Windows client somewhere along the line. Sure, there's more malware for Windows, but there's more to Microsoft's approach to security behind it. Take a look at CVE Details and you'll find Mac OS one of the most poorly rated OS's for potential exploits, they're just not taken advantage of.

    1. Anonymous Coward

      Re: What is the point?

      I fail to see the point in making malware for Mac OS. Anything worth making malware for is nearly always on a system with a Windows client somewhere along the line

      It depends on the motivation. If you're doing dark stuff in volume you don't care who gets hit, and yes, then it's worth spreading wide and going for the low hanging Windows fruit. Ransomware, acquiring zombie hosts, that sort of stuff depends on volume to return income for the time and effort invested in writing the malware.

      However, if you're a government agency tasked with hacking a specific bank which has switched to Macs because they combine better TCO with easier to maintain security (I know a few private banks which have done this), at that point you will be writing macOS malware because you have a precise, defined target and alternative, easier targets are irrelevant and out of scope. The payoff is usually different too as you may simply be employed, and you may not desire a form of blackmail or extortion but simply data itself. In that context it gets a lot more focused, and your efforts may even venture into subverting or blackmailing staff because someone has done too good a job on securing the Macs, or you find a way to hit their servers directly.

      No organisation is impervious to being breached one way or another, but unless the effort is specifically targeted it's just a matter of being a more difficult target than another organisation.

      It's the same principle of running away from a lion - you don't need to run faster than the lion itself, only faster than someone else so the lion gets to that other person first..

    2. JCitizen

      Re: What is the point?


  13. FuzzyWuzzys

    For the love of Christ, not this again!

    "Oooh panic!! Users ran a script on their PC and it did nasty stuff 'cos they never bothered to check what it did or simply refuse to run the script!"

    What's the difference between a macro and a script ? ( speaking in general terms here ) Nothing! They run commands that do stuff, the more powerful the interpreter, the more damage is likely by malicious intent. If I send you an executable or a shell script in the mail, it's not really any different from a macro buried in an application doc. If the application has a language so powerful it can screw up a machine then perhaps we need to bug the manufacturer of the application to knock the macro language features into touch. Oh right, it's Microsoft and their lazy sodding attitude to security and now they're pissing in another pool of the desktop machine market!!

    1. Anonymous Coward

      Re: For the love of Christ, not this again!

      Hang on a second...

      Just because you've been a monk all your life and decide to go to the whorehouse and end up catching the Pox doesn't make it the whorehouse's fault. You knew the dangers of what you might catch before you went whoring. If you use Office for Mac then you know it has the ability to run macros.

  14. Roland6 Silver badge

    Doesn't need to be advanced...

    "Overall this malware sample isn't particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word..."

    People are forgetting all the phishing emails with Word attachments that the email purports to be an invoice, tax demand etc. that work in exactly the same way on PCs, ie. they also rely on user interaction to firstly open a malicious document (odds are it will be with Word) and then do as instructed override security and enable macros...

  15. hellwig


    Do Macs just come with Python installed? Can said Python executable just operate at an administrative level? Seems like it's not Office's fault if the OS lets anything run a Python script with elevated privileges. Unless Office "has" to run with elevated privileges.

    Seriously, it is 2017 right?

    1. Anonymous Coward

      Re: Python?

      "Do Macs just come with Python installed?"


      "Can said Python executable just operate at an administrative level?"

      It can certainly write to stuff the user owns, which will include browser plugins and items activated at login.

      And then there's the problem that by default the first user added at installation gets admin privileges, (as also happens with Windows).

      However, on a Mac, any Python script requiring elevated privileges should ask for admin credentials (or fail).

  16. Matthew 17

    Malware and viruses aren't quite the same thing though

    So a virus should be able to infect another machine on the network without the user doing anything.

    Here you have to open a specific word document in Word presumably that's been engineered to include some malware. It's not going to 'infect' any other Mac on the network or replicate itself to be included into any of your other documents.

    Whereas if you run an unprotected Windows machine on the internet then it'll run into trouble in minutes whether you open a document or not.

    Still don't see any compelling reason to install anti-virus on a Mac, I run malwarebytes if I'm doing some housekeeping, never seen it report that it's found something bad.

  17. Mike 16 Silver badge

    Email Viruses

    Anybody else here old enough to remember the first Word Macro virus (ILoveYou?) that was spread within (IIRC) weeks after all the major ISPs "debunking" the notion that email could possibly deliver a virus? That was in response to an email going around warning of such email viruses, which _may_ have been a hoax, or _may_ have started with serious research, or _may_ have been a response to a UseNet post from a year or so previous (on April 1, IIRC) detailing how one could construct a "model-line virus" to attack people who used emacs as their news and mail reader (and time-manager, pickle slicer, poetry generator... You know, the sort that just don't get out much)

    1. patrickstar

      Re: Email Viruses

      ILOVEYOU was a worm written in VBS that arrived as an attachment. You actually had to run the attachment manually.

      The first Word macro virus was Concept, which is closer to what you are thinking of. It actually ran automatically on opening an infected Word document as well as achieving persistence by adding itself to the standard template in Word.

      As to worms that actually run automatically, my memory is a bit rusty as to specifics, but there has been a bunch using vulnerabilities in eg. Outlook (auto preview of documents + HTML email...)

      And the most famous hoax of that kind would be Good Times - I actually received a copy around 1994. Back then e-mail was strictly text and attachments, so a lot less attack surface.

      I come to think of a quote along the lines of "the reason you now can get infected just by reading an e-mail isn't that the malware authors have gotten smarter but rather that the e-mail client authors have gotten dumber".
