A few weeks ago I caught a tweet from Chris Wysopal (@WeldPond) noticing how the new version of Microsoft Security Essentials had detected the Zuc.A virus on his machine. You might think that's really cool how Microsoft gives away free anti-virus software to its users, and it is, but then you think wait a minute, Zuc.A is a Mac virus, why is it being detected by Microsoft Security Essentials, a Windows anti-virus product? Not only is Zuc.A a Mac virus it's a twenty-two years old! It was first detected in Italy in 1990! (To save you from looking it up that's when Mac System 6.0.5 was shipping.) Why was it added to Microsoft Security Essentials, and why does Chris Wysopal have a copy of it on his Windows machine?
The second question was easy to answer; I tweeted back at Weld Pond and asked him, "huh?" He mentioned that he keeps a copy of my old Whacked Mac Archives mounted on a back up drive. Now the Whacked Mac Archives is an interesting piece of history as it was the first and largest (at the time) repository of Macintosh Security software. It totaled a whopping 20MB, which was a lot at the time, and one of the things it contained was a collection of about twenty or so live Mac Viruses. So that answered the question of why Chris Wysopal had a twenty-two year old copy of a Mac System 6 virus on his Windows machine, but it didn't answer the first question, why it was being detected by Microsoft Security Essentials.
At the time this happened a few weeks ago I was travelling for work and didn't have time to delve into things very deeply however I received an unusual email from an old close friend who now works at Apple asking me to give them a call. I knew immediately why they wanted me to call. (If you're in the security community you know who it was and since people who work at Apple prefer to stay in the shadows I won't name them.) This person had caught some of the tweets between myself and Weld Pond and wanted to know what we were seeing. So the fact that Microsoft Security Essentials was detecting old Mac viruses seemed to be news to Apple as well.
Unfortunately like I said I was travelling and didn't have time to really look into this but I did have time to think about it, twelve hour plane trips will do that for you. There was of course the obvious reason why any Windows anti-virus product would scan for ancient Mac viruses would be to pad the numbers. By increasing the number of signatures they scan for, even if those signatures are technically irrelevant, they can say "We now have a squirrelzillon signatures in our product". Marketing, pure and simple. Of course the reason that most AV companies will give you for why they scan for viruses that can't possibly hurt your machine is so that you won't unknowingly infect someone else. I have to wonder just how big the installed base of Classic Mac OS or System 6 thru 9 actually is to justify adding these signatures.
But that got me thinking even more (did I mention it was a twelve hour plane ride?) If Microsoft is scanning for old Mac viruses who else is? Is this an isolated case or do all Windows AV packages scan for ancient mac viruses as well??
When I got home, and unpacked and got a little more settled I searched through some of my old boxes for a CD copy of the Whacked Mac Archives. Unlike Weld I don't keep copies of ancient Mac software mounted on my desktop. I fired up an old Mac Mini with OSX I had and a Dell laptop running Windows 7 and got to scanning. This is what I found.
Mac Mini 2GHz Intel Core 2 Duo 4GB RAM OSX 10.6.8
Sophos and Kaspersky Anti-Virus would only detect viruses in their uncompressed state. Which is interesting because Avast (See below) is exactly the opposite.
The Avast results are interesting. It only detected about six of my two dozen samples and only when compressed on the CD. Why only those six? If you're going to detect ancient viruses like this why not detect them all or at least most of them? When I uncompressed the files and left them in a folder on the hard drive Avast did not detect them at all, which is the exact opposite of Sophos (See above). I don't know but I suspect that the signatures that Avast uses are from compressed files and not the raw code.
iAntiVirus, which is a Symantec product, failed to detect any of the known viruses but it did hit on a different file inside the Whacked Mac Archives. It detected both the compressed and expanded versions of 'Invisible Oasis', which was basically a simple keystroke recorder. Its not a virus and it doesn't run on OSX so why detect it?
Just a side note on the different Free AV product I tested. Kaspersky Anti-Virus 2011 for Mac gave me the most problems. It had issues installing and activating. Since the software is set by default to autolauch on boot it would lock up my machine instantly. After about two hours of fighting with it I finally got it to behave nicely but it is definitely not something I would recommend.
Dell Latitude D520 Intel Core2 @1.66MGz 3GB RAM Windows 7 SP1 32-bit
Microsoft Security Essentials was impressive, not only did it detect the highest number of samples it detected both the raw files and the compressed versions. What I did not know and learned about after I shared this with some other members here at SpiderLabs is that Microsoft uses the same engine and signatures from MS Security Essentials in TMG (Threat Management Gateway) and probably for other products as well. It is nice to know that they pretty much detect everything.
Kaspersky's Mac product detects some of these so they definitely have some of the signatures in their library, if they have them why leave them out of the Windows version?
Sophos only detected some of the files and only in their uncompressed state.
Avast! seems to detect more Mac viruses on the Windows side than on the Mac side! It also detected compressed files as well as uncompressed which is a little different than what I found on the Mac side. I'm not sure what to make of that at all. I suspect something in my testing setup may have let some of the signatures slip through; otherwise there is something weird going on at Avast!
So what have I actually proven here? Not a whole hell of a lot really. Some anti-virus programs scan for really old Mac viruses and some don't. Personally I don't see any benefit one way or the other. They aren't going to harm your machine, whether you're on a Mac or a Windows box and the odds of you transmitting one of these to an old Mac Classic or System 6 thru 9 user is highly unlikely these days. I suppose there are still some pockets of old Mac users out there, most likely at schools, but how likely are you to share files with them? Either way I thought this was an interesting exercise just to see what the different companies are doing.
1Sophos Anti-Virus 8.0.4
Threat Detection Engine 3.32.0
Threat data 4.78
Protects against 3664367 threats
2ClamXav 2.2.5 (257)
Known Viruses 1248587
3Avast! 7.0 (37028)
Virus Definitions 12060602
Engine Version 188.8.131.52
Database Version 2.0.51
6Kaspersky Anti-Virus For Mac 2011
7Microsoft Security Essentials
Virus Definitions: 1.127.1493.0
8Kaspersky Internet Security 2012
9Sophos End Point Security and Control 10.0.5
Detection Engine 3.31.20
10McAfee AntiVirus Plus 15.0
Virus Definitions 120607-1