Mac malware is experiencing an uptick. While not yet the widespread levels of compromise seen in Windows, the growth in Apple device adoption–especially in the enterprise–makes OSX a more attractive target. The long-held axiom that Macs do not get “viruses” is not only untrue, but an irresponsible message for users, one that will likely cause a lag in adoption of malware protection.

Aside from traditional firewalls, malware signatures, or persistence behavior tracking, DNS has been and always will be a perfect ally in protecting against malware, on any OS, but OSX included.

Infosec Incident Handler Jack Crook recently wrote a guide to the behaviors of malware with suggestions for getting in front of intrusions. It’s an excellent source of how malware works. Crook’s post focuses on the network level, but the principles of malware behavior are the same for a personal computer, regardless of OS:

  1. An adversary needs to enter your network
  2. Maintain persistence in your environment
  3. Have the ability to execute commands with the correct privileges
  4. Locate the data they are after
  5. Get the data out

As Synack’s Patrick Wardle has already shown, Mac persistence is relatively easy. And recent news has shown the built-in protections against malware behaviors like protective measures Apple puts into OSX may not work as well as Apple intended.

Steps one and five from Crook’s list are where DNS can play an unmatched role in protecting against malware. To complete step one, attackers need to successfully get in, usually accomplished through phishing attempts, or exploiting an external-facing vulnerability like the infamous Flash player, or using compromised credentials to log into a sensitive system (or in this case a personal Mac). There are many other ways, but these are some of the main categories of intrusion. Passwords aside, many of the intrusion methods work over the Internet, which means they usually originate from unsavory places on the Internet. DNS is the perfect, automatic way of blocking traffic to and from those unsavory places.

A Very Poor Attempt at Phishing

A poorly concealed phishing attempt.

Step five is where attackers or the malware they install need to call out to announce the job is complete. Many forms of malware and botnets use a Command and Control (C&C) domain that will tell a PC what to do once it receives a successful ping. DNS traffic can provide many of the first indicators that something is wrong at this step.

In both cases–steps one and five–automatic protection is key, and DNS is the way to get it, as it can prevent before the infection even occurs.

This is not the case with ISP-provided DNS. Internet service providers often regard DNS as a necessary protocol, but do not use it to apply security, leaving the Internet wide open for a Mac or any other machine to contact any malicious domain available.

If you are a home user looking to for better DNS performance than your ISP, you can point your DNS to OpenDNS ( and to get more reliable and often faster response time than an ISP DNS service can provide.

If you’re looking to get enterprise-grade protection from malware and phishing, check out our Prosumer service.

This post is categorized in: