Sophos is a massive anti-virus/anti-malware company with a 24-hour operation - I actually visited the Sophos HQ in Oxford, England last year and wrote it up on Mac Planet here, getting a tour from Mark Harris, who had been at McAfee before Sophos.

Additionally, last year I spoke to Graham Cluley, Sophos Senior Technology Consultant here.

It's a serious business. From the Oxford base, Harris leads a worldwide team of experts from UK, Canadian and Australian offices.

Although Sophos issues anti-virus products for PC users (and a free one for Mac users), the bulk of its business is protecting corporate plant and networks.


This team provides round-the-clock protection so that customer networks automatically detect and block new threats. Harris also manages proactive technology development, including Sophos's Genotype forensic analysis, which identifies suspicious patterns and characteristics unique to a malware family or a spam campaign rather than to one particular file. Sophos constantly analyses these Genotype patterns, along with other indicators.

For 24-hour protection, the team in England hands off to Vancouver, Canada after eight hours and they, in turn, hand over to the Sydney team. After eight hours this Australian team hands back to the UK staff as they arrive at work in the morning. This means the Sophos experts constantly mine and monitor the worldwide data stream for trends, new malware, illicit access attempts and spam.

While I was in Oxford, I saw viruses blooming and spreading from relay stations across the world on a huge interactive panel display. It was pretty bizarre, and made me realise once again how lucky we Mac users have been.

Paul Ducklin from Sophos, from the Sydney office, was in New Zealand in February to attend a special interest group in Wellington to discuss hyperspotting or hotspotting, a method phishers use with social network sites. He called my iPhone for a chat - identity blocked, naturally.

"In the old days, there really were technically viruses - things that could actually spread by themselves. Often they were polymorphic - they could shape-shift as they infected from file to file. Even in the old DOS days of the early '90s, they could be fiendishly complicated. But the advantage to us was that if we captured a sample, every bit of intelligence about avoiding detection that the virus had tended to be built into it, so we could take it offline, put it in the lab and watch it deductively to see how it behaved."

But these days, "The crooks really have embraced the cloud. They seem to be the guys who understand it, sadly, the best, and what it can do to them. So you don't have viruses anymore. They're almost all Trojans - they're all one-shot files that are designed to infect your computer and maybe ten, 12, 50 or a thousand other people, and then the next guy who visits that website gets something completely different. That means the changes that used to happen inside the malicious programs are no longer visible to us, unless we're able to acquire it somehow.

"This means they don't show the cards in their hands until the very last minute. It means we can't generate new samples at will for testing in the lab, and they can detect us visiting and trying to get these samples, so they play dead. So now we [Sophos] have to be a bit nimble in how we browse the web."

Nowadays the humdrum, day-to-day stuff is mostly handled by computers; the human staff identify trends and check through otherwise legitimate sites and networks for planted malware and anomalies.
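As an added illustration (written for this page; it is not Sophos code and contains no real malware), the toy script below simulates what Ducklin describes: a web page that hands every browser visitor a freshly mutated one-shot file and "plays dead" for anything that looks like an analyst's fetch. It then shows why a per-file hash signature taken from one download misses every other download, while a family-level check that strips the per-visitor junk and recovers the invariant core (the idea behind a "genotype") still matches all of them. The payload bytes, the header layout, the scanner heuristics and the user-agent strings are all constructed assumptions for the example.

```python
"""Toy simulation of server-side polymorphism versus family-level detection.

Added example, not from the column and not Sophos's Genotype implementation.
FAMILY_CORE is a harmless constructed byte string standing in for the logic
that every member of a malware family must carry.
"""
import hashlib
import random
from typing import Optional

# Constructed stand-in for the invariant logic of a downloader family.
FAMILY_CORE = b"connect(c2);fetch(stage2);run(stage2)"
MAGIC = b"\x7fSTG"

# Hypothetical cues a crooked server might use to spot analysts' fetches.
SCANNER_HINTS = ("sophos", "bot", "curl", "python-requests")


def serve(user_agent: str, seed: int) -> Optional[bytes]:
    """Simulate the malicious web page.

    A browser gets a new one-shot variant; a suspected scanner gets nothing
    (the server "plays dead"). The seed stands in for whatever per-visitor
    state the real server keys its mutation on.
    """
    if any(hint in user_agent.lower() for hint in SCANNER_HINTS):
        return None
    rng = random.Random(seed)
    key = rng.randrange(1, 256)                                   # per-visitor XOR key
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 32)))
    body = bytes(b ^ key for b in FAMILY_CORE)
    # Constructed layout: MAGIC | key | junk length | junk | XOR-encoded core
    return MAGIC + bytes([key, len(junk)]) + junk + body


def sha256_signature(sample: bytes) -> str:
    """The classic per-file signature: a hash of the whole sample."""
    return hashlib.sha256(sample).hexdigest()


def genotype_match(sample: bytes) -> bool:
    """Family-level detection: ignore the per-visitor key and junk and check
    whether the invariant core is present underneath."""
    if not sample.startswith(MAGIC) or len(sample) < len(MAGIC) + 2:
        return False
    key, junk_len = sample[4], sample[5]
    encoded = sample[6 + junk_len:]
    return bytes(b ^ key for b in encoded) == FAMILY_CORE


def compare_detections(n_visitors: int) -> dict:
    """Serve n variants to browsers and count what each approach catches when
    the hash signature was taken from the first download only."""
    samples = [serve("Mozilla/5.0 (Macintosh)", seed) for seed in range(n_visitors)]
    known_hashes = {sha256_signature(samples[0])}
    return {
        "distinct_hashes": len({sha256_signature(s) for s in samples}),
        "hash_hits": sum(sha256_signature(s) in known_hashes for s in samples),
        "genotype_hits": sum(genotype_match(s) for s in samples),
    }


if __name__ == "__main__":
    print(compare_detections(20))
    print("scanner gets:", serve("curl/7.79", seed=0))
```

Every download has a different SHA-256, so the hash signature catches only the one sample it was built from, whereas the structural check catches all of them; and a fetch with a tell-tale user agent gets no sample at all, which is the "play dead" behaviour that forces analysts to browse carefully.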

Paul thinks it's time Mac users learnt some caution from their "Windows' fellows" - indeed, I pointed out that it was only switchers to Macs who even ask me about malware.

Of course, 'phishing' (unsolicited emails masquerading as official communications and asking for private details such as banking or email account credentials) is as much a threat to Mac users as to anyone else.

Sophos takes social networking sites very seriously. And not just Facebook and Twitter - LinkedIn can also host links that lead you where you shouldn't go, or that mine your personal details via made-up personas who 'friend' or connect with you. It still shocks Paul what people will divulge in their own profiles. For example, "LinkedIn users tend to be more trusting with the information in their profiles, as they think it's just for business users."

"Fifty-somethings came out worse than the 20-somethings in a survey we did." The older Facebook users had an average of a thousand friends. "That's the number of people seeing stuff that was considered intimate enough to only share with 'real' friends. We're often our own worst enemies."

We talked about last year's scam aimed at Mac users, who were tricked into paying for fake 'virus protection': a website reported that it had 'found' malware on the machine, then asked for credit card details to 'remove' it. Of course, there never was any malware.

Another scam currently doing the rounds for PC users - and Paul says it is very prevalent in New Zealand - is actual phone calls from fake 'help desks'. The callers say you have problems with your PC and that they can help you over the phone; you just have to let them into your computer. Of course, you also have to pay with your credit card details ... Currently, if you say 'Not bloody likely, I have a Mac' they hang up, but Paul doesn't think it will be long before that happens often enough that the callers learn enough about Macs to blag their way through those scenarios as well.

"Imagine if they get you to open Console for them?" [Console is an Apple app in your Utilities folder that displays the system's low-level logs - exactly the kind of technical-looking noise a caller could present as 'proof' of infection. Don't touch it unless you understand it.]

Good point. There are surely just as many anxious Mac users who will listen to any authoritative voice and can be led somewhere very inadvisable.

Paul has advice for this: "Just remember, you didn't ask for help, so don't take it from them. If you think you really do need help, go and find somebody local you can look in the eye."

But Paul is reluctant to make any prediction that Apple is about to hit 'that magical tipping point' where malware creators will target it. "It's hard to guess why the crooks aren't [yet] bothering. There's a school of thought that says it's so easy to make money out of Windows, and they've got the machinery to do it, so why blow the Mac advantage they might get if Windows gets more and more secure or people get smarter?

"But I would agree that if there's a market share point where the crooks go 'Right, we're going to steam into Mac products now', well, you'd have to say that moment's arrived [with ten per cent and rising Mac use in markets where they're available], yet that's not happening."

Sophos also has its eye on the Chinese market, where hacking and duplicating software for sale seems to be almost an acceptable form of commerce. It's not hard to slip malicious code into those duplicated, grey- or black-market packages.

Another point of insecurity is the kind of data people leave on USB keys, and then lose. Two-thirds of the Mac users' USB keys Sophos checked already had PC viruses on them, presumably from being plugged into infected PCs. Plug them into clean Windows PCs and you infect those in turn, even though you're a Mac user. And that's a common scenario: swapping a photo or a file from one user to another, no matter the platform. (But no, Sophos didn't find any Mac viruses on the keys.)

Anyway, if you do want security maintenance on your Mac, either for caution's sake or because you do regularly pass on files to PC users or you're in a mixed environment, check out the one Sophos created for free here.

And in the event that Apple's ever-enlarging mobile space also becomes a target, Sophos has a free security app for iPhone.

The Sophos Threat report 2012 is also available here.

Happy cautionary proceedings.

- Mark Webster