Archive for the ‘Uncategorized’ Category

The reality of Macs and Malware

September 11, 2009

Friday, September 11, 2009

I read an article recently which inspired me to dive into this topic with a blog post of my own. The article in question was “Why are there no Mac viruses?“ by Philip Elmer-DeWitt.  The article makes a few interesting points in and of itself. However, I found the comments which accompanied the article to be of equal interest. I’m reminded of the fact that most people who comment on such topics don’t understand what a virus is much less how it differs from something like a Trojan horse. I’m also reminded of the fact that misery loves company.

Definitions
For those who feel they have a firm grasp on the definitions and distinctions between the various terms associated with malware, feel free to skip to the next section.

So, what is the difference between terms like Viruses, Worms, Trojan Horses, Spyware and Malware? People seem to feel free to use these terms interchangeably as if they are the same thing. They are not.

Malware
Malware, short for “malicious software”, is a very generic term that collectively refers to any sort of bad program running on your computer. Malware may come in the form of a Virus, a Worm, a Root Kit, a Trojan Horse or even as Spyware.
Dictionary.com has the following definition: “Malicious computer software that interferes with normal computer functions or sends personal data about the user to unauthorized parties over the Internet.

Virus
A Virus is a piece of malware that has the ability to self-replicate. This is the most dangerous piece of malware.
Dictionary.com has the following definition:“a segment of self-replicating code planted illegally in a computer program, often to damage or shut down a system or network.

Worm
A worm is similar to a Virus in terms of danger or threat, but there are several distinctions. A worm spreads across a network without any user intervention (this distinction is important as compared to a Trojan). Also, unlike a virus, a worm does not attach itself to existing code.

Dictionary.com has the following definition: “computer code planted illegally in a software program so as to destroy data in any system that downloads the program, as by reformatting the hard disk.

The dictionary.com is incomplete in this example, so further detail is described here with the Wikipedia entry.

The Wikipedia definition is as follows.
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or devour files on a targeted computer.

Root Kit
A Root Kit is more difficult to describe. It’s probably best described as a combination of a Virus and a Trojan. It allows unauthorized users to take control (“root” access in UNIX or “administrative” access in Windows) of your system without the knowledge or permission of the legitimate systems administrator. They are typically installed through legitimate software installations unknowingly. Likewise, they are only effective after they have been installed, presumably unknowingly, by someone with administrative access to a system.

Root kits go back to 1990, but they are most commonly associated with the 2005 Sony BMG scandal. Music CDs from Sony installed a Root Kit onto Windows based PCs in an attempt to enforce DRM. In the process, they created a huge security hole for anyone who was aware of their existence.

Reference.com has the following definition: “A root kit is a computer virus which consists of a program (or combination of several programs) designed to take fundamental control (in Unix terms “root” access, in Windows “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers.

Spyware
Spyware is basically a piece of malware installed on your system that monitors your activity, collects information about users (without their knowledge) and reports this information back to another source. This data is typically used for marketing purposes.

A subset of spyware called “keyloggers” can be used to steal a user’s password, credit card or any other sensitive data entered by keyboard.

Another type of spyware is called “adware”. Adware is computer software that automatically downloads, plays or displays advertisements on your computer when you run certain programs.

Dictionary.com has the following definition: “any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes

Trojan (horse)
A Trojan is best described as any piece of malware that is installed or run by the user through deception. Trojans typically do not exploit known security holes. Rather, they trick the user into executing them by pretending to be something else. The only real defense against a Trojan is a healthy dose of common sense. Don’t install software from un-trusted sources for example. Trojans often accompany pirated software downloaded from peer to peer clients. Trojans are not like Viruses as they don’t self-replicate. They are not like worms as they don’t automatically spread via networks. They require an end user to manually execute them. This is an important distinction.

Dictionary.com has the following definition: “a non-replicating computer program planted illegally in another program to do damage locally when the software is activated.

in the wild
This is another term that’s an important distinction. In the referenced article, Elmer-DeWitt uses the following definition for “in the wild”.

“In the wild” means it has infected, or is currently infecting, new machines through normal day-to-day usage.”

On the Mac platform for example, there have been several attempts at “proof of concepts” to make a Virus. However, due to technical and/or security barriers, these “proof of concept” viruses have never been able to propagate “in the wild”. This of course renders them completely ineffective and thereby nullifies their existence as a security threat.

So, why are there no Mac Viruses?
In the referenced article, Philip Elmer-DeWitt claims there are no known Mac OS X viruses in the wild. By contrast, there are thousands of known Windows based viruses in the wild. When you stop to think about that, it’s a pretty amazing claim to be able to make. Similarly, it isn’t very surprising that Apple would play to that strength with its “Get a Mac” advertising campaign.

Elmer-DeWitt attributes the lack of Mac viruses to three reasons: small market share, stronger UNIX based file system and kernel and “viruses going out of style”.

Security through obscurity
The first reason listed, “small market share”, is by far the most common answer by people (qualified or otherwise) who comment on the topic. This answer is sometimes called “security through obscurity” and this response is especially popular with Windows users. Many Windows users would like to think that Macs are just as vulnerable as PCs. This reasoning continues by suggesting that the smaller user base makes Macs less viable targets.

While there is some truth to this line of thinking, it’s a bit short sighted. On one hand, it’s a fair argument to suggest that viruses are created with the intention of gaining monetary value or wreaking the most amount of havoc as possible. With this mind set, targeting the Mac user base (less than 10% of the overall PC population) would be of little value. However, it’s more likely that Macs would have fewer viruses if this were the case rather than no viruses at all. Other motivations for creating viruses have historically been just for bragging rights amongst the “hacker” population. Imagine the notoriety that would go with being first to create a legitimate Mac virus! Further evidence to debunk this claim would be the “classic” Mac OS (Mac OS 9.x and below) had up to 60 viruses (depending on the source) over the years. Clearly, the classic Mac OS was less of a target, but it was a target and there were viruses for that platform. Similarly, there have been virus attempts for Mac OS X, but they have been unsuccessful due to technical & security limitations built into core of the operating system. As such, it’s fair to suggest that Apple’s relatively low market share makes the Mac less of a target as compared to Windows PCs. However, those who suggest this is the only reason are simply mistaken as logic would dictate otherwise.

Stronger UNIX based file system and kernel
Clearly, Apple’s stronger UNIX based file system and kernel have helped Mac OS X’s security reputation. If nothing else, the documented “virus attempts” would have been successful viruses were it not for this level of security. Arguably, this might be the only reason we haven’t seen a successful Mac OS X virus. However, that’s difficult to prove one way or the other.

Viruses are going out of style
Elmer-DeWitt claims that “The action these days, I’m told, is in Trojans and spyware.” That very well may be, but then the question has to be where are all of the Mac Spyware infections, not to mention Root Kits, Worms, etc?

The truth about Trojans
Trojans exist on both platforms, but these aren’t really breaches in security, these are breaches in common sense – at least with regard to security in modern operating systems. Trojans are often referred to as “Social Engineering” issues because they require tricking the end user to execute them with escalated privileges.

For example, I could write a very dangerous program and call that program “WINWORD.EXE”. I could then supply that executable with a copy of Microsoft Word’s icon. If someone were to download this executable, thinking they were getting a copy of Microsoft Word, they would be very surprised when my dangerous program wreaked havoc with their system instead. Unfortunately, this type of threat is not so much a security issue because the program doesn’t exploit any known security hole; rather the exploitation is the end user’s lack of judgment or precaution. As such, it’s labeled as it is a social issue. Though, to be clear, that “social issue” may very well compromise the security on your system. As such, categorically, it has to be considered a security issue at least indirectly.

With Windows XP, if you ran a Trojan and like most every other XP user, you’re running with administrative privileges, your system was compromised and you had no clue anything unusual was happening. At least with Mac OS X, when the Trojan tries to do something that requires more than basic user privileges (like infecting your operating system or wiping your hard drive, etc.), the user is prompted to authenticate with their administrative password (even if they the user account has administrative privileges). Most people with an ounce of common sense would think this is strange and deny the authentication. Why would Microsoft Word need administrative privileges to create a Word document?

Fortunately, Microsoft Vista and Windows 7 have similar authentication requirements. The problem with Vista is that the use of UAC is overdone to the point that users just become conditioned to accepting everything in order to clear the annoying Window. Apple’s latest operating system release, Snow Leopard or Mac OS X 10.6, contains rudimentary detection for known Trojans. Windows 7 goes a step further and provides basic anti-virus (malware) protection.

Misery loves company
The knee jerk reaction to an article like this is to do a Google search for viruses on Macs. After some digging, someone in the comments thread was able to find some write-up of a Mac OS X virus. Without further investigation, this commenter declared victory by way of “seemingly” providing evidence to dispute Elmer-DeWitt’s claim of no Mac OS X viruses in the wild. The two viruses cited were:

  1. OSX.MachArena.A
  2. OSX/Leap-A or OSX/Oompa-A

The problem is, just doing a quick Google search for a Mac virus may yield a few results, but if you dig into the details, none meet the actual requirements to be both a real virus that is capable of self replicating and also existing in the wild. It’s also important to note that companies who classify a piece of malware as a Virus stand to gain financially as people become scared and purchase their anti-virus “solution”.

Such is the case with the first example, OSX.MachArena.A. It became popular from a press release from Intego (who happens to sell Mac anti-virus software) on November 6, 2006. They did at least admit that it was just a proof of concept that did not exist in the wild. In truth, it had to be run from a Windows partition on a Mac (assuming the Mac user actually even had Windows installed) and even with that, it was executed manually and likewise could not self-replicate. It was just a silly proof of concept experiment that never could have existed in the wild. In a MacFixIt article, Symantic acknowledged that there is “there is no reliable vector for the spread of OSX.Macarena”.

Similarly, Sophos Labs released a press release on February 16, 2006 that the “First ever Virus for Mac OS X” was discovered.  This of course was referring to the malware known as OSX/Leap-A.  Not surprisingly, Sophos Labs just happens to sell Mac anti-virus solutions as well. Notice a pattern here? The entities that produce the scare with press releases just happen to have paid solutions available to you. How nice.

At the time, there were several technical sites which decomposed this supposed “virus” in detail and made it clear that it was not a virus. Just doing a quick search brings up lesser quality explanations, but they still serve to illustrate the point.

“Even if someone does send you the “latestpics.tgz” file, your computer will not be infected unless you explicitly unzip the file, open it and then provide the computer with your password so it can run.
“The Leap-A malware was a poorly-programmed Trojan horse that relied on “social engineering,” or trickery to perform its nasty function. There’s a simple way to protect against this kind of threat — common sense — and in testament to this, a lot of people didn’t fall for it. “

Macworld covered the issue and added the following:

“Apple’s Official Policy concerning this is: “Leap-A is not a virus, it is malicious software that requires a user to download the application and execute the resulting file. Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust.” Apple provides a guide to safely handling files received from the Internet here.”

In short, to get this malware, you had to specifically choose to download it via iChat (Apple’s instant messaging software). Then you’d have to uncompress the file manually. OS X itself provides warnings at this point as a matter of course. Then you had to open / execute the file. Finally, you would have to authenticate your administrative password in order for it to work. I believe the real kicker here was that even with all that, it only worked over a local network. Clearly this was not self-replicating given all of the manual steps needed by the user. In reality, this was, as described, a poorly conceived Trojan and nothing else.

No doubt these “details” would seem to rain on the parade of the “Windows fanboys” looking for a little schadenfreude. More likely, it’s likely just a case of “misery loves company”. Either way, as of this writing, there are still zero legitimate Viruses (or worms, etc.) for Mac OS X.

Vectors of attack
Historically, it’s important to look at the vectors of attack for common malware. Years ago, while I worked at IBM, a colleague of mine was security researcher. It was his job to look for holes in software and try to exploit them. Anecdotally, I recall him telling me with a smile: “As long as Microsoft is in business, I’ll have an easy job”. The discussions often turned to examples with things like Microsoft’s ActiveX controls. This technology was Microsoft’s attempt to create a Microsoft Internet, whereby Internet applications would require ActiveX controls and thereby locking out other operating systems. Instead, ActiveX became the breeding ground for countless Virus and other such malware attacks. Prior to Internet Explorer 7, Spyware could be loaded onto your Windows based machine undetected seemingly at will. Worse, since Internet Explorer was (and is still) used by the masses, attacks were very easy.

Similarly, just viewing an e-mail in Windows opened up the door to countless virus attacks on PCs. The attacks were never ending because they were so easy to write. Perhaps the original attack was done by an expert, but subsequent attacks by “script kiddies – kids without much technical experience” were accomplished by modifying an existing virus just enough so that it wasn’t detected by existing virus definitions. With each mutation from the next script kiddie looking for fame, came significant downtime from corporations and users alike.

The point to illustrate here is that the most successful vectors of attack for viruses simply didn’t exist anywhere but the Microsoft Windows platform.

Other comments in the thread
There were a number of other comments after the article that caught my attention and are worth addressing.

“Trojans are just as dangerous as viruses, and the distinctions are basically academic.”
While it’s true that Trojans can be just as dangerous as viruses, the distinction is far from academic. Viruses, Worms, etc. infect your system via exploiting security holes. Trojans, particularly on OS X require the end user to both manually execute the Trojan and to provide administrative authentication manually through trickery. For this reason, it hasn’t been an issue for Mac users. Though, for Windows XP (2/3 of the existing Windows user base as of this writing), simply executing the code was all that was needed. For this reason, it’s understandable why some Windows users would consider this distinction to be “academic”.

“Viruses can be taken care of with a $20/year investment in antivirus software and a bit of personal responsibility.”
That of course ignores the initial investment in the software. Anyway, it’s said that Mac users have a false sense of security because they typically don’t even have anti-virus software installed. While that is true to some degree, the only valid reason for Mac users to run anti-virus software is really just to be a good citizen and not pass on other Windows viruses that come through e-mail, etc. With regard to a false sense of security, it should be noted that Windows users who use anti-virus software are only as safe as their latest virus definitions. That is, on Windows, Viruses happen. Until they’ve been detected and a solution is wide spread, that same virus may attack thousands of Windows users. Likewise, nobody is every 100% safe. Also, it should be noted that anti-virus software runs at an escalated privilege setting. In the past, anti-virus software has been a known vector of attack for security exploits.

“Time will tell.”
This is typically where debates go when there is absolutely no evidence to suggest Macs are equally vulnerable as Windows. When Mac OS X was new, this was a fair argument to make. Any operating system needs to be exposed to a large user base for a few years to see if it stands up to the rigor of the real world. However, after nearly 10 years now, this argument wears thin. How many more years will people still resort to this argument? Certainly, anything is possible. Quite frankly, I’m surprised there hasn’t been a legitimate virus for Mac OS X after all these years. However, with each passing year, the likelihood of such security breaches would seem to diminish.

“It’s because the people who write the viruses all use Macs!”
I’m sure that was written as a joke. Of course, just to respond, how would these PC viruses which were developed on Macs be tested?

“If MAC OS X doens’t have viruses, why do AV ISVS like Symantec, McAfee, and Sophos make AV software for them?”
As of this writing, there is no need to run such software on Macs. In fact, the vast majority of Mac users do not run any such software. That’s not necessarily a good thing, but that is reality. Right now, the primary reason for Mac users to run AV software is just to be a good internet citizen and not pass on viruses through e-mail, etc. onto other Windows users. For some, it’s always nice to know that such software does exist in case of an emergency. However, to be honest, I don’t know how these companies stay in business. For many companies this is one product of many that they offer.

“Let’s level the playing field here – if you “rule out” all those categories, the number of PC malware goes down quite a bit too. Not counting any browser (IE) vulnerabilities must cut it in half.”
While it’s true that if you rule out things like Trojans, etc. from the overall Windows based malware count the numbers would be significantly reduced. However, by no stretch would it “level the playing field”. The numbers of Viruses, Worms, etc. on the Windows side would still be in the tens of thousands as compared to zero for the Mac side. Narrowing the definitions isn’t the magic bullet here in terms of “leveling the playing field”.

“Who cares that it doesn’t have viruses when it has other forms of malware?“
As a multiplatform user, I care. As for other forms of malware, there are a handful of Mac Trojans and none of them are particularly harmful. There are no known Virues, Worms, etc.

“I’m the guy who promoted the $25,000 OS X virus challenge in 2005. I was thoroughly trounced by one and all as an evil, irresponsible criminal for having the guts to publicly say the technological truth about how the Unix frameworks of OS X and the as-shipped system configuration of Macs effectively eliminated any risk of non-user enabled entry trajectories for viruses.”
This wasn’t a question, but rather a comment from Jack Campbell who promoted the $25,000 Mac OS X virus challenge contest. He was criticized by the Mac community at the time as being irresponsible. That probably was true. However, the point remains, nobody was able to claim that prize. Four years later, nobody would still be able to claim that prize. Surely $25,000 is enough to generate interest from hackers, so we can’t say there wasn’t financial incentive to create a Mac virus.

“Windows is more vulnerable because it is more open to software development – which is why there’s a HUGE number of programs written for it, vs a tiny percentage for Mac.”
Considering that every Mac ships with professional development tools (Xcode) I fail to see the logic in that statement. Further, considering the massive amount of development shifting to the iPhone, which is done on a Mac, the excuse of not having enough Mac based developers just doesn’t hold water. For that matter, viruses could well come in the form of UNIX scripting which certainly exists on many other platforms.

“Why do you suppose Mac added AV software to Snow Leopard?”
Technically, there isn’t. Apple did add some basic anti-malware into some services such as iChat, e-mail and the web browser. Currently, it can only detect a few Trojans (because that’s all the malware which exists) and this service isn’t system wide. This is a good first step, but it’s not a full anti-virus solution. Anyway, to answer the question, if some malware does exist, why not build in some form of basic protection to further tighten security?

“no serious computer user or programmer gives a crap about apple, that’s why there are no viruses.”
I’m not even sure how to reply to such a ridiculous statement. However, comments like this do serve to demonstrate the notion that misery loves company and that there is no limit to the type of irrational arguments that come from Windows “fanboys” wishing to discredit the Mac platform in some way. It also serves to illustrate the level of intelligence of the typical ranting forum poster.

Conclusion
The article for the basis of the blog post was just one of many such articles on this topic. It never ceases to amaze me just how much misinformation and incorrect perception exists regarding this issue. The simple truth is, seemingly few people seem to have even a basic understanding of the various terminology associated with security and malware in general. I’m not sure that will change anytime soon.

As I suggested earlier, misery loves company. Windows zealots would be very happy to have the Mac community under the same level of malware attack as they are, but that’s just not the case. Worse, the fact that Mac users can brag that “zero” Viruses, Worms, etc. exist on the Mac platform seems to be a particularly sore spot for many. As seen in the comments section of the referenced article, there were many outrageous (albeit unsuccessful) attempts to discredit the Mac platform’s track record with regard to malware vulnerability. Worse, software companies who develop Mac based anti-virus software have been quick to send out false alarms in hopes of creating a panic and thereby sell more of their product. In many respects, that’s shameful.

Finally, logic would dictate that no system is perfectly secure. Mac OS X certainly isn’t. As such, it would seem likely that eventually there will be a significant Virus/Worm attack for the Mac OS X platform. Yet to date, that just hasn’t happened. Perhaps Mac users are living with a false sense of security by not purchasing anti-virus software. I certainly wish I didn’t have to use anti-virus software on my PC. However, it’s also hard to argue the fact that malware just hasn’t been an issue for Mac OS X users through the history of that operating system. For the Windows fanboys out there, this may be a tough pill to swallow. We can argue why Macs have been a safer platform (smaller market share, better inherent security model, etc.) but we can’t deny the fact that the Mac platform has enjoyed a tremendously better track record in this regard as compared to the Windows platform.


Follow

Get every new post delivered to your Inbox.