
The Reg on Apple’s Big Virus

Kelly Martin writes in The Register about “Apple’s Big Virus” – the fact that there are no viruses on the Mac.

Beyond critical mass, I would like to believe there’s a better reason for the lack of viruses on OS X, and it’s based on the culture of the Mac — which is distinctly different from other platforms. Is it wrong to try a new computer system and actually enjoy the user experience, for a change? Can you imagine a world where (today) you can click on anything and never worry about malicious intent? Can we not continue this unwritten rule that there can be a platform out there that is simple, easy-to-use, with Unix (and a cool ports tree) underneath that has no threat at all from viruses?

Unfortunately, Kelly doesn’t actually say what this “cultural difference” is, which leaves me loath to give the argument much credit: Kelly links to a study showing that virus writers are a fairly diverse bunch, which doesn’t really explain anything.

To my mind, there’s a simple reason why Macs lack viruses, trojans, et al: Unfamiliarity and lack of access. How many virus writers actually have a Mac they can write on? How many understand the ins and outs of Mac programming? No Access + no knowledge = no virus.

Of course, there are other reasons as well: The Mac is more secure, although not immune (no system is). The Mac is a relatively small percentage of machines on the net, which makes it less easy to effectively spread. And so on. But I suspect that knowledge and access are the two most important reasons.


  • Johno

    So your opinion is based on a hunch. That makes it just as well based as the writer whose opinion you trashed.

    I do agree on the knowledge part. You have to be a competent programmer to write a virus for OsX, the built-in security makes it MUCH tougher to get any bang for the buck. However, if you are really that talented, you are already working.

    The part about access to macs is misleading. OsX has been out for several years and none of the malcontents couldn’t find a used iMac. PUHHHLEEEZE!

  • http://technovia.typepad.com Ian Betteridge

    Who said my opinion was based on a hunch? What’s more, if you read what Kelly links to, a lot of virus writers actually ARE working – and still write viruses. And don’t forget that a lot of viruses are written in South America and Eastern Europe, where Macs are rarer than hen’s teeth.

    It’s not just that the Mac is more secure that makes it need more knowledge – it’s that it’s a completely different OS, which requires a different set of skills to program for. A virus writer might well be familiar with the Win32 API, but it’s unlikely he’d be familiar with OS X – and the investment in time to learn how the Mac works is non-trivial.

  • Al

    Unix has been around for decades. Anyone can get the info to write programs, good or evil, for OS X’s Unix underpinnings at their local library or on the net. Let’s face it, Unix and as a result OS X is just too secure to bother with.

  • mcloki

    Well the root kits have been developed for the Mac. Proof of concepts are out there yet no Mac viruses (virii?). It seems anyone can write a virus for the mac but they can’t seem to get it to propagate (A true virus). Could it be that Apple may have a slightly better fence around their OS? The knowledge part seems suspect since many of the smaller attacks on the Windows side are just script kiddies running someone else’s exploit. The same virus keeps coming back albeit in a slightly different form.

    I don’t doubt that someone can write a program to do nasty things on a mac. Hell, just learn Applescript. What I doubt is someone’s ability to do it without social engineering the situation. Each rootkit I’ve read about needs to have access to the machine. Every time I read that I’m reminded of that scary movie where the crazed killer calls the babysitter. She calls the police and they track the caller till finally the crazed killer calls and you find out that “THE CALL CAME FROM INSIDE THE HOUSE”.

  • http://technovia.typepad.com Ian Betteridge

    Al: You’re right that Unix isn’t new, but all the interesting stuff would require specifically Mac programming.

    mcloki: As I said above, Apple do have a slightly better fence. And you’re right about the script kiddies – I estimate that there are actually very few virus writers around the world that are capable of creating completely new viruses – which, of course, narrows down the number capable of producing completely new Mac viruses too.

    And you’re right about propagation, but this is pretty much the same for Windows, in the sense that the VAST majority of viruses on that platform depend on a degree of social engineering too – running an email attachment, downloading something from a P2P service. My big fear on the Mac is that social engineering on this platform might actually prove to be easier – after all, if every Mac user believes that “there’s no such thing as a Mac virus” then they aren’t going to be too cautious about double-clicking an attachment in email that’s apparently from one of their friends, are they?

  • jdb

    OS X was wide open to a remote attack for several weeks last year. The attack code could have been written in applescript. We are talking script kiddie level stuff to get in. The only obstacle would have been to hijack a popular mac only site. Hacking websites happens all the time so it is generally pretty easy to do. There are dozens of popular mac only sites, I’m sure one of them is vulnerable.

    So, the stage was set. Then nothing happened. You have to ask yourself why not. The argument that it is too hard is just plain wrong. For that several day period of time, it would have taken relatively modest programming skill to accomplish what would have to be a pretty impressive achievement. The first remote break in on OS X machines in the wild. You know that there are many people out there that are dying to see this happen.

    This is where the culture argument comes in. It didn’t happen because the culture of the Macintosh users would have prevented a widespread outbreak. For days leading up to Apple’s patch, people were feverishly monitoring the net looking for signs that something was imminent. A widespread outbreak can only happen if the culture allows it. Without a widespread (or even modest) outbreak, it isn’t worth any malware writers time.

    In the windows world, no culture can prevent an outbreak because there are just too many places for it to happen. There are sometimes dozens of security holes discovered in a single month. While there are plenty of people analyzing the net looking for new outbreaks, the preponderance of vulnerable systems virtually guarantees that even a modest timeframe for a vulnerability will hit a huge number of systems. And since the majority of viruses and worms are now designed to hijack computers and turn them into zombies, the reward for success is very high. And to make matters worse, the expectation of success is even higher. Everyone knows (rightly or wrongly) that Windows is very vulnerable to attack. That makes the attempts more likely and that the evildoer will expend more effort because he knows it can be done.

    I’ve been watching this debate for years now. I used to be on the side of the number of users is too small group. But several things have changed my mind. First, OS X has a pretty large group of users now, in the tens of millions. Second is something that John Gruber of DaringFireball wrote a while back that really got me thinking about the whole expectation of success. You’ve probably read this article, but on the off chance you haven’t it is worth a read. http://daringfireball.net/2004/06/broken_windows and the followup here http://daringfireball.net/2004/06/so_witty

    If the attack everyone is waiting for was going to happen, I believe it would have already occurred.

  • jdb

    I should have also written that I don’t think OS X is invulnerable or even particularly secure except in comparison to Windows. I don’t think that it matters if OS X is invulnerable; as long as the expectation of success is low for OS X and high for Windows, then Windows will be the target.

    It will take continued diligence on the part of Apple and knowledgeable OS X users to prevent a serious outbreak, but I don’t see any reason to think that the current level of prevention isn’t sufficient. I will say that Apple’s latest security patch is a prime example of an ongoing problem. It took several months for Apple to eliminate a local root exploit. If that exploit was combined with a non-root remote exploit, all sorts of bad things would happen. But even a 2 month timeframe to fix the problem is still adequate (apparently) when it comes to OS X security. Imagine that.

  • studentrightsx

    All,

    I found a very interesting article (see below) that explains why Windows running on x86 processors by Intel / AMD is so vulnerable to viruses, spyware, and malware.

    It gets a little technical, but basically the type of attacks that Windows users suffer from on x86 like the Pentium stem from design flaws in Windows AND the x86 class chips that they run on. Linux also suffers from these design flaws if run on x86 PCs, instead of other chips such as the IBM RISC processors like Apple’s G3, G4, or G5.

    Keep in mind that these flaws in Windows can’t really be fixed by security patches, since it’s the design (or how Windows functions) that is the root of the problem.

    So even if these viruses were written for Mac OS X (UNIX), they basically wouldn’t work unless you gave the virus application your password, and because Apple’s processors don’t contain the flaw that allows most viruses to exploit PCs in the first place. This also helps to dispel the myth that Macs are not attacked because of their small marketshare, rather than the fact that they are more secure by design than PCs.

    The article also points out that most businesses who move to Linux cite security flaws as their number one reason in moving away from Windows, not price.

    - James

    http://www.cio-today.com/story.xhtml?story_id=1110000275OO#story-start

    — EXCERPT FROM ARTICLE —

    Software and Hardware Vulnerabilities

    At present, attacks on Microsoft’s Windows products are generally drawn from a different population of possible attacks than those on Unix variants such as BSD, Linux and Solaris.

    From a practical perspective, the key difference is that attacks on Wintel tend to have two parts: A software vulnerability is exploited to give a remote attacker access to the x86 hardware and that access is then used to gain control of the machine.

    In contrast, attacks on Unix generally require some form of initial legal access to the machine and focus on finding software ways to upgrade privileges illegally.

    Consider, for example, CAN-2004-1134 in the NIST vulnerabilities database:

    Summary: Buffer overflow in the Microsoft W3Who ISAPI (w3who.dll) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long query string.

    Published Before: 1/10/2005

    Severity: High

    The vulnerability exists in Microsoft’s code, but the exploit depends on the rigid stack-order execution and limited page protection inherent in the x86 architecture. If Windows ran on Risc, that vulnerability would still exist, but it would be a non-issue because the exploit opportunity would be more theoretical than practical.

    Linux and open-source applications are thought to have far fewer software vulnerabilities than Microsoft’s products, but Linux on Intel is susceptible to the same kind of attacks as those now predominantly affecting Wintel users. For real long-term security improvements, therefore, the right answer is to look at Linux, or any other Unix, on non x86 hardware.

    One such option is provided by Apple’s BSD-based products on the PowerPC-derived G4 and G5 CPUs. Linus Torvalds, for example, apparently now runs Linux on a Mac G5 and there are several Linux distributions for this hardware — all of which are immune to the typical x86-oriented exploit.

  • http://technovia.typepad.com Ian Betteridge

    jdb and James, thanks for the comments. One thing that’s worth noting, and that I think affects what both of you are saying: Almost no common Windows viruses use exploits to spread. It’s a common myth among Mac users that an exploit is necessary for a virus – in fact, virus writers have found that good old social engineering (fooling someone into running an application) works more often.

    Of the ten most common Windows viruses last month, listed by Sophos at http://www.sophos.com/virusinfo/topten/ , not a single one used an exploit. All of them relied on either email or P2P networks to spread, simply by fooling users into running them.

  • spongeboy

    Some people have been critical about the time it takes Apple to respond to security issues in OSX… I wonder how long MS takes to respond to security issues that their OS has. Seems to me they have issues that have been out there for years & still are. It seems more like this guy is trying to make excuses for MS. Nothing’s perfect… no kidding. You are trying to compare a snowball to an avalanche. This also seems to be the author’s take. You are also making the same comparison stated above. You’re just guessing.

  • OMG

    Windows 2000? What year is it?

    http://www.eweek.com/article2/0,1759,1788804,00.asp

    Get real.

  • http://technovia.typepad.com Ian Betteridge

    Spongeboy, I wouldn’t criticise Apple much for its work in patching. Although there’s always room for improvement, I don’t think it’s done too bad (Secunia currently lists only one unpatched vulnerability). The problem with the Reg report is simply that it’s so vague: “cultural differences” seems pretty weak compared to the much more likely fact that there’s a lack of knowledge. The author seems to be saying that virus writers become lovely, cuddly teddy bears as soon as they start using a Mac, which seems pretty unlikely.

    OMG: Not sure what your point is. Microsoft is ending support for Win2K – so? How does this relate to what we’re talking about here?

  • jdb

    Ian,

    Nothing will stop social engineering from working. People make mistakes. While the current top viruses may be spread by social engineering, the worst virus outbreaks in history were spread via email using Outlook and they were automatic.

    Given that social engineering is the same across all platforms and has nothing to do with technical knowledge, I fail to see how this supports your point.

    I will say that social engineering is also a “cultural” phenomenon and that it also supports my contention that people attack Windows because of an expectation of success. If my virus/spyware can only install itself after asking for a system administrator password, it won’t spread far before the Mac user culture spreads the word. Because of the registry in windows and other flaws, malicious code in Windows can easily gain automatic execution from the OS. And worse, the code runs with administrator privileges.

    While it is possible for malicious code to run automatically on OS X even for a non-admin user, it is easy to identify and remove. For a properly configured OS X system (absent exploits) there is little a virus or worm running from a non-admin account can do besides destroy user data. Even when running from an admin account, a password is needed to run anything at more than non-admin privileges (again absent local root exploits.) Spreading beyond the local computer is very hard. While I don’t trivialize the destruction of a user’s data, the ability to spread is necessary and inherent in widespread virus/worm epidemics.

  • http://technovia.typepad.com Ian Betteridge

    “Given that social engineering is the same across all platforms and has nothing to do with technical knowledge, I fail to see how this supports your point.”

    Because I hear, over and over again the same opinion from Mac users: The Mac is immune from virus, and you don’t need to worry about them. That makes Mac users much, much more vulnerable to social engineering. How many wouldn’t have a second thought about double-clicking on a file apparently sent to them by a friend, because they don’t understand that this is a security risk? How many think that, because the platform “is immune from viruses” that they can download anything they like from file sharing services?

    At least 25% of all applications I install on my Mac ask for my password prior to installation. Culturally (that word again!) Mac users are used to typing in their password on demand when installing anything. When someone packages up a virus that looks like the installer for Photoshop CS and puts it on Limewire, how many users will download it, give it their admin password, and curse when it doesn’t work – without realising they’ve just opened their Mac up, giving a virus admin access and allowing it to run itself on every startup – and all without a remote exploit in sight. And how long will it be before they realise what’s been happening, given that they’re not expecting a virus – after all, “the Mac doesn’t get viruses”.

    Spreading beyond the local computer isn’t hard, either: All it takes is an SMTP engine and the ability to read your Address Book – something that Apple makes very easy to do in its haste towards “ease of use”.

  • jdb

    “Because I hear, over and over again the same opinion from Mac users: The Mac is immune from virus, and you don’t need to worry about them. That makes Mac users much, much more vulnerable to social engineering.”

    Again you are contradicting your original point. If it is so easy to social engineer a virus for OS X then why hasn’t it happened? Your point is that it is too difficult technically but now you are saying it would be easy. I’m not trying to be obtuse, but I just don’t get your point.

    If Mac users are so culturally susceptible to viruses then why hasn’t it happened? Again, social engineering is not a technical matter and is the same across all platforms. I do understand your point that many virus writers are from relatively backward countries but you have to admit that this may explain a lesser number of viruses and worms but it can’t explain the complete lack of them on OS X.

    I disagree that Mac users are more susceptible anyway. The vast majority of Mac users also must deal with Windows in some way during their careers. This is one of the reasons why Mac users get so upset over ignorant comments made by their Windows only using peers. Most Mac users have to be at least somewhat knowledgeable about Windows but Windows users are generally completely ignorant of Macs. I just don’t think many people can live in a world where Windows is in the vast majority and not be aware of malware and how to prevent it.

    As for spreading beyond the computer, you are correct. I said as much. I made the point explicitly that Mac OS X is not as secure as people seem to think. It is entirely possible to write a trojan that can mail itself out to users in your address book and again it isn’t a big technical challenge. Again, you seem to be contradicting your original point that the reason no one creates malware for OS X is that it is technically difficult. Sure, technically there is nothing necessary beyond the trojan you just described to get the software to run and to mail out copies to everyone in your mailing list but that doesn’t mean the virus will spread. The conditions for that to happen are much less guaranteed.

    This brings up yet another culture, the Windows monoculture. The reason that such viruses work in the Windows world is that the vast majority of people in your address book will be Windows users. But in the Mac world, that doesn’t work as well. The vast majority of users in a Mac users address book will still be Windows users. That means your Mac trojan doesn’t spread very well at all. Add to that the inability for the trojan to execute on the remote systems and you aren’t going to have a very successful virus. Again, this leads to the argument that the expectation of success is very low. That makes the likelihood of someone writing a Mac virus very low (and to this point non-existent.)

    The final point is that applications asking for a password is a good thing. It alerts the user that the application is doing something potentially dangerous. You make it sound like the requirement for a password is a negative. I can’t see how that can be the case. Applications ask for passwords because they are required to have administrator access to do the most dangerous operations. As a user, you have to be aware of that. I’ve already admitted that social engineering works and that some people will be hit by it simply because we are human and human error is common. But the alternative is the Windows world where no one is ever asked for a password. That is clearly not better and is the major cause for the proliferation of malware on that platform. If a user is dumb enough to install something they got from a P2P sharing network illegally, there is little anyone can do to prevent them being compromised. So I will ask it again, if it isn’t because of culture, then why has there not been a single successful malware attack on OS X?

  • http://technovia.typepad.com Ian Betteridge

    I think you’re conflating a couple of different points. Is it technically difficult to build a Mac virus? No. It’s harder than on Windows, because the security model is different, but it’s not all that difficult. The technical challenge comes because virus writers don’t know enough about programming for the Mac to do it, and because they often don’t have access to a Mac to learn.

    When it comes to spreading, I think that – again – you’re missing the point that the vast majority of Windows viruses use exactly that kind of propagation method: email or P2P, most usually email. If you send out several hundred emails per machine infected, the chances are that one or two people from that list will double-click on the attachment and catch the virus, because people are stupid like that. Why are the conditions for spreading “much less guaranteed?” Because, as you say, of the monoculture factor. But this is just the argument from obscurity that you’re saying isn’t valid, and which – if the Mac increased its market share – just wouldn’t be valid anymore.

    The fact that Mac users are culturally susceptible will only be a factor when someone writes a serious virus, and not before, which answers your “why hasn’t it happened” point. Your point about knowledge of Windows is irrelevant: Look again at the original article I linked to. “Can you imagine a world where (today) you can click on anything and never worry about malicious intent?” – Now that doesn’t sound like an exhortation to keep thinking about security, it sounds like “switch to the Mac and never think about security again” which is way overblown.

    That applications ask for a password only becomes a bad thing when it’s done all the time. At that point, users will automatically give ANY application their password when one asks for it. And as for users being dumb: The first rule of security is that users ARE dumb, and you have to stop them doing dumb things.

    Why has there not been a single successful malware attack? See my original reasons. Lack of knowledge, lack of platform.

    There are three kinds of malware writers in the Windows world. At the bottom, Tier C, are the script kiddies. Barely programmers, these guys will take pre-existing scripts that use known exploits and run them, probing for weak machines and compromising them. These guys are a pest, but if you keep security in mind by having AV software, a firewall, and SP2 you don’t really have to worry about them.

    Next up come Tier B. These guys are programmers, but relatively low-skilled. They can take an existing virus and modify it with a different payload, but that’s about it. No real new viruses come about because of them.

    Finally, there’s Tier A. These are the dangerous ones, the ones capable of writing a new virus from scratch, and of finding and exploiting any new security holes in a platform. Thankfully, though, these guys are rarer than hen’s teeth: There are probably less than 500 active writers like this in the world, in fact probably much less.

    And it’s ONLY the last lot that could write a Mac virus, even if they wanted to. Would any of them take the time to write a virus that could, at best, infect 2% of the world’s computers (and incidentally earn no money – no spyware/spamming company is going to pay you to create one)? No.

  • jdb

    “Because … of the monoculture factor. But this is just the argument from obscurity that you’re saying isn’t valid, and which – if the Mac increased its market share – just wouldn’t be valid anymore.”

    The monoculture isn’t about market share per se. It is about overwhelming market share. I don’t think Apple rising to 10 or 20 percent of the market makes them any more vulnerable. It isn’t obscurity, it is simply that less machines to attack means it is less likely that a particularly aggressive virus can spread to epidemic proportions before it is contained. The best situation would be to have Windows, Linux and OS X have somewhat similar market shares. That makes targeting any particular platform more difficult, especially if the platform has decent protection against remote attacks.

    “That applications ask for a password only becomes a bad thing when it’s done all the time. At that point, users will automatically give ANY application their password when one asks for it. And as for users being dumb: The first rule of security is that users ARE dumb, and you have to stop them doing dumb things.”

    It doesn’t matter that users are dumb (I don’t agree but the point is irrelevant.) The point is that there is no alternative that I can think of. Not asking for a password is far far worse than requiring one. The requirement is technical and not arbitrary as you seem to think. Installers only ask for passwords when a password is necessary to perform part of the install operation that can’t be done with normal permissions. The alternative is to not install the software.

    “And it’s ONLY the last lot that could write a Mac virus, even if they wanted to. Would any of them take the time to write a virus that could, at best, infect 2% of the world’s computers (and incidentally earn no money – no spyware/spamming company is going to pay you to create one)? No.”

    Many people who write non-spyware malware are not in it for money. And even if they are, can you think of a better argument than, “Hey I wrote the first successful OS X worm” to get them more business? The blackhat culture (there’s that word again) is very much about who can write the most infamous exploit. The Tier A group that you think is required to write malware for OS X (which isn’t true at all – consider the example I already gave from last year that could have been done with an hour of study of Applescript) do have access to Macs and technical documentation. Hell, anyone can have access to technical documentation by signing up for a free developer account.

    I still don’t think you have made a good argument of why it hasn’t happened yet. I can’t prove that it isn’t because of some mysterious lack of Macintosh computers by malware writers but I think the theory is highly suspect. That argument can explain away why there are not a large number of malware attacks but it can’t explain why there are none! The point isn’t that there hasn’t been a “serious” outbreak but instead that there is not a single virus or worm for OS X. Say it again, not a single virus or worm. Your theory falls flat for me as an explanation.

  • http://technovia.typepad.com Ian Betteridge

    “Not asking for a password is far far worse than requiring one. The requirement is technical and not arbitrary as you seem to think.”

    No, I actually agree with you on both counts. The correct secure application behaviour would be that no user can install applications for anyone except themselves, which removes the need for an admin password. However, that wouldn’t be very user friendly! But the point is that because many applications need to install stuff into /lib (etc) they need an admin password – which means that users get used to supplying a password on demand. If it’s a virus that demands it, that means they’re in trouble.

    “Hey, I wrote the first Mac OS X worm” wouldn’t impress a potential employer (ie a spammer), who would be solely interested in paying them to hit the biggest possible target – Windows. No money, no time, no inclination.

  • http://technovia.typepad.com Ian Betteridge

    But let’s look at it the other way around: If I’m wrong, what are the magical Mac properties that have kept it immune? You have two options:

    1. It’s simply too difficult to write a virus that spreads. This isn’t true.

    2. It’s not worth the effort.

    Which is it?

  • jdb

    “2. It’s not worth the effort.”

    I’ve already said that this is what I think is the reason. But not for the specific reasons you believe. It is about expectation for success, not market share. John Gruber of Daring Fireball documents a case where a grand total of 12,000 machines were vulnerable to a security hole and a worm infected every machine.

    http://daringfireball.net/2004/06/so_witty

    It is about expectation for success, not market share. If it were easy, someone would do it even if the odds of success were relatively low. Why not, it wasn’t something that took any real effort. If it were hard but the malware author had a reasonably high expectation of success, it will also happen. Sure, it took a lot of work, but success is almost assured and it will be worth it. But with OS X there is no expectation for success at all because it hasn’t happened. And it is harder, not impossible but still moderately difficult and definitely more difficult than windows, so again the expectation for success is low. Successful attacks feed on themselves producing more success.

    I also think you are wrong about spyware companies not hiring blackhats who target the Mac. They almost certainly hire through the same blackhat network that rewards infamous hacks. I don’t know this but I suspect it. But I also said the attack probably wouldn’t be from a spyware company and money would probably not be the motivating factor.

  • http://technovia.typepad.com Ian Betteridge

    Expectation of success is linked to market share. Most viruses work by sending out emails to everyone in someone’s address book. If only a small percentage work on Macs, then you will have significantly reduced chance of gaining traction – all of which is another version of the obscurity argument, wearing a different hat.

    John’s point about Witty actually backs up what I’m saying. It’s MUCH more likely that a worm writer will have access to a firewall (given their interest in Windows security and predilection for piracy) than to a Mac, which you actually have to go out and buy yourself. Note also that this was someone capable of writing a worm which utilised a known exploit, which places them in a somewhat smaller group than the majority of virus writers.

    As I said in my original post, it’s a combination of factors, with knowledge and access the most important. But whatever it is, the point remains that as long as Mac users keep telling themselves that Macs are *immune* to viruses (something which is demonstrably false) they are in danger of a very serious virus outbreak.

  • mohclips

    I don’t usually post on these ‘my os is better than your os’ blogs, but as I know one or two things about one of the examples posted, my 2 pence follows.

    Some notes on witty;

    - The platform was ISS Realsecure

    - A fully working demo could be downloaded with a 30 day licence; at the time it ran on Windows, Solaris and Linux. Though the exploit was for windows only.

    - It is a network intrusion detection system – a sniffer

    - Witty took hold so quickly as the ISS software was sniffing the network – no user interaction – most sniffers were outside the front firewalls and mostly illegal copies (a lot in China)

    - The ‘in house’ rumours are that a disgruntled ISS employee wrote it.

    - I have been using ISS for the last 5 years (along with a few other vendors). We had only one sensor (sniffer) caught by the worm – a test/development lab sensor.

    - Virus/Worm writers aren’t all money money money, the large percentage are script kiddies, they grab the PoC and wrap it up into the current malware they have. It’s about kudos to them, how many bots they have, who they can DDoS. Just bragging rights – so if they can exploit a few hundred mac servers say, they will, and then they will post it on a web site somewhere (ryan1918 being a good example).

    A late comment on the above arguments;

    It’s 2007 and we still haven’t seen a decent OSX worm. Now, it’s very possible to write one, especially this month Jan 2007 “the month of apple bugs” but good quality worms need remote access to exploit the targets quickly enough that it gains media attention, eg. Slammer, blaster, and witty. There haven’t been these ‘holes’ for quite a while, in fact even on windows most PCs have personal firewalls and this stops the media-attention-gaining worms nowadays.

    Also I believe you need to split the operating system from the application in your arguments, though as an example of a smaller user base being compromised it is fairly worthy (along with the caveats I posted above).
