The Reg on Apple’s Big Virus

Who said my opinion was based on a hunch? What’s more, if you read what Kelly links to, a lot of virus writers actually ARE working – and still write viruses. And don’t forget that a lot of viruses are written in South America and Eastern Europe, where Macs are rarer than hen’s teeth.

It’s not just that the Mac is more secure that makes it need more knowledge – it’s that it’s a completely different OS, which requires a different set of skills to program for. A virus writer might well be familiar with the Win32 API, but it’s unlikely he’d be familiar with OS X – and the investment in time to learn how the Mac works is non-trivial.

Well the root kits have been developed for the Mac. Proof of concepts are out there yet no Mac viruses (virii?). It seems anyone can write a virus for the mac but they can’t seem to get it to propagate (A true virus). Could it be that Apple may have a slightly better fence around their OS. The knowledge part seems suspect since many of the smaller attacks on the Windows side are just script kiddies running someone else’s exploit. The same virus keeps coming back albeit in a slightly different form.

I don’t doubt that someone can write a program to do nasty things on a mac. Hell, Just learn Applescript. What I doubt is someone’s ability to do it without social engineering the situation. Each rootkit I’ve read about needs to have access to the machine. Every time I read that I’m reminded of that scary movie where the crazed killer calls the babysitter. She calls the police and they track the caller till finally the crazed killer calls and you find out that “THE CALL CAME FROM INSIDE THE HOUSE”.

OS X was wide open to a remote attack for several weeks last year. The attack code could have been written in applescript. We are talking script kiddie level stuff to get in. The only obstacle would have been to hijack a popular mac only site. Hacking websites happens all the time so it is generally pretty easy to do. There are dozens of popular mac only sites, I’m sure one of them is vulnerable.

So, the stage was set. Then nothing happened. You have to ask yourself why not. The argument that it is too hard is just plain wrong. For that several day period of time, it would have taken relatively modest programming skill to accomplish what would have to be a pretty impressive achievement. The first remote break in on OS X machines in the wild. You know that there are many people out there that are dying to see this happen.

This is where the culture argument comes in. It didn’t happen because the culture of the Macintosh users would have prevented a widespread outbreak. For days leading up to Apple’s patch, people were feverishly monitoring the net looking for signs that something was imminent. A widespread outbreak can only happen if the culture allows it. Without a widespread (or even modest) outbreak, it isn’t worth any malware writers time.

In the windows world, no culture can prevent an outbreak because there are just too many places for it to happen. There are sometimes dozens of security holes discovered in a single month. While there are plenty of people analyzing the net looking for new outbreaks, the preponderance of vulnerable systems virtually guarantees that even a modest timeframe for a vulnerability will hit a huge number of systems. And since the majority of viruses and worms are now designed to hijack computers and turn them into zombies, the reward for success is very high. And to make matters worse, the expectation of success is even higher. Everyone knows (rightly or wrongly) that Windows is very vulnerable to attack. That makes the attempts more likely and that the evildoer will expend more effort because he knows it can be done.

I’ve been watching this debate for years now. I used to be on the side of the number of users is too small group. But several things have changed my mind. First, OS X has a pretty large group of users now, in the 10′s of millions. Second is something that John Gruber of DaringFireball wrote a while back that really got me thinking about the whole expectation of success. You’ve probably read this article, but on the off chance you haven’t it is worth a read. http://daringfireball.net/2004/06/broken_windows and the followup here http://daringfireball.net/2004/06/so_witty

If the attack everyone is waiting for was going to happen, I believe it would have already occurred.

All,

I found a very interesting article (see below) that explains why Windows

running on x86 processors by Intel / AMD are so vulnerable to viruses,

spyware, and malware.

It gets a little technical, but basically the type of attacks that Window

users suffer from on x86 like the Pentium, stem from design flaws in Windows

AND the x86 class chips that they run on. Linux also suffers from these

design flaws if run on x86 PCs, instead of other chips such as the IBM RISC

processors like the Apple’s G3, G4, or G5.

Keep in mind that these flaws in Windows can’t really be fixed by security

patches, since it’s the design (or how Windows functions) that is the root

of the problem.

So even if these viruses were written for Mac OS X (UNIX), they basically wouldn’t

work unless you gave the virus application your password, and because

Apple’s processors don’t contain the flaw that allows most viruses to

exploit PCs in the first place. This also helps to dispel the myth that Macs

are not attacked because of their small marketshare, rather than the fact

that they are more secure by design than PCs.

The article also points out that most businesses who move to Linux cite

security flaws as their number on reason in moving away from Windows, not

price.

- James

—

http://www.cio-today.com/story.xhtml?story_id=1110000275OO#story-start

— EXCERPT FROM ARTICLE —

Software and Hardware Vulnerabilities

At present, attacks on Microsoft’s Windows products are generally drawn from

a different population of possible attacks than those on Unix variants such

as BSD, Linux and Solaris.

From a practical perspective, the key difference is that attacks on Wintel

tend to have two parts: A software vulnerability is exploited to give a

remote attacker access to the x86 hardware and that access is then used to

gain control of the machine.

In contrast, attacks on Unix generally require some form of initial legal

access to the machine and focus on finding software ways to upgrade

privileges illegally.

Consider, for example, CAN-2004-1134 in the NIST vulnerabilities database:

Summary: Buffer overflow in the Microsoft W3Who ISAPI (w3who.dll) allows

remote attackers to cause a denial of service and possibly execute arbitrary

code via a long query string.

Published Before: 1/10/2005

Severity: High

The vulnerability exists in Microsoft’s code, but the exploit depends on the

rigid stack-order execution and limited page protection inherent in the x86

architecture. If Windows ran on Risc, that vulnerability would still exist,

but it would be a non-issue because the exploit opportunity would be more

theoretical than practical.

Linux and open-source applications are thought to have far fewer software

vulnerabilities than Microsoft’s products, but Linux on Intel is susceptible

to the same kind of attacks as those now predominantly affecting Wintel

users. For real long-term security improvements, therefore, the right answer

is to look at Linux, or any other Unix, on non x86 hardware.

One such option is provided by Apple’s BSD-based products on the

PowerPC-derived G4 and G5 CPUs. Linus Torvalds, for example, apparently

now runs Linux on a Mac G5 and there are several Linux distributions for

this hardware — all of which are immune to the typical x86-oriented

exploit.

—

Some people have been critical about the time it takes Apple to respond to security issues in OSX…I wonder how long MS takes to respond to security issues that their OS has. Seems to me they have issues that have been out there for years & still are. It seems more like this guy is trying to make excuses for MS. Nothings perfect…no kidding. You are trying to compare a snowball to an avalanche. This also seems to be the author’s take. You are also making the same comparison stated above. You’re just guessing.

Spongeboy, I wouldn’t criticise Apple much for its work in patching. Although there’s always room for improvement, I don’t think it’s done too bad (Secunia currently lists only one unpatched vulnerability). The problem with the Reg report is simply that it’s so vague: “cultural differences” seems pretty weak compared to the much more likely fact that there’s a lack of knowledge. The author seems to be saying that virus writers become lovely, cuddly teddy bears as soon as they start using a Mac, which seems pretty unlikely.

OMG: Not sure what your point is. Microsoft is ending support for Win2K – so? How does this relate to what we’re talking about here?

“Given that social engineering is the same across all platforms and has nothing to do with technical knowledge, I fail to see how this supports your point.”

Because I hear, over and over again the same opinion from Mac users: The Mac is immune from virus, and you don’t need to worry about them. That makes Mac users much, much more vulnerable to social engineering. How many wouldn’t have a second thought about double-clicking on a file apparently sent to them by a friend, because they don’t understand that this is a security risk? How many think that, because the platform “is immune from viruses” that they can download anything they like from file sharing services?

At least 25% of all applications I install on my Mac ask for my password prior to installation. Culturally (that word again!) Mac users are used to typing in their password on demand when installing anything. When someone packages up a virus that looks like the installer for Photoshop CS and puts it on Limewire, how many users will download it, give it their admin password, and curse when it doesn’t work – without realising they’ve just opened their Mac up, giving a virus admin access and allowing it to run itself on every startup – and all without a remote exploit in sight. And how long will it be before they realise what’s been happening, given that they’re not expecting a virus – after all, “the Mac doesn’t get viruses”.

Spreading beyond the local computer isn’t hard, either: All it takes is an SMTP engine and the ability to read your Address Book – something that Apple makes very easy to do in its haste towards “ease of use”.

I think you’re conflating a couple of different points. Is it technically difficult to build a Mac virus? No. It’s harder than on Windows, because the security model is different, but it’s not all that difficult. The technical challenge comes because virus writers don’t know enough about programming for the Mac to do it, and because they often don’t have access to a Mac to learn.

When it comes to spreading, I think that – again – you’re missing the point that the vast majority of Windows viruses use exactly that kind of propagation method: email or P2P, most usually email. If you send out several hundred emails per machine infected, the chances are that one or two people from that list will double-click on the attachment and catch the virus, because people are stupid like that. Why are the conditions for spreading “much less guaranteed?” Because, as you say, of the monoculture factor. But this is just the argument from obscurity that you’re saying isn’t valid, and which – if the Mac increased it’s market share – just wouldn’t be valid anymore.

The fact that Mac users are culturally susceptible will only be a factor when someone writes a serious virus, and not before, which answers your “why hasn’t it happened” point. Your point about knowledge of Windows is irrelevant: Look again at the original article I linked to. “Can you imagine a world where (today) you can click on anything and never worry about malicious intent?” – Now that doesn’t sound like an exhortation to keep thinking about security, it sounds like “switch to the Mac and never think about security again” which is way overblown.

That applications ask for a password only becomes a bad thing when it’s done all the time. At that point, users will automatically give ANY application their password when one asks for it. And as for users being dumb: The first rule of security is that users ARE dumb, and you have to stop them doing dumb things.

Why has their not been a single successful malware attack? See my original reasons. Lack of knowledge, lack of platform.

There are three kinds of malware writers in the Windows world. At the bottom, Tier C, are the script kiddies. Barely programmers, these guys will take pre-existing scripts that use known exploits and run them, probing for weak machines and compromising them. These guys are a pest, but if you keep security in mind by having AV software, a firewall, and SP2 you don’t really have to worry about them.

Next up come Tier B. These guys are programmers, but relatively low-skilled. They can take an existing virus and modify it with a different payload, but that’s about it. No real new viruses come about because of them.

Finally, there’s Tier A. These are the dangerous ones, the ones capable of writing a new virus from scratch, and of finding and exploiting any new security holes in a platform. Thankfully, though, these guys are rarer than hens teeth: There are probably less than 500 active writers like this in the world, in fact probably much less.

And it’s ONLY the last lot that could write a Mac virus, even if they wanted to. Would any of them take the time to write a virus that could, at best, infect 2% of the world’s computers (and incidentally earn no money – no spyware/spamming company is going to pay you to create one)? No.

“Not asking for a password is far far worse than requiring one. The requirement is technical and not arbitrary as you seem to think.”

No, I actually agree with you on both counts. The correct secure application behaviour would be that no user can install applications for anyone except themselves, which removes the need for an admin password. However, that wouldn’t be very user friendly! But the point is that because many applications need to install stuff into /lib (etc) they need an admin password – which means that users get used to supplying a password on demand. If it’s a virus that demands it, that means they’re in trouble.

“Hey, I wrote the first Mac OS X worm” wouldn’t impress a potential employer (ie a spammer), who would be solely interested in paying them to hit the biggest possible target – Windows. No money, no time, no inclination.

“2. It’s not worth the effort.”

I’ve already said that this is what I think is the reason. But not for the specific reasons you believe. It is about expectation for success, not market share. John Gruber of Daring Fireball documents a case where a grand total of 12,000 machines were vulnerable to a security hole and a worm infected every machine.

http://daringfireball.net/2004/06/so_witty

It is about expectation for success, not market share. If it were easy, someone would do it even if the odds of success were relatively low. Why not, it wasn’t something that took any real effort. If it were hard but the malware author had a reasonably high expectation of success, it will also happen. Sure, it took a lot of work, but success is almost assured and it will be worth it. But with OS X there is no expectation for success at all because it hasn’t happened. And it is harder, not impossible but still moderately difficult and definitely more difficult than windows, so again the expectation for success is low. Successful attacks feed on themselves producing more success.

I also think you are wrong about spyware companies not hiring blackhats who target the Mac. They almost certainly hire through the same blackhat network that rewards infamous hacks. I don’t know this but I suspect it. But I also said the attack probably wouldn’t be from a spyware company and money would probably not be the motivating factor.

I don’t usually post on these ‘my os is better than your os’ blogs, but as i know one of thwo things about one of the example posted, my 2 pence follows.

Some notes on witty;

- The platform was ISS Realsecure

- A fully working demo could be downloaded with a 30 day licence, at the time it ran on Windows, Solaris and Linux. Thought the exploit was for windows only.

- It is a network intrusion detection system – a sniffer

- Witty took hold so quickly as the ISS software was sniffing the network – no user interaction – most sniffers where outside the front firewalls and mostly illegal copies (a lot in China)

- The ‘in house’ rumours are that a disgruntled ISS employee wrote it.

- I have been using ISS for the last 5 years (a long with a few other vendors). We had only one sensor (sniffer) caught by the worm – a test/developmemt lab sensor.

- Virus/Worm writers aren’t all money money money, the large percentage are script kiddies, they grab the PoC and wrap it up into the current malware they have. It’s about kudos to them, how many bots they have, who they can DDoS. Just bragging rights – so if they can exploit a few hundred mac servers say, they will, and then they will post it on a web site somewhere (ryan1918 being a good example).

A late comment on the above arguments;

Its 2007 and we still haven’t seen a decent OSX worm. Now, its very possible to write one, especially this month Jan 2007 “the month of apple bugs” but good quality worms need remote access to expoit the targets quickly enough that it gains media attention, eg. Slammer, blaster, and witty. There haven’t been these ‘holes’ for quite a while, in fact even on windows most PCs have personal firewalls and this stops the media gaining attention worms nowadays.

Also i believe you need to split the operating system from the application in your arguements, though as an example of a smaller user base being compromised it is fairly worthy (along with the caevats i posted above).