Who cares if it’s a virus?

Posted on February 16, 2006 by Ian Betteridge

I’m not sure if this really qualifies as the first Mac OS X malware, but it’s definitely new. First appearing on a MacRumors discussion, there a good discussion of what’s been dubbed MacX/Oomp-A at the MacRumors and Digg over whether this is a virus (in which case it would certainly be the first of its ilk), a trojan, or a worm. Some users report that they were infected without having to put in a password when installing, others that it spreads via iChat.

But really it doesn’t matter one jot. The vast majority of what are commonly termed “viruses” on Windows are also either worms or trojans, depending on social engineering to get a grip of a user’s machine. Take a look at F-Secure’s virus statistics for the most common current threats on Windows: None are actually “true” viruses. Yet, the Mac folk who are clogging up the message boards claiming that this isn’t a “true” virus would happily refer to Windows as “virus ridden”.

I’ve said this before, and it’s worth saying again. The reason why the vast majority of Windows malware are trojans or worms rather than true viruses is that social engineering is far easier than exploiting a hole in an OS. OS holes get patched pretty fast. Insecurities based on user behaviour do not. The only security advantage built in to Mac OS X that isn’t in Windows is the need for a password to install software, and this really isn’t much of a protection, as many people will happily just give their password no matter what – and if the user KNOWS he’s installing something (as, for example, he would if he were installing a new application) there’s no protection.

All the arguments over taxonomy make no difference to the fact that this malware is a real threat.

This entry was posted in Macs. Bookmark the permalink.
  • http://www.alexhutton.com Alex Hutton

    _The only security advantage built in to Mac OS X that isn’t in Windows_

    I think Windows also has issues concerning memory handling, memory paging, executing things from the stack…

    Please don’t be sensationalist just to jump on the “OS X isn’t bulletproof and I mean it” bandwagon.

  • http://technovia.typepad.com Ian Betteridge

    Alex: OS X also has various exploitable security holes. All operating systems do – that’s just a fact of life. The big difference between OS X and Windows remains the security model, which seperates admin privs from general use, using a password whenever the user needs to have them. This model, which is one of the strengths of Unix, doesn’t on its own make an OS secure, though – you need to back it up, both by ensuring that holes are patched quickly and by fostering good user behaviour.

    And I’m hardly jumping on any bandwagon here. I’ve been warning that OS X isn’t the bullet-proof operating system that some have claimed for quite a while (read back through some entries here), not because OS X is insecure (it isn’t) but because an environment where people *believe* that an OS is completely secure is one that fosters bad user behaviour. How many users, because they *know* the Mac is secure, will enter their admin passwords without really knowing what they’re installing?

    Ironically, this is something that Apple has actually been “a good citizen” with. It doesn’t make outlandish claims over OS X security. It included Virex with .Mac, up until the point when Virex was effectively abandoned by its maker. It’s the zealots who’ve gone around claiming that any warning over the potential for Mac malware is “FUD” that have acted irresponsibly. And it’s them who I’ll be happy to blame if any Mac malware comes along that causes serious damage.

    We are, in a sense, lucky this time: this piece of malware appears relatively benign. It’s a shot across the bows. There is, however, nothing to prevent someone taking this code and making something from it that would wipe all the files in your home directory, though. I hope no one is idiotic enough to do it. But you never know.

  • James Bailey

    “The only security advantage built in to Mac OS X that isn’t in Windows is the need for a password to install software, and this really isn’t much of a protection, as many people will happily just give their password no matter what”

    Except that in this case the trojan masquerades as a JPEG image. I don’t know any user who would think that a JPEG needs a password to view.

    Once this is publicized a little more, people will become a little more cautious. I find it hard to believe that someone actually was infected by this given that it was on a Mac rumors site where I would expect some savvy on the part of the readers. I’m awaiting more information and would love a copy of the virus but I’ve been completely unsuccessful in tracking a copy down.

    Oh and I completely agree with you that the definition of whether or not it is a virus, trojan or worm is irrelevant. It seems to me that it is all three anyway.

  • http://technovia.typepad.com Ian Betteridge

    James: “I don’t know any user who would think that a JPEG needs a password to view.”

    From what I can gather, it doesn’t require a password to run, unless you’re running as a non-admin user.

  • James Bailey

    “It’s the zealots who’ve gone around claiming that any warning over the potential for Mac malware is “FUD” that have acted irresponsibly. ”

    I’ve called FUD in the past because guess what, it was. I’m not calling FUD this time because guess what, it isn’t.

    See. Just because a security company comes out and says, WARNING DANGER!! etc doesn’t make it a real threat.

    This one is potentially exactly what you describe. A shot across the bow. So far, it isn’t a problem and it isn’t likely to ever become a problem but no one who knows what they are talking about is going to call this one FUD.

  • James Bailey

    “From what I can gather, it doesn’t require a password to run, unless you’re running as a non-admin user.”

    Just what I’ve been afraid of. I’ve been warning people for over a year to not run your day-to-day account as an admin user. There is no reason to do so on either OS X 10.3 or 10.4.

    Still, on the download they would have gotten the standard warning that the file was unsafe. I understand that that warning hasn’t generated any particular concern in the past and that is behavior that needs to change.

  • James Bailey

    A little further testing shows that even non-executable files get the warning on downloaded .tgz files.

    OK, I can see how this could catch people. Double click on a .tar file. Open up the JPEG except it is a Unix executable. So even a non-admin user could be pretty seriously compromised with this social engineering exploit. Though a non-admin user likely wouldn’t see the worm or virus aspects of the malware since they would need to type in a password and become suspicious (I hope.)

    I think Apple needs to add a tag to the icon of any file/folder that is an executable and runs code when double clicked. That is the only way to make this obvious.