[Infowarrior] - On Macs And Malware

Richard Forno rforno at infowarrior.org
Tue Apr 21 19:44:51 UTC 2009


http://www.businessweek.com/technology/ByteOfTheApple/blog/archives/2009/04/on_macs_and_mal.html

On Macs And Malware

Posted by: Arik Hesseldahl on April 21

Windows apologists hate being reminded that their platform of choice  
has long been rife with security problems, and that relatively  
speaking, the Mac suffers less from these problems.

I was reminded of this in spades in recent days by furious comments on
last week's column and emails from Windows fans. Here's a sample from
a reader known as Robert: "NO NEED FOR ANTI-VIRUS ON A MAC??!!! Are
you serious? I can't believe I just read that…"

Yes Robert. You did read it. And I meant it, because I'm living proof
that a Mac user can exist happily without using anti-virus software on
their computer, and I have done so for about a decade. Now there are
some caveats to that statement. First off, circumstances can change. A
very scary new threat could emerge on the Mac tomorrow that sends
people like me running to the nearest security software vendor, credit
card in hand. And there are certain scenarios where it makes sense to
use anti-virus or anti-malware protection on your Mac. I'll get to
those scenarios presently. But first, after the jump, let me tell you
about the last time I saw a Mac virus.

I remember very well the last time I experienced malware of any kind  
on a Mac: It was in the summer of 1998. I worked at a now-defunct  
trade publication called Internet World, where I was required to use  
an IBM ThinkPad running Windows 95. To this day I remember this  
machine as the very best Windows computer I have ever used, but I  
digress.

A guy in the art department – the art department was all Macs,  
naturally – had copied some files for me. One was a Quicktime file of  
the fan-made Star Wars parody film Troops, which had been making the  
rounds. He copied it to an Iomega Zip Disk which I promptly took home.  
This disk was one I used frequently for sharing files around my house.

As I later learned, this disk picked up an infection at the office.
(The "Troops" file had nothing to do with it.) It was popularly known
as the Autostart 9805 worm, also known as the Hong Kong virus. Having
jumped from the art guy's machine to my Zip disk, it jumped next to my
machine at home, a PowerMac 6500/250 running Mac OS 8.1, and, as soon
as that same disk was used to share files around the house, it spread
to the other Macs in the house, and from there to Macs outside our
home when other disks were shared.

Once I discovered the infection I ran an application called  
WormScanner to eliminate it, and then I thoroughly scanned all the  
affected machines for any other known viruses. There weren’t any. The  
damage was minimal: A few files were corrupted, and I blew a Saturday  
night running virus scans instead of doing something fun. But that was  
it.

That was 11 years ago. Since moving to Mac OS X in 2001 I haven't
bothered with anti-virus software because, broadly speaking, there
hasn't been anything for a reasonably cautious Mac user to worry
about. The few threats that have materialized have for the most part
been Trojans.

In the universe of computer malware a Trojan is a very specific kind
of threat that is different from either a computer virus or a worm. A
virus is something your computer catches, usually via contact with
infected media such as a CD, USB drive, external drive or floppy disk;
it attaches itself to a program or file and is carried along with it.
A worm is self-replicating code that spreads on its own over network
connections, so it doesn't need to be passed from machine to machine
by users carrying infected media.

A Trojan – the name is borrowed from the Trojan Horse of Greek  
mythology -- is something else: It’s a bad program that is designed to  
masquerade as something else, usually something you think you want.  
It’s introduced to the target system by way of the user actively  
installing it after having been fooled into doing so.

Trojans are the type of malware most often seen for the Mac, and so
when a Mac gets infected with malware, it usually means that the user
of the target machine has been tricked into thinking they were
installing something else. Sometimes Trojans are made to look like
documents and sent as attachments in email.

One Trojan for the Mac I remember from about 2005 was one that  
masqueraded as a Dashboard Widget, but was really a proof-of-concept,  
meant to demonstrate the potential vulnerability.

Another, called OSX.RSPlug.A, was spotted in the wild in 2007 being
served by 65 porn sites. Visitors to those sites would click on a link
to a "video" only to be told they didn't have the latest version of
some video software, and were then asked if they wanted the latest
version, and were presented with a link. Instead of new video software
and a naughty clip they got a program which, once installed, changed
the target machine's network settings. Wired's Ryan Singel covered the
outbreak at the time. Among the other things the Trojan could do: if
you tried to visit the Web site of your bank or credit card company,
your browser session would be intercepted so that your user name and
password could be captured as you typed them in. Scary? Yes.
Widespread? No.

The RSPlug Trojan is still around and has morphed into new variants.
Security software firm Sophos found an interesting case of a variant
called RSPlug.F pretending to be a new HD video program. (As if
QuickTime plus Perian weren't enough….)
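The column says RSPlug "changed the target machine's network settings"; the setting that family of Trojans rewrote was the DNS resolver list, so that a bank's hostname could be answered by the attacker's server. A quick way to catch that is to compare the resolvers the machine is actually using against the ones you expect. The script below is an added example, not code from the column or from any vendor named in it. It assumes the "nameserver[N] : a.b.c.d" line format that `scutil --dns` prints on Mac OS X, treats loopback and RFC 1918 private addresses as expected (a home router or corporate resolver), and lets the owner list any public resolvers they deliberately use in EXTRA_TRUSTED. The sample input is constructed; the 203.0.113.7 address is from the documentation range and stands in for a hijacked entry.

```shell
#!/bin/sh
# Added example (not from the column): flag DNS resolvers on a Mac that fall
# outside the ranges the owner expects. Assumes the "nameserver[N] : a.b.c.d"
# line format of `scutil --dns`; the sample below is constructed, not captured.

# Public resolvers the owner has deliberately configured (e.g. the ISP's),
# space-separated, empty by default. Assumption: the owner fills this in.
EXTRA_TRUSTED="${EXTRA_TRUSTED:-}"

# Returns 0 if the resolver address is loopback, RFC 1918 private space, or
# explicitly listed in EXTRA_TRUSTED; returns 1 otherwise.
is_trusted_resolver() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    for ip in $EXTRA_TRUSTED; do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

# Reads scutil --dns style text on stdin and prints each distinct nameserver
# that is_trusted_resolver rejects, one per line (prints nothing if all are
# trusted). The sed expression strips the "nameserver[N] :" prefix.
untrusted_resolvers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' |
    sort -u |
    while read -r ip; do
        is_trusted_resolver "$ip" || printf '%s\n' "$ip"
    done
}

# Constructed sample: the home router as resolver plus one hijacked entry in
# the 203.0.113.0/24 documentation range standing in for an attacker's server.
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)

resolver #2
  domain   : local
  nameserver[0] : 127.0.0.1'

# Run against the sample. On a real Mac, replace the printf with:
#   scutil --dns | untrusted_resolvers
printf '%s\n' "$SAMPLE_DNS" | untrusted_resolvers
```

Against the sample the script prints only 203.0.113.7. An empty result means nothing unexpected is answering your DNS queries; a non-empty one is not proof of infection (an ISP resolver you forgot to list will show up too), but it is exactly the setting this Trojan tampered with, so it is worth a look before typing a banking password.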

More recently, a new Trojan has been seen on BitTorrent file-sharing
networks attached to pirated versions of Mac software like iWork and
Adobe Photoshop CS4, as reported by Ars Technica. This Trojan, known
as the iServices Trojan, joined targeted Macs into a botnet, meaning
that many compromised machines can be controlled remotely in order to
carry out malicious actions as a group. Sometimes botnets are used to
execute distributed denial of service attacks against Web sites by
overwhelming the targeted site's Web server with constant requests.
Other times they are used to send large volumes of email spam. It's
not known exactly how many Macs were assembled into this botnet,
though Intego, a company that sells security software for the Mac,
said that some 20,000 people had downloaded infected versions of iWork
and Photoshop in January. Some interesting technical details about it
were posted by someone whose machine was part of the botnet.

The largest known botnet, not surprisingly made up of compromised
Windows machines, is thought to be the one created by the Conficker
worm, which has been spotted on more than 4 million individual IP
addresses.

What this means to me, and here is the caveat that I promised above,
is this: if you're the kind of person who's likely to trust a porn
site to serve up legitimate copies of video software, or who trusts
pirated versions of commercial software found on file-sharing
networks, then by all means download and install whatever
anti-malware program you feel best meets your needs for your Mac.
Personally I don't fit either profile and so I'll continue on my merry
but cautious way.

I’m generally pretty careful about what I put on my machine. Before  
downloading and installing shareware, I vet it a little first, and  
check its reputation via sites like Macupdate.com or Versiontracker.

Many pundits have been saying that it's "only a matter of time"
before a serious security threat emerges for the Mac and shocks
people like me out of their complacency.

There have been many points when this was supposed to happen. First
it was the transition from OS 9 to the Unix-based OS X, on the theory
that all the underlying security vulnerabilities lurking within the
BSD Unix on which it is based would come to the surface. It didn't
happen. Then there was the switch to Intel processors, bringing with
it the ability to run Windows on a Mac. This, many with a chip in the
security software game argued, only heightened the potential threat to
Mac users. I didn't buy their arguments then and I don't buy them now.
With the exception of these Trojans, which to me prove only that
there's no cure for stupidity or bad judgment, nothing of substance
has changed since then.

Windows malware in aggregate still far, far outnumbers malware for the
Mac. A malware discovery on Windows is still a near-daily occurrence
that no longer makes the news (Conficker stories on "60 Minutes"
notwithstanding), while the same discovery on the Mac, given Apple's
high profile in the media, makes news, however much the details
concerning what the malware actually does and how it spreads get lost
in the heat of uninformed reporting. The result? Fear, Uncertainty,
and Doubt, also known as FUD.

Critics are quick to point out that the Mac has a smaller market
share, making it a less inviting target: since malware is now created
with a financial motive, malware creators go where the numbers are,
which globally means Windows users. Sure, there is some truth to that,
but I don't see what's small about 46 million Macs sold so far this
decade, out of a billion-plus personal computers in use around the
world.

There are other factors to consider. The most determined malware  
creators tend to live in places like Russia, Eastern Europe and China,  
places where historically Macs aren’t as popular. Perhaps malware  
creators haven’t the experience in writing software for the Mac. Or  
maybe they're just waiting for the moment to slap Mac users upside the  
head with something devastating. No one can say for sure.

Or it may be that the Mac OS simply doesn’t have the same types of  
security holes and vulnerabilities that have historically caused  
problems on Windows. I suspect it’s a combination of these and other  
factors.

Regardless, it's clear that there will continue to be attention paid  
in the media to the matter of Mac security. Rich Mogull at TidBits has  
a nice summary of how Mac users and others should consider and  
evaluate the stories that are likely to emerge about new instances of  
Mac malware in the coming months and years. It will be helpful to keep  
a shaker of salt nearby as these stories emerge and to read beyond the  
headlines.

Or maybe I'm just a Mac-loving Pollyanna. In my own defense, I have to
say I like my chances so far.
