Daniel Eran Dilger

The Mac Malware Myth


Daniel Eran Dilger
According to proponents of the Mac Malware Myth, Mac users should be afraid of a series of reports about a “rising tide” of malicious software and, in panicked response, install anti-virus software from the vendors who propagate those dire warnings. They’re wrong; here’s why.
For more than a half decade, the Windows-enraptured tech media has been banging on a drum about the imminent arrival of Mac viruses. As proof of this coming wave, they always cite researchers employed by anti-virus vendors who recount vulnerabilities found in Mac OS X or occasionally trojan horse malware designed to dupe Mac users into manually installing software that intentionally causes problems.

This is like warning the population of the threat of a global pandemic outbreak based on press releases issued by a homeopathic group concerned that isolated reports of individuals hitting themselves with a hammer might portend a greater public health crisis, unless more people coat themselves with 30x ferrum phos obtained from one of their practitioners.

Somewhat ironically, long before any of today’s pundits were trying to suggest that Windows isn’t really that insecure and the Mac isn’t really any better, there was a time in the 80s when Macs did suffer from regular infections, at least if you were in a school setting where kids were passing around floppies infected with boot sector viruses. That was in the days before Microsoft ported the Mac desktop to the PC and called it Windows. A lot has changed since. (Correction: There Were Never Any Mac Boot Sector Viruses)

Someday, someone might develop code that attacks Mac OS X, then replicates itself, and propagates the attack to other systems. Of course, for that type of viral attack to have any real and lasting effect, it will also require Macs to be widely installed by millions of users in the 1990s, prior to the development of Software Update over the Internet. You’ll know this is about to happen shortly after the first time machine is invented.

Until then, you can rest assured that every article you read about widespread virus attacks is really about Microsoft Windows. Of course, there will also be those sneaky articles written in CNET and Wired and the Register that insinuate that trojan horse attacks are the same thing as viruses because they are both “malware,” just like stubbing your toe and the Black Death are both “health-related issues.”


The Unavoidable Malware Myth: Why Apple Won’t Inherit Microsoft’s Malware Crown
Office Wars 3 – How Microsoft Got Its Office Monopoly

Goodin Questions Security Using Obscurity.

One recent example of this comes from Dan Goodin, filling space in the Register. If you’re one of the millions of web readers who stopped reading the Register back in the late 90s when its effeminate sassiness grew tiresome, let me fill you in on what the site has been up to lately.

Goodin’s most recent article “Mac malware tide on the rise!” (exclamation point added to highlight the silliness) desperately bends backwards to conflate a) malicious software dressed up as pirated warez that tricks one individual Mac user into manually bypassing operating system security to install it once with b) the self-installing, self-replicating viruses that rapidly spread to millions of Windows PCs overnight, like the recent Conficker virus (aka Kido or Downadup), which has now infected more than 15 million Windows systems across the globe.

Goodin was careful not to directly refer to any of the four Mac malware reports that made up his “rising tide” as actually being viral, but he expertly wove in mentions of “anti-virus providers,” purposely muddying the waters to suggest that Macs have no security advantage over PCs running Windows, the platform that must always run anti-virus software or else face immediate infection.

Warning: yikes link Mac malware tide on the rise • The Register

The Business of Fear Gets an Education.

Goodin’s article was sponsored by Symantec security ad banners and made direct reference to “Mac anti-virus provider Intego” and “anti-virus provider Kaspersky.” How is it that there is any software industry built around Mac anti-virus when there are no Mac viruses?

Fear. And ignorance. It is certainly conceivable that a Mac virus could be written, even if it would not pose the same widely infectious threat that Windows users face every day they are connected to the public Internet. However, it is not accurate to say that installing anti-virus software would protect Mac users from such a theoretical situation.

In fact, anti-virus software itself is a key target for infection. That’s because anti-virus software sits in a powerful, trusted position within the operating system and has its own mechanisms for accepting updates from the network, which are often easier to corrupt than the operating system itself.

Apple itself discovered this when it began shipping Virex as part of its Dot Mac package. While the anti-virus software was never compromised by an external virus attack, it did cause other low level problems for the system, which got so bad Apple yanked the title and stopped distributing any anti-virus tool at all for Macs. It also stepped up its advertising of the fact that Macs had no viruses in the wild. When dealing with fear, sometimes the best defense is a good offense: education.

Apple’s other offensive is in working to progressively bolster the security of its platforms. That means regular updates to its system software, new technologies incorporated into Mac OS X, and new security policies that make infecting the iPhone and iPod touch virtually impossible.


Road to Mac OS X Snow Leopard: 64-bit security
New QuickTime 7.6 addresses quality, security
iPhone 2.0 SDK: How Signing Certificates Work
10 FAS: 10 – Apple’s Mac and iPhone Security Crisis

Managing Risk.

Anti-virus software on Windows, like Windows itself, has actual exploited vulnerabilities that have been used to spread infections. That risk is usually overwhelmed by the greater risk of not running anything and being more likely to fall victim to one of the tens of thousands of active viral attacks that can infect Windows software.

On the Mac, there is no background danger of viral infection, only a theoretical one. That makes running anti-virus software a risk not worth accepting. It’s not just that there’s no valid reason to run anti-virus software, but that there is real danger in installing anti-virus software on the Mac and assuming that you are now protected from any problems.

Installing anti-virus software on a Mac puts you at greater risk because the anti-virus software itself provides new opportunities for potential infection. If that’s hard to comprehend, imagine covering yourself with band-aids in the hope of avoiding any potential for infection; the reality would be that those bandages wouldn’t do anything to protect you from being infected if you were actually injured, and up to that point they would only serve as a potential medium for culturing infectious bacteria and keeping it in contact with your body.


Five Factors Shifting the Future of Malware and Platform Security

Prophylaxis not Always a Panacea.

Similarly, because there are no known signatures for Mac viruses (because no viruses yet exist), there is no way to prevent infections that might be developed. The security software would have to be updated to provide any protection, but that update mechanism also serves as a potential vector for distributing elements of malicious attacks, either directly or by opening up potential new vulnerabilities.

Were there some real, plausible risk of Mac viruses being developed (say, you operated a large lab of Macs that served as a valuable target for attackers), it might make some sense to install anti-virus tools so that you could mitigate damage once a threat was discovered. It also might make some sense for some institutions to install tools that limit what software their users can install.

However, for home users, Mac anti-virus makes no sense whatsoever. All it can possibly do is slow down the system, add some irritating interruptions, and provide a false sense of security while actually undermining real security by adding new layers of potential vulnerabilities. Very targeted attacks, ones that might exploit a vulnerability to gain access to your system, are not preventable with anti-virus software that only scans for known patterns of malicious software.

Really, how useful is it to install anti-virus software that can realistically only stop you from installing software you should know better than to attempt to install in the first place, whether it’s the pirated version of Photoshop or the pirated version of iWork or an unknown anti-virus package from the web? Yes, those are the four fearsome malware examples Goodin cited as his “rising tide” of Mac malware, and which, coincidentally, Intego cites as the reasons to buy its Mac software.

Of course, the security experts at Kaspersky, Symantec, Intego, and others don’t want you to know that. They want you to read scary articles like those that regularly appear on CNET, Wired, and the Register, which are based on press releases issued by those vendors, all suggesting that Macs are really damn close to being dangerous to use, and that their products are really critical for your continued safety.

Because when you’re in the business of fear, an educated population is the worst thing you can imagine, and a lazy media content with republishing your press releases is your only hope in preventing that from happening.


  • wintercamp

    Hi! I always love your articles! I’m not so into “effeminate” as a derogatory term, though.

  • http://www.isights.org/ whmlco

    I think you may be making a bit much out of the article being “sponsored” by Symantec, as it was probably just a contextually placed ad.

    Much, I assume, as was the Cyber-Defender anti-virus ad that adorned the top of the Roughly Drafted article…

  • ronhip

    Odd that given the subject of this article, two of the three ads associated with it were spyware and security scan ads…

    [Not odd at all considering that they are positioned by context – Dan]

  • Brau

    Man! A subject close to my heart. Well said.

    A few other things most people don’t realize about virus software:

    1. Viruses have to be coded very lean and if even one bit is out of place they won’t work. AV software can’t actually run any code to see if it’s truly viral so they only compare it to known virus strings, within a percentage. This means over 90% of the pop-ups users receive warning of a “possible” virus are usually false and the user is being denied viewing a perfectly legit file. The result is that the user thinks it’s actually protecting them when it’s not. Sometimes it’s simply the file name.

    2. AV software cannot protect you from future viruses, only past ones.

    3. Running any brand of AV software causes infinitely more problems for Mac users than not. Norton, McAfee, Sophos, and even ClamX all have extensive troubleshooting forums detailing tens of thousands of issues ranging from HD erasure, critical data loss, and even phantom user accounts. Scary stuff, given there are no Mac viruses that can do any of these things.

    4. Many Mac dealers often profit from getting Mac users to install free AV software as they make a ton of money on the resulting service calls. I had a knock down, drag-em out public confrontation with the local Mac User Group (hosted by a local dealer) who was openly pushing all Mac users to run AV software to be “good netizens” and “just to be safe”. Thankfully many other Mac users were just as enraged by this as I was and they were thoroughly embarrassed into backing off.

  • http://quickdekay.net QdK

    Thanks for this article. I agree with some of your points: all additional programs can potentially become new attack vectors when it comes to viruses or malware.
    Quite possibly the anti-virus packages for the Mac actually protect against Windows viruses, so when a Word or autorun-based virus travels on i.e. a USB stick from an infected pc to a Mac to an uninfected pc, the Mac will have intercepted and cleaned the medium before it hits the uninfected pc. To this day, anti-virus software for the Mac isn’t so much protecting your Mac, but other pcs, if I’m correct in this assumption.

    However, the article on The Register details a hacked version of iWork which was then distributed as a torrent. Downloading something you ought to know you can’t trust while saving only $79 is just stupid, but people seem to do it. The problem arises when the user launches the iWork installation tool. By that time, the tool can do anything it wants, with the rights of the user (such as launching a daemon, etc). It probably asks for your password and by giving this, the (hacked) tool can do even more, like installing a KEXT or, like the hacked iWork seems to do, make a daemon start when the OS starts. The malware KEXT can then serve the purpose of a keylogger, the daemon as a spam hub.
    This question on the Cocoa-dev mailing list caught my attention last year:
    http://lists.apple.com/archives/accessibility-dev/2008/Oct/msg00006.html
    It reminded me of a malware distributor we found out we had as a user of our services (I work at an ISP). He distributed torrents (for Windows programs) with malware which used a keylogger. This logger would then, with intervals, FTP a file with all keystrokes including the active window name to a homepage the user had created. Needless to say the account was closed and reported to management, but this kind of trick would work as well on OSX if the user is tricked into giving his/her password.

    Self-propagation like a virus would do is still seemingly out of reach for OSX, but trojans apparently aren’t. And it’s trojans the malware writers of today are writing, since there’s enough morons allowed to use computers.

  • http://johnsessays.blogspot.com John Muir

    @Brau

    True. That last point is the only justification for Mac anti-virus software that I’ve heard. “Be a good citizen. Don’t pass viruses on!” Oh please, what a load of bunk. Do people really think the Internet works just like passing around floppy disks like the old days? Apparently…

    Every system which ever touched the Internet is responsible for its own security, period. And for hassle free living, that is best a Mac or something else rooted in UNIX.

  • Joel

    It’s interesting how much the Register article confuses malware with trojans. I’m surprised they didn’t manage to confuse the two with “computer viruses” or worms… They must still have a technical person writing…!

    The interesting thing is the computer security industry could be wiped out very quickly if Microsoft took the same design precautions Apple has. Instead of having a secure OS from the start they added half-baked security precautions in Vista that are having no real effects. One wonders why they don’t do anything. Are they incompetent, or are they afraid of being sued by the anti-viral companies for loss of business…?

    Another point… If Levi sold jeans that allowed the build-up of bacteria against the skin, and caused a nasty rash that could spread to others there would be a class-action suit in minutes. Why can’t the same be applied to Microsoft…?

    Pity they miss out that the quickest way to deal with the iWork Trojan is by running the command “sudo rm -rf /System/Library/StartupItems/iWorkServices” from the command line (i.e. Terminal.app). Some sophisticated attack…!

  • Joel

    In that comment, the last paragraph should be the 2nd one… :D

    I wonder when Dan will address these other myths:
    The “Security through Obscurity” Myth.
    The “Computer Virus will Occur Naturally Everywhere Anyway” Myth

  • chuckb

    Laughed out loud at this, “Of course, there will also be those sneaky articles written in CNET and Wired and the Register that insinuate that trojan horse attacks are the same thing as viruses because they are both “malware,” just like stubbing your toe and the Black Death are both “health-related issues.””

    Well put. The FUD put out on this issue by Windows apologists and anti-virus software purveyors has clouded this issue for many people. Thanks for a great piece of debunking.

  • warlock7

    @wintercamp:
    I don’t believe that the term was used in a derogatory manner. It was merely descriptive, as well as being accurate.

  • gus2000

    I used Virex when I first got dotMac, but quickly removed it when I discovered it was worse than any virus I ever had.

    In the early days of the PC Plague, antivirus was actually quite useful against “unknown” attack vectors since they plugged many of the infection-holes left open by Windows. They also did things like keep checksums of COMMAND.COM to make sure it hadn’t been modified. Computer systems are far more complex now, and malware more sophisticated unfortunately. For instance, viruses are now defeating signature-based rules by distributing interpreted code that uses randomized internal names.

    Call up Sun, IBM, or HP and ask them what kind of anti-virus software they use. Chances are you’ll get a “wtf?!?” response, even though their servers are used in the most critical data centers around the world. Why? Because they use Unix (or a variant) which wasn’t coded to act like a drunken prom date. OS X is based on NeXT, which is based on Unix, just like the big servers!

    Daniel, you might as well keep this article in generic form (“Tech analyst $NAME at site $URL spreads Mac malware myth $TODAY”) so that you can avoid repeating yourself as this happens over and over and over again.

  • stefn

    How far back has it been true when a techie with even an ounce of ethical principles could have recommended using Windows rather than Mac for home users?

    Ten years? And still I hear it all the time.

  • gus2000

    Big, heavy sigh.

    This myth is now being spread by the mainstream (non-tech) media:

    Jennifer LeClaire, newsfactor.com – Fri Jan 23, 12:09 pm ET
    “Who said Macs are immune to viruses? Some malware makers aim to bust that myth with a Trojan horse that’s being downloaded across the Internet.”

    Apparently, using “virus” in the first sentence and “Trojan” in the second sentence did not trip any of the author’s Cognitive Dissonance Detectors. She repeatedly referred to the malware by both terms, despite its inability to spread to uninfected Macs.

    To answer Ms. LeClaire’s question: no one said Macs are immune to viruses. However, Macs do have a superior security architecture over Windows that make them far less vulnerable. Oh, and viruses are not the same as Trojans, just like being a “writer” does not automatically make you a “journalist”.

  • Joel

    From NewsFactor : “Noteworthy is the fact that although Apple is known for a virus-resistant platform today, in the 1980s and early 1990s the Mac was among the top platforms for spreading malicious code. That changed with the introduction of Windows 95 and the Internet. Security researchers recommend Mac users stay protected with security software.”

    Just because you surf the Internet doesn’t make you a tech writer…

  • gus2000

    ZOMG, and now the Windows Apologists are taking their case to the people via FauxNews:

    Experts: New PC Virus No Reason to Panic
    Monday, January 26, 2009 | FoxNews.com
    “A new computer virus is spreading across the Internet, but security experts say that it hasn’t resulted in much damage and that its impact is primarily psychological.”

    Yes, it’s infected over 15 million systems and counting, but there’s nothing to see here! These are not the malwarez you’re looking for. Move along. Move along.

  • WebManWalking

    I think you could make a good argument for Macs running antivirus software that detects WINDOWS viruses, so that we don’t pass along something malicious to that community. I couldn’t talk my youngest sister out of going 100% Microsoft in her household, for example, and I wouldn’t want to send her something that proved to be malware.

    On a similar note, I’m all the time recommending funny or interesting or erotic websites to my coworkers, but I visited them at home on a Mac. Didn’t hurt me a bit. Software for a Mac that identified websites that are actually Windows virus vectors would save me from inadvertently hurting a friend’s computer by recommendation.

    If you really want to be a good netizen and not pass along malware, it seems patently obvious what kind of malware to be most worried about: the kind that’s made for Windows.

  • Brau

    @ WebMan

    Sorry, but it makes no sense at all for Macs to run AV to protect Windows users. They have chosen to purchase a system they know is full of holes and simply must be responsible for their own security. Metaphorically, they are choosing to live without skin then blaming others when they get an infection. People who decide to run Windows deserve whatever they get and it is unfair to coddle them into a false sense of security by allowing them to blame Mac users for their laziness.

  • http://home.comcast.net/~daguy daGUY

    It seems like every couple of months an article comes out about how attacks on Macs are “on the rise” and there could “soon” be an outbreak of dangerous Mac viruses. This has been repeated for years and years, and yet there is still not ONE SINGLE Mac virus, as far as I know.

    There’s a few Mac trojans out there, and yes trojans are malicious, but they are NOT viruses. Trojans don’t automatically spread between computers, and they work by tricking the user into *intentionally* giving them secure access to the machine – hence the term “trojan.” They don’t take advantage of an actual vulnerability in the system; they take advantage of users who blindly install software without considering the source. Big difference – you can patch security holes, but you can’t prevent users from purposefully deciding to install something.

    The scare tactics are just to drum up hits and attention. For all the feigned panic about Mac viruses that don’t exist, THREE NEW Windows viruses come out every DAY on average! And that’s real viruses, not trojans or proof-of-concept things like you see sporadically on the Mac.

    Finally, with all the disproportionate attention already being given to the possibility of Mac viruses, don’t you think somebody out there would create one JUST to capitalize on that? Imagine how berserk the tech media would go if a REAL Mac virus was released! And yet, OS X’s been out for 9 years and there aren’t any.

  • http://home.comcast.net/~daguy daGUY

    @Brau: but a lot of Windows users don’t even realize that they’re at risk, or that there are other, safer alternatives to Windows. Other users may not have a choice (for example, I have to use a Windows PC at work). So, even if you’re on a Mac, it would be irresponsible to pass along a Windows executable through email if you’re unsure of where it came from. That’s the one reasonable argument I can see for running Mac AV software.

  • NB

    Dan,

    Mac OS X is just as vulnerable to drive-by malware installations as Windows is. Flash; QuickTime; WebKit. Three prime vectors.

    The first user-friendly iPhone jailbreak was executed via a buffer overflow in MobileSafari that could lead to execution of code supplied by the attacker, leading to full compromise of the device, for example.

    You can claim that trojans are not self-replicating and thus not viruses but that is a semantic difference. They both lead to compromises of the computer’s integrity and thus of the user’s data. I can’t find statistics on how many compromises were from viruses (that exploit bugs in the OS for remote code execution) versus trojans (that require some amount of user interaction such as navigating to a website) for Windows but certainly some of the high-profile ones in recent memory have been the latter kind. Continuing to claim “Look, no horse shit on my driveway!” when you have a large dog kennel there is not useful if you want to be free of shit.

    Obviously, nobody is going to write a Warhol Worm that runs on Mac OS X, purely due to the much lower market penetration of Mac OS X. Nobody is arguing with that. That doesn’t mean that the first occurrence of malware distributed with fresh software released in the OS X P2P community isn’t worth writing about anymore.

    Ironic, by the way, how you bashed The Register for carrying Symantec ads, while your own page carries similar ads, by e.g. Intego – and additionally an ad for “Remove Antivirus 2008: Detect and Remove Antivirus 2008. Antivirus Removal (Free Scan)” which sounds distinctly unwanted and spyware-like to me.


  • http://www.roughlydrafted.com danieleran

    NB: no anti-virus software would protect iPhones from being exploited through a WebKit vulnerability.

    Also, I did not “bash” the Register for having a Symantec contextual ad, I simply referenced it to allude to the big money behind the anti-virus industry, which is necessary on Windows and really wants to make money selling to Mac users too.

    “You can claim that trojans are not self-replicating and thus not viruses but that is a semantic difference”

    Yes, it is a semantic difference, which is why we have dictionaries and assign words meanings in the first place.

  • jfatz

    It’s a Symantec difference?

  • http://all.net/ hylas

    gus2000
    “I used Virex when I first got dotMac, but quickly removed it when I discovered it was worse than any virus I ever had.”

    I got VirusBarrier X5 with a bundle recently, I got curious and installed it, weeks later I’d forgotten, and was swapping firewire drive – copying on to the other, it kept telling me a certain Linux .iso was corrupt. Twice.
    “Real-Time Scanner” was fscking me.
    Curiosity over.

    Brau
    @ WebMan
    “Sorry, but it makes no sense at all for Macs to run AV to protect Windows users. They have chosen to purchase a system they know is full of holes and simply must be responsible for their own security.”

    With the exception of Servers with Window clients, I totally agree.

    There is an instance of one that is of concern; it’s not a virus, more of a rootkit – logic bomb hybrid I (and others) have run across. (X-Platform)
    In ’97 and ’05 this thing got a hold of me. The first time on a 68040, Quadra 610 and its networked Mac IIsi. The second time G4s, G5s (everything) and Xserves.
    Another researcher (Nancy) has named it, and it’s appropriate:
    Subversion.
    (on Nancy’s site you’ll get a warning on Site Identification [it seems to be expired] click through to read)

    https://tagmeme.com/exmachina/a/002450.html

    It’s like nothing you’ve ever seen or will see.

    It’s BAD – really bad, and it’s genius, no way out. (ISYN)

    She’s on Windows (now Mac), it reads like my experience (on Macintoshes), very similar hallmarks.

    Nancy:

    https://tagmeme.com/exmachina/a/002450.html

    https://tagmeme.com/subhack/whoarethesepeople.html

    The quest for ring 0:

    http://www.securityfocus.com/columnists/402

    http://www.securityfocus.com/comments/columns/402/33600#33600

    (^replaces a broken link^)

    http://www.mackido.com/EasterEggs/CD-System70.html

    Researchers: Rootkits headed for BIOS:
    (comment especially)

    http://www.securityfocus.com/news/11372

    http://www.securityfocus.com/comments/articles/11372/33017/threaded#33017

    http://www.securityfocus.com/comments/articles/11372/34206/threaded#34206

    http://www.securityfocus.com/comments/articles/11372/33500/threaded#33500

    http://www.securityfocus.com/comments/articles/11372/34207/threaded#34207

    http://www.securityfocus.com/cgi-bin/index.cgi?c=articlecomments&op=display_comments&ArticleID=11372&expand_all=true&mode=threaded

    http://www.spywareinfoforum.com/index.php?s=3a3ce02c4055e269a0220c239560f3f9&showtopic=6056

    The reaction is always (you’ll notice):
    no way
    this is a hoax
    you’re mistaken
    you’re an idiot
    you’re incompetent

    Ad nauseam, ad infinitum

    I’m starting a Journal (blog) about this @ lunatechnical.net in the near future (forgive the self-reference). It’ll be a small personal project as I collect the people this has affected to fully document this major problem that flies so low to the ground as to never be seen.

    P.S.

    I’m completely behind Daniel’s above article, the whole two times I’ve ever run AV on a Mac it has been the problem – corruption of the disks.
    They need a new model.

  • http://home.comcast.net/~daguy daGUY

    “You can claim that trojans are not self-replicating and thus not viruses but that is a semantic difference. They both lead to compromises of the computer’s integrity and thus of the user’s data.”

    Yes, but the difference is that trojans work by tricking the user into running something, rather than taking advantage of a security hole. A theoretical system that was 100% secure (zero security holes) could still get bitten by a trojan. So doesn’t it say something about the Mac’s security that there have been trojans, but no viruses?


  • enzos

    A deliciously crafted squib!
    Cheers Dan
    -Enz
    PS: I’ve used Macs on and off uni networks since the SE, never used AV software and never once been bitten. [fingers crossed, touching wood]

  • enzos

    PPS: daGuy makes a good point, and a sharp retort to the security through obscurity mantra.

  • Michael

    great article daniel, you’ve been really prolific lately with your writings, i look to see more! anyway, i laugh every time people say they don’t run antivirus on windows vista, BUT they advocate running antivirus software on mac os x, which hasn’t had any real attacks compared to vista’s papier-mâché record on virus protection.

    of course, people will rant since they don’t need antivirus protection on windows, they have defeated the mac’s main selling point. until they get a virus. anyway, smart users don’t (and won’t) install pirated software, especially if it’s reasonably priced.. but there are those who take the chance to pirate anyway, and they pay for it, just not with monetary costs. As far as I know, you can just grab the serial key and download the trial version from Apple’s website, therefore having the best of both worlds, pirated software being downloaded legitimately.. not that i’m advocating anyone to do that, of course. But those news media outlets were apparently brainless enough to not realize that there ARE other sources for getting your clean iWork copy. And yeah, that one line removal in Terminal posted by Joel would solve the problems created by that trojan.. try doing that in Windows!

  • Joel

    Well… Once the infected versions of the pirated copy of iWork were either flagged or removed, the chances of being infected decrease significantly. It’s why I’m sceptical of the 20,000 Macs being infected figure. I would guess probably about 5,000 at most, and then the majority of them being cleared up. So I would guestimate that by now a maximum of 1,000 Macs are still infected. Big deal…!

  • Joel

    The full command line removal is:

    1) (open Terminal.app)
    2) sudo rm -r /System/Library/StartupItems/iWorkServices
    3) sudo rm /private/tmp/.iWorkServices
    4) sudo rm /usr/bin/iWorkServices
    5) sudo rm -r /Library/Receipts/iWorkServices.pkg
    6) sudo killall -9 iWorkServices

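Joel's removal list, turned into a scan-before-delete script, as an added example that is not Joel's or the article's code. The only indicators it knows are the four paths and the process name in the comment above; the ROOT argument is an added convenience for checking a mounted copy or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example: look for the iWorkServices trojan artifacts named in the
# comment above, report what is present, and remove them only on request.
# Run as root (sudo) when scanning or cleaning the live system ("/").

# Indicator paths quoted from the comment; nothing else is assumed.
IWORK_INDICATORS="
/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg
"

# Print each indicator path that exists under ROOT (default "/").
# Exit status 0 means something was found, 1 means the host looks clean.
iwork_scan() {
    root="${1:-/}"
    found=0
    for p in $IWORK_INDICATORS; do
        if [ -e "${root%/}$p" ]; then
            printf '%s\n' "${root%/}$p"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]
}

# Number of indicators present under ROOT, for scripting and for tests.
iwork_count() {
    root="${1:-/}"
    n=0
    for p in $IWORK_INDICATORS; do
        if [ -e "${root%/}$p" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Remove whatever the scan found under ROOT; stop the process only when
# ROOT is the live system, since a copy has no running iWorkServices.
iwork_clean() {
    root="${1:-/}"
    iwork_scan "$root" | while IFS= read -r path; do
        rm -rf "$path"
        printf 'removed %s\n' "$path"
    done
    if [ "$root" = "/" ]; then
        killall iWorkServices 2>/dev/null || true
    fi
    return 0
}

# Usage: . ./iwork_check.sh; iwork_scan /        (report only)
#        sudo sh -c '. ./iwork_check.sh; iwork_clean /'   (remove)
```

Scanning first and cleaning second means a false positive (a legitimate file that happens to share a path) can be inspected before anything is deleted.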
  • http://pushingjelly.co.uk Bradley

    Hey Dan,
    We run AV on our 700+ Macs because we don’t want them to harbour anything that would infect our 4000+ XP machines.
    It’s a pain but a necessary evil.
    Brad

  • stefn

    @NB
    More semantic differences: cat/dog, black/white, up/down …

  • stefn

    Not@NB

    Semantic difference, as in “merely semantic difference.”

    A world of Orwellian nightmare lurks within this usage, when it lets the user abandon any form of intelligent or articulate argument in favor of making it all up. In other words—avoiding too fine a semantic point—employing fabrication, obfuscation, mendacity, lies.

    War is peace. Torture is dialogue. Oligarchy is democracy. Greed is need. Poverty is prosperity. Oppression is freedom.

  • http://home.comcast.net/~daguy daGUY

    @enzos: I think “security through obscurity” is still part of it, too. Obviously, if you’re writing a virus, you want it to spread and cause as much damage as possible. So naturally, you’re going to aim for the biggest target – Windows PCs.

    I think the lack of Mac viruses is a combination of both factors – OS X is inherently more secure, and at the same time, it’s used by far fewer people so it’s a much smaller target. Why expend more effort to create a virus that did less damage? It makes no sense.

    The only incentive I see for creating a Mac virus is media coverage – the first legitimate, widespread infection would generate a lot of attention. But yet even after 9 years of OS X on the market, that hasn’t happened. So either it’s too difficult, or it’s simply not worth the effort.

  • mihomeagent

    Funny you should mention this at this time. Here’s USAToday showcasing a claim of an infected MacBook. The details are not actually believable–in fact, they sound impossible.

    http://www.usatoday.com/tech/news/computersecurity/2009-01-28-hackers-data-scams_N.htm

    “Cybercriminals have launched a massive new wave of Internet-based schemes to steal personal data and carry out financial scams in an effort to take advantage of the fear and confusion created by tumbling financial markets, security specialists say. [. . .]

    “Among those caught in the most recent barrage of scams was Justin Terrazas, 27, a beverage merchandiser from Seattle. He clicked on a Web link that infected his MacBook Pro laptop with a data-stealing program. Not realizing the laptop was compromised, Terrazas later typed his Bank of America debit card number and PIN to pay his Verizon cellphone bill online. The data-stealer swiftly siphoned his information.

    “A few days later, someone used Terrazas’ debit card account to make a $501.41 online purchase from Modabrand.com, a designer clothing store. The merchandise was shipped to London, leaving Terrazas to unravel a big mess.”

  • http://macsmarticles.blogspot.com Derek Currie

    HISTORY: ‘The Sky Is Falling’ FUD started in August of 2005. The first perpetrator was our old pal Symantec. Who else. McAfee fell in line by the end of the year. But oddly, the CEO of McAfee was then quoted as saying the single best way to avoid malware on computers was to, you guessed it, use a Mac.

    In the following three years there was an actually wonderful event: The FUD got to Apple and they got seriously serious about Mac OS X security. Believe me, Apple had NOT been serious about it previously. As a result there was an exponential increase in Apple Security updates. There was also one enormous revelation: Apple QuickTime was a massive security hole. If you review the security improvements in Quicktime over the last year you’ll realize this is a fact. The problems first became obvious in December 2007 when one of its vulnerabilities was exploited by hackers at MySpace who managed to use a cross site scripting hole in Quicktime to hack thousands of MySpace pages. Apple rapidly provided a fix and got to work cleaning up the rest of their messed up code.

    In October 2007, the very very very first Mac OS X malware in-the-wild showed up in the form of a porn site Trojan horse masquerading as a Quicktime component you were supposed to install in order to watch a website porn video. That was over TWO YEARS after ‘The Sky Is Falling’ FUD began. Then over the last year a horrifying TRICKLE happened. While Windows was flooded with thousands of new malware, including real life viruses, Mac OS X was made slightly damp with another seven Trojan horses. Did I feel a drop?

    You can read all the gory details over at my Mac-Security blog:

    http://mac-security.blogspot.com

    ;-Derek

  • http://macsmarticles.blogspot.com Derek Currie

    TYPO:
    Was “The problems first became obvious in December 2007”
    Is “The problems first became obvious in December 2006”
    SORRY!

  • beetle

    @NB
    As is appropriate, you have been chastised for asserting that the distinction between worms and viruses is trivial. Perhaps under Windows the differences are less relevant?

    You also give as an example of triggering user interaction:
    > such as navigating to a website

    Sorry, but if it only takes a URL to let a piece of malware infect an operating system, that is more like a virus than a trojan. Under Unix (including OS X), the latter requires user authentication.

  • http://macsmarticles.blogspot.com Derek Currie

    “Security By Obscurity”
    … Is a joke, always was, and I suspect always will be. I wrote a shocking article, over at my Mac-Security blog, about how to prove it is a joke to all but the most dimwitted among us. It uses mathematics, which apparently confuses dunderheads and trolls.

    Why is there no such thing as ‘Security By Obscurity’ for Mac OS X?

    Because Mac OS X is UNIX. It’s certified! Look it up! UNIX was built from day one to be profoundly secure. Windows never was. That’s why Microsoft, to this day, have the single least secure operating system commercially available. Very sad. Very true.

    Do not ever expect Mac OS X, even if it becomes as popular as Windows, to have any amount of malware as massive as Windows. Mac OS X is, here’s that word again, PROFOUNDLY more secure than Windows. There is no such thing as perfect security. Mac users have no excuse for not paying attention to security. But never let any joker, dimwit or troll fool you that there is such a thing as ‘Security By Obscurity.’ What really exists is solid state Mac OS X security that prevents hacking and cracking far better than anything Microsoft will ever come up with. That is literally why they have 99.99999999% of the malware and Mac OS X users statistically have next to nothing. And yes, they’ll hate you for telling them the truth. Just smile back.

    ;-Derek

  • http://macsmarticles.blogspot.com Derek Currie

    OK, so you want to be a responsible Mac OS X user, and want to be prepared for any Mac malware lingering out there in the wild. What do you do?

    1) Never install anything that you have not verified as 100% legitimate software. That means specifically two things:

    A) Never believe any notice anywhere that says you must install something being offered to you. Go check it out and download it from a reputable site that checks out software and provides user reviews. These include Versiontracker, MacUpdate, Download.com, TuCows, etc.

    B) Never install pirated software. The most recent Trojan for Mac OS X specifically hides inside pirated software installers, pretending to be an installer package, installed right alongside the legitimate installer packages.

    2) Go get a decent free anti-malware program. (The term ‘anti-virus’ is out of date). My only recommendation for a FREE program is ‘iAntiVirus’ free edition from PC Tools. It is up to date. Do NOT bother with ClamXav. It is well over a year out of date regarding Mac malware. (I have personally attempted to improve this situation but found it fruitless).

    Of the commercial/shareware anti-malware programs, the only one I recommend is Intego’s VirusBarrier. It works great. I own it. Got a nice deal on it too. Downside: You have to pay every year for updated malware definitions. Not worth it! See #1 above. Go get iAntiVirus.

    3) Keep up with security updates. Always install Apple Security Updates when they are provided via Software Update for your Mac. Always install updates to applications and plugins. Quicktime has security holes. Adobe Flash has security holes. RealPlayer has security holes. Etc.

    4) Use security tools and techniques. This includes working as a ‘Standard User’ on any network, not as an Administrator. You can also encrypt your account using Apple’s provided File Vault. You can also lock down your Mac using a Firmware password. There are loads of other security utilities on the net. Three I like are 1Password, Little Snitch and Gnu Privacy Guard (which is free!)

    5) The #1 Rule of Computing, repeat after me:
    Make
    A
    Backup.
    If you don’t, you get what you deserve. Cruel. Reality.

    That’s my list!

    The end.

    ;-Derek
    http://Mac-Security.blogspot.com

  • Joel

    @daGuy: There are two other advantages to creating a Mac virus or malware program. First, not many Mac users are running anti-nasty software. So if you are successful, then you will infect lots of Macs before anyone notices, and removal of your nasty will be much slower.

    Secondly, aren’t Macs supposed to be stereotyped as being more expensive than Windows machines? Ergo it follows the users will have more cash to be stripped out of their accounts…

    And I wouldn’t dismiss the bragging rights as unimportant. To the low-life scum that make up malware/virus creators their reputation is everything…

  • enzos

    >But yet even after 9 years of OS X on the market, that hasn’t happened. So either it’s too difficult, or it’s simply not worth the effort.<
    We’re on the same wavelength, daGuy. It wasn’t bravado that I didn’t use AV. It’s just that we had a mixed network: some departments like Chemistry had Mac networks (invariably maintained without fuss or downtime in his/her spare time by a single techo or academic) and some (like Biology) succumbed to ITS pressure and ‘upgraded’ to Wintel (and were serviced at great expense by ITS). My security was that most other people on the uni’s Mac networks had AV running.. but never found anything to swat… so I never bothered to install any on my machines: the Law of Parsimony (a favorite bullshit-buster in the physical sciences) says that if there’s no *proof* that you need it – in a Theory or hypothesis – leave it out. The Wintel networks were another matter, of course, they crashed and burned at least a couple of times a year and would sometimes beg assistance from our hopelessly obsolete system. Indeed, the only viruses, worms &c I dealt with in the last decade have been those on our grad-students’ Windows disks and thumb-drives (bloody krag.exe &c.).
    -Enz

  • http://www.transchristians.org Ephilei

    Nice. But unless you’re a misogynist, don’t use “effeminate” or “sissy” as derogatory. Nothing wrong with femininity.

  • gus2000

    “Security through obscurity” is total BS.

    The installed base of OS X Macs is around 25 million (not including iPhone/Touch!) and I’d say most of those connect to the internet. However, the year that Windows 95 was released, there was a total of only 16 million users connected to the internet worldwide (internetworldstats.com).

    So there are now more Macs connected to the internet than there were Windows boxes on the internet when Win95 took off and the malware boom was hitting its stride. But we’re supposed to believe that Macs are still too small a demographic to get noticed?

    Viruses are not written to “do damage”. They are not written by little kids playing pranks, but by thieves looking for personal data to exploit, or servers for delivering spam. They want quality, not just quantity. Still, a virus that could infect only 1/10th of 1 percent of Macs would get 25,000 systems. If each of those nets a single credit card number worth a measly $100, that’s a $2M virus program you’ve written there. And just think of all the effort that security researchers went through to crack OS X and claim a tiny $10,000 prize!

    There’s a thread about the USA TODAY article over at the Apple discussion forums. The consensus is that the victim either got spoofed and handed his info over directly, or that the “link” was a malicious plug-in for watching FREE PR0N! that the user happily agreed to install.

    There’s no AV program for Social Engineering. The Vista UAC tried, but simply ended up training users on how to click “Allow” repeatedly in the least amount of time.

  • benlewis

    @ the knee-jerk political correctness police: Get over yourselves. To say “their effeminate sassiness grew tiresome” is a legitimate expression of distaste for a particular writing style. One could also say “their manly braggadocio grew tiresome” if one were being critical of another style of writing.

  • PXT

    I would like to know the statistics for an average virus of how many uninfected unix servers it passes through to infect say a million PCs.
    If a PC in New Zealand passes a virus to a PC in the US, how many non-Microsoft OSs does it pass through?

  • PXT

    BTW – I’m pretty sure that ‘effeminate’ is inherently derogatory in that it applies to a scenario in which being feminine would not be a positive thing – such as a gladiator in the colosseum. Use of the word does not imply that being feminine is itself bad.

  • hodari

    Derek Currie “Because Mac OS X is UNIX. It’s certified! Look it up! UNIX was built from day one to be profoundly secure. Windows never was. That’s why Microsoft, to this day, have the single least secure operating system commercially available. Very sad. Very true.”

    REALLY ?

    Contrary to you and what some “UNIX based OS” users mistakenly think, Unix like systems are inherently less secure than Windows NT based operating systems.

    NO commercial Unix ever got C level or B level certification when the NSA was still certifying software. The Windows NT core OS was architected at the B level, implemented at the C level (B level is too difficult to be practical for use by anyone but military and intelligence agencies) and certified as C2 compliant.

    One big reason for the Unix failure at that level of security is it’s designed for only limited access control levels (3 categories with rights represented by an octal digit) and even that is only checked at a high level. Windows NT architecture, on the other hand, has granularity of security at the object and call level, a modern ACL architecture and all calls pass through a certified security subsystem.

    Now, some modern Unix based systems have a modern security system bolted on to them but that’s not the same as having it architected into the design.

    “reality” is that OS X is a VERY vulnerable operating system and Apple has a horrible record of fixing security holes.

    It’s also reality that fewer of the criminals who attack vulnerabilities have bothered going after OS X since they automatically start out with a 96%+ failure rate if they target OS X because of its tiny market share.

    Does that leave Mac users vulnerable? Absolutely. All it takes is one of the syndicates that launch these attacks (and it isn’t teenagers in basements anymore) to decide that it’s financially worth it and all those unpatched Macs with no anti-malware are toast.

  • http://home.comcast.net/~daguy daGUY

    @Joel: think of it this way. Macs have about a 5% market share in the world (give or take a few percentage points). So, to generalize, 5% of the world’s computers are Macs and the other 95% are Windows PCs (for the sake of argument, I’m leaving Linux, etc. out).

    Anyway, imagine a hypothetical Mac virus that was so successful it spread to *every single* Mac in use. That would still only account for 5% of the world’s computers! Windows is such a huge target that even a mildly successful virus can spread to more PCs than there are Macs in existence!

    So, I do think security through obscurity is part of it. Why create a Mac virus when *at best* you would only be able to infect a tiny fraction of the world’s computers?