Daniel Eran Dilger

There Were Never Any Mac Boot Sector Viruses


In tracing the history of Mac viruses, which predates anyone using Windows, I referred to “boot sector viruses” that occasionally bit Mac users, particularly in school environments where floppies were passed around. An anti-virus authority corrected me on this some time ago, and I neglected to note it: those never actually existed on the Mac. Boot sector viruses were (and are) a problem of the PC and of other machines that execute code from a floppy’s first sector; no Mac virus ever used that vector.

I originally got this wrong when writing The Unavoidable Malware Myth: Why Apple Won’t Inherit Microsoft’s Malware Crown. Chris W. Johnson, an anti-virus developer of the era, offered a correction that I neglected to print at the time, and I subsequently repeated the same mistake in The Mac Malware Myth.

Johnson noted, “The statement: ‘Back when all computers used floppy disks, and floppies were easy to infect with boot sector viruses, Macintoshes of the Classic Mac OS era carried and transmitted viruses on floppies [….]’ implies that boot sector viruses existed for Macs of the pre-[Mac OS] X era. They did not. As the author of the Gatekeeper anti-virus system, I can speak with some authority on this subject, even with memories that are a bit fuzzy more than 15 years after the fact.

“You were probably thinking of the WDEF family of viruses (and perhaps also some other ‘implied-loader’ viruses that were inspired by WDEF). The WDEF viruses infected the hidden ‘Desktop’ file on floppies (and hard disks). Their mode of operation depended on being accidentally loaded when a window needed to be opened and the Mac GUI went looking for a ‘window definition’ (WDEF) resource containing the executable code necessary to define the look of the window.

“Because all resource files, including those containing all of an application’s executables (in this case the application was the Finder), were kept open and searched in a most-recently-opened to least-recently-opened manner, and the Desktop file was also a resource file that was automatically opened when the disk it resided on was inserted, a WDEF resource in a Desktop file would be loaded and executed in preference to the real WDEF resource in the System file. (Hence the ‘implied-loader’ designation for this type of virus, of which WDEF was the first.)

“So, you were right about floppies providing a vector for spreading viruses in certain versions of the old Mac OS, but boot sectors were *never* exploited by any Mac virus, largely because there was no executable code in those sectors. [Strictly speaking, I think we identified one tiny, legacy (even at the time), portion of the boot information on Mac disks that could contain some executable code, but it was never exploited by a virus.]”
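The search order Johnson describes is easy to see in code. What follows is an added example written for this page (it is not Gatekeeper, Disinfectant or any Apple code): it serialises a minimal resource fork in the classic layout, lists the resources in it, flags executable definition-procedure resources in a Desktop file, where only icon, bundle and application records belong, and then mimics the Resource Manager’s most-recently-opened-first lookup to show a Desktop-file WDEF 0 shadowing the one in the System file. Every fork is constructed in memory; the WDEF bytes are a placeholder, not virus code, and the resource contents of the System and Finder forks are stand-ins.

```python
"""Walk a classic Mac OS resource fork and report definition-procedure
resources (WDEF, MDEF, CDEF, LDEF) sitting in a volume's Desktop file,
then show why such a resource wins the Resource Manager's search.
Added example for this page, not Gatekeeper or Apple code; every fork
below is constructed in memory rather than read from a real disk."""
import struct

DEFPROC_TYPES = {b"WDEF", b"MDEF", b"CDEF", b"LDEF"}   # 68k code the Toolbox calls


def build_resource_fork(resources):
    """Serialise [(type, id, data)] as a minimal resource fork: 16-byte
    header, 240 reserved bytes, length-prefixed data, then a map holding
    the type list and 12-byte reference entries (no resource names)."""
    data = bytearray()
    by_type = {}
    for rtype, rid, blob in resources:
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(blob)) + blob
    type_list = bytearray(struct.pack(">H", len(by_type) - 1))
    ref_lists = bytearray()
    type_list_len = 2 + 8 * len(by_type)
    for rtype, refs in by_type.items():
        # type, count-1, offset of this type's reference list from the type list start
        type_list += struct.pack(">4sHH", rtype, len(refs) - 1,
                                 type_list_len + len(ref_lists))
        for rid, off in refs:
            # id, name offset (none), attributes, 24-bit data offset, handle
            ref_lists += struct.pack(">hHB3sI", rid, 0xFFFF, 0,
                                     off.to_bytes(3, "big"), 0)
    # 16 reserved + 4 next-map handle + 2 file ref + 2 attrs, then the two list offsets
    map_header = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list) + len(ref_lists))
    rmap = map_header + type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + bytes(240) + bytes(data) + rmap


def list_resources(fork):
    """Return (type, id, attributes, data) for every resource in the fork."""
    data_off, map_off, _dlen, _mlen = struct.unpack_from(">IIII", fork, 0)
    type_list_off, = struct.unpack_from(">H", fork, map_off + 24)
    tl = map_off + type_list_off
    raw_count, = struct.unpack_from(">H", fork, tl)
    if raw_count == 0xFFFF:          # count-1 == -1: empty map
        return []
    out = []
    for i in range(raw_count + 1):
        rtype, n_refs, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(n_refs + 1):
            rid, _name, attrs, off3 = struct.unpack_from(">hHB3s", fork, tl + ref_off + 12 * j)
            doff = data_off + int.from_bytes(off3, "big")
            length, = struct.unpack_from(">I", fork, doff)
            out.append((rtype, rid, attrs, fork[doff + 4: doff + 4 + length]))
    return out


def suspicious_defprocs(fork):
    """A Desktop file carries icon, bundle and application records; any
    definition procedure in it is executable code that the Toolbox will
    load ahead of the genuine one in the System file."""
    return [(t, rid, len(blob)) for t, rid, _a, blob in list_resources(fork)
            if t in DEFPROC_TYPES]


def resolve(chain, rtype, rid):
    """Mimic GetResource: search open forks most-recently-opened first."""
    for name, fork in reversed(chain):
        for t, i, _a, blob in list_resources(fork):
            if t == rtype and i == rid:
                return name, blob
    return None, None


# --- constructed samples (placeholders, not real resources) ----------------
RTS = bytes.fromhex("4e75")                        # 68k RTS: a do-nothing code stub
FAKE_WDEF = bytes.fromhex("60000004" "4e75")       # placeholder bytes, not WDEF virus code
SYSTEM_FILE = build_resource_fork([(b"WDEF", 0, RTS), (b"MDEF", 0, RTS), (b"CDEF", 0, RTS)])
FINDER = build_resource_fork([(b"CODE", 0, bytes(8)), (b"CODE", 1, RTS)])
CLEAN_DESKTOP = build_resource_fork([(b"APPL", 0, b"TEXTTeachText"),
                                     (b"ICN#", 128, bytes(256)), (b"BNDL", 128, bytes(12))])
INFECTED_DESKTOP = build_resource_fork([(b"APPL", 0, b"TEXTTeachText"),
                                        (b"ICN#", 128, bytes(256)), (b"WDEF", 0, FAKE_WDEF)])
# Forks in the order the system opened them: System, then Finder, then the
# Desktop file of a just-inserted floppy; the lookup walks them in reverse.
CHAIN_CLEAN = [("System", SYSTEM_FILE), ("Finder", FINDER), ("Desktop", CLEAN_DESKTOP)]
CHAIN_INFECTED = [("System", SYSTEM_FILE), ("Finder", FINDER), ("Desktop", INFECTED_DESKTOP)]

if __name__ == "__main__":
    print("clean Desktop file:", suspicious_defprocs(CLEAN_DESKTOP))
    print("infected Desktop file:", suspicious_defprocs(INFECTED_DESKTOP))
    print("WDEF 0 comes from:", resolve(CHAIN_CLEAN, b"WDEF", 0)[0],
          "/", resolve(CHAIN_INFECTED, b"WDEF", 0)[0])
```

The check a scanner of the era really needed is the one in suspicious_defprocs: the Desktop file is opened automatically on insertion, so any definition procedure it contains is live code, and no amount of hardening the Finder’s own resources helps, because the Desktop file is searched first.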

Microsoft’s MBR Boot Sector Legacy

So there you have it: Macs never fell prey to boot sector viruses. Those were, and still are, a fixture of the PC platform, which boots from Microsoft’s archaic MBR layout (other floppy-booting machines of the era, notably the Amiga and Atari ST, had boot sector viruses of their own, but the Mac did not). The MBR packs 446 bytes of executable boot code into the same 512-byte sector as the partition table, and the BIOS runs that code blindly before any operating system loads, so an infected MBR bites DOS/Windows (whatever the file system, FAT or NTFS) and Linux alike when they boot from an MBR-formatted drive. Macs used the Apple Partition Map, which the firmware reads as data rather than executing, and with the transition to Intel they moved to GPT, the GUID Partition Table defined by Intel’s EFI specification, normally carrying only a single protective MBR entry so that legacy tools don’t mistake the disk for an empty one.

Even today, Windows XP, Vista and Windows 7 are installed on MBR-formatted drives on the vast majority of PCs because Microsoft hasn’t pushed the PC industry toward EFI firmware. When Boot Camp sets up a FAT or NTFS partition for Windows, the Mac keeps the disk in GPT and writes a hybrid MBR that mirrors the Windows partition so Windows can find it. Mac OS X boots through EFI, which never executes the MBR’s boot code, so the Mac OS X boot path is immune to a boot sector virus. The caveat is that Boot Camp starts Windows through the firmware’s BIOS compatibility mode, which runs the MBR and volume boot record code exactly as a PC would, so a Windows installation in Boot Camp is as exposed to boot sector infection as any PC while Windows is booting and running, even though an infected MBR can do nothing to Mac OS X. And of course, running Windows in Boot Camp doesn’t protect you from the other viruses targeting the Windows platform.
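To make the distinction above concrete, here is an added example (code written for this page, not Apple’s, Microsoft’s, or anything from the linked articles) that parses LBA 0 as an MBR, tells a lone protective 0xEE entry apart from the hybrid MBR that Boot Camp writes, and validates the GPT header at LBA 1 by recomputing its CRC32. The sample sectors are constructed in memory; the loader bytes stand in for real boot code, and the baseline digest comparison is the sort of boot-code integrity check an administrator would record at install time and re-run later.

```python
"""Classify the MBR at LBA 0 and validate the GPT header at LBA 1 of a
disk image. Added example for this page, not Apple's or Microsoft's code;
the sample sectors below are constructed, not captured from a real disk."""
import hashlib
import struct
import uuid
import zlib

SECTOR = 512
GPT_PROTECTIVE = 0xEE                              # partition type of the protective entry
GPT_HEADER = struct.Struct("<8sIIII4Q16sQIII")     # the 92-byte little-endian GPT header


def parse_mbr(sector0):
    """Split an MBR into boot code, the four partition entries and the signature."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, n_sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype == 0 and n_sectors == 0:
            continue                                   # empty slot
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": n_sectors})
    boot_code = sector0[:446]
    return {"boot_code_present": any(boot_code),       # any non-zero byte = something to run
            "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "entries": entries}


def classify_mbr(mbr):
    """'protective': a lone 0xEE entry (pure GPT disk); 'hybrid': 0xEE plus
    real entries, as Boot Camp writes; 'classic': no 0xEE at all."""
    types = [e["type"] for e in mbr["entries"]]
    if GPT_PROTECTIVE not in types:
        return "classic"
    return "protective" if len(types) == 1 else "hybrid"


def parse_gpt_header(sector1):
    """Check the 'EFI PART' signature and recompute the header CRC32, which
    the UEFI spec defines over the header with its own CRC field zeroed."""
    (sig, revision, hdr_size, hdr_crc, _res, cur_lba, backup_lba, first_usable,
     last_usable, disk_guid, entries_lba, n_entries, entry_size,
     entries_crc) = GPT_HEADER.unpack_from(sector1)
    if sig != b"EFI PART" or not 92 <= hdr_size <= len(sector1):
        raise ValueError("no GPT header at LBA 1")
    scratch = bytearray(sector1[:hdr_size])
    scratch[16:20] = b"\x00\x00\x00\x00"
    computed = zlib.crc32(bytes(scratch)) & 0xFFFFFFFF
    return {"revision": revision, "crc_ok": computed == hdr_crc,
            "current_lba": cur_lba, "backup_lba": backup_lba,
            "first_usable": first_usable, "last_usable": last_usable,
            "disk_guid": str(uuid.UUID(bytes_le=disk_guid)),
            "entries_lba": entries_lba, "entries": n_entries,
            "entry_size": entry_size, "entries_crc": entries_crc}


def inspect_disk(image, baseline_boot_sha256=None):
    """Summarise LBA 0 and 1 and, given a known-good digest of the boot
    code (taken right after installation), flag any change to it."""
    mbr = parse_mbr(image[:SECTOR])
    report = {"mbr": classify_mbr(mbr),
              "boot_code_present": mbr["boot_code_present"],
              "boot_code_changed": (baseline_boot_sha256 is not None
                                    and mbr["boot_code_sha256"] != baseline_boot_sha256)}
    try:
        report["gpt"] = parse_gpt_header(image[SECTOR:2 * SECTOR])
    except ValueError:
        report["gpt"] = None
    return report


# --- constructed samples ---------------------------------------------------
def make_mbr(boot_code, entries):
    """entries: (status, type, lba_start, n_sectors); the CHS fields get the
    usual 0xFE 0xFF 0xFF 'use LBA' filler."""
    sec = bytearray(SECTOR)
    sec[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, n) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sec, 446 + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, n)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def make_gpt_header(total_sectors, corrupt=False):
    """A primary GPT header for a disk of total_sectors; corrupt=True
    flips one CRC bit to model a damaged or tampered header."""
    guid = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff").bytes_le   # fixed, constructed
    hdr = bytearray(GPT_HEADER.pack(b"EFI PART", 0x00010000, 92, 0, 0, 1, total_sectors - 1,
                                    34, total_sectors - 34, guid, 2, 128, 128, 0))
    crc = zlib.crc32(bytes(hdr)) & 0xFFFFFFFF
    struct.pack_into("<I", hdr, 16, crc ^ (1 if corrupt else 0))
    return bytes(hdr).ljust(SECTOR, b"\x00")


TOTAL = 1_000_000                                          # sectors in the imaginary disk
LOADER = bytes.fromhex("33c08ed0bc007c") + b"\x90" * 16    # placeholder x86 boot stub
PROTECTIVE_MBR = make_mbr(b"", [(0, GPT_PROTECTIVE, 1, TOTAL - 1)])
HYBRID_MBR = make_mbr(LOADER, [(0, GPT_PROTECTIVE, 1, 409_639), (0x80, 0x07, 409_640, 500_000)])
CLASSIC_MBR = make_mbr(LOADER, [(0x80, 0x07, 63, TOTAL - 63)])
GOOD_GPT = make_gpt_header(TOTAL)
BAD_GPT = make_gpt_header(TOTAL, corrupt=True)

if __name__ == "__main__":
    for label, image in (("pure GPT", PROTECTIVE_MBR + GOOD_GPT),
                         ("Boot Camp hybrid", HYBRID_MBR + GOOD_GPT),
                         ("classic PC", CLASSIC_MBR + bytes(SECTOR))):
        r = inspect_disk(image)
        print(label, r["mbr"], "boot code:", r["boot_code_present"],
              "gpt crc ok:", r["gpt"] and r["gpt"]["crc_ok"])
```

The point to notice is that a pure GPT disk has nothing in the first 446 bytes for a BIOS to run, while the hybrid layout Boot Camp produces does carry real loader code, which is exactly what the firmware’s BIOS compatibility path executes when Windows starts; hashing those bytes against a baseline is the cheapest way to notice that they changed.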

Mac OS X is also smarter about how it handles disks: it does not load executable definition resources out of a volume’s Desktop file, so the WDEF virus is a historical curiosity (the classic Mac OS had already closed that door with System 7’s new desktop database). There are still plenty of potential targets that could be exploited if there were a credible business model for malicious software on the Mac. Apple’s increasing interest in maintaining its reputation for security helps keep that prospect financially unworkable, reducing the threat of future Mac virus attacks.


Imaging MacBooks: Understanding MBR, APM, & GPT
How Apple’s Firmware Leapfrogs BIOS PCs



  • http://www.xerces.com mrsteveman1

    “Even when installing a FAT or NTFS partition to boot Windows using Boot Camp, Macs use GPT to set up an MBR-compatible, but boot sector immune, partition map.”

    While the Mac firmware might not execute (or even look for) code in the first 446 bytes of what would otherwise be the MBR of a drive, it does execute volume boot record code in order to boot Windows from its partition, and that code could be compromised in similar fashion to MBR code.

    [Yes, which is why Macs are immune to boot sector viruses unless actually booting Windows. And as you note, even if Windows managed to get its MBR infected with a boot sector virus, it would have no impact on Mac OS X, as the Mac’s EFI ignores the MBR (TFA FTW, LOL) – Dan ]

  • The Mad Hatter

    Dan,

    Boot sector viruses were (and are) exclusive to the PC.

    Remember that Microsoft considers any operating system that isn’t Windows a “Boot Sector” virus.

  • gus2000

    I remember a job where the PC “network” was actually a large collection of floppy disks. As a result, our AV software scanned every floppy each time it was inserted, leading to much boredom. Back then, viral transmission speed was limited to the speed at which floppies could be walked around the building.

    Viral infections didn’t hit epidemic proportions until they could reach out across the network and infect machines remotely. Windows made this process very easy. To this day, you cannot reload a PC from original XP disks and then hook it to the open internet without it becoming a keylogging, spamming slavebot.

    Every time I look at my web server logs, I’m aghast at the sheer number of bots pounding away randomly at every IP address they can find, searching for vulnerabilities. Fortunately my server is Linux/Apache, so it just smiles and keeps on going.

    I look back fondly at the “good old days” of viral infection being limited to taking disks from strangers.

  • enzos

    Cf. my reply (#43) to daGuy’s comment on the previous thread.
    -Enz
    (I wuz there! ;)

  • enzos

    PS: s.b. #42. And to deplore the horrible dentition.
    -Enz

  • http://www.lowededwookie.com lowededwookie

    Ahhh, Gus2000, you must be really really old. I mean sneakernet only existed at school in order to get Amiga games from my mate onto my Amiga at home. :)

    I remember the good old days where viruses used to write to the BIOS in a PC. Of course we Amiga and Mac users never had this problem so it was with some gloating when we heard of people’s machines literally being killed by a virus.

    I miss those days. If that could still happen then I would surmise that there would be a hell of a lot more Mac users out there.

  • http://www.systematicabstraction.com/ KA

    I don’t think writing viruses is a “credible business model” anyway. Not quite business. More like theft.

  • The Mad Hatter

    There’s stupid – and then there’s Microsoft. Apparently Microsoft has made changes to how the User Access Control function works in Windows 7 that leave it open to Malware. Microsoft just doesn’t seem to understand “Security”.

  • SamLowry

    Boot sector viruses were not exclusive to the PC:
    Atari ST had them too, a friend of mine wrote one as proof of concept (doing nothing but reproducing well). After all, Atari also used the FAT file system.

  • http://planetenpaultje.nl Planeten Paultje

    I remember in the sneakernet days when the SCA virus did the rounds. It arrived at my Amiga club in Holland some three weeks after its release in Switzerland. Soon after the same Swiss computer club released a cool app which analyzed your disks specifically for their own SCA virus and would show you the number of copies the virus had made of its original before arriving at your machine. In my case it was about seven.

    We all loved that stuff!

  • WebManWalking

    At the time, the implied loader viruses were called “definition resource” viruses. Not sure where the term “implied loader” came from, but what the hay. When in Rome.

    The order of priority for the loading of definition resources was documents, then applications and then system. The hidden desktop file was a document with a resource fork, so it had priority over the Finder, which is actually just another application. So you couldn’t protect yourself by loading a WDEF or MBDF resource into the Finder itself.

    Before implied loader viruses there were nVir A, nVir B and Scores. nVir A and B installed “nVir” resources, one of which used Macintalk to make the Mac’s speakers say “Don’t panic.” (I forget which one.)

    Scores infected the code resources of applications, installing its own code resource after the app’s, but skipping a number. So if an app had CODE 0, 1, 2 and 3, Scores would store its viral code as CODE 5. It had a file in the System Folder named Scores, so that users who saw it would think that it contained scores from a game app. But its real purpose for being in the System Folder was to get loaded at boot time by the INIT 31 mechanism. It also installed boot time viral code in the Scrapbook File (remember the Scrapbook???) and Note Pad File. But it was soooo poorly done, it changed their icons. So instead of hiding the virus, the change of icons announced its presence. Rumor had it at the time that the virus had code in it to attack a particular company in Texas, so it appeared to be written by a disgruntled employee. But I don’t know if that proved to be true or was just an urban legend.

    But then something happened in the Mac community that just doesn’t happen in the Windows community. People loved their Macs so much, they rallied together to write anti-virus apps to stamp them out. Two very early apps nipped those outbreaks in the bud.

    First there was an app whose source code was published in MacTutor, now MacTech, called SecurityPatrol. It found and uninfected only those 3 viruses, but that was enough, because those were the only 3 Mac viruses in existence at that time. It showed how to float a working directory to scan an entire Mac hard disk, leaving viruses no place to hide. (Previously folks would concatenate diskname:directoryname:directoryname:… etc, but that technique capped out at 255 characters, allowing a not-too-cleverly-crafted hierarchy of nested folders to shelter an unfindable virus.) That article also predicted the now-cryptically-named “implied loader” viruses and boot sector viruses, alerting the then-tiny legions of nerdy Mac programmers to squash impending vermin by contributing to the open source effort (which never really materialized). I have it on good authority that Apple attempted to suppress that article on the grounds that it revealed “chinks in the armor”. But that was before Mac OS X, so of course, there was no armor.

    After SecurityPatrol, there was Disinfectant. It wasn’t open source, but it was freeware and sophisticated. It had a slick Mac-like interface, not the clunky sysout console of files scanned that SecurityPatrol had. Most importantly, it had support from an academic, John Norstad of Northwestern University. John vigilantly and tirelessly updated Disinfectant against all current threats, for free, up to version 3.7.1. That version was the point at which commercial anti-virus software became a viable alternative. If you want a more-or-less complete list of all viruses there ever were for Classic, as it’s now called, get a copy of 3.7.1 and run its About Disinfectant list. And don’t worry. It’s not a long list. Maybe 20? 25? Pretty tiny compared to the more-like-25-million over the years under Windows.

    John Norstad didn’t do it alone. Mac users from all over contributed to his efforts by binhexing and sending him everything suspicious they could find. And that’s kinda my reason for writing this history lesson post.

    Nothing like that ever happens in the Windows community. Windows users largely hate it, but they’re afraid to buy anything too different from the crowd. I have to use Windows at work, so I see it everywhere: Windows users tolerate Windows, barely, and sometimes don’t.

    I believe that that’s the real reason for the disparity of viruses between Windows and Mac. When Windows gets attacked, it’s like the bullies beating up the kid who everyone hates. But attack the Mac, and you get an angry mob of Mac users rising as one to stop you.

  • http://www.peylow.se PeyloW

    @SamLowry: I too wrote a self-replicating boot sector app for the Atari ST; it did nothing more than keep count of its generation, and greeted users at boot.

    I think both the funniest and yet most annoying boot sector virus for the Atari ST must have been the Ghost virus; it inverted the Y-axis of your mouse after a few minutes.

    But the best use of the boot sector was done by the demoscene; some quite clever and fast-loading tech demos were made that way, in all of its 480 bytes of executable code glory :).

  • WebManWalking

    A Google search for “securitypatrol nvir” (without quotes) allowed me to find the original article at

    http://www.mactech.com:16080/articles/mactech/Vol.05/05.02/VirusPatrol/index.html

    It reveals that some of my memory was faulty. The actual resource code was nVIR, not nVir. Not that nVIR matters now, but resource codes are case sensitive, with all upper and all lower being reserved by Apple.

    The author of the SecurityPatrol article was Steve Seaquist. He goes by Steve, not Steven. Typo I guess. And it also revealed that, while Apple objected to the article’s candor, it was actually using some of the same techniques internally. I forgot that part too.

    Sigh. Guess I gotta take more B-1 and ginko biloba.

  • WebManWalking

    Damn, the “good authority” I had it on that Apple objected to revealing “chinks in the armor” was the mactutor/mactech article itself.

    Note to self: Even more B-1 and ginko biloba … and coffee.

    (But, you know, it is kinda fun being reminded about BRA instructions in Motorola 68000 assembly language, the low-level interfaces to files and directories, which were the only interfaces we had back then, Pascal (the Mac’s original Breakfast of Champions) and determining the “Blessed Folder”. Good times. Good times.)

  • kovacm

    hi SamLowry, hi PeyloW (from T.O.Y.S.? – I didn’t know that you are reading roughlydrafted.com :) )

    maybe you will find it interesting (if you don’t already know) to see a list of all (?) viruses for Atari ST http://www.uvk2000.com/viruses.htm at the UVK2000 (Ultimate Virus Killer) page :)

  • beetle

    @Dan

    Nice series of articles! But I must take issue with one of your assertions:
    > if there were a credible business model for malicious software on the Mac…

    As articulated in the comments to The Mac Malware Myth by @gus2000 and @Joel (and others), there is more than sufficient financial incentive to create a true virus for OS X.

    Dan, please consider investigating and reporting on this aspect. There is no one better to put this particular derision to bed!

  • http://home.comcast.net/~daguy daGUY

    @beetle: “As articulated in the comments to The Mac Malware Myth by @gus2000 and @Joel (and others), there is more than sufficient financial incentive to create a true virus for OS X.”

    If there were a credible business model for malicious Mac software, then we would have seen some by now, no? Outside of some proof-of-concepts and a few trojans that pop up occasionally (which no OS could ever fully protect against), there isn’t any.

  • d235j.1

    @daGUY: not if it’s extremely difficult to create a virus for Mac. Why are there only a handful of Linux viruses (even though most critical servers run Linux)? Because it’s very difficult to write one. The same is true about the Mac. While there’s a possibility a virus can be written, it is so much harder that only someone who knows the OS very well can do it. Therefore Linux (and OS X) are inherently more secure than Windows.
    Of course, a virus still can be written; I’m speaking in relative terms here.

  • beetle

    Here’s some back of the envelope numbers to dispel this particular no market myth.

    How many machines do you need for a profitable botnet? The Wikipedia article on the subject justifies 25 thousand as substantial critical mass. How many OS X Macs are there? A low number is 25 million. So, if a virus or worm could, in short order, compromise just one tenth of one percent there is sufficient monetary incentive. Such a rate of infection is unprecedented, but we are talking about computers that are supposedly wide open here. Mac owners are smug and over confident, right? They are not running antivirus and they leave their machines on and connected to the Internet. And these are decent machines with well-heeled owners. Moreover, after nine clear years, most will dismiss the first reports of the virus as just another rumor, and the Mac community can be expected to be slow to react.

    Sorry, but there is a credible business model for malicious Mac software. And this does not touch on the fame aspect, which provides even stronger motivation than money.

    [Sorry but no, you’re wrong. The 25 million Macs are scattered around among affluent PC users who all have different setups and are generally aware of what they are doing. The billion Windows PCs in the world are all over the third world and in those $300 PCs that sit unpatched in the homes of people who have no clue. And tons of them are identically configured behind weak security. Tap one, and you unlock a huge selection of similarly configured machines that are vulnerable to the same attack. Windows also makes it easy to install software without the user even knowing: no password needed to give elevated permissions.

    Imagine a target with bullseye that is a quarter of a hundredth the size of another target. Which do you shoot at? Yeah I thought so. – Dan]


  • Joel

    I’m not sure why people need “financial incentive” to do everything. If you look at historical viruses “financial incentive” didn’t have much to do with them. Unless you’re an anti-viral company of course….

    [Most viruses are designed to deliver a payload. If you look at the botnets that send out spam you’ll find the business model. Some are proof of concept things that spread without doing much, but the intent is clearly there. The same goes for trojans many times, and there have been trojan attacks on Macs that attempt to install some sort of adware or bot.

    The difference is that it’s much harder to deliver single attacks that require user intervention (and on the Mac that means entering a system password) rather than setting off automated, viral attacks that infect and spread widely on their own. Windows accommodates this, Mac OS X doesn’t.

    Also, once you have an infection, Windows is often really hard to clean up. Infected tentacles end up reinstalling themselves from the Registry. On the Mac, it is very straight forward to identify and kill and prevent the return of an attempt to run a background process (and a bit harder to get them there and hide them in the first place).

    That’s (ironically) the “broken windows” theory of graffiti – if you leave it around, the place goes to the dump and people throw trash on the street and don’t keep things up. If you remove any traces, then people in the environment feel more like keeping up their neighboring places too. The Mac is simply a better neighborhood. – Dan ]

  • http://home.comcast.net/~daguy daGUY

    @beetle: I see what you’re saying, and I don’t disagree with you outright…but then where are the viruses? If you’re right, then how do you explain almost a decade of ZERO viruses?

    My opinion is that there are only two explanations – either the incentive to create a Mac virus isn’t strong enough to overcome the technical difficulties, or there isn’t any incentive in the first place.

    I don’t really see how you can claim otherwise. All we need is ONE Mac virus to prove that it’s possible to do, and that someone out there was motivated to do so. But after 9 years we have zero examples.

  • Joel

    I would suggest that it’s not that there’s a high incentive to produce viruses/malware for Windows, but due to the lax security described elsewhere only a low amount of incentive is actually required. I’d be interested in seeing how much money is actually made through malware by their respective authors. I would guess it’s not that lucrative…

    However, if OS X security is as well designed as I would think, there would need to be a very high amount of incentive required before the extended labour is paid off. I’m thinking that Macs would have to have the locations of the owners’ stacks of gold bars, or oodles of highly blackmailable porn available for it to be fruitful.

  • beetle

    The way *I* explain a decade of zero viruses is that OS X is well engineered, and Apple is proactive with patching vulnerabilities.

    I freely admit that this seems terribly improbable, but I find assertions of insufficient motivation to be even less credible!

  • Joel

    I would consider an operating system that is poorly engineered and has patches issued haphazardly, but becomes the most populous, to be more improbable…!

    [Don’t forget the presence of a decades-long monopoly in your calculations. One might also say that it is “improbable” that a first world country would elect an incompetent president who starts boondoggle wars, kills babies and mothers by defunding family planning in the name of being “pro-life,” dismantles emergency relief systems in the name of being for “small government” while inciting terrorism and following the guidance of superstitious hate mongers who say sex is causing God to send the US natural disasters, and tortures US citizens on off shore locations ironically close to dictator Fidel Castro, but you don’t need to calculate probability for events that have happened. – Dan ]

  • ibookfast

    “They’re wrong, here’s why.” … that could be Dan’s tag line… I love this blog.

  • beetle

    The bullseye may be a quarter of a hundredth the size of another target, but the payoff is 400 times (or more) as large. Here is the evidence that the wrong people have sufficient financial incentive to create malware for OS X:
    http://blogs.zdnet.com/security/?p=3157