Daniel Eran Dilger in San Francisco
Random header image... Refresh for more!

Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller… Mac AntiVirus Foe

200903192334

Daniel Eran Dilger

Why is Ryan Naraine, a “security evangelist” for Kaspersky Lab, writing news for ZDNet? And why is he only serving up half the juice that flows from Charlie Miller, the famous Mac cracker of CanSecWest? I think it has to do with the fact that Kaspersky has a Mac version of its security software in development, and it needs to generate some panic in order to sell it. Here’s the smoking gun showing why.

.
The Rising Tide of Terror.

You may recall that in January I called out a fear mongering article by Dan Goodin published by the Register. That article associated the idea of “Mac anti-virus” products with the discovery of potentially dangerous tools posing as pirated software, which users would need to manually install with administrative privileges in order to suffer any damages from, an article written apparently just to continue the meme that Mac users were facing a “rising tide” of malicious software.

Apparently, “rising tides” of Mac malware crest after five years of panicked warnings with the arrival of four obscure risks, including two software installers purporting to be stolen versions of iWork and Photoshop, and, get this, two fake antivirus tools. How ironic is it that half of the malware in reported existence for the Mac is fake anti-virus software? And who is that targeting… Windows switchers who don’t know why they’re switching?

The Mac Malware Myth
Mac security researcher wins Pwn2Own contest with Safari hack

In Russia, Anti-Virus Infects You.

Now assume for a moment that you’re in Moscow and your company makes antivirus software. You happen to notice that the majority of Windows PC users steal software rather than paying for it. You also notice that Microsoft is having a difficult time getting its user base to upgrade to Windows Vista, threatening your upgrade cycle.

At the same time, you also notice that Macs have grown from 2% of the entire global population of PCs sold to something closer to 10%. Also, those users are more likely to pay for software.

Might you possibly want to tap that market, even if you only sell software that is pointless for Mac users, not because they can’t possibly be infected by malware threats, but because anti-virus software offers little real protection for threats that don’t already exist, and no real viral threats exist for the Mac?

Lets stop being hypothetical here.

That company is actually Kaspersky Lab, and it is well aware of the slipping share of Windows. Two years ago, co-founder Eugene Kaspersky was cited by PC Pro saying that Vista’s lukewarm reception will drive more customers towards alternative platforms, making them a more attractive target for malware writers.

“Home users are not so loyal to the OS. Not many of them are satisfied with Microsoft Vista,” Kaspersky told PC Pro. “Some Windows users will switch to other OSes. Microsoft will not lose its dominance, but it will be reduced a bit.’”

Kaspersky also issued the dire warning that “there will be a significant rise in virus attacks on both the Mac and open-source platforms.”

A year later, the company told IDG/InfoWorld/Macworld that while it offers no Mac products now, “one could ‘be ready in just days,’” according to company spokesman Timur Tsoriev. The IDG report added:

“Kaspersky’s anti-virus technology is flexible enough to work on different operating systems, said CEO Eugene Kaspersky. The company’s analysts have also cracked open an iPhone, which runs a slimmed-down version of OS X, to see how it runs.”

“As Apple’s share of the PC market has grown, security analysts as well as vendors have forecasted that Apple’s seeming immunity won’t last forever. So far, they’ve been pretty much wrong, as there have been no attacks on the scale that affects Windows machines, such as the Storm Worm.”

“As of now, hackers ‘don’t pay any attention to the Mac at all,’ Kaspersky said. But it may come as no surprise that Kaspersky, whose business is based on selling security products, maintains he is skeptical of the security of most operating systems, including OS X.

”’We see that Mac OS is taking a bigger and bigger share of the market,’ Kaspersky said. ‘We made the prototype to be ready just in case.’“

The IDG report pointed out that Kaspersky isn’t the only company to be hungrily watching the Mac market from the sidelines.

”Finnish vendor F-Secure scuttled its Mac products around 1998, said Mikko Hypponen, chief research officer. But he didn’t rule out the company taking another look at the platform. ‘Most of the hard-core geeks in our lab use Macs,’ he said.“

Also, ”Czech-based vendor AVG is also keeping an eye on how the Mac market shapes up. Miloslav Korenko, marketing director for AVG, said it’s hard to say what level of Mac usage would prompt them to develop a product, ‘we are considering one as well.’“

PC Pro: News: Mac and Linux viruses to rise ‘significantly’
Vendors mull security software for OS X | Security | Macworld

Speaking Hypothetically, Again

Now say a year has passed and Vista’s adoption is still terrible and the PC industry is actually shrinking for the first time ever. What would it take to get you, were you Mr, Kaspersky, to leverage the known outcome of the CanSecWest Pwn2Own contest, where one researcher was known to be arriving with an exploit that would take down Safari on the Mac?

Would you send a company employee to post at report of the event with a tech news site that will print anything? Would you also have them submit an interview with Miller that suggests Macs are woefully insecure, just to drum up business?

That’s exactly what you would do, even if you had to step around the reality that Microsoft’s latest Windows 7 and IE 8 were also compromised that same day, and even if your report also made it clear that there was no existing market for selling Mac vulnerabilities.

Miller actually complained about having to sit on an unreported bug for a year just to get $5,000 for it from the CanSecWest contest because there was no other way to get paid for Mac vulnerabilities. In contrast, a researcher with an exploitable Windows vulnerability, Miller noted, ”could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point.“

Questions for Pwn2Own hacker Charlie Miller | Zero Day | ZDNet.com

The Sin of Omission

But there’s also something you wouldn’t do if you worked for Kaspersky: you wouldn’t point out that Miller, a Mac security expert, thinks your products are unnecessary for most users to buy and install. This winter, Miller took Apple itself to task for recommending in a support document that Mac users consider installing antivirus software.

Gregg Keizer wrote for Computerworld that Miller ”pooh-poohed Apple’s recommendation using the same logic as many longtime [Mac] users,“ quoting Miller as saying, ”Windows has 90% of the market, but [attackers] give it 100% of their time.“

The article continued, ”Criticizing security software for its cost — both in dollars and in the processor cycles it consumes — Miller admitted that he doesn’t bother running any on his Macs. ‘I don’t think it protects me as well as it says,’ he argued. ‘If I was worried about attacks, I would use it, but I’m not worried.’“

Apple’s antivirus advice ‘big to-do about nothing,’ says researcher

So there you have it: Miller knows where flaws are in Apple’s software, but he also knows that antivirus is unnecessary for the majority of users, just as I stated in January. He knows that because nobody will buy his discovered exploits. When Miller stops showing up to CanSecWest with ready exploits in hand, you can start worrying that he found a buyer. Until then, you can root for Miller to win the contest, because it means Mac users have little to worry about in the real world.

Did you like this article? Let me know. Comment here, in the Forum, or email me with your ideas.

Like reading RoughlyDrafted? I’d write more if you’d share articles with your friends, link from your blog, and submit my articles to Digg, Reddit, or Slashdot where more people will see them. Consider making a small donation supporting this site. Thanks!

16 comments

1 gus2000 { 03.20.09 at 12:05 pm }

The worst attack I ever suffered on my Mac was when I installed the free Antivirus software that accompanied a dotMac subscription. Once I had enough of my system running slowly and unreliably, it was banished to the trash and I’ve not suffered since.

I’ve got an idea: let’s buy up a bunch of ferrite cores used for RF suppression on cables. They should be about 25 cents. Then we will sell them for $19.95 each as a “Mac Virus Blocker” that you wrap your broadband cable around. See? No viruses!!!

2 ericmurphy { 03.20.09 at 1:29 pm }

I’ve heard in several places that something like 90% of all spam is sent from botnets comprised of compromised PCs running Windows. I’ve been using Macs for 14 years myself, and know at least a dozen other Mac users. None of them have ever had to deal with an infection of any of the Macs they use, with either viruses, trojans, worms, or spyware, with one exception: my brother, who works in digital prepress, once received a CD-ROM infected with the Autostart worm. In 1998.

One confirmed infection, in 14 years.

3 DesertRose { 03.20.09 at 1:56 pm }

Dude, I’m getting a Mac!

Tired of all the threats of viruses, worms and the like. Plus, I am terrified of Vista.

4 hylas { 03.20.09 at 11:33 pm }

That Charlie Miller, something’s odd in his remarks – it’s not passing the smell test.

Ryan Naraine:
“Did you consider reporting the vulnerability to Apple?”

Charlie Miller:
“I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.”

Later:

“… It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.”

He sure seems to be working hard, the rhetoric is escalated – he’s driving the point too hard.

It’ss eeeasy.

So why did he qualify this on browsers when he said it was really all about the OS ?
Plus using a year old hack he discovered and sat on since last year?

“Browsers are so complex, it’s almost impossible to get everything right. With all that code and dependencies, it’s hard to be perfect.”

Sounds like he got religion:
“NO MORE FREE BUGS”

By his own admission Apple won’t pay him and you can live off that contest for the year … hmmmm, who could it be ?

5 hylas { 03.20.09 at 11:38 pm }

That’s
… *can’t* live off that contest for the year …

6 cfJeff { 03.21.09 at 8:30 am }

I think the angle of “security experts” writing dire security warnings is legit, but…

The bottom line is Safari failed. If Safari had held up like Chrome, there would be nothing much to write about. We need Chrome for Mac or we need Safari to step up to the plate.

[Not to knock Google's Chrome, which is doing some great things, but keep in mind that it's new and different and nobody has looked at it extensively.

It's easy to write Safari off as "failed," but what really happened here was that Miller exploited an open source library, likely another bug in the same package he discovered before. So Apple needs to keep working at finding and patching bugs, both in its own code and in the FOSS packages it uses, but be realistic here.

Look at the millions Microsoft has put into IE8 and Win7 to heighten security, and that platform "fell" as well. It's not like Apple isn't doing anything in security; both OS X and Safari are making a lot of progress.

Another think to consider is what everyone knows but the media refuses to say: that Macs aren't being targeted, and that a lot of Apple's security features in Snow Leopard will kick in long before anyone significantly tries to attack the Mac. As I pointed out before, there's no money motivation, which Miller's comments are in agreement with. - Dan]

7 qka { 03.21.09 at 4:30 pm }

Apple aids, abets, and profits from this FUD.

I was in my local Apple Store earlier today. There on the shelf was Symantec Anti-virus, both in a single product box and as part of an “Internet Security” suite. They were also selling the Intego “security” suite.

Then there was the flap a few months ago about Apple’s website saying something to the effect that there might be viruses, and then they changed it to say no viruses.

Lack absolute, strong leadership from Apple on what viruses are of concern to Mac users (some? none?), this kind of FUD will only continue.

8 Mirage { 03.22.09 at 5:35 pm }

1. I thought I had read you reporting that Apple computers will not be at risk for attacks as they become more popular for the same reason that they are not under attack now. There was something inherent in OS X that made them safer. Popularity wouldn’t change that. But now I read Miller explaining how OS X is a joke from a security standpoint, and how you say that once he doesn’t show off his exploits anymore, we have to start worrying.

I thought we Apple users were safe. I thought these security programs were going to be eternally useless to us. Yet, Miller claims that he might need to install security software if Apple ever reaches 30% of the market. Snow Leopard may be coming, but all this time, it sounds as though we’ve just been sitting ducks in a flock too small to attack. Say it ain’t so.

2. Also, if Miller knows about some sort of black market for exploits, why isn’t he under some sort of police surveillance? Isn’t all of that illegal? Is he really able to intimately know of an entire growing underground world of ethically-neutral anti-programmers and not worry about his own physical security? It sounds like an FBI movie or a TV pilot or something.

I mean, how can this CanSecWest exist without every attendee compromising their own anonymity by attending? Doesn’t the government scope out everybody there, or does the government do nothing because there’s nothing it can do? These computer security “conventions” sound like shadowy gateways into some alternate Matrix-level reality where anything can happen for the right price.

3. Here is a relevant web comic strip on the issue: http://xkcd.com/538/

9 hmciv { 03.22.09 at 7:25 pm }

One day I’d like to see a really good explanation of why Macs aren’t targeted more in the wild.

Difficulty? Obscurity? No Financial Gain? Lack of Disdain?

10 lowededwookie { 03.23.09 at 5:22 am }

The naysayers are either ignorant or just plain stupid to realise what MacOS X is built on… BSD Unix.

BSD has been around for almost 40 years and yet the last major damaging virus was around 20 years ago. It’s not security from obscurity that is protecting Macs it’s a well engineered backend that is protecting us.

Why is it that no one is touring the insecurities of Linux? Same reason, Apple’s just a more visible target for FUD

11 danieleran { 03.25.09 at 10:37 pm }

@ Mirage “I thought I had read you reporting that Apple computers will not be at risk for attacks as they become more popular for the same reason that they are not under attack now. There was something inherent in OS X that made them safer.”

There are lots of different aspects of what makes something secure. Mac OS X already implements a user security model that prevents people from installing software with elevated privileges without knowing they are; Windows does not, and when Vista does, it does so using UACs, but it screams about so much that it has effectively cried wolf.

So Mac OS X asks a user to supply their admin password, equivalent to an ATM asking users to supply their PIN, indicating that something is up and that they shouldn’t be installing this thing unless they are aware of what it does.

On Windows, you can install crap just browsing the web. That’s why to be “infected” by Mac malware, you have to download warez posing as stolen software and expressly give it control of your system, but on Windows you can just click buttons and end up with an adware box with viral infections, even if you’re running Vista.

It’s like the difference in hitting your thumb with a hammer (something the vendor can’t protect you from) and getting salmonella from eating peanut products you thought were safe (because the vendor doesn’t care enough to ship safe products). One is a product problem, the other is YOUR problem.

The only way Apple can prevent you from ever getting malware is to set up an app store and control what apps you can install. Like it did with the iPhone. Google is ok with you getting Android salmonella just like Microsoft is ok with Windows salmonella.

The tech media is content suggesting that hitting yourself with a hammer is Apple’s version of salmonella, despite the fact that it isn’t.

12 Pwn2Own contest winner: Macs are safer than Windows — RoughlyDrafted Magazine { 03.26.09 at 2:33 pm }

[...] winter Gregg Keizer wrote about Miller in Computerworld: “Criticizing security software for its cost — both in dollars and in the [...]

13 Pwn2Own contest winner: Macs are safer than Windows « WebTaste | Tasting everything online { 03.26.09 at 9:58 pm }

[...] winter Gregg Keizer wrote about Miller in Computerworld: “Criticizing security software for its cost — both in dollars and in [...]

14 Are Macs more Safe than Secure? No — RoughlyDrafted Magazine { 05.16.09 at 1:44 am }

[...] Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller [...]

15 Aleex4 { 12.03.09 at 7:42 am }

The market is getting incredibly segmented because of so many different products. Add into the mix all the free offerings, and a very fickle and demanding product AND the incredible amount of new malware…it’s just getting very hard to stand out from the crowd in this sector..

16 CanSecWest security competition falsely portrayed, again — RoughlyDrafted Magazine { 03.27.10 at 2:55 pm }

[...] Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller… Mac Antivirus Foe Pwn2Own 2010: iPhone hacked, SMS database hijacked | Zero Day | ZDNet.com Support RoughlyDrafted! [...]

You must log in to post a comment.