Monday, April 07, 2008

mac malware reality check

last month david harley wrote a really good piece about macs and malware... of course david is a writer (who i hope will forgive me if that's too much of an oversimplification) and has been following malware on the mac for as long as i can remember (you knew there was malware on the mac before osx, right?) so its balance and reason come as no great surprise... it was a fine piece of work...

perhaps too fine...

i regularly keep an eye out for new and interesting security related blogs and the name of adam o'donnell's blog NP-Incomplete appealed to the comp.sci. in me but some of his recent posts about malware for the mac (biological niches and malware prevalence, newsflash, its an issue of market share, not security), not to mention a heap of posts by others like rich mogull that i wrote about before, have made me wonder if perhaps a blunt instrument is called for instead... bluntness is something i ought to be able to handle, after all that's what being {c|k}urt is all about...

i think we need a reality check about where we are with respect to malware for the mac osx platform...

first, there are viruses for the mac osx platform... the first of which, osx/leap-a, has apparently even been seen in the wild by at least one anti-malware vendor (note the prevalence is not at its lowest level as it is for osx/inqtana-a)...

"but that's the old model", you say... "that's not what you need to worry about these days", you say... "it's all about the commercial malware now", you say... fine, then let's talk about the DNS changing trojan that was discovered last year... a port of zlob from windows to the mac... as craig schmugar pointed out on the avert blog, zlob was one of the most widely reported pieces of malware for windows and it was most definitely commercial malware...

"it's just one piece of malware" i can almost hear you saying - try one family of malware... it wasn't just a single instance that was made for the mac, there were many variants made as mikko hypponen clearly demonstrates... and if you have any doubts about how serious the zlob gang were about spreading malware onto macs you need only take a look at the posts alex eckelberry made for a while, while tracking the new instances found - it's a list that goes on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on... personally, i'm glad alex stopped filling his blog with these posts, but they certainly are useful for making a point... the point in this case is that some criminals have already started looking at the mac and they've decided it's worth the effort and expense to target them in addition to targeting the windows platform...

"but it's still just one case", you say... WRONG!... did you not hear about the rogue anti-malware apps macsweeper and imunizer? they were (as far as anyone knows) produced by a different group than the folks making zlob so that's at least 2 criminal enterprises that have moved to include the mac platform in their pool of targets...

the mac may not have crossed the chasm in the malware underground yet, but there are already multiple early adopters... as such it's no longer a matter of if the criminals will start targeting the mac, nor is it even a matter of when will they do it... the only question that remains now is how long will it take before it gets bad enough that people wake up and notice... mac osx's age of innocence is over...

4 comments:

Vess said...

Just a small correction - there aren't many different DNSChanger variants. Mikko's blog post was an incompetent piece of crap, which he never bothered to correct despite me pointing it out to him.

They weren't different variants. This Trojan is sent as DMG files - which are basically disk images. The Mac mounts them automatically when clicked, and a feature similar to autorun in Windows executes the malware on them automatically. The malware itself is scripts (shell and Perl) - and it is exactly one and the same set of scripts in all the "different variants".

In other words, they are just different disk images with one and the same malware on them. Calling these "different variants" is like calling "different variants" many different diskettes (with different file contents) that are infected with one and the same boot sector virus. Just because F-Secure's scanner is unable to scan inside DMG images and see the (same set of) files inside is not an excuse for (incompetently) reporting these different images as different variants.

kurt wismer said...

y'know, my first thought on reading your comment was about the question i raised earlier about how widely your objective definition of variant is used in practice...

then it occurred to me that mikko and gang correctly applied your definition to the dmg files themselves... the dmg files differ in ways that cannot be attributed to the actions of the malware itself, therefore there was outside influence and therefore the dmg files are variants...

what's in them may be the same thing, but the same is true for packed malware, or droppers, etc. and that hasn't stopped us from considering them to be different enough from the original to call them something new...

i understand the arguments both for and against considering the package/archive/envelop when looking at a piece of malware... i don't see that there is any universally right answer... further, i should point out that your supposed objective definition of variant does not resolve this ambiguity so i must once again conclude that what constitutes a variant is subjective, at least in practice...
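The two comments above hinge on whether samples are keyed by the container or by what executes inside it. As an added example (not code from the post or from either commenter), the script below clusters constructed stand-ins for disk images both ways; the member dicts, file names and script bytes are all made up for illustration, and no real DMG parsing is done.

```python
# Added example, not code from the original post or its commenters. It models
# the disagreement above: do several DMG files carrying the same shell/Perl
# scripts count as one variant or many? A "container" here is a constructed
# dict of member name -> bytes standing in for a disk image's file listing.
import hashlib
from collections import defaultdict

def container_hash(members):
    """Hash names and bytes of every member: what a scanner that cannot look
    inside the image effectively keys on."""
    h = hashlib.sha256()
    for name in sorted(members):
        h.update(name.encode() + b"\0" + members[name] + b"\0")
    return h.hexdigest()

def payload_hash(members, is_payload):
    """Hash only the executable members, ignoring decoys, icons and other
    packaging differences."""
    h = hashlib.sha256()
    for name in sorted(members):
        if is_payload(name):
            h.update(hashlib.sha256(members[name]).digest())
    return h.hexdigest()

def cluster(samples, keyfn):
    """Group sample names by the key function applied to their members."""
    groups = defaultdict(list)
    for sample_name, members in samples.items():
        groups[keyfn(members)].append(sample_name)
    return dict(groups)

def is_script(name):
    return name.endswith((".sh", ".pl"))

# Constructed samples: identical scripts repackaged with different decoy files,
# plus one image whose script actually differs.
INSTALL_SH = b"#!/bin/sh\n/usr/bin/perl ./helper.pl\n"
HELPER_PL = b"#!/usr/bin/perl\nprint \"placeholder, does nothing\\n\";\n"
SAMPLES = {
    "codec_a.dmg": {"install.sh": INSTALL_SH, "helper.pl": HELPER_PL, "README": b"a"},
    "codec_b.dmg": {"install.sh": INSTALL_SH, "helper.pl": HELPER_PL, "README": b"b",
                    "icon.icns": b"\x00\x01"},
    "codec_c.dmg": {"install.sh": INSTALL_SH, "helper.pl": HELPER_PL + b"# edited\n"},
}

def by_container():
    return cluster(SAMPLES, container_hash)

def by_payload():
    return cluster(SAMPLES, lambda m: payload_hash(m, is_script))
```

Keyed by container, the three constructed images are three "variants"; keyed by the scripts that actually run, the first two collapse into one and only the edited script stands apart.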

Rob Moir said...

A lot of discussion about Mac malware revolves around traditional viruses and how it is much less likely (but imho more likely than people think) to see something like that on a Mac than it is in Windows.

But as I've said before, I don't need root to break your heart, I just need the rights to trick you into running rm -rf ~.

And we all know how easy it is to trick users, everyone wants to look at a dancing pig screensaver right?

kurt wismer said...

@rob moir:
i couldn't agree more...

the focus on traditional viruses is especially problematic because they don't seem to realize that the current set of malware problems that windows has has virtually nothing to do with traditional viruses...

the watershed event they're expecting to signify that macs are really a target now is not only not going to happen to macs, it's not happening for windows machines anymore either...

the age of the viral epidemic seems to be all but over, while the age of commercial malware is just beginning... (ack, damn, i used that term again)