Saturday, December 12, 2009

why mac fanatics still believe they're virus free

(another post form the draft pile)

i stumbled across this article about why macs are still virus free and it occurred to me that there were a number of false premises that deserved highlighting to illustrate why mac users still think their beloved platform is so safe.

  • the first thing i noticed was an ill-conceived notions of what a virus is (eg. "When I say virus I'm referring to a program which self-propagates and self-installs either by exploiting a back door in the operating system or another legitimate application"). by this definition most PC viruses (and i'm not using virus as a catch-all umbrella term here) are not actually viruses.
  • next thing i noticed was the comparison of apples to fruit (eg. "So why don't Macs get viruses while Windows PC's seem to be facing a constant tsunami of malware, spyware, worms, trojans and botnets?"). compare mac viruses to pc viruses please, not mac viruses to pc viruses, worms, spyware, trojans, botnets, etc. either that or compare the gamut of mac malware to the gamut of pc malware.
  • next on the list of wrong-headed thinking i picked up from that post was thinking malware authors are still just attention seekers (eg. " There are a lot of theories regarding install base and attention-seeking virus writers") when it has been demonstrated over and over again for the past several years that they're financially motivated now - the current trend is to follow the money.
  • another bit of nonsense i noticed (which in fairness is bandied around by a lot of otherwise intelligent people) is thinking that going after the biggest group limits them to going after just one group (eg. "wanting to target the biggest market") when it has been demonstrated that professional malware gangs are targeting both platforms at the same time (see zlob gang).
  • yet another wrong thought in the article was thinking that unix makes the difference (eg. "The real answer is UNIX") when in fact the first academic treatment of the virus problem (back when the term 'computer virus' was originally coined) had viruses successfully replicating across a user population in a professionally administered unix environment without cooperation from the admin.
  • the most damning, however, is thinking in yesterdays terms. the very fact that they're still focusing on viruses rather than malware in general shows just how outdated the thinking really is. most of the malware currently attacking pc's these days is NOT viral (either by normal pc definitions, incorrect mac definitions, or formal definitions). furthermore viral malware isn't really the biggest malware problem these days. huge numbers of non-viral malware are the biggest problem facing pc's and the malware gangs have been targeting both pc's and macs for years now.

mac users have largely ignored the malware problem, which is probably why what little they know of the problem is generally either wrong or out of date. the malware problem isn't ignoring them, however. they have an opportunity to get ahead of the problem, but if they keep living in the past that opportunity will be squandered.


Mo said...

Great read, and true. Your Blog is the newest entry in my RSS-Reader :-)

Uli Kusterer said...

Being a Mac user myself, I'm curious what malware problem we are ignoring. Could you elaborate on the last paragraph of your posting?

So far, I've heard of a handful of proof-of-concept viruses for the Mac, but nothing serious since the System 6 days. There's also one or two trojans I'm aware of (like a computer game that deletes files in your home folder whenever you kill an enemy).

Would be interested in getting more information on this.

Alex Hutton said...

I think that I believe I'm virus free, because there's no mac virus.

Or in the words of my favorite OS X anti-virus program:

"Today, the number of viruses actively attacking OS X users is...NONE!"

kurt wismer said...

@uli kusterer:
great question. mind if i answer it with another question?

why do you think ignoring (or not ignoring) the malware problem equates to ignoring (or not ignoring) the (relative) handful of malware that currently exists for the mac?

they're actually different things. the malware problem transcends platforms, what isn't on your platform today may be there tomorrow. we know a great deal about the malware that affects pc's, and we know that every bit of that information can potentially apply to macs as well.

the mac isn't magical, it's just a computer, and the low number of incidents are more by good luck than good management.

so, to elaborate on the last paragraph of my post, what i mean by ignoring the malware problem is that they (like you) only look at their little corner of the problem, which means they only look at what is, not what's coming. there are reams that mac users can learn from the pc-side of the malware phenomenon but they have to stop thinking in yesterdays terms. they have to stop comparing their experience with the virus/worm epidemics which largely no longer happen in pc-land. they have to stop thinking of malware writers as attention seeking kids since organized crime is now involved. and they have to stop thinking that targeting the largest market excludes them because now that malware gangs are porting their wares to other platforms the largest market is 'everyone'.

kurt wismer said...

@alex hutton:
what can i say, other than everything you know about mac malware is wrong, right down to your antiquated focus on viruses.

further, the number of self-replicating (and thus viral in some sense) osx malware seen in the wild is greater than zero (not much greater, but still).

Anonymous said...

Completely agree Kurt. Seems like tilting at windmills, but hopefully the message will get through


Sjan said...

As a Mac (& Windows) user and an administrator of Linux and BSD servers, I began my experience with Mac the same way I do with any *nix or BSD variant: by installing anti-virus (ClamAV is a good starting point). I do not assume that because I run a Mac I am immune. In fact, if you pay attention to security bulletins for Linux and BSD variants there are lots of things in the wild that are genuine concerns for Darwin BSD (the OS X subsystem.)

Having said that, OS X, DesktopBSD and Gentoo Linux are the only desktop systems I have regularly used for any extended period without a single infection. Every Windows variant I have used has been infected at some point, even with installed and up-to-date anti-virus and all patches. On the server side, however, I have dealt with infected servers running Windows, Linux (Gentoo, RedHat, Debian), Solaris (8, 9, 10), and BSD (OpenBSD, FreeBSD). The more services one opens on their desktop machines (Apache/MySQL via "Web Sharing", CIFS/SMB via file sharing, etc) the more possible attack vectors there are.
Moral of the story? If you aren't using an anti-virus you need to start now.

kurt wismer said...

it sounds to me like you're approaching *nix platforms with your eyes open. good for you.

i have to say, though, that your experience with *nix mirrors mine with windows (and dos, and slackware, and every other platform i've ever used). i've never had an infection - ever, on any platform.

you mentioned using an anti-virus as "a good starting point" and i think that's an excellent way to look at things. i certainly started there, but i've gone a lot further than that.

Anonymous said...

Me too, I am interested in what kind of malware are you talking about?

I understand that Windows has been so big that there is almost every kind of scary things to look out and it will eventually come to us Mac user.

I just don't understand that you say Mac users are stupid because they don't know what they are facing in the future even they don't have much to worry about right now.

I was a PC user. I have been affected by an old school virus formating drive C: 15 years ago and I know Mac is only a computer and the user is the biggest risk still. But that doesn't mean Mac user are stupid because they don't come telling you that hey we're only humans and we will make mistakes!

You should learn new ways in increasing awareness of virus AND malware than saying you're all stupid because you don't care about antivirus even thought you don't have much to be concerned right now. There's better way to let that information out.

kurt wismer said...

i didn't say mac users were stupid. i'm sorry if you feel insulted or that i implied such a thing, that was certainly not my intent.

what i did say is that they are ignoring the problem - the probable reason is that by and large it hasn't been their problem so far. most pc users only think about this stuff because they've been forced to by circumstance.

the part about it being their problem changes a little bit more every day, though, but it's gradual and is going largely unnoticed.

what kinds of malware are becoming more prevalent on macs? DNS changers used for pharming attacks, rogue anti-malware (which is weird considering the audience - but if you trick them into thinking they're already infected i guess anyone will fall for it), etc. i don't follow mac-specific malware trends all that closely so i don't know for sure if there are bots or banking trojans yet (though if there aren't they can't be far off).

Anonymous said...

I suppose there are a lot of new ways to trick the user, mainly because everyones uses internet so much and it doesn't matter if you use it with a Mac or PC. With that I am with you.

I still don't understand this:

"i don't follow mac-specific malware trends all that closely so i don't know for sure [--]"

But you are sure that Mac users are ignoring.

kurt wismer said...

i am sure that mac users are generally ignoring the malware problem. i'm sure of this because they repeatedly demonstrate ignorance of some of the oldest and most fundamental concepts in the malware domain (like what is a virus).

not to mention that the vast majority of mac users still believe their platform is virus free, in spite of the fact that that has been technically false for over 3 years (mac osx viruses in the wild date back to 2006, and it was well publicized) - there is no other explanation for that except that they're ignoring the problem.

Pepe Perez said...

Just to mention some of OSX malware spreading around (dates are established as of when antivirus companies have detected the malware):

25/10/2004 SH/Renepo-A
16/02/2006 OSX/Leap-A
18/02/2006 OSX/Inqtana-A
01/11/2007 OSX.RSPlug.A
23/06/2008 OSX/Hovdy-A
25/10/2008 OSX/Jahlav-A
06/01/2009 OSX/Jahlav-B
23/01/2009 OSX/iWorkS-A
23/01/2009 OSX/iWorkS-B
25/03/2009 OSX/RSPlug-F
12/06/2009 OSX/Jahlav-C
12/06/2009 OSX/Tored-Fam
29/08/2009 Troj/RKOSX-A


kurt wismer said...

@pepe perez/sergio
thanks for the data points.

Admin said...

There is absolutely secure systems. I use Ubuntu, but in complete safety do not feel, because the user depends on more than on the OS. If you are a fool even the best antivirus will not help.

kurt wismer said...

apologies for getting back to this so late


i'm afraid if you honestly believe there's such a thing as an absolutely secure system then you're deluding yourself.

the ability to support viral programs is inherent to the general purpose computing platform - it transcends operating systems, manufacturers, corporate philosophies, etc.

so long as it qualifies as a general purpose computer it supports viruses.