Domain: sophos.com
Stories and comments across the archive that link to sophos.com.
Comments · 553
-
Re:Or in other words...
Sir or madam, people spam for _everything_. Read http://www.sophos.com/pressoffice/news/articles/2006/03/offspam.html: while the article is a few years out of date, there's a commercial notification from a security company that it does occur.
Now, the policeman's behavior was one of making sure he didn't have to do any work and deal with the complaint, not one of actually dealing with the porn. That matches FBI behavior in the US, whose actual response to spam and fraud remains, basically, 'hit the D key', despite the millions invested in the completely useless and clueless 'Internet Crime Complaint Center', which is apparently a fancy website which gets you an autoresponse and then completely ignored no matter what you report.
-
dangers of running native x86 code ..
I wonder would Chrome have prevented such a hack?
'Google Chrome is implementing support to run native x86 code from within the browser' -
whatever is just a vulnerable ..
'That line really wasn't needed. The crime requires physical access to the box. A linux,mac,whatever box is just a vulnerable in that situation'
You wouldn't use a desktop OS in such a situation. A small embedded obfuscated encrypted OS performing a small set of dedicated functions. Not a modified Windows OS that could be compromised using a few DLL redirects ..
'The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code to ATM's processes ' -
Re:Reject IE8
Apparently a lot of people who should know better
.. http://www.sophos.com/blogs/gc/g/2009/01/02/internet-explorer-loses-ground-firefox-safari/ ! -
Re:Any idea what it is?
Probably the first OS X virus in the wild is from 2006:
* http://www.heise.de/newsticker/Virus-fuer-Mac-OS-X-aufgetaucht--/meldung/69677 (German, sorry)
* http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.htm
Then there was some malware released in 2007 and 2008:
* http://blogs.chron.com/techblog/archives/2007/10/mac_os_x_malware_targets_porn_surfers.html
* http://www.tuaw.com/2008/11/21/new-mac-os-x-malware-osx_lamzev-a/
And then there was something early this year where I can't find the link right now.
-
Re:No Script Bragging -- please stop
Of course, there are sites like BusinessWeek that get infected by SQL injection attacks, as well as United Nations, UK Government sites and the U.S. Department of Homeland Security.
Then there's also the time Microsoft got hacked to distribute malware.
Unless your definition of a non-legit site is "any site that's connected to and live on the Internet," then you are wrong.
-
Re:Are there any Mac Viruses?
No system is immune to malware.
Can I quote you on that next time someone pulls up their HolyOS_TM?
As for viruses per se - when was the last time you saw a virus infection?
I think the last time I saw one was back in 1999 when secretaries where I worked kept pulling out floppies from god knows where days after I'd clean all the machines.
Some of them being Win 3.11 boxes most of the cleaning was done by manually running the antivirus on each of them.
In fact... Last virus I saw was an annoying copy of 666 that kept popping up at my other place of employment.
Thanks entirely to my boss who kept downloading various Mac warez on his iMac - which was the only machine on the network with internet access.
At the same time we were not allowed to use internet for antivirus updates. Macs were supposed to disintegrate viruses according to him.
That piece of shit was still on all networked Macs when I finally left in 2005.
And as far as viruses are concerned, there has never been an OS X virus. Ever.
Let me guess... Now you will argue that it is NOT a virus.
And the market share thing has been debunked time and time again. You think that if virus writers could capture 100% of 8% of the market that they wouldn't have done so sometime in the past 8 years?
Wait... Didn't you just say that NO OS is immune to malware? Right up there. At the beginning of your post.
So... OSX not being immune, Macs still get a whole lot less malware than a Windows box.
Shouldn't the situation be the same? No OS is immune to malware, right?
And Macs should be even more vulnerable - with their limited hardware support.
There should be hardware exploits, not just malware and viruses. It's not like there are thousands of motherboards, processors, network, graphic and sound cards out there that come with Macs, right?
Security through obscurity - nothing more.
Get couple of million Macs into hands of Russian and Chinese script kiddies and see what happens. -
Re:Wrong, and bad summary, as usual
E.g.:
-
Re:Oh Shit
-
Hackers stealing from the soon-to-be rich..
The original source of this story is security firm Sophos, who have posted a video about the BusinessWeek SQL injection attack. Their advisory makes the point that the victims of this particular attack would be MBA students, likely to earn a small fortune in their future careers. The video was made on an Apple Mac - kinda funny as chances are that the resulting malware wouldn't actually be targeting that platform.
-
Cbeplay.a
It is windows only.
A relief, kinda.. -
Re:Cure the viri
* http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html
* http://www.sophos.com/pressoffice/news/articles/2007/11/mac-osx-trojan.html
* http://www.sophos.com/pressoffice/news/articles/2006/02/macpoll.html
"Mac users cannot keep thinking that they are invulnerable to these threats." -- Graham Cluley
Gonna make any other jackass statements?
-
Re:Computer Operations in Ohio
This is a no-brainer around here (literally.) First, there are no tech companies in Ohio, so tech jobs are quite scarce.
What in the world and what part of Ohio are you talking about? I'm a software engineer in Columbus, OH and I'm posting this on my lunch break. There are plenty of tech jobs out there, you just have to know where to look. A few right off the top of my head:
- Sophos
- Abbott Labs
- Nationwide Insurance (If you're not picky about a ton of COBOL.)
- JP Morgan Chase (If you're not picky about a ton of Java.)
- Cardinal Health
Admittedly a lot of these aren't what you classify as "tech companies," but they still hire developers like crazy. I think the market is what you make of it, and a lot of getting a job is simply not giving up on the hunt.
As for a B.S. being B.S... I call BS. Most places around here won't give you the time of day unless you have a B.S. Certifications don't mean a thing (unless you have experience to back them up), and an Associate's means the hiring manager will at least glance at it for a fleeting few seconds before deciding to toss it back in the pile.
-
Link to the press release from Sophos
The IT News article didn't link to the press release from Sophos, which can be found at: http://www.sophos.com/pressoffice/news/articles/2008/04/dirtydozapr08.html
-
Different kinds of numbers
That a country has more or fewer computers that send spam could be related to the amount of new people with internet connections there, especially if there is no big culture around security.
But the 1st number, the amount of new web pages related to spam, needs to be explained a bit more. The original Sophos report at least explains that they are related to the web links included with the mails, but I'm not sure if that implies more spam-related domains, more spam-related servers or if the big numbers are more related to different ways to write URLs on the same servers.
-
Re:Let's see some truthful tagging
First time posting this solution...
http://www.sophos.com/rst-detection-tool
use the right tools and actually pay attention to your system and you are still tighter than a windows box.
Install and forget on ANY system is foolish. pay attention and you are way more secure. and YES you can say you are secure if you pay enough attention. -
This is crap
My old bank closed my online banking account without warning, and without bothering to tell me they had. I called them and they said it was because "I had a virus". This, despite the fact that I run a secure operating system (with no known viruses) and have an up-to-date virus scanner. Couldn't they just suspend my account until I "fixed" the problem? No, I had to open a whole new one.
I did. At another bank.
-
Re:Thats because M$ just has more 'features'
Take a look at the "shatter attack" privilege elevation exploit that just got fixed in Vista, it started with Win NT 4.0, and when was that out?
The shatter attack was not a generally useful technique, it required a very specific set of things to be set up for it to work. You basically had to have a privileged window running on the same desktop session as the unpriv'd attack. Then that priv'd window had to be programmed to do some fairly silly things in response to window messages.
The common attack vector in the early days was to attack the anti-virus status window. Most av vendors have long since moved away from this. Their status icons in the system tray run as the unpriv'd user and communicate via rpc or other with the actual av services.
This is an attack that was actually useful back in the NT4 days. However, it hasn't been practically useful in a long time, as it relied on 3rd party software makers to make a series of bad choices AND having their software running as a priv'd user on the same session as the attacked user.
All that being said, this WAS a serious design flaw for a long time. But it was fairly well mitigated in the past 5 years or so.
This entire category of attacks is now non-viable with Vista and Windows 2008 Server, due to the way the windowing system works. Lower priv'd processes cannot message higher priv'd processes.
And now we have the wonderful Fire-Wire exploit, which they were aware of in 2004, reminded again in 2006, and the exploit finally published in 2007 because they refused to do anything!
Do you mean the firewire attack as described here?
You do realize that this is generally applicable to linux & macosx as well, right? It's one of the side-effects of the firewire spec including DMA for performance reasons.
Here is a reasonable write-up on it.
Here is a 2005 cansecwest preso on this topic. At the time, they actually did the demo attack against osx during the preso. -
Re:Then Rich Mogull Ain't No Security Expert
This was the first site that came up in a Google search for OS X viruses. There's not many Mac viruses but they definitely do exist.
-
ClamXav only checks, it doesn't disinfect.
ClamXav only checks, it doesn't disinfect. If you want to clean files you'll need something else. The least obtrusive antivirus software that I've come across is Sophos. It has a very small memory footprint and a no-frills interface just for scanning. You wouldn't even know it was running if it weren't for the little blue shield at the top of the menu bar. Just how I like it.
-
Re:Early Adoption
And you just proved khuffie's point to a T.
Flaws in MS OS = "basic design flaws that may or may not be fixed when a service pack rolls out a year or so later"
Flaws in OS X = ""Mail.app's spam filter gives false negatives in this corner case because we accidentally used an int instead of a float in this function", and most of them are usually fixed when a service pack rolls out a few weeks later"
Funny, all those MS fixes that roll out the first Tuesday of every month must have all just been a product of my wild imagination.
P.S. All of you "there has never been a trojan or virus in the wild for OS X" can all shut up now. -
Re:Storm Worm - good name for sci-fi novel
I haven't kept up with the hacking world so this may have already happened.
Too late. Someone beat you to it.
Only $10.99 to get your data back. Bargain! -
One Law for the Rich, one for the poor
Case 1
* FOX doesn't pay their taxes. "Don't worry about it" says Congress. http://news.bbc.co.uk/1/hi/special_report/1999/02/99/e-cyclopedia/302366.stm http://www.vision.net.au/~apaterson/politics/economist_murdoch.htm Presidential Candidates eagerly take handouts from FOX http://news.yahoo.com/s/ap/20070802/ap_on_el_pr/edwards_news_corp
* Guy videos FOX's Simpson movie. Goes to Jail. http://www.smh.com.au/news/web/simpsons-filmed-on-mobile/2007/08/17/1186857730452.html
Case 2
* SONY regularly cracks the security on customer's computers. No prosecution.
* Some guy does it. 21 months jail. http://www.sophos.com/pressoffice/news/articles/2005/05/va_threatkrew2.html
* Congress decide life jail for hackers would be better: http://www.wired.com/politics/law/news/2002/02/50708
Case 3
* Disney Wants the law changed. Law gets changed. http://writ.news.findlaw.com/commentary/20020305_sprigman.html http://dir.salon.com/story/tech/feature/2002/02/21/web_copyright/index.html
* What's Congress done for you lately? Health Insurance? Told their own kids to enlist?
Says Graham Cluley, senior technology consultant for Sophos. "There is a growing trend for hacking gangs to break into innocent people's computers to spy, to steal, and to cause damage. This sentence sends out a strong message to other hackers that infecting others with Trojan horses and other malware is not acceptable." So Justice Department: You going to do anything about this, or are you corporate shills too? -
Re:Instead of Top Overall
According to a recent China Daily article, China has 122 million broadband users and another 40 million dialup and mobile internet users, while the US has 211 million users. At the same time, the US produces 19.6% of Spam while China produces 8.4% (China's figure wasn't given in the linked article but the original source from Sophos has more details).
Even assuming that all of these 211 million users have broadband, the US has only 1.7x as many broadband connections as China but it still produces 2.3x as much spam. The reason for this is most likely that what passes for broadband in China is usually still only 1Mbps, so a compromised US machine will be able to pump out a lot more emails than one in China. -
Not that simple
Maybe I could brag here a bit...
I live in Finland. It's not on the list. That's hardly surprising because our population of 5 million would have hard time relaying enough spam to make it there even if we tried it. However...
The broadband penetration here is around 60%, which is in the top20 or maybe top10 in the world. The exact figure is rather irrelevant. Let's just say that it's within a few percent compared to the other top countries. Now, look at the zoomed map.
http://www.sophos.com/images/common/misc/zombie-earth.png
If you can find Finland, you'll notice that there's exactly one single dot on the whole map. That's Helsinki region and its about one million inhabitants. One dot there, nothing elsewhere. Compare that to - say, Portugal. It has ten million people and it's riddled with dots. Sweden has 8 million people and plenty of dots. Even taking the population into account, you could say this broadband-heavy country is practically clean of spam machines. How's that possible?
Two words: responsible ISPs. If they spot a private machine spouting 5000 e-mails every minute, they kick you out and ask you to fix your machine. Often they even provide the necessary software. Try another ISP and it will happen again. We don't want to contribute to the spam problem. At some point your tubes will be cut. Period. Also, there are quite strong laws against spamming. Definitely nothing like the US you-can-spam act but a true ban on unsolicited e-mail marketing. Therefore domestic spam is nearly inexistent too.
This is not a perfect country. No need to get into a mudflinging contest, OK? I'm just using us as an example against the assumption that broadband penetration == lots of spam relays. There is something you can do if you really want. To get on the list, there must be ISPs who are willing to turn a blind eye. We don't.
No, I don't feel my freedom of privacy violated a slightest bit if they monitor my e-mail amounts. Tunnelling and encryption are perfectly legal here. And the ISPs hardly care about the content of my actual e-mails. Keep on killing the zombies. You have my full support. -
Re:not worried about security?
A number of rootkits have been created for Linux, as well as a number of worms (see eg this Sophos description of one - which incidentally took 10 seconds on google to find...).
There may not be very many active ones, and certainly the number that exist is dwarfed by the number for Windows, but don't think for one second that there aren't any. Just a couple of months ago a friend of mine had a Linux server he was running rooted by a remote exploit. -
Official word from ML
(from [ooo-announce] )
Subject: [ooo-announce] Press reports regarding "SB/BadBunny-A" virus
There has been press comment recently about the "SB/BadBunny-A" virus
affecting OpenOffice.org reported by an anti-virus company.[1]
Industry best practice would have been for the anti-virus company to
report the virus to the OpenOffice.org security team before making this
information public. Unfortunately this did not happen in this case.
OpenOffice.org will issue a detailed analysis once a copy of the virus has
been received. However, due to the volume of interest in the media, the
Community would like to issue the following comments, based on the
information available.
Macros are a useful part of any office suite, allowing users to automate
repetitive tasks. These tasks include potentially destructive actions such
as modifying and deleting files, which is why macros are of interest to
virus writers.
It is possible in any capable macro language, including those in
OpenOffice.org, to write simple 'virus-like' programs. Currently,
OpenOffice.org follows industry best practice to mitigate the risk. If the
software detects macros in a document being opened, by default it displays
a warning and will only run the macro if the user specifically agrees. In
any macro-capable tool, it is essential to verify the origin and
authenticity of the document before executing macros. To this end,
OpenOffice.org has also included advanced digital signature capabilities.
The OpenOffice.org engineers take the security of the software very
seriously, and will react promptly to any new issues. To do this, they
require access to the source code for the alleged virus. From information
currently available, it is unlikely that this new virus contains any novel
features which would require a software patch. Technically, it is not even
a virus, as it is not "self-replicating" - with OpenOffice.org's default
settings, it cannot spread without user intervention.
However, the OpenOffice.org community repeats the consistent message from
security experts that users should never accept files from unknown
sources. For any security issue, please visit OpenOffice.org's Security
Team page [2] and send a note to (mail removed by poster).
[1] http://www.sophos.com/security/analyses/sbbadbunnya.html
[2] http://www.openoffice.org/security/ -
Re:The real solution
Just a reminder for those with short memories; the first Word virus (WM/Concept) was accidentally included in the Microsoft Windows 95 Software Compatibility Test CD and shipped to hundreds of OEMs.
Ref; http://www.sophos.com/security/analyses/wmconcept.html
No source is entirely 'safe' -
Re:Out of interest....
Sophos has certainly explained the vulnerability very well, however. Kudos to Sophos!
-
Re:Never challenge an attacker?
Ahem:
http://www.sophos.com/virusinfo/analyses/osxleapa.html
And even ignoring that, there's nothing stopping me from emailing a Unix user with a file called "britney_shaved.jpg.sh" and having just three lines in it:
#!/bin/sh
uuencode $0 $0 | mail <get list of mail addresses>
rm -rf ${HOME}/*
The only thing required is a mail client stupid enough to try executing an attachment - and Microsoft have spent most of the last 8 years demonstrating that not only are they that stupid, it takes them about 3 or 4 major versions to realise it. -
Re:any web site is a risk!
The site doesn't have to be of ill repute in order to cause a risk. Remember the BOFRA/iFrame exploit? This was a case where ad server Falk AG was serving up ads to well known sites such as The Register and Comedy Central. You wouldn't hesitate to go to either of those sites most of the time.
The thing to keep in mind is that any page could be a risk and you must be security conscious or face the consequences. -
Re:Updated Score
-
Patch Guard according to Sophos
According to Sophos, "PatchGuard is a positive step".
This posting itself only provides a direct link to a Sophos article, and does not indicate any opinion on the subject, either of mine or of my employer (whomsoever that may be - which I'm not telling you). -
This explains my recent Trojan infection
I recently removed a nasty trojan (a member of the 'Wareout' family) from my laptop, with the aid of the free Sophos Anti-Rootkit and fantastic free technical support from the great folks at the spybot forums. My best guess was that I got the infection when I logged into a free wifi connection at a local cafe. I saw a brief message from my antivirus software that a trojan had been detected, but afterwards, it reported nothing. After reading the eweek article, I learned that my Intel Pro/Wireless driver had major security vulnerabilities. I just downloaded the update and hopefully will be malware-free for a little while. So much precious development time was wasted because of this infection!
-
Re:Why the kernel is an issue
You've got it backwards.
"You can't implement DRM if the user can patch the kernel to work around the DRM. Thus, they're going to try to prevent end-users from having the capacity to modify this behavior of their own computer."
Kernel patching is what Sony's rootkit, Starforce, and many other malware use to _enforce_ DRM on you. PatchGuard would have prevented these from the start.
Now there are things like Protected Audio Path and the like that probably benefit from PG, but these are minor, and you can opt out of using them if you like (just don't use the DRM content). But when any random software company (like Sony) can patch the kernel of user's machines, then THEY get to decide how your system runs, and what works.
"The "security companies" are taking collateral damage from this, because their applications have to intercept all reads/writes (to files, the network, whatever) in order to scan all data against a blacklist of known malware in order to try to protect the comically fragile userspace. This scanning is implemented through kernel patches, I guess."
Only the incompetent ones. Sophos, TrendNet, AVG and others are all having zero problems working with PatchGuard.
Here's some good discussion on these topics:
http://www.informationweek.com/news/showArticle.jhtml?articleID=193401506
http://www.sophos.com/pressoffice/news/articles/2006/10/vista-admins.html
http://www.sophos.com/pressoffice/news/articles/2006/10/sophos-vista.html -
Finger pointing.
Hmmm. That sure is embarrassing, when it happens.
http://www.theregister.co.uk/2001/04/25/microsoft_security_fixes_infected/
http://www.dgl.com/dglinfo/1996/dg961023.html
http://www.sophos.com/pressoffice/news/articles/2002/06/va_nimda_korea.html -
Other information about this...
Naturally, this is a Windows specific little bugger. So, if you're running anything else, you should be okay. (Of course, the systems that us /.ers support are another story...) Sophos is the only vendor of the few big boys I searched that seems to have any info on this mal-ware with the "SpamThru" name. Of course, there are other variant names of this, so check with your vendor against these other possible iteratives:
* Backdoor.Win32.Agent.uu
* Spam-DComServ
* TROJ_AGENT.BOR
Removal instructions can also be found here -
Re:Osx isn't virus/worm free
The description of OSX.Leap.A.:
The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called latestpics.tgz to contacts on the infected users' buddy list. When the latestpics.tgz archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.
This is not a real virus. It's a hybrid between Trojan horse and a worm. The victim must un-tar the software to find an application disguised as a JPG file with the Preview icon. Then it used iChat to try to spread itself. Though Sophos categorized it as a worm on the account that it tried to spread itself, you actually needed to consciously un-tar and double-click the app. Sophos is selling security solution for OS X and it makes less impact to call this a Trojan horse. -
Re:McAfee, Symantec living on borrowed time
They *aren't* stopping the need for this software, just making it harder for the competition.
Windows OneCare is not built into Windows Vista and must be bought separately. You can thank Symantec for that. The only thing that is integrated into Vista is Windows Defender, which the AV companies will probably sue MS over, and I can bet that both OneCare and Defender use the same protocol that MS is telling the AV vendors to use.
As For The Competition that MS is trying to "Screw"...
Trend Micro runs on Vista
Computer Associates runs on Vista
Avast runs on Vista
Sophos Runs on Vista
AVG Runs on Vista
Mcafee runs on vista
Symantec runs on vista -
How about Sophos?
Any opinions about Sophos? I have had good luck with it over the years.
Their home page: http://www.sophos.com/ -
Re:Where's the "duh" button when you need it?
Please provide links if you're going to use large numbers of "facts". I'm no Gates fanboy, I like Microsoft about as much as I like yams -- not very much. My point was not that Windows was more/less/just-as secure as Mac OS X, it was that the article was pointless for saying "Hey, the top X number of malware things are for Windows!". If anything, your "statistics" backup my logic -- MORE PEOPLE USE WINDOWS SO IT IS A MORE PREFERRED TARGET. If, as you say, 5% of users are using Mac OS X (oh look, they DO have real viruses http://www.sophos.com/virusinfo/analyses/osxleapa.html) and 90% use Windows, let's say we have a group of 100 people (5 mac users, 90 pc users). You are a l33t h4x0r with amazing skills so it's no problem for you to break into either Windows or Mac OS or even a propriety operating system that runs on crack (Crack OS): what are you going to dedicate your time to attack; the 5 mac users or the 90 windows users. Furthermore, let's say you have created a virus for both and you release it into the wild and infect one mac user and one pc user. Now, let's say it's an IM virus -- each infected computer then sends the link to 5 other computers to try and infect them -- you may not be a math major but you can still see that the probability of the mac user infecting (and therefore spreading) another mac is not very high... especially when you compare it to the near certainty that the infected windows machine will infect another windows machine. "Windows is more insecure than Mac OS X, by whole sodding leagues. Anyone trying to deny this or FUD it is living in a bill-gates'-acid-trip fueled loud cuckoo land." Oh? Show me proof. If one was more secure by "whole sodding leagues" as you say, EVERY business with private and protected information would switch. Obviously you are on a Steve Jobs crack trip (inspired by Crack OS? maybe) if you can't see this. I have a Windows PC I use for gaming and have had zero (that's right zero) security problems [I just use a basic firewall, I don't even have an anti-virus (I scan online every few months just to be safe)]. -
Re:Why not Linux? Why Mac?
"Is it just me or does the report actually fail to mention to mention Linux even once?"
That is correct, the article quotes Graham Cluley as saying that Macs will be safer for 'computer' users.
MS going into the AV business threatening their revenue stream and despite this Sophos depend on Microsoft for business. Linux on the other hand is considered a greater threat than the Mac, both to Sophos and MS. The Mac is seen as a niche player so talking it up is not such a big deal. Previous utterances from Sophos:
a Mac has no more inherent security when it comes to malware than a PC
"Linux has a better history for security than Microsoft, and hackers are more focused on Microsoft.
These are not attacking any kind of vulnerability in the computer They are attacking the vulnerability of people's brains.
http://www.distrowatch.com/ -
Why not Linux? Why Mac?
Is it just me or does the report actually fail to mention to mention Linux even once?
The actual whitepaper does not mention Mac or Linux even once. But somehow the article's summary on the sophos website automagically arrives at Mac being the right answer.
Not windows does not automatically mean Mac, does it?
-
Download the PDF directly. No need to fill up form
No need to fill up the form to download the whitepaper. Just download it from the following URI: http://www.sophos.com/sophos/docs/eng/marketing_material/SophosSecurityReport_2005.pdf
Just a trivial case of Google Hacking.
-
Linkys
Here's a link to the Sophos webpage with more detail, and a whitepaper which you can download if you fill in some contact details.