Ready For the Big Mac Virus?

An anonymous reader writes "The IT security manager of the University of Otago, New Zealand, has been educating his OS X users in security best-practices. According to Mark Borrie, many Mac users believe they were immune to security problems -- a trap many Mac fans seem to have fallen into. He said around 40 percent of the computers at the uni are Macs. "On the security side of things I reckon the Mac community has yet to wake up to security. They think they are immune and typically have this idea that they can do whatever they want on their Macintosh and run what they like," said Borrie. "If I can get our Mac users up to speed and say 'you are not immune' -- so when [the malware] hits, hopefully we will be pretty safe," he said. "We want to be ready for the first big Macintosh virus -- because it will come. Some day, somebody will say 'I am going to create a headline and write a virus for Mac'," said Borrie."

Are you ready?

[AKAImBatman]

Ready For the Big Mac Virus?

I'm sure the question on everyone's mind is, "Does it come with two all beef patties, special sauce, lettuce, cheese, pickles, onions, all on a sesame seed bun?" If so, BRING IT ON! I'm hungry! =)

(And in case anyone is wondering why I'm making a joke out of this, it's because it *is* a joke. While Macs can and have had security issues, the system is nowhere near as vulnerable as your average Windows box. The design of the system guarantees that most of the problems we see on Windows can't happen on a Mac. No default open ports to send overflows through, no default root access to the system, no easy way to send executable email attachments, etc., etc., etc. We'll need a completely new class of highly sophisticated attacks to make a dent in the stronghold that is OS X. Nothing like this skript-kittee crap we've seen.)

Re:Are you ready?

[AKAImBatman]

This POV is betrayed by the fact that the Unix platform was being hacked, rootkits and viruses eating into them, long before Microsoft was anything more than some company placing quarter page ads in computer magazines for something called "DOS".

This POV is betrayed by the fact that parent doesn't know what the hell he's talking about.

You've posited a great deal of hyperbole, but you haven't actually backed up any of it. Yes, viruses were a problem on early networked Unix machines. Then again, network security (and security in general) was not taken as seriously back then. Since the early days of the Morris Worm, there have been very few viruses and worms directed at Unix systems. The majority has actually targetted Linux, a heritage that OS X does not share.

Yet even the oldest Linux box could be made secure if you turned off every network service on the machine. How can you remotely attack a machine that has no ports open? Answer: You can't. You have to find another vector.

Which means that you need to use social engineering to trick the user. On a wide scale that has meant email attachments and browser flaws. Email attachments simply can't cause the problems on Macs that they do on Windows. The Mac interface *will not* execute even files that are marked as executable! It will only execute .APP directories, which means that the attacker would need to pack the app into a DMG file, then somehow convince the user to extract and run the file. None of this "mydoc.doc .pif" crap.

So that leaves the web browser. Putting aside the difficulty of convincing tons of people to visit your site that will hack their computer, yes this is a problem even on Macs. However, any sort of damage is mitigated by the fact that root access cannot be obtained without a password. Which means that access and/or damage would be limited at best. More likely you'd just crash the browser in your attempts due to the more complicated Macintosh memory model.

The end result is that Macs simply aren't vulnerable in the same ways that Windows machines are. They aren't even as vulnerable are other Unix machines! And spouting tons of hyperbole isn't going to change that fact.

Re:Are you ready?

[HTTP+Error+403+403.9]

Why would anyone want to write a virus for a Mac?

It's like developing a biological weapon that only affects left handed, redheaded midgets. There are not enough of them to spread the virus.

Wow, I am really gonna get modded down by the left handed, redheaded midget Mac users.

Re:Are you ready?

[ScentCone]

and they bought off the Bush DoJ to get a slap on the wrist

Come on, you're not even trying, here. How does Haliburton figure in? And you haven't even mentioned FEMA or global warming yet!

Mac OS X is more secure, period.

[daveschroeder]

This assertion - that someone is going to simply decide "I'm going to write a Mac virus" - is very wrongheaded. It's been tried. The most people can come up with are feeble ages-old UNIX/Linux-style rootkits and/or numerous trojans that depend on social engineering. Never a virus or worm with an automated vector of spread. Marketshare is only one very small, albeit very helpful, reason why this is the case.

But this doesn't mean that Mac users shouldn't have current AV/malware protection and use standard computer security best practices.

What follows below is an answer to a query raised during a Chronicle of Higher Education colloquy. Yes, I have posted this to slashdot before, but it is still very much relevant, and I believe it touches on the major issues here.

Question from Lisa L. Spangenberg, UCLA:
Given that there are no viruses or Trojan horses for the current Macintosh system, OS X 10.3, and given that it is essentially UNIX, and given that the most common applications (Microsoft Office Suite, Adobe applications) work very well on OS X, why don't more institutions adopt Macs and encourage faculty to use them?

Gregory A. Jackson:
Well, first of all, there are viruses and Trojans that afflict MacOS, witness Apple's periodic release of security fixes to counteract them.

First, that isn't true, regarding viruses. To date, there are no known viruses that specifically target Mac OS X. Last week's "trojan" was nothing more than an application with a different icon and misleading name that displayed a dialog box (which was an example posted to a USENET Mac programming group to illustrate this fact that has been known and possible on Mac OS for over twenty years; an antivirus vendor apparently thought this an appropriate time to dress it up, incorrectly, as some new, terrible exploit easily adapted for malicious means, when in reality it's nothing more than an application).

If you're referring more broadly to security issues in general, almost all of the security and security-related updates for Mac OS X to date have been updates for primarily server-type services that ship with the OS, all of which are disabled by default, and the lion's share of which are never even enabled, much less touched, on the vast majority of systems. I'm not saying that they should be ignored, but Apple's comprehensive and swift response to the most minor security issues does not rise to the level of the staggeringly numerous, sometimes completely automated, remote exploits, worms, and so on for Windows. It is no longer possible to even get through a full installation Windows XP on a machine connected to a public network without it being exploited before you even have a chance to patch it.

It's definitely possible for Mac OS X to have viruses, worms, trojans, and other malware - Mac OS X is not invulnerable, and no sensible person would claim it to be. But the underlying philosophical design principles are fundamentally more secure than Windows, period. Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, and no current known ways to exploit a machine remotely, not to mention that potentially exploitable network services are disabled to begin with anyway (and remain that way unless explicitly enabled), a stark contrast to Windows. Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit. On the other hand, there are still, to this moment [at the time of this writing], unfixed vulnerabilities in certain versions of Outlook that will spread certain virus variants simply by previewing a message, and nothing more. There is simply no equivalent to this on any other platform. Microsoft's track record and attitude

Bring It On

[ToddWDraper]

> Some day, somebody will say 'I am going to create a headline
> and write a virus for Mac'," said Borrie."

I've been hearing this for years. I'm still waiting.

Re:Where's that power button again?

[sammy+baby]

Have you gone into the Apple Store and seen the populace that buys these computers? I'm not going to say *all* of them are novices, but I've noticed a fair amount of the people are mom-and-pop types who have zero computer experience.

Have you gone into a CompUSA and seen the populace that buys those computers? I'm not going to say *all* of them are novices...

If Apple has a reputation for making a computer that's easier to use than a PC, more power to them. I use my PowerBook constantly at home, and find that for ease-of-use and productivity it compares favorably to every other computer I've ever used.

(For the record, I'm a system adminstrator who manages Linux and Windows 2k3, and came out of a position where I did desktop support for Windows 95, 98, and XP.)

I'm more concerned

[WormholeFiend]

about the data Hamburglar...

I heard someone did try and write one once...

[SuperKendall]

I had heard there was one group trying to develop an OS X virus, but the first attempt got them flamed so hard for deviating from the user interface guidelines that they retreated to caves in the Himilayas and vowed never to touch a computer again.

So possibly if the virus writers avoid Brushed Metal, they might have a chance.

bull.

[sammy+baby]

Fer chrissake, Opener is a bash script .

In order to work, someone must either run the Opener script with Administrator privileges, or the attacker must have physical access to the machine to use an alternate boot device and select "ignore permissions" on the internal drive. Sure, it will do bad things to a Mac. I'm unaware of any system in common use on which running untrusted programs with administrator privileges is a Bad Idea.

One version of the Opener script can be found here.

Re:Where's that power button again?

[Darth+Daver]

    You are criticizing Apple for marketing its computers as "easy to use"? Is "easy to use" bad? Don't numerous Microsoft cheerleaders on Slashdot drone on and on about how superior Windows is to Linux because it is easier to use? Don't they say Linux won't make it on the desktop until Grandma can install an application? Let me tell you something. Grandma can't install applications with Windows now. People like me do it for her. Also, doesn't Microsoft take the same "easy to use" marketing approach as Apple, although Windows is not nearly as easy to use as OS X?

    You are criticizing Apple users as being novices? The vast majority of Windows users are completely incompetent. Many IT professionals supporting Windows are not much better. Why am I reinstalling Windows systems for two friends who contracted viruses recently? How difficult is it to pop in a CD and install Windows. (The answer is, "More difficult than many Linux distros I have used." Windows drivers/hardware support has been giving me fits on one of these systems.) Why am I doing the most fundamental Windows system configuration for another friend (a dentist, not a dumb guy)? I thought Windows was supposed to be easy. Regardless, Windows has been getting eaten alive by security problems in contrast to the "easy" OS (OS X) and the "hard" OS (Linux).

    In the article, some clown made the statement that Linux has been secure by accident instead of design, as if it was one or the other. The "more popular target" argument is only part of the equation. Linux and Mac benefit from better designs. That does not make them invulnerable, but it makes them less vulnerable. Think Pinto (Microsoft) versus Volvo (Linux & OS X).

    Microsoft once made the choice to auto-execute or allow the execution of email attachments. By default, Linux and included email apps did not set the execute bit for attachments. Those are design choices affecting a system's vulnerability to attacks. Linux and OS X have benefitted from their Unix-like heritage. Microsoft did their own, ill informed thing. Linux and OS X are not perfect, but they are better secured and more securable. Windows-heads like to believe their system is most attacked purely based upon its market share, attempting to shirk all responsibility for inherent design flaws and user incompetence. Until they stop deluding themselves, they will continue to have problems.

Trojan executables on OS X

[ThreeDayMonk]

The Mac interface *will not* execute even files that are marked as executable! It will only execute .APP directories, which means that the attacker would need to pack the app into a DMG file, then somehow convince the user to extract and run the file. None of this "mydoc.doc .pif" crap.

Not strictly true. You can do a "mydoc.doc.pif"-style trick on OS X.

I have made a proof-of-concept trojan horse that appears to be a JPEG file, opens a JPEG in Preview, and to the layman appears to be a JPEG file. In fact, it's an Application in the form of a .app directory.

OS X is smart enough to realise that an app called "foo.jpeg.app" is nefarious, and displays its full name. If, however, the first period is replaced with a similar-looking Unicode punctuation character, the OS displays just "foo.jpeg". With a suitable application icon, it looks a lot like a genuine image. (The only obvious difference is the absence of size information under the filename, but I think most people wouldn't notice that.)

Admittedly, you still have to package it as a .dmg or .zip, so it's not as gaping a vulnerability as on Windows.