New Mac Trojan Installs Silently, No Password Required
An anonymous reader writes "A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. The threat was created in a way that is intended to make reverse engineering more difficult, an added extra that is more common with Windows malware than it is with Mac malware."
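The five-minute call-home in the summary is the kind of regularity a connection log exposes. As an added example (not from the article or from any product named in this thread), a shell function that reads a connection log and reports destinations whose gaps between connections all sit within a tolerance of a chosen period; the log format ("epoch destination" per line, in time order), the function names and the noise address 203.0.113.5 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: flag destinations contacted at a
# fixed period, the pattern of the five-minute call-home described above.
# Input: a log with "epoch_seconds destination_ip" per line, in time order
# (an assumed, constructed format, not any product's real output).
# Usage: find_beacons LOGFILE [PERIOD_SECONDS] [TOLERANCE_FRACTION]
find_beacons() {
    awk -v period="${2:-300}" -v tol="${3:-0.1}" '
    {
        t = $1; ip = $2
        if (ip in last) {
            gap = t - last[ip]
            gaps[ip]++
            if (gap >= period * (1 - tol) && gap <= period * (1 + tol))
                onbeat[ip]++
        }
        last[ip] = t
    }
    END {
        # Require at least three gaps (four connections) so a coincidence
        # of two evenly spaced hits is not reported.
        for (ip in gaps)
            if (gaps[ip] >= 3 && onbeat[ip] == gaps[ip])
                printf "%s: %d connections, every ~%ds\n", ip, gaps[ip] + 1, period
    }' "$1"
}

# Constructed sample log: the address from the article every ~300 s,
# plus unrelated traffic to 203.0.113.5 (a documentation address) as noise.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
1343000000 176.58.100.37
1343000120 203.0.113.5
1343000300 176.58.100.37
1343000310 203.0.113.5
1343000600 176.58.100.37
1343000905 176.58.100.37
1343001200 176.58.100.37
1343001210 203.0.113.5
EOF

find_beacons "$sample_log" 300 0.1
rm -f "$sample_log"
```

Jittered beacons are the usual failure mode for this kind of check, which is why the tolerance is a parameter rather than an exact match.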
Yeah, right.
if it ain't from the app store it ain't gettin' installed, bitch.
ping 176.58.100.37 -t
how about an article on every windows- or android-based trojan.
Everything is "more common on windows" than mac regarding malware, because hitherto that's the softest, most rewarding target. With so many idevices, that's changing.
I love my MacBook, but this goes to show that security through obscurity isn't a great way to go.
It's not a virus.
This is not a Virus, this is a Trojan. At least try to read the summary, I bet even your kids can do that.
I also have Windows 7 on it with Bootcamp and run AV scans on both operating systems, because no OS is infallible.
if you actually read the article this is just some bullshit proof of concept made by an anti-virus company to shake down mac users. it's never actually been seen outside of a security website.
Hopefully Little Snitch alerts about this, and can block it?
The Invisible Hand of the Free Market is what punches workers in the nuts.
This is not a Kid, this is a Virus. At least try to read the summary, I bet even your Trojan can do that.
Well, it "was", the problem is Macs and OS x are no longer "obscure" ...
that a new version of OSX has just become available to purchase, better rush out and buy it.
Nullius in verba
This is really good to hear. Lately, remembering all of those passwords
has been a problem (and I'm sure many others have had the same experience),
so the fact that it installs without a password is a real convenience for me.
Let's face it, these kinds of things give the lock-in architecture more credibility,
so I'm suspicious of the money driving these types of thing...
Just sayin'
CAPTCHA = actually (Really!)
They don't, but you can't fix stupid, which is what trojans exploit.
The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. The threat was created in a way that is intended to make reverse engineering more difficult...
However, blocking the threat is as simple as an ACL on your router...
That that IP comes under an extremely heavy DDOS about now?
That's not a trojan, that's Mountain Lion.
I love my MacBook, but this goes to show that security through obscurity isn't a great way to go.
Security through obscurity has always been a myth. :P If it was truly the case, why did (does?) malware on pre-OS X (System 7.5 - Mac OS 9) greatly outnumber that on OS X systems? :P
To catch outgoing calls.
repetitive much?
No, it's not. The product is "OS X". The version is 10.5.
What else would you say? "OS X 5"? That's neither the product, nor the version.
Security through obscurity was never an Apple thing. This sort of comment is made by people who don't know anything but want to sound like they do. Prior to OS X there was plenty of malware for Macs which had a far smaller market share than they do now. But OS X being Unix based did not offer the opportunities of previous Mac OSes or Windows. It was hard to do.
Now there is a tiny amount of malware for OS X including this one which has never been seen in the wild. Of course slashdot doesn't mention that because they are all about the page views now.
Then the Windows kids with their Best Buy laptops daddy bought them get on and say how somehow the thousands of viruses and malware they deal with are just the same on Macs. Right.
Don't forget the Android contingent. Also predominantly teenage boys whose daddy bought their phone on a BOGO offer, they never miss an opportunity to cry about Apple like the ignorant whiners they are.
Kids and Viruses have a lot in common. They delete all your stuff, cost tons of money in repairs. The big difference is that you usually like it more when your kids replicate.
how about OS 10.5?
repetitive much?
"also writing "OS X 10.5" is like ATM machine..."
If there was only a little bit of truth in that statement:
OSX 10.5 doesn't get security patches anymore, as written here: http://www.sture.ch/node/196
So using 10.5 (and if the link is correct also 10.6 from now on) is a bigger security threat than this single Trojan reported here.
So they just assign these viruses an arbitrary nickname, right? I think "Crisis" was a pretty funny shot at Apple, seeing as how they refuse to admit the last month or two has been one for them because of viruses. But if anyone can just randomly assign it a name, why not go all the way and name it Lol@Apple then the next one Lol@Apple2 etc?
Sorry, didn't get it. My reply therefore doesn't make sense.
Disassemble it and follow the code. Even if some of the code is encrypted something in the virus will have to decrypt it before it can be run and you'll have that on hand too.
I'm not saying it's easy but it's not protected by some magic ward.
If you had a trojan you might not have kids or catch a bad virus as easily
-KI
#include bier;
It's called "Morcut" by Sophos and they offer a free anti-virus product for Mac OS X.
They claim it's designed to access these things: mouse coordinates, instant messengers (for instance, Skype [including call data], Adium and MSN Messenger), location, internal webcam, clipboard contents, key presses, running applications, web URLs, screenshots, internal microphone, calendar data & alerts, device information, address book contents
::golf clap::
It seems more and more these days, that malware is becoming user-mode to avoid the nasty popups that comes with trying to gain administrator mode.
Which makes sense as a lot of stuff you need to do as malware can be done strictly as usermode without needing to get admin privileges. This one apparently checks to see if it can get admin or is running in a restricted user account.
So even malware these days is learning to be friendly and compatible with users who aren't admins and not requiring admin for everything.
Obscurity is just one valid tool in a security arsenal -- but it shouldn't be the only one. Ranked high above it in importance is "user education" - a feat that's nearly impossible as we continue to dumb down the computing experience.
But OS isn't the name. So while it would probably be easy to tell from context what you are referring to, it's hardly redundant to call OS X 10.5 by its designated name (and version).
In other words, you are wrong. Get over it.
I answer this question so much I should just put it on my blog and link to it. System 7.5 - Mac OS 9 had NO SECURITY whatsoever and software was shared on writable disks, and so many people wrote malware for fun and fame in those days. Since around Mac OS X's release, software is distributed on read-only media (CDs, DVDs; Blu-ray is still a bag of hurt I hear) and the threats come from exploiting programs over the network or social engineering to trick the user into downloading a trojan. Exploiting a program and social engineering mean selecting Mac users on web sites when they are outnumbered 10:1 by Windows users typically; with malware being profit-driven nowadays because all of the mainstream OSes are basically secure against the trivial threats of 90's malware, it hardly ever makes sense to target 5% over 90%. In the same sense that most games are not available for Macs, the profit incentive is not there. The argument that your logic leads to is that Macs are not infected because they cannot be infected, but this and other malware prove that wrong. Mac malware thus far does not do anything profound that Windows malware doesn't do; basically the user is tricked into downloading it and it does what it wants. It's not like Mac malware so far is some Mission Impossible type stuff and more difficult to deploy than Windows malware.
"...I think the Microsoft hatred is a disease." - Linus Torvalds
>>>The product is "OS X". The version is 10.5.
So macs have been using the same OS since 2000? Wow. And I thought XP had a long lifespan. At least we XP users got our versions (SP0,1,2,3) for free and didn't have to pay for them.
According to ars technica the proper pronouncement of OS X 10.5 is "O.S. ten ten point five" so yeah the grandparent poster was correct. It's redundant.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
Pure awesome.
You are entitled to your own opinions, not your own facts.
"The latest threat further underlines the importance of protecting Macs against malware with an updated antivirus program as well as the latest security updates. That means you should start by getting OS X 10.8 Mountain Lion when it comes out Wednesday "
From the bottom of the article..... so is this an actual computer threat or a nefarious marketing ploy by Apple to make you upgrade?
sudo make me a sandwich
In Mac land, that would imply you had some non-existent version of classic Mac OS in which development had proceeded beyond version 9. "Mac OS" is not the same as "Mac OS X"
li446-37.members.linode.com [176.58.100.37]
This is not a Virus, this is a Trojan. At least try to read the summary, I bet even your kids can do that.
But even children can understand the point of him saying that. Even a child can understand sarcasm. So obviously you're less than a child.
The point was every mac fanboy screams "MACS DON'T GET VIRUSES!" because it's the only single positive they can be brainwashed into using as a defense in the face of the fact that Windows PCs are far superior in every way and are a lot less expensive.
The point is whether it be trojan or virus they are both intrusive pieces of software that are bad for anyone who gets them and meant to cause harm. So really there is no difference in their intent. You're just trying to argue semantics because you feel the need to make smug comments and completely avoid context just so you can have a sense of self satisfaction at "Really telling someone how it is". Go away.
yeah, it would take one brain cell (and a weak one at that) to know the difference ... and I say this as a long-time mac OS user.
thanks! maybe everyone on here is from the iOS generation, and doesn't know the difference :(
Assuming this is not simply a proof-of-concept, it should be easy enough to report the offending IP address to Linode and have them shut things down. It's in clear violation of their TOS, and the company provides an email address for reporting just such things.
Btw, whois shows that "this block is used for static customer allocations".
Firefox has a horrible record on security.
http://www.mozilla.org/security/known-vulnerabilities/firefox.html
"Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
Awful lot of those. Sure you can install all kinds of addons like noscript to make it a bit more secure, but Chrome requires no such thing.
Firefox being secure is just a myth. If you read slashdot these bugs are obviously never reported unlike other browsers where every single bug is trumpeted from the rooftops as the end of all computing.
$>pico /etc/hosts
176.58.100.37 localhost
[save] file.
Done.
HIV and a broken femur will both put you in the hospital. But it certainly isn't semantics to argue that a broken femur is not a virus.
Same goes for this argument. A trojan is not a virus and saying so is not a smug comment. Saying "Windows PCs are far superior in every way to Macs" however, is a smug comment.
Now Windows viruses are affecting Macs. Thanks Microsoft!
If you had a trojan you might not have kids or catch a bad virus as easily
-KI
I am a Trojan you insensitive clod... and while we are on the subject, where the hell do you get off dragging the name of my home town through the mud?
>> So macs have been using the same OS since 2000? Wow. And I thought XP had a long lifespan. At least we XP users got our versions (SP0,1,2,3) for free and didn't have to pay for them.
In Apple's numbering scheme, when you see Mac OS X 10.AAA or Mac OS X 10.AAA.BBB, the AAA indicates a major release (like XP vs. Vista vs. 7 vs. 8). The charges for upgrading a single copy of a major release have varied from $20 to $129; even $129 is generally cheaper than what Windows users must pay for THEIR major release upgrades. The BBB releases ("service packs", "components of service packs") have always been free (to people with the same major release).
I think Apple has probably used this scheme so they can stay with "Mac OS X" and that large "X" as a logo, instead of having to go to "XI", "XII", etc. Then again, Intel has been at least as bad. They supposedly went from "80486" to "Pentium" to make it harder for chipmakers like AMD to use similar names. But once Intel was on Pentium (which implies "5", as in "80586"), they stayed with it, introducing the Pentium II, Pentium III, and Pentium IV.
Simple: encrypt all the code. Not sure why anybody would want to burden their computer with constant RAM scanning tools but that isn't too difficult to avoid: Start/work/stop/zero ram/exit. An additional wrapper to the decrypt process which inserts random junk code plus minor modifications (1st step after decrypt is to load more decoding layers.) For example, change memory allocations to randomized sizes, add various kinds of null ops, jump (goto) is your friend...
Use standard library calls to decrypt making the decoder smaller - one could create multiple variations on the decoders (including using scripting languages... Perl would really be great for stopping reverse engineering...) Thread code sucks to watch. System libraries allow for scheduling; starting at login or running every day might be easy to spot IF one is looking there; many other triggers exist.
On disk, you install in many different locations and in different ways-- the tiny decrypt routine does not have to be copy/pasted into position 0. It can be placed anywhere in a binary and the code can be interlaced with LEGIT program code. It can get so bad that a percentage of them never fully function or never are executed and the infected apps might become "buggy."
Process lists and system values are not guarded that well from reading, one could detect tools, modes, processes, installed software and change behavior accordingly. With all the AIDS stuff getting attention in the 80s I'm surprised every virus didn't immediately attack every threatening program. I would have immediately corrupted preference files... Besides doing things like noticing when the Installer is launched and spoofing the user when they are mindlessly clicking Continue. Then you have the local network... every moron IT person thought and many still think firewalls protect them when they do so little - when Wifi came out people finally started noticing the problem (I think.)
When I was a teen I thought up all this stuff... before I learned the OS had no security. It is not difficult; security work - now that is difficult.
Signed apps will make this more difficult and the new BSD-like jails system will also make it difficult.
the golf clap is a nasty one
Balderdash!
There is *supposed* to be an item in "Foundation.framework" called "XPCServices", but it's not a folder, it's a shortcut.
If you actually have a FOLDER called that, then you're infected.
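The indicator in the post above, as an added shell check (not from the thread, and not something Sophos or Apple publish): it reports whether Foundation.framework/XPCServices is a symlink (what the poster says a clean system has), a real directory (what the poster says indicates infection), or absent. The path argument, the state names and the verdict wording are this example's own assumptions, and it confirms or refutes only this one claimed indicator.

```shell
#!/bin/sh
# Added example, not from the thread: check the XPCServices indicator.
# The poster's claim: on a clean system Foundation.framework/XPCServices is a
# symlink ("shortcut"); a real directory in that place means infection.
# Argument 1 (assumed): the framework directory to inspect; defaults to the
# system Foundation.framework. Prints one of: symlink, directory, other, absent.
xpcservices_state() {
    fw="${1:-/System/Library/Frameworks/Foundation.framework}"
    target="$fw/XPCServices"
    # Test -L before -d: -d is also true for a symlink that points at a
    # directory, so the order decides whether a clean system reads as clean.
    if [ -L "$target" ]; then
        echo symlink
    elif [ -d "$target" ]; then
        echo directory
    elif [ -e "$target" ]; then
        echo other
    else
        echo absent
    fi
}

# Turn the state into a verdict; returns 0 when nothing matches the poster's
# rule, 1 when the real-directory indicator matches.
xpcservices_verdict() {
    state=$(xpcservices_state "$1")
    case "$state" in
        directory)
            echo "SUSPICIOUS: XPCServices is a real directory"
            return 1 ;;
        symlink)
            echo "OK: XPCServices is a symlink, as expected" ;;
        *)
            echo "INCONCLUSIVE: XPCServices is $state" ;;
    esac
    return 0
}

# Stand-alone use: inspect the live system (only meaningful on OS X; elsewhere
# the path is absent and the result is INCONCLUSIVE).
xpcservices_verdict
```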
So macs have been using the same OS since 2000?
Other than compatibility has been broken numerous times. Kind of like saying Win95 is the same as WinXP because the UI looks similar and they're both called "Windows".
The product line is OS X (née Mac OS X), which is a proper name for a family of products (that coincidentally also matches with the version number), meaning it's not redundant. 10.5's official name is "OS X Leopard", since Apple dropped the "Mac" in all references to the OS, even older versions, with the release of Mountain Lion, and they haven't used version numbers in the official names for some time. If you want to specify the version number, the proper way to do so is not to merely add it after the X (so you are correct about that), but to insert some indicator of what the number represents. For instance, in the requirements for Mountain Lion, they specify that it needs "OS X v10.6.8" or later.
Since the majority of Mac Owners don't know how to protect themselves which is why they own Macs:
1) Launch Terminal
2) sudo ipfw add 1000 deny all from any to 176.58.100.37
3) Enter Your Password
It's not the greatest thing ever, but it's still worth turning it on. Would probably stop this here trojan from calling home.
They don't, but you can't fix stupid, which is what trojans exploit.
That is just blatantly wrong. How can so many people here not know what a trojan horse is?
Running something that has all the outward characteristics of a computer virus can be stupid.
Trojans are designed to look like any legitimate program so they can be snuck in through legitimate software repositories.
You know, like the Trojan Horse....?
When a Gatekeeper check does occur, however, the behavior depends on which mode Gatekeeper is in (set in System Preferences). There are three modes: "Mac App Store" (the default), in which only apps downloaded from the Mac App Store are allowed to launch
By your own text it sounds like his guess was close to the mark. By default an app has to be from the app store and that means signed by Apple.
http://lkml.org/lkml/2005/8/20/95
These may be famous last words, but I have used Macs for 15 years and the only trouble I ever had involving viruses was when I briefly installed Norton antivirus back in the day. I promptly removed that and have never looked back. I use reasonable caution, I don't download executables from entities that seem suspicious and, from time to time, I monitor network activity and logs for anything that looks funky. However, I am not shy about the sites I visit. The funny thing is that the only people I KNOW are infected are the friends and colleagues on Windows that unknowingly send me spam emails - corporate clients no less.
As has been pointed out here, this is not a virus, it's a trojan and it doesn't seem to be a problem. There is a reason Macs haven't been the ones on the news with huge numbers of machines infected. And, no, it isn't because of market share. Apple sold 5.2 million Macs last quarter alone - the target is plenty big, the user base has money to steal and the hackers are bitter at Apple. So where are all the viruses?
"The world is a construct of forceful imagination. Those who don't know walk around in the realities of those who do"
remap 176.58.100.37 to 127.0.0.1
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Hey guys, I found our monsanto shill!
I am a Trojan you insensitive clod... and while we are on the subject, where the hell do you get off dragging the name of my home town through the mud?
Well, for one your leaders were stupid enough to bring a giant wooden horse that randomly appeared outside your secure town into said town. The Greeks inside then opened your gates and let the Greek army in, who destroyed your town.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
My post may have been technically redundant, but the one who posted before was an anonymous coward :p
the golf clap is a nasty one
Which is why nobody should still be on 10.4.
The IP address, 176.58.100.37, is hosted at www.linode.com - has anyone tried contacting them to get the account suspended?
>>>The product is "OS X". The version is 10.5.
So macs have been using the same OS since 2000? Wow. And I thought XP had a long lifespan. At least we XP users got our versions (SP0,1,2,3) for free and didn't have to pay for them.
According to ars technica the proper pronouncement of OS X 10.5 is "O.S. ten ten point five" so yeah the grandparent poster was correct. It's redundant.
10.Y.X releases are free, and you don't have to pay for them.
The latest Windows version is NT 6.1, and it is the "same OS" as NT 5.0 (Windows 2000) but you call it "Windows 7" just like you call OS X 10.8 "Mountain Lion"
How far down this retarded rabbit hole do you want to go?
For most users upgrading from a previous OS, the vast majority of the apps loaded by the system won't have been signed by Apple, but will still load. That makes the statement pretty much completely wrong. As I said, the check only occurs at first launch of a given app, not every launch, so once you have done the whole control-click thing to force it to let you launch a new app, you can freely run apps that are not signed by Apple, even when in the strictest Gatekeeper mode.
Also, the fact that Gatekeeper can be turned on (in the more lax mode) while still allowing apps not signed by Apple to launch (even when you just downloaded them) makes that statement even more wrong.
For a non-power-user who doesn't want to learn about Gatekeeper and security, and who has no non-Mac-App-Store applications installed, yes, the original poster's description was a good first approximation, but it is a drastic oversimplification that, if spoken to a power user, could lead those folks to knee-jerk disable Gatekeeper, which would weaken their security for no good reason. For those reasons, such oversimplifications, at least on a tech site, are dangerously wrong. :-)
Check out my sci-fi/humor trilogy at PatriotsBooks.
However, blocking the threat is as simple as an ACL on your router...
to the average Apple user. So simple to do...
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Steve Jobs was betrayed by the ones running Apple. Of course it would only make sense to haunt them as part of the revenge! I'm personally waiting for the iKillYu virus which shows a picture of Ahmed the terrorist saying "I kill yu!" over and over again while simultaneously deleting your core files.
Yep, and a computer with system32 deleted isn't bricked.
But try telling either of those to the population as a whole. Lemme know how that works out for you.
Hey! I resemble that remark!
According to ars technica the proper pronouncement of OS X 10.5 is "O.S. ten ten point five" so yeah the great-grandparent poster was correct. It's redundant.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
First, anyone with "vistapwns" as their handle should be regarded as having zero cred, geek or otherwise...
Getting to the point: CD-ROMs were quite popular in OS 9 days and it scarcely made any difference in virus propagation on the old platform. Apple transitioned away from floppies years earlier than PC mfgs did.
The fact remains: When Apple switched to Unix, malware that propagates automatically (viruses) became rare curiosities that functioned for any length of time only in test environments. That resurgence of viruses on Macs, long awaited by pro-MS trolls who copiously dump their BS on stories like this, never materialized.
Unix is not magic, but it raises the bar significantly for malware authors. OTOH, Microsoft continued running on their "the worse it is, the better" MO for _many_ years longer than they should have, and that malign neglect was the single biggest mistake that allowed online crime syndicates to become entrenched and highly resourceful to the degree they are today.
Maybe the AV people should write an OS.
I'd like to suggest legislation that requires all future trojans to incorporate a password. //safety
Yes, trojans are designed to resemble legitimate items. When was the last time you saw a Mac trojan from a reputable source however? Just as the Trojans were foolish to accept the horse, so too are users who accept software from disreputable sources acting foolishly.
As I said, you can't fix stupid.
No, you insensitive clod. If he wears it loose, then his hair catches fire when he sticks his head in his bar-b-que.
Unix is not magic, but it raises the bar significantly for malware authors.
How?
What is it that Unix does that you claim Windows doesn't? What is the secret sauce that is so elusive that you can only speak of it in general terms?
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Phones home to a single IP address? What are they thinking? Any competent engineer would see the need to make it a bit more resilient than that.
According to WHOIS that IP is on Linode...
Amateurs.
Like 10.5.8?
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Injecting code on a Mac is super easy. When an archive is opened, it creates the objects listed and calls -initWithCoder: on that object. So all you need to do is craft a suitably nefarious archive and trick a user into opening it with some app.
Mountain Lion actually addresses this vulnerability, but developers are going to have to rev their code to use the updated API. I'm surprised it hasn't (AFAIK) been used as an attack vector by trojans because it does seem a glaring hole. I hope I'm not going to regret pointing this out...
* Unix or *nix are built around the concept of getting work done _away_ from superuser privileges.
* The points of distributing software for *nix platforms tend to be few and secured. Even a Mac user tends to understand that the prospect of downloading small utilities and games from sources that don't start from Apple.com, Macupdate.com or versiontracker.com seems to "smell bad". With Windows, a culture has developed that software can be expected to come from just about anywhere (and bizarrely, at just about any time, which I think is a holdover from when Active-X was in vogue).
* Different implementations, so binary compatibility is iffy or nonexistent (compatibility is more at the API level)
* My theory: The inner workings of most *nix systems are easier to look up and are better understood by the power users and admins who run and service them -- It is more difficult to hide malware in such an environment.
To me, the level of cleanliness of a Windows system seems like a big, ongoing guessing game: This is particularly true given that the norm for operating Windows, even in a malware emergency, is to depend on the services of the installed, running, _infected_ system and users are often encouraged to download antivirus tools using the infected system to get rid of the existing malware (so the success rates of removal are lowered and the user ends up with a bogged-down or broken system). To the Windows culture, booting and tooling around with a secure ROM image to remedy problems is odd if not alien, and some of the live CD images (like Kaspersky) that do exist for use on a Windows system are actually Linux-based.
I'm not claiming that the above are always better to have for a computer, but they are almost always better for security. Apple seems to have (with OS X) the best mix of security culture and security features; If Apple switched to a Linux-distro model for software distribution tomorrow, I believe it would hurt OS X's appeal immensely even though it might gain slightly in security. Actually, with 10.8 they are adding one of Windows' few strengths to OS X, which is to do some enforcement based on code signatures.
No, by default an app has to either be from Apple's Mac App Store, or signed by a third-party with their Developer ID certificate (which is signed by Apple). It doesn't need to be from the App Store.
I have this AWFUL virus!!! It is INCREDIBLY pernicious! I have a three monitor macpro, and it's gone after me! I installed the new OS, and here's what it does: when I select "full screen" for an application, IT BLANKS AND HIDES EVERYTHING ON MY OTHER MONITORS!!!!
Then I tried to run an application I bought and IT WOULDN'T LET ME!
I CAN'T FIND MY LIBRARY FOLDER! It's just GONE!
OMFG what should I do!!!1!one1!!
Sorry, my bad. You're right. The middle setting is the default setting. So the original poster wasn't correct, even by default, even for newly downloaded apps.
Check out my sci-fi/humor trilogy at PatriotsBooks.
But, unfortunately, so will two dozen different updates. Adobe Reader, Windows Live Mail, Adobe Flash, up until recently (maybe even currently) Firefox, and dozens of other apps that "automatically" update all require admin privileges. Most users just start clicking yes or entering their password for every dialog that pops up.
I'm responsible for a fair number of PCs used by "regular" staff... they get to use Limited user accounts in XP (or Win7) and giving them an admin password is very much frowned upon. Sooner or later they'll write it on a post-it note by the screen. The number of update requests is frustrating, to put it mildly. Google Chrome is looking better all the time.
I'm still surprised nothing similar to Little Snitch exists on Linuxes...
Herve S.
* Unix or *nix are built around the concept of getting work done _away_ from superuser privileges.
So is Windows. And it is actually only partly true for Unix. Unix is too dependent on UID 0 for too many things. And when you need to perform those actions you need to elevate to root - and break the least privilege principle. Windows doesn't have that problem, it has a much more granular security model and "power user" privileges can be delegated - you don't need to elevate to root/administrator to be able to back up a system, for instance.
* The points of distributing software for *nix platforms tend to be few and secured.
That is not a Unix component - and certainly not an OS X component until Mountain Lion. You can argue that Linux repositories come with added trust because the packages are signed. But sites like download.com, tucows etc. also allow Windows users to download malware-free software. Have there been cases of malware found in these repositories? Yes, both in Linux repositories and in Windows repositories. You are just blowing hot air. It doesn't really matter if software in repositories is signed or not - what matters is the vetting process. And nothing suggests that Linux repositories are any better at that.
Even a Mac user tends to understand that the prospect of downloading small utilities and games from sources that don't start from Apple.com
No they don't. 10% of mac users caught the flashback infection. That's worse than anything on any operating system, ever!
* Different implementations, so binary compatibility is iffy or nonexistent (compatibility is more at the API level)
Good point. Security through voluntary obscurity and incompatibility. Is this part of Unix architecture?
* My theory: The inner workings of most *nix systems are easier to lookup and are better understood by the power users and admins who run and service them -- It is more difficult to hide malware in such an environment.
BS. kernel.org and linuxfoundation.org were compromised for (at least) the better part of a month by an old and known rootkit. And nobody noticed until they started receiving error logs from components which should only be installed on desktops. All OSes in use today are so complicated that there are tons of ways to hide malware. Even if the malware doesn't try to actively hide itself, do you think regular users have any idea of which daemons and/or network ports should be running/open on their systems?
To me, the level of cleanliness of a Windows system seems like a big, ongoing guessing game: This is particularly true given that the norm for operating Windows, even in a malware emergency, is to depend on the services of the installed, running, _infected_ system and users are often encouraged to download antivirus tools using the infected system to get rid of the existing malware (so the success rates of removal are lowered and the user ends up with a bogged-down or broken system).
Actually 64 bit Windows
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
This is not even worthy of news... I can go and repackage a trojan for OS X right now and there will be yet another non-wild OS X trojan in existence. The only OS (even in concept) that you cannot willingly cough up admin privileges to install a trojan on is an OS on a ROM... it's worthy of news if someone packages a trojan cleverly enough or a software vendor is malicious enough to package one with their software.