Computer 'Worms' Turn on Macs

Carl Bialik from WSJ writes "Macs have been laregly immune to the viruses, worms and malware that have plagued PCs, but the Mac's recent popularity uptick has meant that 'bad guys appear to be casing the joint,' the Wall Street Journal reports. Among the signs: two recently discovered worms and the discovery of a vulnerability in Mac OS X that leaves Safari open to a hack. A Symantec engineer predicts a 'gradual erosion' of the idea that Macs are a safer operating system than Windows. 'Some security experts believe hackers are becoming more interested in writing nasty code for Macs precisely because of reports of its relative immunity to security woes,' the WSJ reports. 'Apple itself has gone out of its way not to promote the Mac's relative safety, lest it tempt hackers to prove the company wrong. Apple declined to discuss the topic of security in depth for this article.'"

Symantec?

[matt4077 (581118)]

A Symantec engineer predicts a 'gradual erosion' of the idea that Macs are a safer operating system than Windows.

Now there's a neutral party with no agenda when it comes to security!

Honestly, the worst Mac malware I've seen so far had a Symantec sticker on the box.

Re:Symantec?

[dantheman82 (765429)]

Apparently, they've had slow sales on the Mac platform recently. Perhaps a real worm/virus in the wild would be some newsworth info...

Re:Symantec?

[peragrin (659227)]

a recently symantec update did more damage to users systems than the so called recent virus script looking like an image did to all the computers it actually attacked.

So yea symantec sales would be slow.

Re:Symantec?

[twocents (310492)]

No kidding. Symantec would love their user base to expand, especially since MS is selling anti-virus software. It is legit to promote awareness of possible OS X exploits, but it ridiculous to rely upon any information from a company such as Symantec - they have a vested interest in scaring the hell out of people that don't know any better.

WSJ: "What the rich want you to think."

[Futurepower(R) (558542)]

Agreed: If you want Mac malware, you have to go to a store and buy it.

It's completely unacceptable that Slashdot editors would post this garbage. From the referenced article:

"In the past two weeks, information-security companies like Symantec Inc., Sophos PLC and McAfee Inc. have identified several security issues related to the latest version of Apple's Mac operating system, called OS X. Among the concerns: two "worms," programs written by unknown hackers that were designed to spread themselves to other Macs through Apple's iChat instant-messaging software and Bluetooth wireless-communications capability."

Translation: Some public relations drone, with no technical knowledge, paid the Wall Street Journal to post the article. The Wall Street Journal is a "What the rich want you to think" publication, and, in my experience, usually unreliable for anything useful. Note that the article jumps from subject to subject rapidly, apparently to hide the fact that there are no actual incidents of Mac infections to report.

Another translation: Symantec, a maker of very buggy security software of poor design, and other "security" companies want Mac users to buy their products.

Some people, in my opinion, spend their entire working lives being dishonest, trying to trick other people. In my experience some of them work for WSJ.

-
Cheney's company is rapidly [nytimes.com] building prisons [halliburton.com] for the U.S. government.

Re:Symantec?

[Golias (176380)]

One of the recent worms relies on iChat.

I use iChat every day, and have other Mac users on my "Buddies" list, yet I've still yet to get this particular worm delivered to me, and it's been well over a week since I heard about it being "in the wild." There was even a story about it over on Drudge, so somebody must have been hit by it, right? Yet, I still have yet to hear a first-person account of somebody getting this particular worm sent to them.

Part of the reason for this might be that the Mac gives all kinds of warnings about the nature of incoming files, and even requires that you type in your admin password before running anything that hits any important part of the OS. (Hint: just installing an application or performing trivial tasks does not require a password. Whenever you get a password prompt on a Mac, you know that the app in question is trying to do something which requires root-level access.)

Installing antivirus software on a Mac is worse than useless. Should a virus ever come along which can get past both MacOS security and simple user awareness, currently-existing anitvirus software won't be ready for it anyway.

Plus, I know enough from running antivirus software on my Windows PC at work (which I would never DARE go without) that anitvirus software means a performance hit and less stability of the operating system.

I think I'll just stick with common sense and Apple's frequent OS update patches.

Re:Symantec?

[John Newman (444192)]

Unlike Windows, it's perfectly safe to run full-time as the "Administrator" user, and nearly every OS X user does.

It's mostly safe, not perfectly safe. The iChat virus/trojan suggests one reason why. Since an admin has free access to /Applications, a bug running under that user's permissions can modify apps in that folder, helping the bug to spread itself either locally (next time another user on the machine opens an infected app) or remotely (e.g. via a modified iChat). A second reason is that admin users can sudo with their own password. If the admin account's password is compromised by a bug or hacker, root control of the machine goes with it. This is not the same as running as root, like Windows admins do, and viruses running under the admin user's permissions do not have root access. A regular user must enter an admin's username/password to sudo, making the virus/hacker's job more complicated.

Nearly ever OS X user on a single-person machine runs as admin, and that's what Apple sets up by default. But it's not a bad idea to reocnsider.

not a worm or a virus!

[minus_273 (174041)]

seriously if you have to manually download the program and enter your admin password, it is not a virus or a worm. I dont know why people keep calling it that. It is a Trojan and those have existed since the first rm -rf / script.

Re:not a worm or a virus!

[Dausha (546002)]

"It is a Trojan and those have existed since the first rm -rf / script."

I don't get it. I tried running the "rm -rf /" script, and got nothing. I tried it again as root. It just sat there and worked patiently for a few minutes before returning a prompt. Was it supposed to do something cool? If so, maybe I should have run it on a desktop instead of the production server? Any hints at what I did wrong?

Maybe I should try it on my Windows machine next? Shouldn't I type "C:\" instead? Or, is this script not that portable?

Re:not a worm or a virus!

[AKAImBatman (238306)]

How hard would it be to convince some average uses that the worm/virus/trojan that they're downloading is actually an amazing tool to "tweak" some aspect of their computer's performance (internet/speed/ram/etc...)?

The difference between the security hole approach and the social engineering approach, is that the latter starts and ends with stupid users. The worm cannot force its way onto the computers of more savy users like the RPC worms in Windows did. Instead, it will set off a huge number of warning flags with more experienced users, and perhaps prompt them to take action to clean other user's computers or encourage them not to run anything that asks for their password.

The end result is that such viruses could not spread as fast or as far as their Windows counterparts.

I disagree with this

[pHatidic (163975)]

Windows has had what, like 200,000 Virus's in the last year? Apple has had two or three theoretical exploits that either require the user to run code by hand or else target services that most mac users don't turn on. Sounds like Apple is doing its job to me. And honestly this idea that as Apple gets more popular there will be more viruses is largely a load of crap. The notoriety of writing the first real virus for OS X would be vastly more than for writing yet another windows virus. The reason why no one writes viruses for Apple is most likely because people like Apple and want them to succeed. I think if people start writing viruses for Apple it will be because Apple gets lazy and stops innovating, or else stops at least trying to fix the bugs in its software. Because right now both the means and the motive or there, but it's just not really happening.

Why would criminals care if Apple succeeds?

[djtack (545324)]

The reason why no one writes viruses for Apple is most likely because people like Apple and want them to succeed.

Considering that the main incentive for virus writers these days seems to be economic (profitable criminal activity such as spamming, phishing, DDOS blackmail, identity fraud), it seems unlikely to me that these criminals care if Apple succeeds. More likely, the profit motive isn't there, probably a result the combination of greater security on OSX, and smaller installed base.

I guess this will test ...

[hattig (47930)]

I guess this will test whether Apple's approach to security (i.e., pretty much like Unix's) is better or worse than Microsoft's.

I.e., will these worms affect the whole computer because of a fault in the operating system, or will they affect only a single user on the computer because of a software issue that let the worm in to play in that user's space, or will it affect people only because of user stupidity ('ooh, really, clicking on this will make my pen0r bigger!')?

Note that Microsoft gets critical security issues fairly often with their approach.

The recent Apple issues have been lowest rated security issues.

Certainly I think that not having users run as root by default will help Mac OS X, but that doesn't stop them entering their password when prompted.

You can't secure against user stupidity except by scanning each file that they try to execute for viruses. And that means virus checkers, and the associated slowdowns they bring.

It's not that Mac OS X is "virus-proof"

[jht (5006)]

It's never been that (at least for most people). The advantage of Mac OS X is that it is less vulnerable than Windows (making Windows an easier target), and that Apple made decisions in the design process that mean that the typical consequences of a flaw are less severe. In recent years, Microsoft has attempted to harden Windows further and reduce their exposure - in W2K3 Server, for instance, they've done a pretty good job of it.

Even if Apple magically pulls some sort of super OS-jujitsu that reverses their market share and Microsoft's, the basic architecture will stay the same underneath - and that means Apple will have their relative advantages intact for the foreseeable future. Windows is, as its heart, an OS that has traded off many security options for ease of access and ease of programming. Apple had the advantage of seeing what was already happening to Windows when they made their decisions about how OS X would be designed, plus the system it was derived from was pretty robust to begin with.

There will be viruses that attack Mac OS X. Some will do a pretty good job of attacking. I'm kind of surprised it's taken this long to get there. But I'm also not expecting it ever to compare to Windows in that regard.

Wired article re: Mac security

[Kaimelar (121741)]

A recent columnist at Wired said what I was thinking already [wired.com]:

From the linked article:

"These Mac security holes are a storm in a teacup. They've inspired hundreds of stories in the press and even the national network news, but if they were Windows holes, no one would have blinked.

That's because holes in Windows are routine, business as usual, while it now appears the Mac is under attack thanks to Apple's brand-new high profile. But this isn't the case.

Last month, there were four "massive" virus attacks on Windows, according to Commtouch, an antispam and antivirus vendor. Indeed, viruses are now so aggressive, they routinely outpace attempts by antivirus companies to distribute protective signatures.

This state of affairs is now so common, I hadn't noticed -- and I work for a technology news site. "Virulent computer virus infects millions worldwide, other non-news at 11."

These Mac "threats" are only news because of their novelty, not the threat level they pose."

Man bites dog journalism

[plopez (54068)]

Typical 'man bites dog' approach. If it is unusual, it is news. Microsoft Windows is a bug ridden unsecure OS, but since everyone (or at least 90% of users) use it it is not news. No one questions why a defective product exists or what it is actually costing in lost productivity. It is normal in most users' worlds, those users who never have experienced anything else.

OS X exploits are news only because they are unusual (though it does serve as an early warning, I sincerely hope Apple is busy auditing their code base). The fact that they are not as severe as Windows exploits, requires more user intervention and are often limited in scope are not discussed or probably understood by most people.

Argh, what crap

[ThousandStars (556222)]

I already had a relative send me a link to this article. I'll copy my e-mail response:

The guy who wrote this article doesn't know what he's talking about. "Worms" spread without any user interaction -- they can infect millions of machines on the internet in hours. Those are the kind of vulnerabilities that got Microsoft in trouble in 2003. Viruses require user interaction to work. All the "vulnerabilities" described in the article require the user to install a program and it's trivially easy to be destructive once you have the user's trust.

In addition, virtually all the vulnerabilities described by the article are local ones -- meaning a malicious person needs access to the machine. Truly dangerous vulnerabilities offer remote access, which means any random hacker on the Internet can control the machine from afar. AFAIK, none have been discovered in most Linux distributions or OS X. If OS X did ship with remote vulnerabilities, THAT would be huge news.

The only relevant part of the article comes at the very end:

Many viruses and worms, for instance, don't exploit security holes in operating systems. Instead, they use what are called "social engineering" techniques to trick users into doing things that they shouldn't do, like unwittingly installing programs. The Anna Kournikova worm from 2001, for example, infamously tricked Windows users into installing it by masquerading as photos of the leggy Russian tennis star attached to e-mails.

Rather than weaknesses in operating systems, such approaches exploit "a bug in peoples' brains, which is much harder to patch," Mr. Cluley says.

That should have been the lead. The rest of the article is idiotic.

Re:Immune?

[SpooForBrains (771537)]

but don't think that running an "obscure" OS makes you safe

*sigh* We don't. We think running an operating system with proper security makes us safe.

Re:Immune?

[IamTheRealMike (537420)]

No they aren't. You don't need admin privs to relay spam, hijack a web browser or force yourself to load at startup, which are just some of the things malware gets up to.

I haven't seen any compelling evidence that Linux or MacOS X are more secure than Windows is against the twin threats of malicious software and badly trained users. They're all based on similar security ideas, which just don't cut the mustard. A better security model [plan99.net] does exist, but it's not implemented in any desktop operating system today.

Re:Immune?

[theAtomicFireball (532233)]

How many Mac users today run anti-virus software?

Hopefully very few. With the current state of affairs, anti-virus software for the Mac is a case of the cure being much worse than the disease. Even these recently discovered worms and the Safari vulnerability are relatively benign and can be protected against with a little common sense. In fact, most users hopefully are already safe from the Safari vulnerability since the "Open Safe Files" option was already the source of another vulnerability a while ba

Re:Immune?

[east coast (590680)]

Running anti-virus software is a stupid thing to do when you can FIX the system instead.

What's the phrase? There is no patch for human stupidity?

Go ahead, be smug about it. But the bottom line is that as Mac becomes more popular you're going to have idiots who are going to let thing thru simply because they don't understand what they're doing. Do you really think that Windows user who keep their systems up to date and use a bit of common sense are the ones you're reading about? Windows is insecure in a l

Re:They could report a worm a day ...

[TubeSteak (669689)]

The could report a worm or virus a day for the rest of my LIFE and they'd still have a better security record than Windows.

I guess the real question is: "How many of those bugs will remain unfixed by the time you die."

We already know Microsoft's answer, but how does Apple deal with bugs in Mac OS 8 and Mac OS 9? (And does anyone still use Mac OS 7?)

Re:Popularity decides if an OS is secure.

[theAtomicFireball (532233)]

An OS's security is directly related to its popularity.

Hardly. There's a correlation, but it's not even close to being a direct correlation. If it were, there would be somewhere in the realm of 15,000 exploits in the wild for Mac OS X.

The situation just isn't as simple as you believe it to be. Sure, the number of people who use an operating system tends to have a relation to the number of people who develop for that system and also the number who have the skills necessary to create a virus, trojan, or worm. But there's more to it than that. Windows, although it's getting better, and hopefully Vista will be much better, has architectural issues that make it easier to exploit. It also has consumer-targeted development tools which have the sole intention of lowering the bar to new programmers. Combine these two, and you have a societal petrie dish ripe for creating malware authors - not only are there more people using the OS, but there are proportionately more people capable of writing malicious software and a system that is easier to exploit.

If the Mac had 95% market share, there would certainly be more malware, but the situation would simply not be as bad as it is for Windows right now.

Re:Popularity decides if an OS is secure.

[SpooForBrains (771537)]

The only supporting argument for this oft-repeated fallacy is that Windows has the biggest market share and the biggest number of security holes.

Far be it for me to shatter your little bubble, but Apache Web Server is more popular than IIS, and has significantly less critical exploits.

God, it feels like Karma whoring just pointing out something so bloody obvious.

Re:Lets be fair, folks

[99BottlesOfBeerInMyF (813746)]

Now is it right for me to say that my linux computers are more secure just because they are running linux? No, that's stupid.

Why is that stupid? There are real architectural, operational, testing, and implementation differences between Windows and Linux. Obviously one of them is more secure and less likely to be compromised than the other. There is nothing stupid about looking at those differences and at the track record of both OS's and making predictions and making usage decisions based upon that information. "They're all the same," is the argument of a lazy man or someone trying to justify a bad choice by trying to make all choices look equally bad.

The same thing applies with this story - Macs can be exploited because that is the nature of the business. We usually find the holes because some numbnut exploits it.

No one is arguing that Macs can't be exploited. They certainly can be and are. We do not, however, find most exploitable holes by seeing exploits in the wild. The majority of holes are discovered by developers coding the products. The next largest chunk are found by users and legitimate security researchers. Then a few are found when they are exploited in the wild by hackers. How many zero day exploits have their been for Linux or OS X? The answer is very, very few if any. There have been some for Windows, but most of the underlying vulnerabilities were probably discovered by MS, but they just did not get around to fixing them.

Sure there will be exploits and even zero-day exploits for OS X, but they are just not likely to spread widely or be much of a problem for the average user. If they are a large threat they will be well-known and quickly fixed. A major worm for OS X would be news and it would be unusual. For Windows it is business as usual.

But don't assume that just because no one has broken into your house yet that your house is completely secure.

This is a very good analogy. My house is concrete block and was built with only glass block windows on the first floor. Actually the block is two thick on the first floor. Before I bought it, someone had wired a security system and outdoor flood lights. A few months back someone busted into my shed, but ran off without getting anything. The items in my shed are relatively large an not all that valuable.

I'd say that is a good analogy for OS X. It is built with security in mind on well tested, industrial grade framework. They have added onto it and made it more secure in some ways and less secure in others, but it will likely never be as insecure as the neighbor's ranch style place with two plate glass doors and a key under the mat that you see the kids get out every day.

OS X had someone break into the shed (try to distribute a trojan) but nothing has been taken. It is a good sign that maybe Apple and OS X users should be paying attention and maybe doing some more security reviews, but it is in no way comparable to the apartment complex down the street that have been burgled at least once a month for several years and where we always hear about people getting shot.