Game Theory, Antivirus Improvements Explain Rise In Mac Malware

Posted by Soulskill
from the apple-blames-solar-flares dept.
Sparrowvsrevolution writes "Four years ago, security researcher Adam J. O'Donnell used game theory to predict in a paper for IEEE Security and Privacy when malware authors would start targeting Macs. Based on some rough assumptions and a little algebra, he found that it would only become profitable to target Apple's population of users when they reached 16% market share. So why are we now seeing mass attacks on Macs like the Flashback trojan when Apple only has 11% market share? O'Donnell says it turns out he may have underestimated the effectiveness of the antivirus used by most Windows users, which now makes overconfident Mac users a relatively vulnerable and much more appealing target. Based on current antivirus detection rates, O'Donnell's equations now show that victimizing Macs becomes a profitable alternative to PCs at just 6.5% market share."
  • Hogwash (Score:3, Informative)

    by getto man d (619850) on Friday April 20, 2012 @12:25PM (#39747011)
    We all know it's due to momentary lapse in prayers to the Almighty Jobs.
  • by concealment (2447304) on Friday April 20, 2012 @12:28PM (#39747051)

    Back in the 1980s, Macs were very tempting virus targets. They had multitasking operating systems at a time when the rest of us were running DOS or CP/M (although Amiga users and users of DOS multitaskers like DESQview had a small market share). Luckily this was before the internet, so the only real risk was downloaded software.

  • by SJHillman (1966756) on Friday April 20, 2012 @12:39PM (#39747205)

    Linux does have significant market share in the server and smartphone arenas. Servers are generally more secure than desktop machines (not to mention better maintained), so there are naturally fewer points of vulnerability - this holds true for Windows servers as well. As for smartphones, I've seen a lot of articles about Android malware recently although I haven't personally encountered any.

  • by Drinking Bleach (975757) on Friday April 20, 2012 @12:48PM (#39747313)

    Generally more secure, but Linux servers are still vulnerable, especially when they are neglected and nobody looks after them. I have signed onto a company that kept a mail server running for years with no updates -- turns out that exim had a security vulnerability and there was a rootkit living on the system for at least a couple of years. If the machine had been properly monitored, the chances of infection would have been very low (keep on top of updates!), and it would have been detected rather quickly even if it had happened despite that first point.

    I still don't know what the attacker gained, but apparently it pays off enough to prey on mismanaged Linux servers.

  • Re:Correct (Score:5, Informative)

    by Anonymous Coward on Friday April 20, 2012 @01:08PM (#39747553)
    Actually, here is what Apple says:

    http://www.apple.com/why-mac/better-os/#viruses [apple.com]

    A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part.

    Is this true? Yes, but only because the malware they are talking about was written specifically for Windows. It has nothing to do with the "built-in defenses in Mac OS X that keep you safe". It is at best disingenuous because the average user reads that to mean "Macs can't get malware".

  • by man_of_mr_e (217855) on Friday April 20, 2012 @01:42PM (#39747963)

    Yeah, it's not like Apple has ever done anything to encourage that thinking...

    http://www.youtube.com/watch?v=GQb_Q8WRL_g [youtube.com]

  • by beelsebob (529313) on Friday April 20, 2012 @01:48PM (#39748025)

    Notably, "macs don't get viruses" is not the same as "macs can't get viruses". The former was true in the early 2000s.

  • by Tharsman (1364603) on Friday April 20, 2012 @02:02PM (#39748221)

    I'm sorry; I love my Macs BUT this last Flashback virus would easily get into your computer without you doing anything. All you had to do was visit a page with the virulent Java applet for your computer to be infected. Once infected it may attempt to ask you for a password to dive further into your system, but even ignoring it accomplished nothing: the virus was fully active in your system.

    Some tech geeks love to think "I'm too smart to be infected", and blame anyone with a virus for being stupid. Ironically, those tech geeks tend to be some of the most vulnerable users for real virus infections, since they refuse to use any anti-virus solution because it will "slow down their system" or to patch their systems with the latest updates because "it's working fine and I know what I'm doing."

    That's how viruses actually work. Everything that requires you to do something to accept it is qualified as a Trojan. No amount of tech savviness makes anyone less likely to get virus infections (unless you are savvy enough to update ASAP and run some form of antivirus.)

    THAT being said:
    0.7% flashback victims were Linux machines
    0.6% flashback victims were Windows 7 or Windows 8 PCs
    0.3% flashback victims were FreeBSD
    0.5% flashback victims were machines running an unidentified OS.

    How on Earth did Linux get more Flashback infections than Windows??? Hint: I said why above. At least Macs have the excuse of Apple's negligence at patching the vulnerability.

  • by Tharsman (1364603) on Friday April 20, 2012 @02:04PM (#39748241)

    To add (thanks for the edit button, slashdot!)

    Source of the numbers [arstechnica.com]

  • by Anonymous Coward on Friday April 20, 2012 @02:12PM (#39748335)

    Flashback is not a virus, it's a trojan. This is sort of like saying to someone who bragged that they don't get skunks in their neighborhood "Well, after those coyotes ate your dog, I guess you'll be taking that skunk problem a lot more seriously now!" Viruses and Trojans work completely differently - one infects programs and data files, then spreads all over your computer when you access those files, and the other is a program all of its own that hides and sneaks onto your computer, then runs separately. Viruses infect your files, Trojans invade your whole system (and generally don't attach themselves to individual files).

  • by Cinder6 (894572) on Friday April 20, 2012 @02:38PM (#39748621)

    At the same time, having basic security practices still thwarted it from being installed on your system. From F-Secure [f-secure.com]:

    On execution, the malware checks if any of the following paths exist in the system:

    /Library/Little Snitch
    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    /Applications/VirusBarrier X6.app
    /Applications/iAntiVirus/iAntiVirus.app
    /Applications/avast!.app
    /Applications/ClamXav.app
    /Applications/HTTPScoop.app
    /Applications/Packet Peeper.app

    If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

    So doing something basic and sensible, such as having a common (and free) antivirus program, or having a popular (but non-free) firewall meant that you wouldn't get the trojan. This particular piece of malware was specifically targeted at people who don't follow common security practices. (And before anyone says that Mac users haven't needed AV software in the past: It has always been recommended, if only because you don't want to risk passing a virus on to a friend's PC if you email him a file.)

  • by Anonymous Coward on Friday April 20, 2012 @02:40PM (#39748635)

    The first variant did. The second did not.

    Just hit up the previous Slashdot Flashback article and you'll see the article title that specifically said that it could go "without user interaction." -- i.e. it was a drive by that installed itself without user interaction.

    Sounds like a virus (by anon's definition) to me.

    I have a different interpretation: Trojans are applications that pose as legit programs (like codecs or games) that trick you into running the program. Viruses (trojans being a subset of viruses) are any software that was specifically written to do bad stuff (delete files, spam, etc). This may or may not be with user interaction.

  • by Anonymous Coward on Friday April 20, 2012 @02:47PM (#39748707)

    /slam head against desk

    Difference between Virus and Trojan:

    A Trojan disguises itself, pretending to be something else, to get into your system (named after the Trojan Horse [wikipedia.org].) A program that pretends to be a photo file (with a jpg icon) or poses as an antivirus installer would count as a Trojan.
    A virus simply activates and goes into your system when, let's say, you insert a floppy disk or visit a website. As long as it can infect a machine without the user opening it up, it's considered a virus.

    The last Java-based Flashback was a virus, not a Trojan.

    Not only did it require the user to provide a password, as oh_my_080990890 points out, but even if it hadn't, it still wouldn't be a virus, and it still would be a trojan. Trojan versus virus is not a case of "happens with or without user interaction". Viruses infect files - VBS viruses can even infect .html files (ie: Code Red and others from a while back), or image files, or anything else, but they do need a file there to infect, of whatever type of file that virus is intended to infect. Yes, the boot sector on a floppy disk is also a type of file. Trojans pretend to be some other type of program, and get the user to run them - in this case, by being a Java applet in a web page, which of course means that if you've shut off Java running in your browser (I do because it annoys me. The only site I commonly use that wants to run Java is my work webmail, which oddly works better with Java disabled completely...) it's not a problem, regardless of your operating system, and it's not a virus, it's a trojan. Even the article Tharsman (at ars technica) linked to calls it a Trojan, and not a virus. Same with the initial article way up at the top.

    The Mac people (and their advertising) have been saying "We don't have viruses", and they're still right. (For now.) Regardless of the coyotes eating people's dogs, there still isn't a skunk problem.

    Linux on the other hand, actually does have a virus available - there were several slashdot articles about it a few years ago, provided by a security researcher at an AV company. In order to get it to run, you need to install a specific version of the Linux kernel, and then apply a patch kindly provided by Linus Torvalds after he analyzed the code to figure out why it wouldn't work for him. It takes advantage of three separate kernel vulnerabilities which, sadly, never all co-existed in the kernel simultaneously (unless you install the patch). Much like just about everything else fancy at the time (expensive video cards, TV tuners, ...), getting the virus to actually work required re-compiling your own kernel.
