Follow Slashdot stories on Twitter


Forgot your password?
Security Apple

Game Theory, Antivirus Improvements Explain Rise In Mac Malware 319

Sparrowvsrevolution writes "Four years ago, security researcher Adam J. O'Donnell used game theory to predict in a paper for IEEE Security and Privacy when malware authors would start targeting Macs. Based on some rough assumptions and a little algebra, he found that it would only become profitable to target Apple's population of users when they reached 16% market share. So why are we now seeing mass attacks on Macs like the Flashback trojan when Apple only has 11% market share? O'Donnell says it turns out he may have underestimated the effectiveness of the antivirus used by most Windows users, which now makes overconfident Mac users a relatively vulnerable and much more appealing target. Based on current antivirus detection rates, O'Donnell's equations now show that victimizing Macs becomes a profitable alternative to PCs at just 6.5% market share."
This discussion has been archived. No new comments can be posted.

Game Theory, Antivirus Improvements Explain Rise In Mac Malware

Comments Filter:
  • by pwnyxpress ( 2597273 ) on Friday April 20, 2012 @12:25PM (#39746997)
    How it security by obscurity treating you now?
    • by Samalie ( 1016193 ) on Friday April 20, 2012 @12:27PM (#39747035)

      Stupid people doing stupid shit with technology and getting viris outbreaks?

      Yeah, that's confined to ANY particular OS.

      Sorry, but if Linux had enough market share, they'd be targeted too. Computing is by definition insecure, because you'll always have stupid people doing stupid shit.

      • by Luckyo ( 1726890 ) on Friday April 20, 2012 @12:32PM (#39747121)

        Pretty much this. In most cases the weakest link is between keyboard and chair and chain is as strong as its weakest link.

        • Re: (Score:2, Funny)

          by Anonymous Coward
          Thank you, Captain Cliché, for pointing out the obvious and already stated!
        • by davester666 ( 731373 ) on Friday April 20, 2012 @12:59PM (#39747447) Journal

          What's funny is that NONE of the anti-virus products blocked it, indicating just how useless their products are.

        • by Tharsman ( 1364603 ) on Friday April 20, 2012 @02:02PM (#39748221)

          I'm sorry; I love my Macs BUT this last Flasback virus would easily get into your computer without doing anything. All you had to do was visit a page with the virulent java applet for your computer to be infected. Once infected it may attempt to ask a password off you to dive further into your system, but even ignoring it did nothing, the virus was fully active in your system.

          Some tech geeks love to think "I'm too smart for me to be infected", and blame anyone with a virus of being stupid. Ironically, those tech geeks" tend to be some of the most vulnerable users for real virus infections, since they refuse to use any anti-virus solution because it will "slow down their system" or patch their systems with latest updates because "it's working fine and I know what I'm doing."

          That’s how viruses actually work. Everything that requires you to do something to accept it is qualified as a Trojan. No amount of tech savvinnes makes anyone less likely to get virus infections (unless you are savvy enough to update asap and run some form of antivirus.)

          THAT being said:
          0.7% flashback victims were Linux machines
          0.6% flashback victims were Windows 7 or Windows 8 PCs
          0.3% flashback victims were FreeBSD
          0.5% flashback victims were machines running an unidentified OS.

          How on Earth does Linux got more Flashback infections than Windows??? Hint: I said why above. At least Macs have the excuse of Apple negligence at patching the vulnerability.

          • by Tharsman ( 1364603 ) on Friday April 20, 2012 @02:04PM (#39748241)

            To add (thanks for the edit button, slashdot!)

            Source of the numbers []

          • Re: (Score:2, Informative)

            by Cinder6 ( 894572 )

            At the same time, having basic security practices still thwarted it from being installed on your system. From F-Secure []:

            On execution, the malware checks if the following path exists in the system:

            /Library/Little Snitch

            If any of these are found, the malware will s

      • by cpu6502 ( 1960974 ) on Friday April 20, 2012 @12:35PM (#39747161)

        So does Ubuntu Linux have 6.5% share yet?

        • by jedidiah ( 1196 )

          I wonder if the Atari ST or Amiga had 17% market share when either of them were fertile ground for malware infections.

          • Depends on what you define as market share and what market you are referring to. Back then even though the PC was clearly pulling ahead the race wasn't entirely over. The Atari ST while never getting a foothold in the US was very popular in the UK.
          • The Amiga did, at least during the 80s. Commodore 64 had greater than 50% market share and Amiga had half that. (After 1988 the IBM PCs became dominant.)

      • by SJHillman ( 1966756 ) on Friday April 20, 2012 @12:39PM (#39747205)

        Linux does have significant marketshare in the server and smartphone arenas. Servers are generally more secure than desktop machines (not to mention better maintained), so there's naturally fewer points of vulnerability - this holds true for Windows servers as well. As for smartphones, I've seen a lot of articles about Android malware recently although I haven't personally encountered any.

        • by Drinking Bleach ( 975757 ) on Friday April 20, 2012 @12:48PM (#39747313)

          Generally more secure, but Linux servers are still vulnerable, especially when they are neglected from being looked after. I have signed onto a company that kept a mail server running for years with no updates -- turns out that exim had a security vulnerability and there was a rootkit living on the system for at least a couple years. If the machine was being properly monitored, the chances of infection would be very low (keep on top of updates!), and it would have been detected rather quickly even if it did happen despite that first point.

          I still don't know what the attacker gained but apparently it pays off enough to pry on mismanaged Linux servers.

        • by msobkow ( 48369 ) on Friday April 20, 2012 @01:00PM (#39747461) Homepage Journal

          Servers are more secure than desktops in the Linux arena primarily because there is no idiot user sitting in front of the keyboard to click "Ok" when malware tries to install itself. Also, servers aren't typically used for surfing and downloading, so the malware doesn't get a chance to try to install itself.

          Only once since I started programming in the late '70s have I seen a machine that was infected without the intervention of a user disabling the anti-virus or installing pirated/downloaded software. Once.

          • Servers are more secure than desktops in the Linux arena primarily because there is no idiot user sitting in front of the keyboard to click "Ok" when malware tries to install itself. Also, servers aren't typically used for surfing and downloading, so the malware doesn't get a chance to try to install itself.

            That's true of Windows too. In fact, it's true *regardless* of the OS.

      • by ByOhTek ( 1181381 ) on Friday April 20, 2012 @12:45PM (#39747273) Journal

        Yes, however, I think the GP just venting due to all of the "I have a Mac, so I'm immune to malware" and "Oh, they had problems because they used a PC, they should have gotten a Mac!" that has being going on for so long, even by some here on slashdot.

        But, of course, you are correct, it is the user that is the biggest security vulnerability of a computer, in most cases.

      • by betterunixthanunix ( 980855 ) on Friday April 20, 2012 @12:52PM (#39747347)

        Sorry, but if Linux had enough market share, they'd be targeted too.

        "Linux" is not one operating system. There are very secure distributions, and then there are distributions that are not so secure, and then there are distributions that can be secure if you stick to best practices.

        • by jd ( 1658 )

          Just as important, there are multiple distributions. Just as it makes it hard to write commercial software that will run under any version of any distro, it makes it hard to write a virus that will work under any version of any distro. The odds are that Linux viruses will be predominantly scripts because those are relatively portable and applications which run scriptlets don't have nearly the same level of security as the OS itself.

          Even then, the massive fragmentation of the application base will severely l

      • by Charliemopps ( 1157495 ) on Friday April 20, 2012 @01:05PM (#39747509)
        as stupid as windows user are... and I'll grant you they ARE stupid... Absolutely nothing compares to the apple market. There's a price to be paid for making your OS so easy to use that you don't even need to be smart enough to tie your own shoes to use it... namely, that your OS will attract all of the people not smart enough to tie their own shoes.

        Now, I know all you apple "power users" are going to get all mad and scream "You're calling me dumb! I'm not dumb!" I'm not saying you're dumb... I'm saying all your friends are dumb... and you make bad technology choices... I'm sure you made a very smart, well informed decision when you chose the wrong operating system.
      • by Lumpy ( 12016 )

        Linux IS a Target, MOST internet servers are Linux, and Linux servers hold a lot of money in information.

        But you see, they are such high value targets they do hacking to get into them and not a spray and pray virus.

        • by Lumpy ( 12016 )

          That's called sniff testing. your logs are full of "is there something here?" and "is this ran by a moron using one of these 20 common passwords?" after that it's handed to a real hacker.

          read up on what you are really seeing, these guys are getting sophisticated at their automation to find soft targets.

    • by WrongSizeGlass ( 838941 ) on Friday April 20, 2012 @12:34PM (#39747137)

      How it security by obscurity treating you now?

      Security by obscurity was not the problem. Complacency was the problem.

    • How it security by obscurity treating you now?

      It's actually been a pretty good strategy thus far. Even if I'd gotten this particular Trojan, my score would still be much lower in the Mac column than in the Windows column. I'll take the 20 years of virus-light computer use, thank you :)

      The real question is, now that we have "caught up", are there any decent anti-virus packages for the Mac?

    • by wzinc ( 612701 )
      Doing fine. This was a Java trojan, not native. Supposedly, Apple was late with an update Oracle released months ago. Apple needs to leave Java to Oracle. That way, it's not Apple's responsibility to update software they didn't write.
  • Hogwash (Score:3, Informative)

    by getto man d ( 619850 ) on Friday April 20, 2012 @12:25PM (#39747011)
    We all know it's due to momentary lapse in prayers to the Almighty Jobs.
  • I would have guessed 5-15%. Well.


    • And honestly that's about as good of an estimate as you can make.

      Maybe it makes sense that they wouldn't start actively targeting Apple until 11.6% market share, but somebody's got to be first and if you are a virus-guy and come across some big vulnerability that will allow you to rapidly infect a ton of go for it. Maybe he wasn't even targeting apple but stumbled across a vulnerability that would work and jumped on it.

      Also, how much does one account for the purpose of the attack? If yo

  • by MikeRT ( 947531 ) on Friday April 20, 2012 @12:27PM (#39747049)

    In all of the fights between Windows and Mac users over the disparity in viruses for both platforms, I've never seen a Windows user point out the fact that Windows is often used on infrastructure that is valuable to compromise. No major business runs their corporate infrastructure on Macs. No major sites with valuable data I know of are hosted on Apple hardware. What has changed with the marketshare is that now Macs are used by the upper-middle and upper classes extensively at work and at home. So even at 6.5% of the market, you're far more likely now to compromise a Mac with valuable data or access to it now.

    Compromise a Mac today and you might get access to a corporate network, a richer man/woman's bank information, etc. That wasn't true 10 years ago.

    • by SJHillman ( 1966756 ) on Friday April 20, 2012 @12:32PM (#39747127)

      So what you're saying is the fact that Apple overcharges for Macs is actually a factor in the increase in Mac malware? Oddly enough, makes sense.

      • It's a factor insofar as it is part of the process of turning Macs into status symbols. Price alone is just one variable; it's the price factor which separates the product from the hoi polloi who couldn't stomach a $2000 professional laptop when a $500 meets their needs easily. It's everything from the packaging, to the build quality and taste, to the marketing and product integration.

        Macs were always expensive, but 10 years ago, they were more of an eccentricity or specialty than a high quality replacement

    • by Hatta ( 162192 )

      What has changed with the marketshare is that now Macs are used by the upper-middle and upper classes extensively at work and at home

      Apple computers have always been expensive. Even as far back as the Apple II, it was the high end 8-bit computer. Later, the Atari ST was based on very similar hardware to the Macintosh, but it did color, and cost half as much.

    • by Tyr07 ( 2300912 ) on Friday April 20, 2012 @12:55PM (#39747399) Homepage

      I've frequently pointed it out to people.

      I've told many 'smug' mac users that the only reason they're not getting viruses like PC's are is because it's not worth it. No one cares about your myspace profile or your doodle you did this morning.

      Major businesses handling credit card information or valuable corporate information is ran on PCs, it has all the financial data and so on, hence the target.
      As soon as macs become popular and worth while, they'll get viruses too.

      And here we are.

      • Most malware these days isn't out to get your personal data, it's only purpose in life is to add another machine to the botnet. For this kind of thing, home computers are actually more valuable, because they're less likely to be firewalled etc.

        And from botnet pespective, the only thing that matters is bang for the buck - how many boxes can you infect per dollar spent writing the malware. Which, of course, still favors Windows machines, simply by virtue of there being many more of them.

      • by wamatt ( 782485 ) *

        Smugly said Sir, you tell them! :P

    • I've pointed that out before, here on Slashdot. You have a lot of businesses using Windows, not only for their infrastructure, but for the majority of their desktop/laptop computers. A lot of companies only do perimeter security, so once you get inside the firewall, you have a nice, ubiquitous, unprotected network to target, perhaps with hundreds of computers, and profitable data to steal.

      If you target Macs only, you get what? Home users? The design department of a company? A lone executive, maybe? I

  • by concealment ( 2447304 ) on Friday April 20, 2012 @12:28PM (#39747051) Homepage Journal

    Back in the 1980s, Macs were very tempting virus targets. They had multitasking operating systems at a time when the rest of us were running DOS or CP/M (although Amiga users and users of DOS multitaskers like DESQview had a small market share). Luckily this was before the internet, so the only real risk was downloaded software.

    • by Luckyo ( 1726890 )

      You rarely if ever downloaded software in 1980s. Stuff was moved around on floppies and other magnetic media such as audio tapes for example. There was some stuff done over BBS but downloading stuff over slow analogue modems was a pain in the ass (I'm thinking 9600 baud and lower that was common in late 1980s).

      • You aren't kidding. I'd download some stuff from bbses to use personal or to just put on my bbs, but the majority of the stuff I had for download was obtained from friends in person. My favorite part of the day in was recess / lunch where I'd get to swap disks.

      • More like 2400 baud for the late 1980s. About an hour per megabyte. And yet there was a lot of downloading from BBSes. Things were a lot smaller then, and at least when you pirated some 10MB game you knew it had a fair chance of it running versus finding out that disk 7 of the split archive from the sneakernet was corrupted.
      • by msobkow ( 48369 )

        On the flip side, most downloaded applications and games in the '80s were way under a megabyte in size. So although the modems were slow, it really didn't take more than a few hours to do a download.

        So I call bullshit. I and most "bit heads" I knew downloaded software and games voraciously in our university days from the BBS systems of the day. What was different is that each of us would download something different, copy it to multiple floppies, and we'd each have a copy.

        When the links are slow, yo

    • Back in the 1980s, Macs were very tempting virus targets. They had multitasking operating systems at a time....

      But that was not why they were tempting. They were tempting targets because it was REALLY easy to spread a boot-sector virus on floppy discs, even when you didn't hand out the discs yourself you'd just include it on a floppy disc image of some game or utility that was being pirated and it would spread like wildfire from that person to all friends...

    • by Hatta ( 162192 )

      Mac OS wasn't any more multitasking than DOS was. Programs like DESQview allowed you to switch tasks in DOS, which is done pretty much the same way as "multitasking" in Mac OS. Macs didn't support preemptive multitasking until OS X. The Amiga had it in 1985.

    • Everything got viruses back in the 80's. Why? Because viruses were new and cool, and kiddies liked writing them.

      Nowadays, kiddies prefer hax0ring the interwebs. Writing viruses is passe. So now, the only people that write viruses are those trying to make money from it.

      When you don't have a large marketshare, making money is more difficult. So smaller platforms are simply ignored.

      This new model suggests that the financial benefits of attacking windows have become less than the benefits of attacking Macs

  • Perhaps the model wasn't off by much, rather the rate of mac growth being so high that 16% is already a guarantee with the current adoption/switch-over rate.
  • by ledow ( 319597 ) on Friday April 20, 2012 @12:31PM (#39747097) Homepage

    He says himself that the equation is vastly oversimplified, and a small change in antivirus detection range changes the answer from 16 to 6%. That means the equation is all-but useless and pointless to try to "predict" anything except, apparently, in hindsight.

    I could have plucked any number I liked out of the air and wrote a (reasonable) equation to make it come out with whatever answer I wanted, even basing it on "game theory" (which has very, very, very little relevance here, actually) - I could have done that even before I graduated in mathematics (including Game Theory) over a decade ago.

    When enough Mac's exist to make it viable (and market share has little to do with it compared to "number of computers active on the Internet" of that particular model), viruses will target them. Guess what, same for every other platform on the planet. If someone miraculously sells a popular device based on MINIX that millions start buying, eventually someone will write a virus for that platform.

    Seriously - don't give it the press.

    • by Nidi62 ( 1525137 )

      I could have plucked any number I liked out of the air and wrote a (reasonable) equation to make it come out with whatever answer I wanted, even basing it on "game theory" (which has very, very, very little relevance here, actually) - I could have done that even before I graduated in mathematics (including Game Theory) over a decade ago.

      I'm curious to know what model in game theory he used. My experience with game theory from my Master's degree is political in nature, so the ones I'm most familiar with are the Prisoner's Dilemma and the Stag Hunt. Neither of these really apply in this situation. I can see what he's trying to say, that the combination of Apple's marketshare growing large enough while Microsoft's users average growing more security-conscious makes Apple that much more attractive of a target, I just don't know what game th

    • That means the equation is all-but useless and pointless to try to "predict" anything except, apparently, in hindsight.

      Welcome to the world of soft science, where everything causes cancer and housing prices continue to rise without limit.

    • The point of game theory isn't to make precise exact predictions about social phenomenon. They are just trying to show how the relationship of many factors could cause a platform to be targeted by viruses.

      Rarely does the math of game theory make precise predictions in the real world. They give you a general guideline, but there are too many variables to account for everything.

  • Winning formula (Score:4, Insightful)

    by chepati ( 220147 ) on Friday April 20, 2012 @12:31PM (#39747103)

    Let's see what our wise men can come up with:

    1) Write a "scientific" paper, make assumptions, use some "algorithm", predict event A
    2) Wait
    3) Observe empirical evidence
    4) Revise initial paper
    5) Bask in peer admiration

    Did I miss anything?

    • Re:Winning formula (Score:4, Insightful)

      by Haedrian ( 1676506 ) on Friday April 20, 2012 @12:45PM (#39747269)

      That's how Science works.

      You build a model, you predict things, you test it. If it fails, you fix your model, you test it again.

      Now we'll see how his next prediction holds and we can then judge his model

    • Wrong. In your example that's the equivalent of saying the Ideal gas law is:
      PV = nRT + C where C is some constant and r is 8.3144621 J/mol K so the pressure
      is (nRT + C)/V

      A better example is claiming that the pressure P is (nRT)/V with a given value of nRT and V.

      In the former case the model is simply wrong, in the latter case the model is right and has a given starting condition.

      All they've said is now that the temperature has changed the pressure is P'. You could easily plot the necessary market share vs

    • Did I miss anything?

      6) ????
      7) Profit!!!

  • by Shamanin ( 561998 ) on Friday April 20, 2012 @12:32PM (#39747109)

    Now even you can quote Game Theory thanks to Stanford Engineering online course offerings!

  • Since the number of hosts a virus will likely infest grows exponentialy with the share of the population not imune to it (until that share reaches somewhere near 25% of the hosts), those anti-virus should make infecting a Windows machine orders of magnitude harder.

    As usual, the press article doesn't include the actual equations. So, it is impossible to know if the study took actual infection spread equations into account.

  • by Loopy ( 41728 ) on Friday April 20, 2012 @12:36PM (#39747167) Journal

    While I realize there may be some outrage over the "overconfident" label, it does make sense in terms of learned behavior. More specifically, Windows users have known malware has been rampant for so long that:

    A) they're used to having to use antivirus, firewalls and other "security" type apps

    B) Windows has steadily improved its built-in firewall and anti-trojan features to combat real and perceived vulnerability

    C) Windows-based PC OEMs and system builders install anti-virus by default and have for quite some time now.

    I can't say whether Macs get a/v software by default but despite our joking about macs not being susceptible to malware, that view is held by far too many mac users. While it might be true statistically speaking relative to Windows, it is unhelpful in being a rightfully vigilant denizen of this wretched hive of scum and villainy we call the Internet.

    • Mac have no A/V stuff on them by default. Apple does do some anti-malware fighting on a per-item basis these days with updates, but there's no A/V program as you'd normally think.

      You can get them, but they don't come installed, and Apple doesn't have or recommend any because they are interested in admitting that viruses are now a Mac thing too. Some of the major A/V vendors have Mac versions. Kinda hit and miss as to which companies have decided it is worth it to port to the Mac. Sophos is one I know does (

  • Security through obscurity is no way to go through life.

  • Apple has dominated the high end of the -personal- computer market at least in the US, making it a more lucrative target for attempts to steal personal information.

    On the other side, is there any way to measure how easy/difficult it's been to develop successful viruses on platforms, MacOS, Windows (XP, Vista, 7, 8), various Linux distributions, etc?

  • by LetterRip ( 30937 ) on Friday April 20, 2012 @12:42PM (#39747233)

    Probably failing to take into account the value of the targets compromised was the biggest flaw.

    Since the average apple user will be far more profitable (apples are a luxury good and thus will have a higher percentage of wealthy users) to compromise than the average pc user, he needed to adjust the numbers downward to take that into account.

  • by SilverJets ( 131916 ) on Friday April 20, 2012 @02:38PM (#39748615) Homepage

    It doesn't matter the platform. Mac, Windows, Linux. Stupid users get viruses. They're the ones clicking on every farking attachment in every farking e-mail they receive without first doing a simple visual check of the email (ie. reading it). They're the ones downloading executables from unknown or untrusted sources and running them on their computers. They're the ones that believe every little farking web browser pop-up informing them that their computer is infected and THEY MUST CLICK HERE NOW!!!!! (Hint: web browser != anti-virus )

  • by Rambo Tribble ( 1273454 ) on Saturday April 21, 2012 @11:10AM (#39755991) Homepage

    Mac owners tend to occupy a higher-income demographic, increasing their attractiveness to criminals. Would you target someone with a $500 bank account or a $50,000 account?

    This factor helps Linux, with its third world popularity, but complacency is always the Devil's playground.

When you are working hard, get up and retch every so often.