Malware, Macs, and crying wolf: Doing the math

Love Apple gear? Like math? TUAW's Doing the Math series examines the numbers and the science that lie behind the hardware.
The contentious subject of Mac security has been back in the news in recent weeks following the emergence of a fake antivirus package called MacDefender (also known as Mac Security and Mac Protector) that managed to steal a number of users' credit card details, and a new piece of "crimeware" called Weyland-Yutani BOT which allows non-technical hackers to easily create password-grabbing webpages that specifically target Mac browsers.
This prompted a fresh round of "the Mac is under attack! Malware will drown us all! Exclamation!" blog posts, followed by the usual backlash against them. On the alarmist side, Ed Bott wrote "Coming soon to a Mac near you: serious malware", predicting doom, gloom, and dogs and cats living together.
The case for the defence was eloquently made in an article entitled "Wolf!" by Mac uber-blogger John Gruber where he simply collected assorted "Mac malware is inevitable" quotes from prominent analysts... going back to 2004, and all clearly unfulfilled in the sense of widespread attacks or exploits in the wild. Bott responded with a thoughtful post where he made a more reasoned case that malware for Macs really is inevitable in the long run, regardless of how inaccurate previous predictions have been.
So who's right, and who's wrong? Is it time to run to the hills or are people just sounding the gong of panic unnecessarily? In this post I'm going to try and dive a little deeper into the issues surrounding Mac malware, hypothetical and real, and separate the headlines from the facts.
I'm on the hunt, I'm after you
Why does malware even exist? Broadly, there are a few reasons why someone would choose to attack the security of your computing platform, whatever it may be:
- Intellectual curiosity, security research, and bragging rights.
- Vandalism -- perhaps casual or highly-targeted cyberwarfare attacks.
- Botnets -- using the infected computer for nefarious ends.
- Data stealing -- spyware and keyloggers.
Think about how these motivations intersect with the world of Apple products. The intellectual curiosity angle is an excellent reason to hack Macs -- and, indeed, we regularly see the annual hacking contest Pwn2Own highlight previously unknown OS X security flaws (in 2009, 2010, and 2011), with the researchers walking away with big cash prizes for doing so. Indeed, Mac OS X and iOS's reputations as more secure platforms mean greater bragging rights for successful attacks -- so Apple OSes tend to attract attention from hackers who are in it for the challenge (and/or the headlines).
However, these researcher guys are not the people to be worried about. They are mostly "white hats", meaning that when they uncover an exploit they tell Apple about it and then keep quiet until it can fix the problem and issue a security update. The direct threat to users from their work is minimal. They're not out to hurt anyone.
I'm lost in a crowd
The other malware motivations -- vandalism, botnets, and data theft -- are clearly very different. These are hostile attacks and, petty vandalism aside, there's big money to be made from them. Botnets made up of millions of infected PCs can be leased as spam engines pushing out knock-off pharmaceuticals, porn, and intricate stock pump-and-dump schemes. Spyware can automatically capture credit card numbers by the tens of thousands, uploading them to central servers for the creators to collate and sell on to organised crime. If they can get iTunes passwords, they can place fraudulent purchases in the App Store and bank any royalty payments Apple pays out before they're rumbled. There is an entire black market economy behind almost all modern malware activity -- and it's thriving.
The Mac has one big security blanket in this area: market share, or more specifically, the lack of it. Calculating market share is tricky, and depending on how it's done, gives quite different results. For example, research firm Gartner showed Mac sales making up 7.4% of all sales in 1Q09, which had grown to 9.7% by 4Q10. MacRumors has a nice graph of Gartner's estimates between 2006 and mid 2010.
Gartner is only considering sales of new computers, so its figures don't reflect how many computers are actually in use out there; consider that older Macs often enjoy a longer life than older PCs. A different approach to allow for this was taken by Pingdom, which tallied up hit counts, tracking which operating systems visitors to popular web sites were using in February 2011. It suggests that market share in some areas, including the US, Canada, and a number of European nations, was between 11.7% and 17.6%.
So what does that mean for the malware vendors? It's reasonable to assume that if all the computers in the world were Macs, then all the hackers would be after them; if just a handful were, then clearly the hackers aren't going to bother. The critical question is where the line lies between the two extremes. An interesting 2008 article (PDF link, or there's a good summary), by Dr. Adam J. O'Donnell, then working at Cloudmark and now at SourceFire, for IEEE Security & Privacy, used game theory to attempt to answer that question.
O'Donnell asks at what point malware would reach a "tipping point" -- how many Macs do there have to be in the world before malware targeting them would give a better return on investment than malware targeting Windows PCs? With the assumptions that PC virus scanners are 80% effective and that no Mac users use antivirus, the answer was 16%. In other words, if 16% of all the computers in the world were Macs, then the black hat hackers would make more money from attacking Macs than they do by attacking PCs.
Taken with the Pingdom result, and assuming for a moment that you don't want to quibble with the assumptions and mechanisms, this is a disquieting result. It suggests that, for the first time in history, Mac malware is becoming economically desirable -- partly due to the Mac's rising market share and partly because better security in the Windows world is changing the balance.
Even if you can pick holes in either Pingdom's or O'Donnell's methodologies (and please feel free to do so in the comments), I do think the conclusion O'Donnell arrives at is a common-sense one. As Mac market share increases, the amount of money to be made from writing Mac malware increases with it. Logically, there has to come a point at which the "X" in OS X starts to look like a plump and juicy target.
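To make the tipping-point arithmetic concrete, here is an added example (mine, not code from the article or from O'Donnell's paper) that models an attacker's expected payoff as proportional to the share of all machines that are both on a platform and unprotected, solves for the break-even Mac share, and sweeps the assumed Windows antivirus effectiveness p to show how sensitive the 16% figure is to that one parameter. The payoff model itself, and the optional parameter q for Mac-side antivirus effectiveness, are assumptions of this example; the article's own case is q = 0 (no Mac users run antivirus).

```python
"""Break-even Mac market share for attacker attention.

Model (an assumption of this example, not a reproduction of the paper's
derivation): an attacker's expected payoff from targeting a platform is
proportional to the fraction of all machines that are on that platform
and unprotected. Windows machines are covered by antivirus with
effectiveness p (the article's assumption is p = 0.8); Mac machines by
antivirus with effectiveness q (the article's assumption is q = 0).
"""


def payoff(share: float, av_effectiveness: float) -> float:
    """Fraction of all machines that are on this platform and unprotected."""
    return share * (1.0 - av_effectiveness)


def tipping_point(p: float, q: float = 0.0) -> float:
    """Mac share m at which attacking Macs pays as well as attacking PCs.

    Solve m * (1 - q) = (1 - m) * (1 - p) for m:
        m = (1 - p) / ((1 - q) + (1 - p))
    With q = 0 this reduces to (1 - p) / (2 - p), which is 1/6 for p = 0.8,
    matching the "1/6th of the market" figure quoted from O'Donnell.
    """
    if not (0.0 <= p <= 1.0 and 0.0 <= q <= 1.0):
        raise ValueError("effectiveness values must lie in [0, 1]")
    denominator = (1.0 - q) + (1.0 - p)
    if denominator == 0.0:
        raise ValueError("both platforms fully protected: no tipping point")
    return (1.0 - p) / denominator


def macs_more_attractive(mac_share: float, p: float, q: float = 0.0) -> bool:
    """True when the Mac population already yields the larger unprotected pool."""
    return payoff(mac_share, q) > payoff(1.0 - mac_share, p)


def sensitivity_table(p_values, q: float = 0.0):
    """Tipping point for each assumed Windows antivirus effectiveness."""
    return {p: tipping_point(p, q) for p in p_values}


if __name__ == "__main__":
    for p, m in sensitivity_table([0.5, 0.7, 0.8, 0.9]).items():
        print(f"Windows AV {p:.0%} effective -> Macs pay better above {m:.1%} share")
    # The article cites Pingdom's February 2011 estimate of 11.7%-17.6% for some regions.
    for share in (0.117, 0.176):
        print(f"At {share:.1%} Mac share with 80% Windows AV, Macs more attractive: "
              f"{macs_more_attractive(share, 0.8)}")
```

Running the sweep shows why the 16% number should be read as an illustration rather than a threshold: moving p from 80% to 90% drops the tipping point below 10%, while p = 50% (the median accuracy O'Donnell reports for new samples) pushes it to a third of the market. Within the article's own Pingdom range, 11.7% is below the p = 0.8 break-even and 17.6% is above it.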
Stalked in the forest, too close to hide
What about that really powerful meme that Macs are secure by design and don't suffer from the security holes of Windows?
Unix was originally designed as a multi-user operating system, and as such, it's built around the idea that not every user is created equal. System administrators can do everything; normal users can access only their own files and cannot make changes in the base OS; server software like the Apache web server is usually configured to run with as little control as possible. If an attacker finds a security problem in Apache and takes control of it, they can't go on to run amok on the computer. Mac OS X inherited this structure from NeXTStep and the Mach kernel at its heart, and iOS inherited it from Mac OS X.
Windows, famously, didn't have these baked-in concepts. For many years and through many versions of the operating system, every program that ran on Windows ran at the same security level, which means things like viruses could more easily spread from machine to machine. Additionally, many pieces of built-in software like the SMB networking layer used for file sharing weren't built with security in mind, and were broken into time and time again.
However, this view of Windows is rather outdated. In Windows XP and Vista, Microsoft paid a lot more attention to these matters, the most user visible result of which was the much reviled User Access Control. In Windows 7, it's generally accepted that Microsoft's security story is as good as it's ever been, meaning malware authors and criminal enterprises tend to focus on the lower-hanging fruit of the less-well-protected Windows XP (still the world's most popular OS by a wide margin).
Malware gets into your computers in (broadly) one of three ways: it finds a hole in something you're already running, it tricks you into running something new that seems innocuous, or it piggybacks on something legitimate. As Microsoft has improved its base security, most malware on Windows has moved, and is now focussed on fooling the user into installing something they think they want which turns out to also contain the password grabber or botnet client they certainly didn't.
Macs are equally vulnerable to these sorts of techniques. Consider also how often, when installing a piece of software, Mac OS X pops up a dialog asking for your password, and you enter it. That step has some very serious ramifications; the software installer now has much greater access to your operating system and can install anything it wants -- good or bad -- with impunity. And yet most of us don't pause to think about what we're doing; we just enter the password and let it get on with things. Even without that password, there are still plenty of nefarious things that a program can do.
OS X's Unix underpinnings help, but they aren't a magical shield either. Consider the recent problem with Skype, or the large number of security holes in OS X itself that Apple fixed in the April 2011 security update for OS X 10.6.7. Third-party browser plugins and OS components are also notorious for bringing along their own security issues (Java, Flash, etc.).
The best you can hope for is that Apple has done its work well, found most of the holes, and closes the other holes quickly when they are uncovered. Unfortunately, that's not always the case. Gruber has noted that its response is sometimes sluggish, for example taking 75 days to issue a patch for a serious problem with OpenSSL in 2009.
Aaaaand I'm hungry like the wolf
So, lots of words later, who's right? Is the year of Mac malware like the year of Linux on the desktop, or is it time to crack each other's heads open and feast on the goo inside? Is continued sarcasm about the Mac malware threat dangerous? Don't forget, many of the security experts warning us to invest in Mac security also work for security firms selling security products. When umbrella salesmen predict rain, it's wise to be skeptical. (And on the gripping hand, journalism that tries to navigate nuance between the poles of hysteria and sarcasm rarely attracts as much attention as more hyperbolic writing, so keep that in mind when evaluating media coverage of the issues I am discussing here.)
I believe it's a little of both, but I'm more on the skeptical than the panic side. Certainly, I don't run any antivirus on my Mac, nor am I about to start doing so (although other TUAW team members do, for various reasons, and there are good free options). On the other hand, I'm sure there are people out there whose naïve belief that their Mac is immune to security threats is so strong that they end up falling for phishing scams delivered via an email they just happen to read in Mail. I think that worldview is perilous.
You have to make up your own mind. At the very least, I'd urge you to be conscious of the issues, and don't blindly download and run programs from sketchy websites. If you feel you'd like to go further, there's a good overview of Mac security options on Lifehacker, and we've covered many security programs on TUAW.
I'm going to give the last word to Graham Hibbert, who said in response to the Wolf! post on Daring Fireball, "The point of the story that I think John [Gruber] missed, is that the last time, there was a wolf, and no one believed the boy."
Show me ONE single SYMPTOM from a "virus" or "malware" on OSX *WITHOUT* the user running an installer, and inputting their admin password. You won't be able to find any. There hasn't been a single SYMPTOM from any of these "threats" EVER on OSX. Anyone can install a program to f**k up their computer - duh! I can also willingly shoot myself in the foot! Should I walk around with bullet proof shoes to prevent myself from shooting myself in the foot? I know, I know ... I'm getting really philosophical here. But isn't philosophy what this issue is really about? People *think* there are threats to Macs, however the only threats have been things that would be considered a comical self-inflicted wound. Again, show me ONE symptom that has appeared on OSX without the user going through a full blown installer.
What did the MacDefender program even do to the OS? NOTHING! OOOHHHH NOOO it put a startup item in my startup items list!!!! OMG!?!!?! Ok lemme start this serious virus removal by removing the startup item! OK done...that was friggin hard!!!
If I really gave a rats behind about some self inflicted wound that I did to myself such as MacDefender, all I would have to do is boot off my Leopard disk and run an "Archive and install" which would leave my user folder and applications intact while completely rebuilding the OS. All better, and without any noticeable change! Too bad rebuilding your computer on Windows isn't as easy as that! Poor Windows users =[ . So let it be known that even in the case of the laughable "Macapolipse", all the Mac users will need to do is boot off the OSX Boot DVD and run an "Archive and install". Sounds scary!
There aren't any current threats to OSX other than the user's stupidity. I don't like to resort to insults, but when people act like these lame-duck attacks are anything Mac users should be worried about - it's insulting to the truth. As I said before, when ONE person can show ONE symptom from an attack without running an installer and entering your admin password - then I'll give two s**ts about what these ignorant fear mongering n00bs say about Macs.
"Show me ONE single SYMPTOM from a "virus" or "malware" on OSX *WITHOUT* the user running an installer, and inputting their admin password." -> you realise almost all Windows malware these days requires the user to run an installer and click through the User Access Control dialog, right? Viruses that spread automatically haven't been a focus for for-profit malware authors for years, because once the security hole the virus targets is patched it's useless. On the other hand, users can always be tricked into installing things.
So if your argument is that "Macs don't have a malware problem because users won't click to install malware" then Windows doesn't have a malware problem either. Unless you think Mac users are less likely to be fooled than Windows ones, perhaps?
Does Windows have a malware problem, in your opinion?
There's a fast and easy program that kills all the MacDefender strains on Macupdate.com: http://www.macupdate.com/app/mac/38520/macdefenderkiller Works great for a lab environment when you have hundreds of CPUs that are infected. It even patches the pref in Safari to not allow safe files to run.
May 19 2011 at 10:06 AM
Dennis Fisher wrote: "Security is about technical measures, like the strength of the locks on your doors and windows. Safety is about the likelihood that you'll actually suffer from some sort of attack. The evidence suggests that Mac OS X has been and remains secure enough to be safe, and safety is what real people actually care about."
May 15 2011 at 12:46 PM
That quote was from John Gruber commenting on Fisher's post, rather than by Fisher himself:
http://daringfireball.net/linked/2009/05/13/security-safety
It's also two years old (dated 13 May 2009). That doesn't mean it's necessarily invalid today, but two years is a long time in computing; statements about the state of the art need to be re-examined from time to time. A lot of people lost credit card numbers to Mac Defender. Those people clearly weren't safe.
And how many is many, do we have even a ballpark numerical figure yet? I wonder what the overlap is between those users and the people who got nailed by that iWork Trojan a few years back.
http://www.tuaw.com/2009/04/23/pirated-iwork-contains-botnet-trojan-breaks-hearts/
The ability to learn and think critically are lifelong skills. If one doesn't use them, computer malware is the least problem. I'm not saying this isn't a good shot across the bow of us Mac users and Apple, and I feel for those who got social engineered, however scams are scams.
Just the other day I had a "grass roots" organization come to my door looking for members to join so they could "x" (forgot what, it was something public good like parks or public land). They seemed fairly pushy about getting me to sign and make out a check so I asked for a card so I could take my time and consider. Turned out they were legit, but I'm not impressed with their track record. That could have been real life malware after the fashion of the good old widow scammers.
Maybe Apple is right to put a more iOS front end single application environment in Mac OSX. Maybe that way unknowledgeable users will have a better understanding when pushy malware dumps them out of the browser app and begins looking odd.
"With the assumptions that PC virus scanners are 80% effective and that no Mac users use antivirus, the answer was 16%. In other words, if 16% of all the computers in the world were Macs, then the black hat hackers would make more money from attacking Macs than they do by attacking PCs."
Right. So their calculation is PCs are at 100%-16%=84% of the market, and 20% of those are vulnerable, so that's 84%*20% = 16.8%. Oh, so the Mac 16% of the market that is 100% vulnerable (because no one uses antivirus) is just as big a target, all else being equal.
Problem is, all else isn't equal.
How about the sensitivity on that calculation?
What if Windows antivirus is 90% effective, not 80%? Well, then only 8.4% of the market is vulnerable Windows machines, making Macs ALREADY the bigger, juicier target.
Or, maybe Windows antivirus is only 70% effective. In that case 25.2% of the market is vulnerable Windows machines, and Macs are nowhere near the critical level.
So the wet-finger-in-the-air assumptions in that calculation are so nebulous that the result is completely worthless.
Hi Bruce,
Did you read the article you are criticising? I provided a link to it in my post:
http://www.securitymetrics.org/content/attach/Metricon3.0/j3attAO.pdf
Yes, have you?
As I pointed out, it all depends critically and sensitively on the estimation of the parameter "p", the probability of attempted defense being successful and that this is at best known only very approximately.
O'Donnell agrees with me on this.
I quote:
"AV engines fare far worse on new malware samples, with the accuracy rates at 80 percent for the best engines and a median accuracy rate below 50 percent across all products tested."
"If we assume that the accuracy on new malware stays at an optimistic 80 percent and that the malware writer's economy remains constant, then the Mac platform won't become appealing to attackers until it makes up 1/6th of the market for client systems."
He says that 80% effectiveness is optimistic and then goes on to use it anyway.
In my previous post I chose to use a relatively minor perturbation of that, 70%, and came up with Macs not being an attractive target until they reached 25% market share (actually, if you solve it properly the answer is 0.3/1.3 = 23.0769%).
But let's see what happens if we use the 50% effectiveness O'Donnell gives as his lower bound but doesn't follow up on. In this case, according to his formulas, Macs don't become an attractive target until they achieve 0.5/1.5 market share or 33%.
An elderly couple asked me about how to email their credit card number to an online store at an internet cafe many years ago, Netscape was still around then.
They asked me what the CC field was for on the email client, back then I didn't know what it stood for, I knew more or less what it does. Sensing my uncertainty they convinced themselves CC meant Credit Card and left me.
No one who is well-informed in technology is foolish enough to say that any OS system is malware proof - that state doesn't exist. MacOSX IS inherently virus resistant due to the effect of the systemic underpinnings of its kernel and the bottom to top rewrite to introduce it to replace the virus-ridden and problematic OS9 and progenitors. BUT it is time those of you who have friends who are new to Macs educate them in basic security when the opportunity presents itself. Things like convert your default login into an admin account with a very secure password, and set up a standard user account for everyday use. Make sure that your browsers are set to not auto-open downloaded material. Set Stealth on in the Security settings and/or "block all incoming" mode, depending on their needs. These are basic security controls that up the ante on protection and have very little impact on average consumer daily use by way of restrictive behavior.
Anti-virus, firewalls and encryption are not effective remedies or preventatives for general stupidity, and fools, such as they are, are both incidentally innovative and persistent.
And oh - I forgot - good article!
May 14 2011 at 10:23 PM
------any OS system is (not) malware proof - that state doesn't exist------
that actually is an incorrect statement, the correct statement is that no user of an OS system is malware proof,
you can easily have an OS system that is malware proof, by cutting out the user.... and I've proven it, I have an OSX server system that hasn't even been updated for 6 years, sitting with no user interaction, except that it is queried from the internet, it has only one main purpose, to be a honey pot.
no user touches it, and it hasn't even been updated, and it has never been "exploited" obviously, because no user can change it... and OSX was designed against exploits from pinging, and querying and such..
this article shows how much more secure OSX is naturally out of the box.
http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm
this isn't an either or case.
there is no malware that spreads by itself on a mac, the only malware that one should be concerned with on a mac, is the same kind that PC users have to add to their long list of concerns, the kind that is social engineering kind.
(the kind that assumes you are a fool and you will download anything if asked, or give up your password if asked in an email)
if you are Mac user, you can protect yourself 100% by simply being just slightly skeptical... if you are a PC user you have to be completely skeptical, and own AV software to protect from the many other viruses and worms.
if you are a mac user, and you install "anti-virus" software, you have just increased your odds of losing data from that software by 1 million times over losing it to normal malware, because of bugs in that AV software. worse, that "anti-virus" software did not do anything for any mac user wanting to download the "mac-protector" or whatever software.
that is how dangerous and useless "legit" AV software is.
so to be 100% protected, (on a mac)
1. never install AV software, (unsurprisingly this would eliminate the most recent threat)
2. never install any video "plugins" (or flash updates) that websites wish you to install. (that advice protects from the rest of the known malware threats for a mac)
3. and to be extra special, just plain don't install software where it asks you to verify your admin password from any source you have not actually gone to specifically to buy/get a program. or respond to emails doing the same. (even if it is from your bank, instead go to your bookmark instead)
then you are completely protected.
Even on the PC platform antivirus software is often more of a hindrance than a help. It encourages people to engage in risky behaviour because they think it will save them, while simultaneously playing on their fears so they're more likely to fall to 'defender' style trojans.
False positives keep users on a high level of alert, I remember last year spending hours trying to explain to somebody that his PC hadn't been virused by Blizzard and that World of Warcraft didn't contain a trojan. I'm not sure he ever really believed me. Symantec could do no wrong in his eyes.
I'm increasingly convinced that home AV software is itself a form of virus, or at the very least the equivalent of a guy who turns up at your door asking for 10 bucks a quarter 'protection' money.
Definitely to put AV software on a Mac would be daft at this point.
I read Bott's post, and my perspective is that it was a non-inflammatory repetition of FUD. He made the projective case, but the post ignored some substantial differences -in architecture- between Mac OS X and Windows. I don't know if it's because he doesn't consider those differences sufficiently significant to make a difference in his arguments, or he just doesn't understand the Mac platform.
May 14 2011 at 4:35 PM
This is the first article on security I've seen written by an Apple user that is actually sensible. Every other one I've read takes too hard a line in one direction or the other.
These days most of the infections on PCs either come through holes in third party applications (finger is pointing at you, Adobe!), or through social engineering. Last week I cleaned a bunch of viruses off of a roommate's computer that got there because he clicked on a popup in a browser telling him he was infected, which then installed all of the spyware and other bad stuff on his then-clean PC. Macs are fully susceptible to both of these. Nothing in the operating system can mitigate the effects of these types of attacks. Some third party app will always have bad code, and a certain portion of an established user base will always be gullible enough to fall for a social attack. Unfortunately, Mac users are probably more susceptible to the second type because so many believe their computers are totally immune to infection, when this is just not the case.
Kudos for taking a sensible approach. I wish all Apple users would do so.
That said, I do wish Apple took security more seriously. Safari in particular is a veritable hunk of Swiss cheese when it comes to security. And taking months (and in a few cases, years) to fix known vulnerabilities is just inexcusable. The arrogance of the company could be its undoing if it doesn't remedy its practices.
One simple way to increase your online security is to use an account which does not have admin privileges whenever you're online. So, while it may be possible to mess up some user files, the OS and applications are protected. I use my computer's admin account only while offline. Also, all my sensitive financial and personal data is stored under the admin account.
There is no such thing as perfect security, but being careful and maintaining regular backups will certainly help.