Ready For the Big Mac Virus?
An anonymous reader writes "The IT security manager of the University of Otago, New Zealand, has been educating his OS X users in security best-practices. According to Mark Borrie, many Mac users believe they were immune to security problems -- a trap many Mac fans seem to have fallen into. He said around 40 percent of the computers at the uni are Macs. "On the security side of things I reckon the Mac community has yet to wake up to security. They think they are immune and typically have this idea that they can do whatever they want on their Macintosh and run what they like," said Borrie. "If I can get our Mac users up to speed and say 'you are not immune' -- so when [the malware] hits, hopefully we will be pretty safe," he said. "We want to be ready for the first big Macintosh virus -- because it will come. Some day, somebody will say 'I am going to create a headline and write a virus for Mac'," said Borrie."
Re:Are you ready? (Score:1, Informative)
MMMMmmMM HmmMMM I can't hear you!!! Viruses don't exist HHHHMMMMMMMM LA LA LA LA LAAAAAAAAAAA!
Durrrrr, it's thinking like that that leads to compromises.
Re:Are you ready? (Score:2, Informative)
Apple is now the fourth largest home computer distributor, experienced 30% growth last year, and has been slowly reducing the market share of Windows XP. Some figures place the current Mac market share as high as 16%. If you have a point, you're not making it.
Re:Are you ready? (Score:3, Informative)
Apple wasn't the only one. Tandy/Radio Shack and Commodore were also pretty major players during the early and mid-80s, but either also dropped off, leaving Apple to barely hold on as a niche player, with a far smaller orbit of developers.
Re:Hardware damaging virii (Score:4, Informative)
The monitor on the original IBM PC was borrowed from the IBM Displaywriter, which wasn't user-programmable. The PC's display card allowed setting the horizontal and vertical sync rates in software, not so you could change the resolution but just because the hardware was built that way. The monitor turned on when it got vertical sync. The horizontal sync, in typical TV style, was used to generate the input waveform for the high voltage supply for the CRT.
So if you set the vertical sync to normal and the horizontal sync to zero, the flyback transformer saw DC. With no inductive reactance to block the current, the flyback transformer would burn out. This would produce smoke. And there were viruses that did this.
But that's ancient history. Modern hardware-damaging viruses attack boot programs, firmware, and the keys in "trusted computing" systems. The effect can be a dead PC that cannot be restarted.
Re:Not BSE at McD's (Score:1, Informative)
"Paul Ducklin, head of technology in Asia Pacific for antivirus firm Sophos, agrees that security discussions about Mac OS -- and Linux -- are not constructive because too many users believe they are "secure by design".
"I know a lot of people that are 'linux heads' and they believe they are secure by design rather than accepting that they are actually secure by accident," said Ducklin, who pointed out that last year a very dangerous piece of malware was discovered for Mac OS X.
Dubbed Renepo (alias Opener), Ducklin said the malware: "turns off system accounting, turns off the OS 10 firewall, turns off auto updates, turns file-sharing on, opens an SSH back door, downloads and installs an open source video conferencing program and opens it in 'do not advise the user mode'."
Opening up an SSH back door certainly seems to be an effort to 'steal personal info'. It's exactly the belief that Macs are either secure by design, or not popular enough / too obscure to make them a tempting target for the authors that will make the first major widescale virus attack completely catastrophic for unprotected Mac users.
Re:Question about old Mac Viruses (Score:5, Informative)
At that point, it would do its virus things inside that emulation layer, probably corrupting some aspect of the environment. When you close the environment (just like any other application), the virus's activity would cease. The fix would be simply "reinstall the environment."
So if you needed to use the "Classic" environment for an old application, and you for whatever reason decided to install the virus or place a disk with a virus on it in your computer and run it in the Classic environment, yes, you could give yourself that virus. But that's hardly that much different than the numerous "Proof that you can intentionally break your system" scripts and applications that are around for every operating system.
In my experience, all of the old viruses that Macs got were macro viruses from old versions of Word. They have no way of propagating without writing to new documents, but the newer versions of Word are pretty inoculated against macro viruses IIRC.
The short answer to "What happens" is "not much if anything."
Look at the facts (Score:3, Informative)
Exploiting flaws in networked services
This is how Zotob got around. Microsoft shipped Windows with (I think) seven open ports by default. This colossal mistake ensured those too clueless or lazy to turn off unnecessary services would be the most vulnerable.
Microsoft finally fixed this with SP2, I believe, but the repercussions of all those insecure installs (and continuing insecure installs for non-SP2 Windows CDs) will take years to play out. That's why a worm like Zotob is still possible.
Needless to say, OS X has always shipped with zero ports open by default. (OS X does have mDNSResponder, which launches whenever you use Rendezvous, but that's all).
E-mail worms
ILOVEYOU spread by tricking users into launching a program. Outlook for a while didn't do a sufficient job of warning users that they were opening a potentially malicious application. Mail, as of Tiger, warns about executable programs before it lets you open them, making it more difficult to trick users.
It's not entirely rosy for Mac users. I don't think OS X has any particular protection against Word macro viruses (e.g. Melissa). But overall, it seems to me that OS X does a better job protecting against the two main vectors that viruses use to infect Windows.
Re:Not BSE at McD's (Score:5, Informative)
Re:Where's that power button again? (Score:3, Informative)
At any rate, I agree with you that Apple computers fare better with ease-of-use and productivity, and my point is that the two are not at all unrelated. Having an easy-to-use computer isn't just nice for grandmothers - it can be nice for advanced users as well.
P.
Re:Are you ready? (Score:3, Informative)
Linky 2 [slashdot.org]
And I made a mistake on the growth figure. It's 37%. But then again, you're just trolling to see how many Mac users you can make mad, aren't you?
Re:Are you ready? (Score:5, Informative)
Re:Not BSE at McD's (Score:5, Informative)
Not even close. Prions are non-functional isomers of proteins that can catalyse the functional form of the same protein into the prion form.
Viruses are packets of genetic material and enzymes that instruct the host cell's mechanisms to replicate the virus.
Prions are so much simpler than viruses that there's probably no link. Remember, Michael Crichton is a fiction author.
Re:Question about old Mac Viruses (Score:4, Informative)
Why it's not as much of a problem (Score:3, Informative)
Now up to that point it still sounds similar to what you are saying. Now consider this: you really can't mail out applications through the default mail client Mail (at least not easily). So right off the bat the virus has few places to go. People are just not used to running programs from Mail.
Also, Macs undergo a much more rigorous automatic update schedule than Windows does - once a week they check for updates. As they are generally very quick and easy to let in, people don't tend to disable this at all. So if an exploit is found Apple can get fixes in to protect most of the boxes.
FUD, FUD everywhere, but not a drop to drink (Score:4, Informative)
Microsofties (MS-fanbois) always like to ask "If OS X (or Linux) are superior, then why aren't they dominant?"
Fact: There isn't a SINGLE OS X worm or virus out there that isn't an equivalent of rm -rf
While theoretical vulnerabilities may exist, the fact of the matter is that you could buy a mac mini, turn off the firewall, plug it directly into a cable modem, and it WON'T get owned. Not within 5 minutes, not within 20 minutes, not within 6 months.
Obviously, good security practices will protect you in the future. Obviously, it's a good idea to monitor which services you are running, and to run a firewall.
You always hear Microsofties say things like "Windows is better because of install base. Greater software availability trumps superior architecture"
Or the $ per 'unit of performance' metric--- At any given price, a Windows prebuilt box will end up being cheaper, even though a Linux or Mac prebuilt box could theoretically perform better.
Well, you CAN'T have it both ways: At any given deployment level, an OS X box will not get owned. Period.
Eat it.
I'm tired of all this FUD. To idiots like the article author, and the guy quoted: Feel free to discuss how the *nix sky is falling (in terms of security) when we get daily exploits, and large corporation are shutdown because their *nix servers/workstations are passing e-mail viruses or tcp/ip worms back and forth.
Until then, SHUT-UP. Much like Duke Nukem Forever, the Phantom console, and economically viable Fusion, I'll believe it when I see. Keep repeating to yourself: There are NO Mac OS X viruses. Not one. Not 1/2 of one. Not a shadow of one.
End of story.
How about some actual numbers? (Score:4, Informative)
Re:But are users sufficiently secure? (Score:3, Informative)
Once the app is running, it can connect to port 25 on any computer it likes, and email itself to everybody in the world. That's the way Windows trojans work and I don't think OS X has any way to stop it. The only advantage OS X has is that if you mail to xjdfher@hotmail.com the odds of it being another OS X user are pretty low. But trojans are patient; what else have they got to do?
(On Windows I use ZoneAlarm which lets me know if a program is unexpectedly trying to use an outgoing port, and I assume Mac has an equivalent available, but I don't believe it's on by default because it's kind of a pain for inexperienced users to manage.)
More than one Windows trojan has gotten plenty of traction that way. Yeah, it involves an intervention on each and every new infection, but the ILoveYou virus spread pretty damn fast.
Re:Mac OS X is more secure, period. (Score:2, Informative)
The problem with this is that FreeBSD uses ELF binaries, and Mac OS X uses Mach-O binaries (not to mention that almost all Macs are still PowerPC based systems, and the PowerPC port of FreeBSD is still very alpha and not in widespread use). Therefore a Mac user would have to recompile the FreeBSD virus before it would run on his/her system. This would probably require a fair amount of social engineering, not to mention some moderately detailed instructions.
Remember the Morris worm? (Score:3, Informative)
What separates that from today is that it wasn't designed to do any actual damage (bugs in the code caused it to replicate wildly, causing the actual damage), and depended on there being a C compiler available.
Sigh, regardless of the damage done back then, it all seems so quaint in comparison to the stuff running around today.
Re:Are you ready? (Score:4, Informative)
Below are some excerpts from a US Department of Justice report [usdoj.gov]. Read them, and then decide if you want to face the facts or if you prefer to continue to hide your head in the sand. The facts are: our government can be (and was, and is) bought and sold like a cheap whore. Just because you think the claims sound outrageous doesn't mean they aren't true.
Between 1995 and 2000, Microsoft donated more than $3.5 million to federal candidates and to the national parties, about two-thirds of which was contributed during the 2000 election cycle alone. Including company and employee donations to political parties, candidates and PACs in the 2000 election cycle, Microsoft's giving (that of the company, its PAC and its employees) amounted to more than $6.1 million, far more than has been previously reported. Nearly $1 million came in the 40 days immediately before the November 7th election. As most political operatives know, these late contributions often are made by donors who don't want their participation known until after the election, when financial reports for the final days of a campaign are due, and public and news media attention are no longer focused upon the election. The effect of delaying contributions until very near the election is to thwart efforts by the news media and the political opposition to make disclosures meaningful to voters before they vote.
Comprising the majority of Microsoft's campaign contributions was soft money. Like their overall presence in Washington, Microsoft's soft money donations grew substantially since the beginning of the antitrust trial. In fact, in the seven days preceding Judge Thomas Penfield Jackson's ruling against Microsoft, the company donated more in soft money to the national political parties than it gave to federal candidates and political parties between 1989 and 1996.
23. During the 1999-2000 election cycle, Microsoft and its executives accounted for some $2,298,551 in "soft money" contributions, according to FEC records. For context, consider that this was two-thirds more than the $1,546,055 in soft money contributed by the now-bankrupt Enron and its executives during the same period.
As one business commentator put it: "there's something quite disturbing about watching the world's richest man trying to buy his way out of trouble with Uncle Sam. Gates's actions undermine the legal system itself."
25. While Microsoft has donated to both national political parties, the company has tended to favor Republicans, who have been more vocal in their defense of the company. Between 1995 and 1998, 72% of Microsoft's contributions went to Republicans, while the GOP received only 55% of the company's donations during the 2000 election cycle. Republicans received a total of $3.2 million, about half of which ($1.69 million) went to the national Republican Party.
37. While Microsoft contributed $100,000 to the Bush/Cheney Inaugural Committee in January 2001, virtually all contributions to presidential campaigns were made prior to July 31st, with the exception of contributions to Libertarian Party candidate Harry Browne's campaign. (This is presumably because, to be eligible for federal matching funds for the primaries and federal funding for the general election, major party candidates receiving are not allowed to solicit or receive campaign contributions after they are nominated at their conventions.) Only four primary presidential candidates received contributions greater than $10,000: Bill Bradley, $33,400; George Bush, $57,300; Al Gore, $28,000; John McCain, $39,448.
Re:Are you ready? (Score:5, Informative)
Both of you are completely wrong, and the "IT security manager of the University of Otago, New Zealand" is very right.
You both give false evidence why a Mac is more secure, and you think your evidence is right.
E.g. ever heard about AppleScript? How difficult do you think it is to write an AppleScript that traverses the Address Book and sends an email to everyone in it with Mail.app?
No SMTP needed.
Same for attachments. They are not "executable" by double click, but when you get a mail from a "friend" telling you to save the script and launch it...
A script/virus sent to a Mac user has all rights the user has, besides exploits aiming at more rights. So the script/virus can do everything the user can do: like searching the hard drive and mailing the last presentation, Excel file or Word file to a given address.
With the architecture of the OS, writing basic virus programs is even far easier than on Windows; only the automated execution and exploit traversal via Internet Explorer/Outlook/IIS and the gaining of root access is harder.
angel'o'sphere
Re:But are users sufficiently secure? (Score:5, Informative)
Now if you thought you just opened a jpg file, this should give you a little something to think about. Considering that a first-run for a program happens relatively rarely for most users, it isn't too distracting, but adds quite a bit of security.
Re:Remember the Morris worm? (Score:3, Informative)
Re:Are you ready? (Score:4, Informative)
An applescript that does something malicious is really no different than tricking a coworker or friend into typing "sudo rm -rf" at /, true?
However, I can tell you that Applescript is fine for individual use, or when rolled out across a controlled network, but scales poorly across different versions of applications. We use applescripts for numerous tasks at my workplace, and we need to get in there and tweak the source every time we update the OS or the applications.
Still, I don't see how "malicious script that triggers when clicked" is equivalent to a self-propagating virus.
I DO know exactly how easy it is to willfully destroy an OS X system, even on Tiger. I've taken the OS X 'help desk' class where the last test is where you run an applescript that destroys the system. It freezes the boot process, causes the loginwindow system to kick the user out after 30 seconds, changes all the user passwords, and more, and the "test" is to fix it all. Like most viruses, it is fixable with the proper knowledge, but it's truly a pain in the butt.
But, as I said above, convincing a user to run a malicious script just doesn't seem like a virus to me. In fact, it's not: [wikipedia.org] In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents (for a complete definition: see below). I don't see how that makes us "very wrong." Nothing that you say has anything to do with a virus. Just malicious scripting. Yes, a virus could trigger a malicious script, but those are two separate actions -- the virus that infects and propagates and delivers the payload. The payload is the script, which runs and corrupts the system.
Re:A petri dish for your DOOM, I say! (Score:3, Informative)
(in other words, Apple's move to Intel isn't going to mean a damn thing to virus writers, unless it's by virtue of more people installing Virtual PC.)
Re:A petri dish for your DOOM, I say! (Score:2, Informative)
I wonder because 1) Doesn't Linux run on Intel systems? and 2) Doesn't Windows also run on AMD systems and still get infested?
Re:Where's that power button again? (Score:3, Informative)
I'll further emphasize your point by slightly correcting this statement of yours: "The ports that don't need to be on, are off, by default"
Actually, a default installation of the end user version of Mac OS X does not have a single port opened. Run nmap on your LAN against a freshly-installed Mac, you won't find a single port opened. It has always been the way of Mac OS X, since its very inception. There is absolutely no valid reason for a default installation of an end-user version of an operating system to be listening on any port. Apple grokked that. Duh. :)
A malicious program can be written for any platform. An actual virus will successfully spread itself. I wish crackers good luck with that on OS X.
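The "run nmap against a fresh install" check above can also be done from the host itself. The script below is an added example, not code from this thread: it parses `netstat -an` output in the BSD/macOS column layout (local address printed as addr.port) and reports which TCP ports are exposed beyond loopback and which UDP sockets are bound. The sample output is constructed, not a real capture; on a live host you would pipe the real `netstat -an` into the same functions.

```shell
#!/bin/sh
# Added example, not from the thread: audit which ports a host is really
# listening on from `netstat -an` output (BSD/macOS column layout, where the
# local address is printed as addr.port). The sample below is constructed,
# not a real capture; feed real output in to check a fresh install.

# Constructed sample: SSH on all interfaces, CUPS on loopback only,
# mDNSResponder (5353) and a DHCP client (68) bound on UDP.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.49152      192.168.1.9.443        ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.5353                 *.*
udp4       0      0  *.68                   *.*'

# Split the last dotted component off a BSD-style "addr.port" local address
# and print "proto addr port" for every row matching the awk pattern in $2.
_rows() {
    printf '%s\n' "$1" | awk "$2"' {
        n = split($4, f, ".")
        port = f[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print $1, addr, port
    }'
}

# Every TCP socket in LISTEN state, one per line: "proto addr port".
listening_tcp() { _rows "$1" '$NF == "LISTEN"'; }

# TCP ports reachable from the network: listeners not bound to loopback only.
exposed_tcp_ports() {
    listening_tcp "$1" | awk '$2 != "127.0.0.1" && $2 != "::1" { print $3 }' | sort -un
}

# UDP sockets bound with no peer ("*.*" foreign address), i.e. waiting for input.
bound_udp_ports() {
    _rows "$1" '$1 ~ /^udp/ && $5 == "*.*"' | awk '{ print $3 }' | sort -un
}

# Stand-alone run over the constructed sample.
echo "Exposed TCP ports:"; exposed_tcp_ports "$SAMPLE_NETSTAT"
echo "Bound UDP ports:";   bound_udp_ports "$SAMPLE_NETSTAT"
```

On a real host, `exposed_tcp_ports "$(netstat -an)"` should print nothing on a default end-user install if the claim in this thread holds; anything it does print is a service to account for.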
Re:Are you ready? (Score:2, Informative)