Mac Malware (again)

An interesting comment was made to my last blog on Snow Leopard, Mac malware and all that. I’ve approved the comment, but since people who read the blog earlier won’t necessarily go back to see what comments it’s attracted, I’ll answer it here, at more length.

Mac User said that “Currently, the only way to get malware onto Macs is to persuade the user to install it.”

Commenter Adam said:

That’s probably true. If you know of Mac malware found in the wild that doesn’t work by tricking the user, then it should be easy to provide a few examples to rebut that argument. If you can’t, the argument still stands.

Clearly there’s a difference in interpretation here. To me, Mac User’s statement says unequivocally that there is no way right now to get self-launching malware onto a Mac. My point is that there certainly is.

Whether there is or isn’t “In-the-Wild” malware that is self-launching (and leaving aside the technical issues as to what “In-the-Wild” actually means) is a different issue. I don’t buy into the idea that if it isn’t “In-the-Wild” it doesn’t pose a problem: in the current threat landscape, the distinction between ItW and non-ItW is often meaningless in the face of sample glut and mutation through mechanisms such as server-side polymorphism. There is OS X malware that keeps re-serving modified code, but we’re obviously talking about a tiny fraction of malware compared to the millions of Windows-specific samples. But there’s a longer-standing objection to confusing “problem” and “ItW”: what isn’t ItW today, might be tomorrow, which is why commercial antivirus has never focused purely on what is technically “In the Wild”.

Adam continues:

Of course it doesn’t mean that “there is no way to install malware without the active participation of the computer user—period.”

I don’t know if that’s what Mac User meant, but it’s certainly how the article reads to me. If that’s how it reads to anyone else, then they need to know that the argument doesn’t hold water.

Who said that “all the Windows malware is self-launching”?

Having been a Mac user since 1989 (and having spent many of the intervening years supporting both Macs and PCs, among other platforms) I have read (and written) an awful lot of posts to Mac mailing lists, and I promise you that I’ve seen that assumption made many, many times.

There must be some way to pull this off, you’d need an unpatched vulnerability to weaponize and exploit and then to hijack a few websites to distribute the goods. I can’t see why it would be impossible (except that you probably couldn’t find one at the moment).

You could. And while I’m not going to be specific on that particular topic, you might want to think about how many vulnerabilities have really been dealt with by an operating system provider that not only supplies an older, less secure version of Flash with its latest OS release/upgrade, but apparently downgrades properly patched Flash versions to the same less secure version. 🙁

Apple are on a steeper learning curve than the company and some of its customers seem to realize: I just hope its customers aren’t going to pay for that educational process. And I say that even though I happen to think that there have been things that Apple has done better than Microsoft in the past, such as avoiding the Autorun trap.

And that’s not what that guy implied, he said that currently the threat is limited to a few trojans. True enough, this has been the case for the last 2 years. (The DNS changer trojan was first found in fall 07.)

Trojans matter. Irrespective of platform, they have far more overall impact nowadays than replicative malware, the occasional spike notwithstanding. And there’s more Mac malware around than you seem to realize: fake AV, rootkits, PoC viruses, fake codecs etc. By the way, technically, DNSChanger is more of a category than a specific Trojan or even Trojan family, though OSX/RSPlug.A is sometimes referred to as OSX/DNSChanger. But it’s not the only malware to use that particular approach.

As a matter of fact, some Windows vulnerabilities are used in website drive-by-download attacks, that’s a big difference between Windows and OS X.

And that is exactly my point. It’s a significant difference in current Mac malware, but not an intrinsic difference. Let’s be very clear: it’s only a “big difference” as long as there are no active exploits of Mac vulnerabilities.

User-launched malware matters but is less scary, it’s targeting the user.

And, despite some very high-profile, high impact Windows-specific worms, it accounts for most Windows malware. That may not scare you, but it does me, simply because it’s so successful. And I believe that it has the potential to be even more successful with Mac users as long as they believe that the “innate superiority” of OS X will provide them with more protection than is or can actually be the case.

At least users can learn good security practices, learn to recognize social engineering, etc. The File Quarantine feature, which already existed in Leopard, has been enhanced and it could help, too.

Windows users can also use protective measures (and do), and do learn good security practice. In fact, some of us have been attempting to help with that educative process for many years. But let’s not be naive. It hasn’t fixed the problem (though, unlike many security professionals, I do believe that education does mitigate it).

In all, I don’t see how MacLand is getting to be more dangerous, the number of known malware didn’t increase dramatically.

It’s undramatic compared to Window malware. It’s even undramatic compared to pre-OS X malware, especially if you factor in macro malware. But it’s steadily increasing, and if you look at it on a percentage basis year-by-year it’s not a trend you should be ignoring.

David Harley
Director of Malware Intelligence