Apple malware flourishes in a culture of denial


Summary: It looks as though Apple's Mac OS X users have seen their first significant outbreak of malware, with Dr Web researchers claiming that more than 600,000 Macs have been botted by the drive-by Trojan, BackDoor.Flashback.


It looks as though Apple's Mac OS X users have seen their first significant outbreak of malware, with Dr Web researchers claiming that more than 600,000 Macs have been botted by the drive-by Trojan, BackDoor.Flashback.39. Since Macs make up only a small percentage of the PC market (65 million Macs vs 1.3 billion PCs), this would be roughly equivalent to the Conficker outbreak, according to F-Secure's chief research officer Mikko Hypponen.

Flashback's success has been assisted by the culture of denial that -- with Apple's encouragement -- exists in the Mac market. Most Mac users don't use anti-virus software because they believe that their machines are impervious to malware. This outbreak could make the Apple ecosystem more secure by encouraging more Mac users to defend their systems.

Apple could help. The company spent many millions of dollars on TV advertising that contrasted a hipster-style Mac guy with a more businesslike PC character, and the Mac's freedom from virus infections was a core message. One misleading advertisement may also have damaged the Windows security ecosystem by discouraging users from upgrading from XP to the more secure Windows Vista.

Apple could usefully spend a few millions running some more TV adverts to say: "Sorry, Macs CAN be infected, and we recommend you take precautions." Obviously, Apple will not spend any of its spare $100 billion helping its users in this way.

One of the interesting things about Trojan BackDoor.Flashback.39 is that it encourages a culture of ignorance among the most knowledgeable Mac OS X users. If Flashback finds that its target Mac is running certain geeky programs -- Little Snitch, Packet Peeper, Xcode, some anti-virus software -- it deletes itself. In other words, it tries to avoid infecting those Macs where it is most likely to be discovered, reported and ultimately disassembled.

If all Mac malware does this, then Mac experts will truthfully report that they can see no evidence of malware infections. This will reassure the ignorant majority of Mac users, whose systems can then be infected more easily.

Now, it is far from certain that Dr Web is correct in saying that more than 600,000 Macs have been infected. Dr Web used sinkhole tactics to measure the size of the botnet, so the number is believable. What is not so certain is that they are all Macs.

Today, Aleks Gostev (@codelancer), chief security expert at Kaspersky Lab, tweeted that:

Last night we sinkholed one domain of #Flashback. We can officially confirm the size of the botnet: more than 500k infected hosts. We are not sure that all 500k #Flashback bots are Mac users. I have some suspicions that a bot for Windows is probably also present in the wild.

To which Lucian Constantin (@lconstantin) replied:

Dr Web told me they counted unique IOPlatformUUIDs sent by bots to the C&C. Isn't that a HW ID unique to the Mac OS X platform?

Whatever the case, it remains a fact that a large number of Macs have been infected, and that a very large number are still undefended and (as Pwn2own has shown) easily hacked.
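The disagreement above comes down to what a sinkhole counts: unique source IPs (Kaspersky's figure) or unique IOPlatformUUIDs reported by the bots (Dr Web's figure). The following is an added example, not code from the article or from either vendor, that tallies both measures over a few constructed check-in lines in an assumed "client_ip uuid" format, so the two counts and their failure modes (NAT, roaming hosts, malformed IDs) can be seen side by side.

```python
import re
from collections import defaultdict

# Constructed sample sinkhole check-ins (not real data). The line format
# "client_ip uuid" is an assumption made for this illustration only.
SAMPLE_HITS = """\
198.51.100.10 3F2504E0-4F89-41D3-9A0C-0305E82C3301
198.51.100.10 3F2504E0-4F89-41D3-9A0C-0305E82C3301
198.51.100.10 7C9E6679-7425-40DE-944B-E07FC1F90AE7
198.51.100.10 1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D
203.0.113.5 9B2D6F8A-1C3E-4A5B-8D7E-0F1A2B3C4D5E
203.0.113.5 not-a-uuid
192.0.2.77 9B2D6F8A-1C3E-4A5B-8D7E-0F1A2B3C4D5E
"""

# IOPlatformUUID is a standard 8-4-4-4-12 hex UUID; anything else is suspect.
UUID_RE = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$", re.I
)


def measure_botnet(log_text):
    """Return unique-IP and unique-UUID counts plus the cases where they diverge."""
    ips = set()
    uuids = set()
    malformed = 0
    uuids_per_ip = defaultdict(set)   # NAT: many hosts behind one address
    ips_per_uuid = defaultdict(set)   # roaming: one host seen from many addresses
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                  # skip blank or garbled lines
        ip, uid = parts
        ips.add(ip)
        if not UUID_RE.match(uid):
            malformed += 1            # not a Mac-style hardware ID; count separately
            continue
        uid = uid.upper()
        uuids.add(uid)
        uuids_per_ip[ip].add(uid)
        ips_per_uuid[uid].add(ip)
    return {
        "unique_ips": len(ips),
        "unique_uuids": len(uuids),
        "malformed": malformed,
        "ips_with_multiple_uuids": sum(1 for s in uuids_per_ip.values() if len(s) > 1),
        "uuids_seen_from_multiple_ips": sum(1 for s in ips_per_uuid.values() if len(s) > 1),
    }
```

On this sample the IP-based count (3) undercounts the UUID-based count (4) because three hosts share one NAT address, while one UUID seen from two addresses is correctly counted once; the malformed ID is reported rather than silently added to either total.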

If Apple is not going to do the decent thing, then it still has other things to do.

For a start, Apple can improve its security updates, which lag behind the rest of the industry. In the current instance, which exploited a Java flaw, Apple patched a vulnerability in April that Oracle and others fixed in February. Often, Apple is even further behind.

Apple should also improve its processes so that it writes more secure software, as Microsoft did a decade ago. Again, this would also improve the Windows security ecosystem, since Apple programs -- along with Adobe software and Oracle's Java -- are among the most vulnerable installed on most PCs.

It remains to be seen whether Apple will go through the sort of malware crisis that led Microsoft to develop Service Pack 2 (SP2) to save Windows XP. After all, Mac OS is still a very small target compared with XP, where malware authors can profitably exploit security holes that Microsoft fixed at least two years ago. (The incidence of Conficker in large organisations, for example, proves that it's not just naive end users who are either too stupid or too incompetent to use some form of Windows Update.)

Let's hope Apple gets the message now, rather than waiting until its brand name is further tarnished in The New York Times.



Jack Schofield

About Jack Schofield

Jack Schofield spent the 1970s editing photography magazines before becoming editor of an early UK computer magazine, Practical Computing. In 1983, he started writing a weekly computer column for the Guardian, and joined the staff to launch the newspaper's weekly computer supplement in 1985. This section launched the Guardian’s first website and, in 2001, its first real blog. When the printed section was dropped after 25 years and a couple of reincarnations, he felt it was a time for a change....



1 comment
If anything, Apple should provide a free malware removal tool like Microsoft does. Mac OS X already has some protection against malicious downloads, although it's very basic. Mac OS X, like Windows, is still proprietary, so you will continue to see third parties develop anti-virus and anti-malware software for a price, which will discourage some from using these products. It's not like GNU/Linux where all of the software is free and open, and also free as in cost, in which case the only resource required is a few extra minutes of time.

I remember viruses that used to get spread by media such as zip disks and floppies before Mac OS X, so viruses on Macs are nothing new. Any operating system is vulnerable, but some are simply more vulnerable than others. I still see malware and viruses on the latest versions of Windows 7 with all of the patches. It happens. Incidentally, it should be pointed out that this latest wave of OS X malware was dependent on a security hole in Java (no surprise there).