Trojans, viruses, worms: How does malware get on PCs and Macs?

The hardest part of talking about computer security is getting everyone to agree on the nature of the problem. It’s especially frustrating when you’re trying to weigh the pros and cons of different strategies with someone whose view of the PC security landscape is outdated and inaccurate.

Case in point: What’s the best way to deal with malicious software on PCs and Macs?

You can’t answer that question—you can’t even start talking about it—until you know how malware gets installed in the first place. And there’s where the disconnect begins.

Judging from the reactions to my recent posts on OS X and malware, the Mac community has a pretty consistent collective understanding of how computer security works. Their worldview is based on opinions that might have been close to the mark in 2004 or 2005 but are just plain wrong in 2011.

They think, incorrectly, that Windows is inherently insecure. They assume, with no support, that large numbers of PC users are infected every year just by visiting websites or opening e-mails. And they believe, sincerely but also incorrectly, that OS X is inherently secure and that they are basically immune as long as they avoid doing stupid things.

Here’s the reality, for PCs and Macs:

• The traditional labels for malware categories—viruses, worms, Trojans, and so on—aren’t nearly as meaningful as they were 10 years ago.
• If you install security updates regularly, your risk of being affected by a drive-by download is virtually zero.
• A very small number of malware families account for virtually all malware infections.
• The overwhelming majority of malware is installed by the victim, who is fooled by social engineering.

Much of the discussion I read comes down to shorthand, like this: “There's malware [on Macs], yes. No viruses though.”

I have read variations on this theme over and over again in the Talkback section of this blog recently:

Mac Defender is NOT a virus. ... Mac OS X has ALWAYS been free of viruses... as opposed to Windows which has hundreds of thousands of viruses and new ones coming each day.

Indeed, that obsession with the word virus is a recurring theme in Apple’s support forums. Search for the phrase “there are no viruses” at discussions.apple.com and you’ll find plenty of examples, like this one from January 2011:

There are no viruses that run on OSX. None. Zip. Zero.

There is some "malware," such as Trojans, for Macs, though. But (unlike viruses that can get onto your system without your knowledge), you must approve their installation (via your Admin password) and/or operation (via the "This application was downloaded from the internet ..." prompt).

Sorry, but that’s not true. The Mac Defender gang already proved they can sidestep the requirement to enter an Administrator password. They already convinced tens of thousands of victims to install a small program that then downloads and installs additional malware without any user interaction. And it’s just a matter of time and financial motivation before they begin whacking at vulnerabilities in OS X.

And categories don’t matter. These days, actual viruses are almost unheard of. Melissa, back in the late 1990s was a real virus, the kind that copied itself to documents and spread via e-mail. Today, security professionals are more interested in what a particular family of malicious code does. The delivery mechanism is usually separate.

If this were simply a matter of semantics, I would let it slide. But it’s not. The obsession with these technical labels reflects a dangerously outdated view of computer security. If you can’t see past those labels and get an accurate view of the current threat landscape, you won’t be able to make smart, informed decisions for yourself or for others.

Or, put another way: We can’t even have a discussion if one side thinks the world is flat and the other thinks it’s round.

So let me give you the lay of the security landscape that PCs and Macs share in 2011, starting with how malware gets on PCs and Macs in the first place.

Page 2: Where does malware come from? -->

<-- Previous page

Where does malware come from?

On Windows machines, some malware comes from drive-by downloads. You visit a website, you get infected by a piece of script that triggers a buffer overflow that allows the malware to stealthily install.

If you keep your system fully patched, you are almost certainly not that victim. Those types of attacks are typically successful only with PC owners who haven’t installed the latest security updates. Most such exploits, in fact, target vulnerabilities that were patched years earlier. A 2009 Kaspersky report concluded, “With very few exceptions, the exploits in circulation target software vulnerabilities that are known – and for which patches are available.”

The number of drive-by installations is small. So how does the majority of malware get on a PC or Mac? Most attacks today succeed by convincing the victim to do the actual work.

A 2010 study by Bruce Hughes of AVG Technologies, says “Social engineering trumps a zero-day every time.” It concludes that “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.”

How do those big numbers translate into the actual families of malware that end up on user’s machines? You can get a pretty good idea by looking at data from Microsoft’s most recent Security Intelligence Report. The report contains two interesting top 10 lists representing threats faced by consumer and enterprise populations, respectively. In all, this combined list accounts for between 54% and 56% of all malware that was detected on Windows PCs by any Microsoft security product in 2010.

Let’s go through the list (note that because of overlap between the consumer and enterprise lists there are fewer than 20 entries here).

The biggest infection of 2010, by far, was Conficker. This is a worm that spreads via file shares, mostly on corporate networks. At its peak, it represented 22% of all infections detected on domain-joined computers.

Conficker’s means of propagation is a vulnerability in the Windows Server service. This vulnerability was fixed in October 2008 by Security Bulletin MS08-067, which patched Windows 2000, XP, Vista, Server 2003, and Server 2008. (Windows 7 was never affected.)  There’s no excuse for that patch not being installed nearly two years later, in 2010.

The lists contain multiple families classed as Trojans, which typically rely on social engineering to spread:

• Frethog and Taterf are password-stealing Trojans that show up in both the consumer and enterprise populations. They were originally identified in May and June 2008, respectively.
• Alureon (aka Zlob) is a data-stealing Trojan found mostly in the enterprise space. It dates all the way back to March 2007.
• Renos is a family of fake security software that’s classified as a Trojan Downloader & Dropper, much like Mac Defender. It dates back to April 2007. FakeSpypro, a more recent variant, was originally identified in May 2010.

RealVNC, a legitimate remote terminal program, also made it on the list, under the category Potentially Unwanted Software. If it’s installed by an intruder, it can be used for malicious purposes. It was detected on more than 5% of domain-joined PCs.

In the consumer populations, four browser-based families of threats—not malicious, just annoying—made the Top 10 list. All are typically installed by means of social engineering.

• Adware:JS/Pornpop.A, added to the encyclopedia in August 2010, isn’t a piece of software at all. It’s a snippet of script from a web page that is activated within an iFrame in any browser. Microsoft’s security software usually picks up on this one when it scans the browser’s cache.
• Zwangi is a browser hijacker, first spotted in October 2009.
• Hotbar, which has been around as long as I can remember, is an annoying adware program.
• ClickPotato is a relatively new family of “multi-component adware” that displays pop-ups and ads. It often tags along with Hotbar.

The latter three programs are typically installed along with smileys and other bits of fluffy software aimed at noobs and rubes.

Finally, there are a family of interesting Trojans that combine social engineering with the AutoRun feature of USB drives and file shares:

• Autorun is a generic worm that attempts to copy itself to mapped drives, then writes an autorun configuration file (Autorun.inf) pointing to the executable file. It’s usually accompanied by other malware variants
• Rimecud is a backdoor that spreads by way of removable drives and instant-messaging programs.
• Hamweq is an IRC-based backdoor program that spreads via flash drives.

The AutoRun feature doesn’t actually install the malware. Instead, it uses the AutoRun feature to open a dialog box that tries to trick the user into running an installer.

The behavior that made this social engineering possible was changed before Windows 7 was released. The behavior was modified in the same fashion for Windows XP and Windows Vista by means of Optional updates that were published in February 2009 (KB967940) and August 2009 (KB971029). As of February 2011, they are delivered as Important updates through Windows Update.

So add it all up. Among the top 10 threats in both the consumer and enterprise populations, one exploited a vulnerability that had been patched more than a year earlier, and the rest consisted of Trojans and worms that relied on social engineering to land on a victim’s PC.

Page 3: Malware, viruses, and worms -->

<-- Previous page

What's a virus, anyway?

I’ve been writing about Windows security since before the turn of the millennium. Every edition in the Windows Inside Out series of books, starting in 2001, has had a lengthy section on security. Back in 2002, I co-wrote Microsoft Windows Security Inside Out for Windows XP and Windows 2000.

In every previous edition, the section on malicious software started with a lengthy glossary, explaining the differences between viruses, worms, Trojans, spyware, and other esoteric terms.

For the Deluxe Edition of Windows 7 Inside Out that went to the printer this week, I ditched that section completely. In 2011, those lines have become so blurred as to be practically meaningless.

Microsoft’s most recent security report lists threat categories by family. (The totals add up to more than 100% because some variants fall into multiple categories.)

You’ll find viruses down at the bottom of the list, just above spyware, which was a very big deal in 2005 but is practically nonexistent now.

I asked Microsoft for details on what exactly was included in the Viruses category, and they were kind enough to provide a list that wasn't in the original report. Interestingly, the two entries at the top of the category were already on the top 10 list. Some variations of the Alureon and Frethog Trojans can be technically classed as viruses, because they inject code into system files as part of the infection process.

I found the last entry on the Top 10 Viruses of 2010 list even more interesting. Microsoft’s virus encyclopedia goes on for page after page with variants of malware in the Delf family. It starts with Adware:Win32/Delf and continues over 40 pages until Worm:Win32/Delf.ZAB. That’s 2,359 variations from a single obscure family, covering just about every category in the malware universe.

And there’s the numbers game in a nutshell. I saw a headline from someone today marveling at the fact that there are 67,000 new threats aimed at Windows every day. Well, that’s only sorta kinda true. Most of those “new threats” are microscopic variations on an existing one, cranked out on the fly by automated malware toolkits that have learned how to slide past signature-based antivirus software.

And so we come full circle. Although it’s an odd way to look at things, malware is actually a market. An unfortunately healthy, thriving market. On the PC side, it’s large and mature, with reasonably skilled coders cranking out malicious product quickly, and an army of white hats well equipped to deal with them.

In the Mac universe (and in Android-land too), the malware market has only just begun to take off. The opportunities for malware developers on new platforms are practically endless. So, unfortunately, are the challenges for those who have to fight them off.

The good news about the bad guys is that they’ll be using a very predictable playbook. Those in the Mac security business who are willing to learn hard-won lessons from their PC counterparts will find life considerably easier. Those who insist that Macs and PCs are fundamentally different are in for a rude shock.