Why malware for Macs is on its way

Summary: This isn't about Mac-versus-Windows. It's about engineering and (shady) economics. I see convincing evidence that the tipping point is here, or will be soon. Read on and make up your own mind.


Follow-up: Malware attempts that use Apple-focused social engineering are now in the wild. I just found one via Google Image search. See for yourself: What a Mac malware attack looks like.

Oh, the rationalizations people come up with to explain away what they don’t want to hear.

Last week, when I wrote Coming soon to a Mac near you: serious malware, I expected to get an earful from Mac partisans telling me how wrong I was. They didn’t disappoint.

In this post, I want to respond, in detail, to the arguments that I heard in response to that post. They’re the same ones that come up over and over again when the topic turns to Macs and malware.

First, there’s the contention that OS X is architecturally superior to other operating systems, that its very design confers immunity from infection. Second, there’s the perfectly reasonable question of numbers: if Macs and Windows PCs are equally vulnerable to attack, how come there are hundreds of thousands of Windows viruses and only a handful of specimens of Mac malware?

Those are reasonable arguments, and I want to address them fully, with enough evidence to help you make your own conclusions. This isn’t about Mac-versus-Windows religion. It’s about engineering and economics.

I’ve got my flak jacket fastened, so let’s dive in.

Is OS X architecturally superior to Windows?

That’s the argument several commenters made in response to my post. Here’s one example, complete with obligatory homage to Steve Jobs:

The architecture and methodology are different at Apple, which is why so many developers (and hackers) hate Macs and iPhones; they can't get in to do anything really serious. Not to deny anything is possible, but I still feel left out when I use PCs that get infected regularly. And thank Steve for that feeling!

Sorry, but that’s not true. Sensible third parties have acknowledged this for years. In a 2008 post at the Mac-centric Tidbits.com, Security Editor Rich Mogull wrote:

It's not that Mac OS X is inherently more secure against viruses than current versions of Windows (although it was clearly more secure than Windows prior to XP SP2); the numerous vulnerabilities reported and patched in recent years are just as exploitable as their Windows equivalents. But most security experts agree that malicious software these days is driven by financial incentives, and it's far more profitable to target the dominant platform. […] At some point, assuming Apple continues to make appealing products, we Mac users will become bigger targets and face a higher level of risk. [emphasis added]

As I’ve documented in a series of recent posts, social engineering has become the dominant technique that malware authors use to spread their poison. If you can convince someone that your hostile program is useful or necessary, they will happily (or fearfully) click through all necessary prompts and enter their administrative credentials where required.

This is true in Windows, where User Account Control has been a default since 2006. It is equally true in OS X.

But, the argument goes, Windows users are victimized by drive-by downloads, and Macs are immune from those!

Sorry, but that’s not true either. Like any modern operating system, OS X contains flaws that can be attacked fairly easily. That is why Apple updates it so regularly. Let's take just one recent example…

In Apple’s security bulletin for the April 22, 2011 release of OS X 10.6.7, I counted 23 separate fixes for vulnerabilities that allow “arbitrary code execution” in the current shipping version of OS X. At least three of those vulnerabilities are new in Snow Leopard and did not exist in previous versions of OS X.

For those who aren’t familiar with security terminology, “arbitrary code execution” means “no user interaction required.” It is the nightmare scenario of online security: The attacker sets up a web page containing hostile code or creates an ordinary looking document, image, or movie file. When you visit that web page or open that document or look at that picture or play that video clip—or even if you just download a file—the attacker’s code runs, potentially giving him complete control over your machine.

No permission dialog boxes pop up, and no password prompts are required.

But don’t just take my word for it. I’ve gone through that April document, line by line, and pulled out the details.

23 flaws, no user interaction required

Here’s a breakdown of what was in that single April 2011 OS X 10.6.7 update package. The text is taken directly from Apple’s security bulletin:

  • Nine separate flaws (buffer overflows, integer overflows, and memory corruption) in QuickTime, Image RAW, libTIFF, and ImageIO could allow arbitrary execution of code when viewing a maliciously crafted image or movie file.
  • Five buffer overflow and memory corruption issues in font-handling components could allow execution of arbitrary code when viewing or downloading a document containing a maliciously crafted embedded font.
  • Three issues (memory corruption, double free issue, and heap buffer overflow) could result in arbitrary execution of code when visiting a maliciously crafted website.
  • Two memory corruption issues in QuickLook allow arbitrary code execution when downloading a maliciously crafted Excel or Office file. (Note that this flaw is in Apple’s QuickLook viewer, and doesn’t require that the user have Office installed or even open the document using QuickLook.)
  • Multiple vulnerabilities in PHP and FreeType are patched, the most serious of which may lead to arbitrary code execution when running script or processing a font.
  • "A privilege checking issue in the i386_set_ldt system can result in a local user being allowed to execute arbitrary code with system privileges." The bad guys love privilege-escalation exploits, which even non-admins can execute.
  • And the one I found most interesting of all: “URL processing issue in Install Helper may lead to the installation of an agent that contacts an arbitrary server when the user logs in. The dialog resulting from a connection failure may lead the user to believe that the connection was attempted with Apple.” That certainly would make social engineering easier.
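Several of the flaws listed above are "integer overflows" in image and movie parsers. As an added illustration (not from the article and not the code Apple patched), the C below uses a hypothetical 12-byte image header to show the size calculation behind that bug class, next to the checked version a hardened parser would use:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical header used only for this illustration: width, height and
 * bytes-per-pixel as little-endian 32-bit values. Not a real format. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;
} image_header;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int parse_header(const uint8_t *buf, size_t len, image_header *h) {
    if (len < 12) return -1;          /* truncated input is an error */
    h->width  = read_le32(buf);
    h->height = read_le32(buf + 4);
    h->bpp    = read_le32(buf + 8);
    return 0;
}

/* Vulnerable pattern: the pixel-buffer size is computed in 32-bit
 * arithmetic, so width * height * bpp silently wraps modulo 2^32.
 * A header chosen so the product wraps to a small number produces an
 * undersized allocation; later per-row copies sized from width and
 * height separately then write past its end (memory corruption). */
uint32_t buffer_size_unsafe(const image_header *h) {
    return h->width * h->height * h->bpp;
}

/* Hardened pattern: reject zero or absurd fields, and test each
 * multiplication against a hard cap *before* performing it, so the
 * result can never wrap. The cap value itself is arbitrary. */
#define MAX_PIXEL_BYTES (256u * 1024u * 1024u)   /* 256 MiB */

int buffer_size_checked(const image_header *h, size_t *out) {
    if (h->width == 0 || h->height == 0) return -1;
    if (h->bpp == 0 || h->bpp > 16) return -1;
    if (h->width > MAX_PIXEL_BYTES / h->height) return -1;
    size_t pixels = (size_t)h->width * h->height;      /* <= cap */
    if (pixels > MAX_PIXEL_BYTES / h->bpp) return -1;
    *out = pixels * h->bpp;                             /* <= cap */
    return 0;
}

/* Constructed sample inputs (not real files). The "crafted" header has
 * width = height = 0x10000 and bpp = 1, so the 32-bit product is exactly
 * 2^32 and wraps to 0; the benign header is an ordinary 640x480x4. */
const uint8_t crafted_header[12] = {0x00,0x00,0x01,0x00, 0x00,0x00,0x01,0x00, 0x01,0x00,0x00,0x00};
const uint8_t benign_header[12]  = {0x80,0x02,0x00,0x00, 0xE0,0x01,0x00,0x00, 0x04,0x00,0x00,0x00};

/* Small wrappers returning plain values so behaviour can be checked. */
uint32_t header_unsafe_size(const uint8_t *buf, size_t len) {
    image_header h;
    if (parse_header(buf, len, &h) != 0) return 0;
    return buffer_size_unsafe(&h);
}

int header_rejected(const uint8_t *buf, size_t len) {
    image_header h; size_t n;
    if (parse_header(buf, len, &h) != 0) return 1;
    return buffer_size_checked(&h, &n) != 0;
}

size_t header_checked_size(const uint8_t *buf, size_t len) {
    image_header h; size_t n = 0;
    if (parse_header(buf, len, &h) != 0) return 0;
    if (buffer_size_checked(&h, &n) != 0) return 0;
    return n;
}

int main(void) {
    printf("crafted: unsafe size=%u rejected=%d\n",
           header_unsafe_size(crafted_header, 12), header_rejected(crafted_header, 12));
    printf("benign:  unsafe size=%u checked size=%zu rejected=%d\n",
           header_unsafe_size(benign_header, 12), header_checked_size(benign_header, 12),
           header_rejected(benign_header, 12));
    return 0;
}
```

The unsafe calculation yields 0 bytes for the crafted header while the checked one refuses it; both agree on the benign 1,228,800-byte buffer.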

Keep in mind that this giant bundle of patches was a single update. Other, equally serious vulnerabilities had been patched in earlier major updates to Snow Leopard. (The 10.6.5 update in November 2010, for example, contained more than 30 patches for issues that involved a risk of arbitrary code execution.) And that doesn’t include the security fixes in new releases of Safari, QuickTime, and commonly used third-party browsers and apps.

Every one of the vulnerabilities in the April update had existed in OS X for a minimum of 18 months before being patched. Every entry on that list was capable of executing hostile code on an unpatched system with little or no user interaction. If an attacker develops a successful exploit of one of those vulnerabilities, your system can be compromised, silently and with deadly effect, if you simply download a document, view a movie or image, or visit a website.

This isn’t just a theoretical issue, either. At this year’s Pwn2Own contest, the first successful attack was against a MacBook running a fully patched copy of OS X:

A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple’s Safari browser to win this year’s Pwn2Own hacker challenge.

[The] winning exploit … bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X.

“The victim visits a web page, he gets owned. No other interaction is needed.”

A few days before the contest, Apple had delivered a massive security update to Safari, fixing “a total of 62 documented vulnerabilities, most serious enough to allow code execution attacks if a user simply surfs to a booby-trapped web site.” It wasn’t enough to prevent this attack from succeeding.

The same thing happened in 2009 and 2010. Charlie Miller summarized his Pwn2Own-winning performance in 2009 as follows: “It took a couple of seconds. They clicked on the link and I took control of the machine.”

Update: Apps can be a vector for this type of attack as well. An Australian researcher, Gordon Maddern, disclosed today that he has found a zero-day vulnerability in the Skype Mac client (not in the Windows or Linux clients) that allows an attacker to get root access to a Mac by sending a text message over Skype. Maddern calls it "extremely wormable and dangerous." A Skype spokesperson confirmed the vulnerability to Dan Goodin of the Register and said a fix will be available next week.

If you think Macs are immune from drive-by attacks or social engineering, you need to think different. A sufficiently motivated attacker who is aware of an unpatched vulnerability can take over any system, including a Mac. But that raises a much more interesting question.


It hasn’t happened before, so why are things different now?

The thrust of this argument is simple. If today’s Macs and PCs are equally vulnerable, how come there are so few Mac-oriented Trojans and viruses in the wild? This question is usually accompanied by figures: an insanely high number of Windows viruses contrasted with some very low number of Mac viruses.

That’s a reasonable point. Why is there such a big difference between Mac and Windows malware counts? And why would that balance suddenly change?

For the answer, you have to summon your inner Woodward and Bernstein and follow the money.

When Windows went through its big malware crisis in the early 2000s, viruses and worms were frequently exercises in pure vandalism. Today, they are exercises in pure capitalism. Widespread attacks on Windows machines like the one I documented last month are typically run by gangs of organized criminals in loosely policed countries like those in the former Soviet Bloc.

The guys who run these operations are not master hackers—they are thugs who use point-and-click malware construction kits that they buy from rogue programmers. It’s a thriving business. And so far that software category, like so many legitimate software businesses, has been built on Windows. Its overwhelming market share meant that's where the money was.

In an interview, John Harrison, Symantec's Group Product Manager, Security Technology and Response, called these crimeware organizations "financially motivated." They're like the evil twins of legitimate software companies: "They have developers, QA people, pyramid sales structures, and pay-per-install models. The web attack toolkits might include 20 vulnerabilities, but if you buy the support plan you get new vulnerabilities as they become available."

Gunter Ollmann, vice president of research for security consulting firm Damballa, described the most popular crime kit of last year:

Zeus is an interesting DIY malware construction kit. Over the years it has added to its versatility and developed into an open platform for third-party tool integration – depending upon the type of fraud or cybercrime the botnet master is most interested in. Along the way, many malware developers have tweaked the Zeus kit and offer specialized (and competing) major versions of the DIY suite (for sale).

Jerome Segura at Pareto Logic offered an excellent behind-the-scenes look at the Spy Eye crime kit last year. Here, for example, is the point-and-click main screen:

Main screen for Spy Eye point-and-click malware generator

And here’s the console that the bot herder uses to manage his network of compromised PCs. Looks pretty easy to use, doesn't it?

Admin console for kit-generated malware

Zeus and Spy Eye… Hmmm, where have I heard those names before? Oh yes, just last week:

The first advanced DIY (Do-It-Yourself) crimeware kit aimed at the Mac OS X platform has just been announced on a few closed underground forums. … The webinjects templates are identical to the ones used in Zeus and Spyeye.

Independent security researcher Brian Krebs looked more closely at the business model for these kits and found a fairly sophisticated modular pricing structure, with kit authors charging $2,000 for a Firefox form grabber, another $1,500 for a Backconnect module the buyer can use to make bank transactions through a compromised PC, and so on. How much do you think an OS X compatibility module would go for?

Is this the tipping point?

Seeing the first DIY malware kit for the OS X platform is a big deal. It marks a tipping point, one in which online criminals are embracing the slow decline of the Windows monopoly and the steady rise of alternative platforms.

Interestingly, a prominent security researcher predicted exactly this tipping point in a paper published in March 2008 in IEEE Security and Privacy. [Unfortunately, “When Malware Attacks (Anything but Windows)” is behind a paywall, but you might be able to locate it if you search in the right place.]

In that paper, Adam J. O’Donnell, PhD, presented “a new model based on game theory for predicting if, and when, Mac malware will arise based on a reasonable number of measurable parameters.”

In that three-year-old paper, O’Donnell described the assumptions behind his analysis as well as “factors outside our model that could hasten or postpone the arrival of Mac malware.” At the time, he concluded:

Malware authors will continually test the market conditions and look for the right time to begin exploiting the new platform. We must also be mindful of targeted attacks, as the value of the data contained on an individual system to an attacker might far exceed the value of the machine as a platform for sending spam.

In a keynote address to the MIT Spam Conference in March 2008 (PDF copy here), O’Donnell first makes the familiar comparison I described at the beginning of this section:

  • Windows malware: around 250k samples by the end of 2006, 500k by the end of 2007
  • Macintosh Malware: under 100, including pre-OSX

And so O’Donnell asks the perfectly reasonable question: If not now, when? His answer:

I expect relatively widespread, monetized Mac malware when we see around 5-10% of the Internet population using Macs.

Are we there yet? Macs have been wildly successful in the past three years. So successful, in fact, that their share of actual web traffic has nearly doubled during that time. At the end of 2008, a few months after O’Donnell’s paper was published, StatCounter measured OS X usage on the Web at roughly 3.8%. In the first half of 2011, those numbers have risen to 6.5% and show no sign of slowing that steady increase. [source: StatCounter global stats, 2008-2011] Net Market Share shows a similar trend, with OS X usage rising from 3.45% in April 2008 to 5.4% today.


The other significant trend worth noting is the steady decline of Windows XP. The bad guys love XP, because it’s so much easier to attack than newer Windows versions. As XP’s share among Windows users drops (it’s now hovering just above 50%) the conversion rates for online attacks drop too. That means the bad guys need fresh blood.

A gain of a few percentage points in the Mac market might not seem like a lot, but in a universe with a billion Internet-connected devices, each percentage point equals a potential 10 million victims. A market with 60 million, 80 million, or even a hundred million Mac users is big enough for the bad guys.

Upcoming versions of crimeware kits will probably be cross-platform, with the capability to build and deliver Windows and OS X packages using as many vulnerabilities and social engineering tricks as possible. On every poisoned web page, visitors get sorted by OS: Windows users this way, OS X users over there. Each group gets its own custom, toxic blend. If all it takes is a tick of a check box, the gangs using these kits can jump into the Mac market literally overnight.

So now the question is: when will that day come? This year? Next year?

Apple has shown signs lately that it's trying to prepare for the onset of hostilities. This year, for the first time ever, it has invited outside security experts to look at an upcoming release of OS X.

My prediction is that the bad guys are still “testing market conditions,” and waiting for the right time for their grand opening. I think we’ll see a few more of these tentative probes—beta tests, if you will—before anyone unleashes a truly widespread attack. The trouble is, in this market, Mac users aren’t the customers—they’re the product.

  • More factors

    The bad guys have invested in tool chains for creating Windows malware. This creates inertia and may delay the point at which Macs are becoming mass-exploited.

    Windows Vista and 7 are significantly harder to exploit (much harder than Macs). This may push the exploitable population closer to a point where Macs are becoming the juicy target. This will move up the point at which Mac will see mass-exploits.

    While Windows XP is harder to secure than the later Windows versions, it is entirely possible to lock down a Windows XP. Enterprises have been doing this successfully for a long time now. If the XP population that is left is all deployed locked-down in enterprises, the "XP share" is not a good index. Many/most of the exploitable XPs are pirated copies which may even have been infected before installation. Remember how our resident Linux advocate/peddler insisted that Windows had open ports even with the firewall on? Only to find out that he used a pirated (and infected) copy downloaded from the internet because he was too cheap to pay for it (or rather his "friend" was. This always happens to someone's "friend").
    • Still, malware for Mac was promised countless times, but the cases are just

      @honeymonster: ... anecdotal to this day; let's see how these "Spy Eye" kits will do.

      Just recently a security tracking firm said they register like 40 000 attacks on PCs comparing to 8 (eight) on Mac.

      So let's ask Edward about malware for Macs when it will be actual reality, rather than theoretical possibility.
      • I guess Ed needed more hits


        on his blog forum or really really needed to hear all of the same old arguments all over again.

        Reprising his role as Chicken Little wasn't really necessary. You can use a Mac sensibly without worry from the barrage of malware that Ed predicts, just like Windows XP which is a lot more vulnerable than OS-X (I'll continue to use the hyphen, tyvm). The first step to sensibility is to not use Safari. The second is not to install or run anything that you don't absolutely know of its origin.

        Most of the new Mac users are refugees from Windows anyway and they know these simple, sensible guidelines already.

        If this great Mac exploitation happens in my lifetime, I'll be the first to admit he was right. But I won't hold my breath.

        Thanks, Ed, for beating the dead, rotting carcass of a horse some more.
      • Not anecdotal; it's basic economics

        @denisrs

        Economics of scale. Macs have had more (many times more) vulnerabilities than any version of Windows over at least the past 5 years. Every year. Exploitable vulnerabilities.

        At the same time Apple has had one of the worst patch records out of all; often leaving users hanging while vulnerability information was publicly available for months. Case in point: Several Java vulns.

        The only thing protecting OS X users has been the fact that a more lucrative target was available. Not Apple, not Unix heritage (with measly 12 bits of security), not "magical" but undisclosed OS X security mechanisms. No, Macs were always protected by Windows, ironically.

        What is going to be interesting is when the bad guys really take an interest in OS X they will have plenty of vulnerabilities to choose from. For one, OS X is quite simply the most buggy OS of all mainstream desktop OSes.

        But worse, the OS X stack is assembled from a variety of 3rd party and open source components (like libxml) which not only have frequent vulnerabilities but for which Apple cannot control disclosure. This is a systemic problem for OS X which does not exist in Windows. Providers of the libraries and 3rd party components are not going to wait for Apple to get their act together. They are going to patch when they have a patch ready. But when the patch is in the open, simple reverse engineering will reveal the vulnerability. Often the bad guys will not even have to reverse engineer as vulnerability info is often released along with the patch - especially if it is open source.

        What this means is that OS X has had - and will continue to have - a problem where vulnerability information will be available to the bad guys long before Apple patches OS X.

        This is going to be a disaster.
      • RE: Why malware for Macs is on its way

        @jacarter3 ... You obviously didn't bother reading the article or failed to comprehend it, otherwise you would understand that it's not just Safari, it's all browsers and all platforms.

        The ultimate unpatched exploit is the user, and while I've argued for years that humanity is in desperate need of a service pack, it's not gonna happen. People are dumb.
      • RE: Why malware for Macs is on its way

        @denisrs Just 2 days after Ed's earlier post on a Chrome vulnerability, guess what - the same exploit was used to infect my wife's iMac via a Google search on social work academic literature. I think that counts as actual reality. If you haven't installed an AV product on your Mac, I wish you good fortune.
        • RE: Why malware for Macs is on its way

          @donaldvc Just posted this reply to denisrs and it has been reported as spam:

          "Just 2 days after Ed's earlier post on a Chrome vulnerability, guess what - the same exploit was used to infect my wife's iMac via a Google search on social work academic literature. I think that counts as actual reality. If you haven't installed an AV product on your Mac, I wish you good fortune."

          Hmmm... I hope this is not a case of someone trying to conceal an unpalatable opinion. For the record, I am writing this post from my Mac mini.
      • RE: Why malware for Macs is on its way


        Let's say Mac Guy has only one bullet, and PC Guy has the arsenal of the whole state of Texas. It doesn't matter which of them shoots me, I'm dead either way.

        I read Ed's article before there were any comments, and I'm just checking back now in fascination at the number of silly excuses the Mac fans find to dispute him, defying any attempt at logic and totally missing the point in the process.

        You should be gleeful that your chosen platform finally has enough users to be noticed.
      • Again: it is 40000 cases of malware attacks for Windows against 8 for ...

        @DaveN_MVP: ... Macintoshes -- this is actual reality.

        But PC fanatics defy basic facts and reason, so no wonder.

        By the way, I am writing this from a Windows 7 PC and I never had Macs; but I am not a PC or Mac fan -- I just know how to keep in mind basic actual reality facts rather than never ending threats of theoretical doom.
      • RE: Why malware for Macs is on its way

        @honeymonster "This is going to be a disaster."

        When? When it was supposed to happen in 2004? 2005? 2006? 2007? 2008? 2009? 2010? Or this year? Or next year? The year after that?

        And where do you guys keep pulling these stats from? Oh right. Out of your ass.
      • On being bulletproof ...

        "Let's say Mac Guy has only one bullet, and PC Guy has the arsenal of the whole state of Texas. It doesn't matter which of them shoots me, I'm dead either way."

        A Mac without anti-malware is like walking down the street in a nice neighborhood. You are not personally bulletproof, but there aren't any gun battles in the streets, either.

        A Windows PC with anti-malware is like wearing a bulletproof vest in a war zone. You are protected from a lot of the gunfire, but you are also constantly being shot at from every direction.

        You are much less likely to be shot in the nice neighborhood. This post doesn't do a really convincing job of arguing that the streets of Macville will be overrun soon with gun-wielding lunatics.
      • RE: Why malware for Macs is on its way


        My sentiments exactly.
      • RE: Why malware for Macs is on its way

        @denisrs I have exactly the same point of view sir, I've been waiting for facts for years now and nothing changes, not even the story "This new windows is safer" :D
      • RE: Why malware for Macs is on its way

        @jacarter3 Denial of the issue will not help. Ed presented some very well researched and thought out arguments in two articles far different from the usual ZDNet propaganda. You and other Mac fanbois are taking this as an attack and it is not. The fact is that the hackers are turning more and more to hack into the Mac OS and the "security by obscurity" you have enjoyed so much over the years is slowly evaporating. You can choose to keep on blasting Ed and others who try to tell you this and fall victim to malware OR you can man up, take what he says seriously, and be proactive about protecting your Mac and its data. In other words one can lead a horse to water but one cannot make that horse drink it.
      • RE: Why malware for Macs is on its way


        I LOVE your analogy about neighborhoods! I'm going to use that. Tell me where to send the royalty checks!
      • RE: Why malware for Macs is on its way

        @denisrs One other factor...complacency (nearing arrogance) on behalf of Mac users makes them even more vulnerable...this isn't about Mac vs PC, it's about legitimate users vs criminals.

        Simple fact is it's more profitable to hit Windows than Mac because it's so much more widely used, but as Mac gains popularity, it will become a target platform. One of the most irresponsible messages Apple gave out, not so long ago, was Macs are better because they don't have viruses...they dropped that line pretty quickly.

        Either way, complex computing environments will be open to exploits. Best to recognise this and deal with it openly and maturely.
      • The Sky is Falling... Very Soon


        Yes, yet another article written to advise us on the near doom of the Mac OS (you may substitute Linux), meanwhile smoke has blown out of many Win OS computers at one time or another.
      • RE: Why malware for Macs is on its way

        @denisrs The biggest danger to the Mac comes from the head in the sand "It can't happen to a Mac" crowd. BTW, I've been a Windows XP user for about 10 years and have NEVER been infected by viruses or malware of any kind. If you are aware of the danger, use proper precautions and software you will have no problem no matter what platform you use.
      • re: re:On being bulletproof ...

        "A Mac without anti-malware is like walking down the street in a nice neighborhood. You are not personally bulletproof, but there aren't any gun battles in the streets, either.

        A Windows PC with anti-malware is like wearing a bulletproof vest in a war zone. You are protected from a lot of the gunfire, but you are also constantly being shot at from every direction.

        You are much less likely to be shot in the nice neighborhood. This post doesn't do a really convincing job of arguing that the streets of Macville will be overrun soon with gun-wielding lunatics."

        There's only ONE tiny little problem with your example.

        You see, the last I checked, there's only ONE internet. There's no "Macville" and no "PCville". There's just ONE neighborhood we all live in.

        And those snipers, the ones who were primarily aiming at PC users, well, they're now starting to take aim at Mac users as well. Best learn how to duck and cover along with the rest of us.
      • RE: Why malware for Macs is on its way


        Neighborhood, schmeighborhood.

        If you're on the internet and using web browsers, you're in the same neighborhood as everyone else. Take the cute white earbuds out of your head and you might hear the bullets flying around.