Why Windows users should care about malware on Macs


Summary: Why is a Windows guy writing so much about malware on Macs? Because this problem affects all of us. Apple, Google, and Microsoft should be working together to respond to this problem, but that doesn't appear to be happening. So how effective has Apple's response been so far? Not very.


Why is a Windows guy writing so much about malware on Macs? Because it affects me, too.

I have a Mac on my desktop. I use it regularly. I have friends, family members, clients, and professional associates who use Macs. Several of them switched specifically because they believed it would make them safer online. If they call with a problem, I need to be able to help, not just shrug my shoulders and tell them to call Apple.

Over the past few weeks, I have found Mac malware and Windows malware side by side on the exact same compromised web sites, served up by Google search results. The visuals and the payloads are tailored to match the visitor’s computing environment, but the social-engineering tricks are identical and are specifically designed to snare unwitting victims.

Apple, Google, and Microsoft should be working together to respond to this problem, but that doesn't appear to be happening.

So how effective has Apple's response been so far? Not very.

As I noted last week, Apple has begun playing a frustrating game of cat and mouse with the bad guys. They have released a new set of malware definitions for the XProtect feature in OS X 10.6.7 every day since they released Security Update 2011-003 last week. Six days, six updates so far. And each time the criminals behind the Mac Defender family have revised their product within a few hours so that it bypasses those signatures.

I captured two more samples of the latest Mac Defender variant in action on Saturday and Sunday. It’s now called Mac Shield:

Its behavior is essentially the same as before. It pops up fake warnings to scare the victim into paying to "register" the product. And if those warnings aren't effective, it begins opening pages from porn sites every few minutes. I confirmed over the weekend that this behavior still occurs even on a fully patched Mac with the latest XProtect malware detection signatures.

As Apple is learning, signature-based detection on its own is ineffective against this type of attack. As soon as a new set of definitions ships, the malware authors tweak their code just enough that the next sample no longer matches, and re-release it, often within hours. The defender has to ship a signature for every variant after it has already been seen in the wild; the attacker only has to change enough bytes to miss the last one. The bad guys always have that advantage.
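The following is an added illustration of that race, not Apple's XProtect code or a real signature. It uses constructed byte strings as stand-ins for three installers from one fake-AV family and shows that a whole-file hash is defeated by a simple rename, that a content pattern survives the rename, and that a second small edit defeats the pattern as well. Sample names, prices and pattern are all made up for the demo.

```python
import hashlib
import re

# Constructed stand-ins for three installers from one fake-AV family.
# Real samples differ far more than this; the point is how little has to change.
MAC_DEFENDER = (b"MacDefender installer -- pay $59.95 to register -- "
                b"alert: Your computer is infected!")
# Day 2: same code, new brand name.
MAC_SHIELD = MAC_DEFENDER.replace(b"MacDefender", b"MacShield")
# Day 3: same code, the payment string reworded as well.
MAC_SHIELD_V2 = MAC_SHIELD.replace(b"pay $59.95 to register",
                                   b"pay 59.95 USD to activate")


def sha256_signature(sample: bytes) -> str:
    """Whole-file hash: the simplest signature, and the most fragile."""
    return hashlib.sha256(sample).hexdigest()


# A content pattern that ignores the brand name, so a plain rename slips past
# the hash signature but not this one (hypothetical pattern for the demo).
FAMILY_PATTERN = re.compile(rb"installer -- pay \$\d+\.\d{2} to register")


def matches_hash(sample: bytes, signatures: set) -> bool:
    """True when the sample's hash is in the current definition set."""
    return sha256_signature(sample) in signatures


def matches_pattern(sample: bytes) -> bool:
    """True when the family pattern occurs anywhere in the sample."""
    return FAMILY_PATTERN.search(sample) is not None


def scan(samples: dict, signatures: set) -> dict:
    """Return {name: (hash_hit, pattern_hit)} for each sample."""
    return {name: (matches_hash(body, signatures), matches_pattern(body))
            for name, body in samples.items()}


def run_demo() -> dict:
    """Day-1 definitions contain only the original's hash; scan all three."""
    signatures = {sha256_signature(MAC_DEFENDER)}
    samples = {"MacDefender": MAC_DEFENDER,
               "MacShield": MAC_SHIELD,
               "MacShield-v2": MAC_SHIELD_V2}
    return scan(samples, signatures)


if __name__ == "__main__":
    for name, (hash_hit, pattern_hit) in run_demo().items():
        print(f"{name:13s} hash={hash_hit!s:5s} pattern={pattern_hit}")
```

Run as a script it prints one line per sample: the original is caught by both checks, the renamed build only by the pattern, and the reworded build by neither. A defender who then writes a looser pattern buys a day; the attacker edits again.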

In addition, Apple's update has been giving some Mac users problems. Intego reports that the Security Preferences option isn't working for some users. There are also numerous reports on Apple's discussion groups of the malware removal tool causing problems with CPU usage:

since I installed the latest Apple security update on BOTH of my MacBook Pro and iMac (both running OS X 10.6.7), CPU utilization has been fluctuating with fan-on between 40% and 90% constantly - I have never seen this before. This type of 'upgrade' reminds me so much of the ill-fated Windows security releases and why I switched over to Mac in the first place! I hope this isn't typical.

Not only that, but Apple has left a significant chunk of its user base out in the cold. According to Net Market Share stats, roughly 30% of all Mac users are using OS X versions 10.5 or 10.4; but Apple’s security update is only available for version 10.6.7.

Update: As a commenter reminds me, Apple has also not recommended changing the default Safari setting that makes this particular implementation so dangerous. As I wrote last week, the current attack "assumes that the user has visited the SEO-poisoned site using Safari (the default browser in OS X) and that the browser’s default settings are in use. You can block the automatic installation in Safari by clicking File, Preferences, and then clearing the Open “Safe” Files After Downloading check box." And yet Apple's security update 2011-003 does not mention this setting at all.
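The checkbox lives on the General tab of Safari's Preferences dialog (under the Safari menu on OS X). Safari stores it in its preferences property list under the key AutoOpenSafeDownloads, which is absent on a fresh install and treated as enabled. The following is an added example, not Apple's or the article's own code, that reads a Safari preferences plist and writes the hardened setting; the default-install plist is constructed inline, and the ~/Library/Preferences/com.apple.Safari.plist location is an assumption about 10.6 (later versions keep it inside a sandbox container).

```python
import plistlib
from pathlib import Path

# Key behind Safari's "Open 'safe' files after downloading" checkbox.
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"

# Assumed location on OS X 10.6; later releases move it into a container.
SAFARI_PREFS = Path.home() / "Library/Preferences/com.apple.Safari.plist"

# Constructed stand-in for a default install: the key is simply missing,
# which Safari interprets as "on" (the weak setting).
DEFAULT_PREFS = plistlib.dumps({"HomePage": "https://www.apple.com/"})


def auto_open_enabled(prefs: bytes) -> bool:
    """Report the effective setting; a missing key means enabled."""
    return bool(plistlib.loads(prefs).get(AUTO_OPEN_KEY, True))


def harden(prefs: bytes) -> bytes:
    """Return a copy of the plist with auto-open explicitly disabled,
    leaving every other key untouched."""
    data = plistlib.loads(prefs)
    data[AUTO_OPEN_KEY] = False
    return plistlib.dumps(data)


def harden_file(path: Path = SAFARI_PREFS) -> bool:
    """Rewrite the plist on disk if needed; returns True when it was changed.
    Quit Safari first, or it will overwrite the file from its cached copy."""
    original = path.read_bytes()
    if not auto_open_enabled(original):
        return False
    path.write_bytes(harden(original))
    return True


if __name__ == "__main__":
    before = auto_open_enabled(DEFAULT_PREFS)
    after = auto_open_enabled(harden(DEFAULT_PREFS))
    print(f"default install: auto-open={before}; after hardening: auto-open={after}")
```

On a real machine the same change is the one-liner `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`, run with Safari closed; the Python version is useful when you need to audit or fix the setting across several accounts or machines from a script.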

As a result, new victims are showing up on Apple’s support forums every day looking for help. In a cursory search yesterday, I found more than a dozen fresh reports of infections by the latest Mac Shield variant.

If you look on YouTube, you can find videos I’ve captured that show how these attacks work. The most common response I hear when people see them is: “You’d have to be a complete moron to fall for this.” Sadly, that’s not true. Computers are frightening to a lot of people who most assuredly are not stupid, and the bad guys are very good at creating fake error messages that look like the real thing.

These criminals prey on the weak, the feeble-minded, the ill-informed, and the technically unsophisticated. They are perfectly happy to play a numbers game that appears to be stacked against them.

For the sake of argument, let’s assume that only 1 in 100 people who own PCs or Macs even see one of these poisoned sites over the course of a month. That means 99% of us will never even encounter a fake AV program in the wild.

And then let’s assume that only 1 in 100 of that sliver of the worldwide computing population actually falls for the scam and gives up a credit card number. If you’re being barraged by warnings and porn sites popping up on your display, and you don't have enough experience to find help, that's an understandable response.

Using that set of assumptions, 99.99% of PC and Mac users will be smart enough to avoid falling for the scam.

The trouble is, there are a billion PCs and nearly 50 million Macs in the world. Even that seemingly tiny success rate of 0.01%—1 in 10,000—works out to roughly 100,000 victims a month, and at $50 or more per fake "registration" that means the bad guys will divvy up more than $5 million in revenue over the course of a month. And that doesn’t count whatever they’re able to pilfer if they steal and reuse the credit card numbers they harvest.

Computer crime is a problem that affects all of us, regardless of what platform we use. We are all being targeted by gangs that are depressingly effective. Apple, Google, and Microsoft should be working together to come up with a collective response. That doesn’t appear to be happening.

Topics: Apple, Hardware, Malware, Security, Windows

Talkback

135 comments
  • Good article Ed!

    The maths of "bad guy success" is interesting. $5 million for a month - of which $250K could be attributable to OS X users.

    Do the signature based defences at least reduce the number of potential infections - thereby making it less worthwhile for the bad guys?
    TheSceptic
    • Yes, they reduce the success rate

      @TheSceptic

      By and large, these signatures don't make much of a dent in the 0.01% figure. Improvements in social engineering (and software engineering) by the bad guys have more of an impact, IMO.
      Ed Bott
      • RE: Why Windows users should care about malware on Macs

        @Ed Bott

        I'm interested in seeing your description of an effective alternative! The current anti-virus approach (which seems to create a lot of false positives) is also problematic IMO.
        TheSceptic
      • RE: Why Windows users should care about malware on Macs

        @Ed Bott
        I think that Apple will handle malware much better than MS. MS has ignored the problem, allowing 3rd party anti-virus solutions which generally suck (i.e. user experience suffers).

        A simple solution Apple could do is to allow installs only from the app store, which are digitally signed. I believe this is the way to solve this...
        prof123
      • RE: Why Windows users should care about malware on Macs

        @prof123 ... that's simply not true at all. Microsoft has updated Windows, Internet Explorer, and even Office repeatedly to improve its ability to prevent infection in the first place, and they have several antimalware products of their own. In fact, just today IE9 protected a user from becoming infected thanks to its immediate blocking of an executable download on a malicious site.

        You're more than welcome to criticize Microsoft all you want, but at least have the decency to be honest.
        GoodThings2Life
  • RE: Why Windows users should care about malware on Macs

    Nice Job Ed, as always.
    rohan.aarons@...
  • RE: Why Windows users should care about malware on Macs

    Now Ed, why couldn't you have written something more like this before? Reasonably level headed, and actually quite helpful.

    See, we can agree.

    Though I'm a little confused, what would you have Microsoft and Apple do? (I think we can agree that 'Open "Safe" files after downloading' is probably a bad idea, or it is if install files are considered "safe". I see what Apple were shooting for, the installer pauses waiting for user action so can't do any harm on its own - but really that is naive of Apple). But what else?

    I see this as primarily Google's problem (always have). I wonder if defecting to Bing might not be a reasonable solution? Does Microsoft's search engine fall for this user agent trickery?
    jeremychappell
    • That will be the subject of my next post

      @jeremychappell

      There actually are things that all three companies (as well as Facebook, Comcast and other players) can do, individually and collectively, that they are not doing today.
      Ed Bott
      • RE: Why Windows users should care about malware on Macs

        @Ed Bott

        You've mentioned that they should act collectively a couple of times, without details. I'm curious though. What kind of things can MS, Google, Apple do together? (Though I recognize these examples may just be "in theory").

        How is this not Google's issue, primarily? Aren't they supposed to keep a list of "unsafe" websites current for browsers, such as Safari, to use?
        snberk341
      • RE: Why Windows users should care about malware on Macs

        @Ed Bott Details? What do you want Microsoft and Apple to do?

        @snberk341 This Trojan gets in front of people by SEO poisoning of Google Image Search, and is selected (whether you get the Windows or Mac one is decided by looking at the user agent; Google's user agent gets something quite different), so Google aren't checking what different user agents get (which is quite easy) and it's their algorithm that is being gamed.
        jeremychappell
    • RE: Why Windows users should care about malware on Macs

      @jeremychappell

      Really? Just by the title one would get the impression that Windows users really haven't been bothered by malware but they should sit up and take notice now because of all the Mac issues.
      rfoto
      • What an odd interpretation

        @rfoto

        I have stared at that headline for 10 minutes, and there is no way I can look at it and come up with the conclusion you do.

        For years, Mac users have looked at Windows malware and said "not my problem." Now, it turns out, it is.

        The worst thing Windows users could do at this point is to say to Mac owners, "That's your problem, we're busy, go away."
        Ed Bott
      • RE: Why Windows users should care about malware on Macs

        @Ed Bott

        We skeptical ones look at this as just an opportunity to get "Mac Malware" in the headline. Windows users should care about Mac malware if it doesn't exist for their platform.

        p.s. for some reason I only have a reply button on the original post, not replies....
        rfoto
      • RE: Why Windows users should care about malware on Macs

        @rfoto This attack is aimed at BOTH Mac and Windows users, if the user agent identifies the system as Windows then the page returned is scareware pretending to be a Windows virus alert. So both sets of users are equally targeted by this.
        jeremychappell
    • You tell us.

      @jeremychappell: [i]Though I'm a little confused, what would you have Microsoft and Apple do?[/i]

      The ABMers seemed to have all the answers when it was only Windows being targeted.
      ye
      • RE: Why Windows users should care about malware on Macs

        @ye No, some may have **thought** they did... but that's not the same thing at all. Let's not castigate all users of either platform because of a vocal minority.
        jeremychappell
      • I agree. They thought they knew something but it was evident they did not.

        @jeremychappell: [i]No, some may have **thought** they did... but that's not the same thing at all.[/i]

        It was evident they were clueless.

        [i]Let's not castigate all users of either platform because of a vocal minority.[/i]

        Unless you consider ABMers the entire user base of a platform I did no such thing.
        ye
  • Why is a Windows guy writing so much about malware on Macs

    Hits. Lots and lots of hits.
    msalzberg
    • Because the Macs guys are acting like Apple

      @msalzberg
      and pretending it doesn't exist. It's no different than some small site writing about something that the big news agencies ignore.

      After telling everyone that Macs users are safe from things like this, why would they turn around and write something making them look foolish for saying so?
      Will Pharaoh