Apple malware flourishes in a culture of denial

It looks as though Apple's Mac OS X users have seen their first significant outbreak of malware, with Dr Web researchers claiming that more than 600,000 Macs have been botted by the drive-by Trojan, BackDoor.Flashback.
Written by Jack Schofield, Contributor

It looks as though Apple's Mac OS X users have seen their first significant outbreak of malware, with Dr Web researchers claiming that more than 600,000 Macs have been botted by the drive-by Trojan, BackDoor.Flashback.39. Since Macs make up only a small percentage of the PC market (65 million Macs vs 1.3 billion PCs), this would be roughly equivalent to the Conficker outbreak, according to F-Secure's chief research officer Mikko Hypponen.

Flashback's success has been assisted by the culture of denial that -- with Apple's encouragement -- exists in the Mac market. Most Mac users don't use anti-virus software because they believe that their machines are impervious to malware. This outbreak could make the Apple ecosystem more secure by encouraging more Mac users to defend their systems.

Apple could help. The company spent many millions of dollars on TV advertising that contrasted a hipster-style Mac guy with a more businesslike PC character, and the Mac's freedom from virus infections was a core message. One misleading advertisement may also have damaged the Windows security ecosystem by discouraging users from upgrading from XP to the more secure Windows Vista.

Apple could usefully spend a few millions running some more TV adverts to say: "Sorry, Macs CAN be infected, and we recommend you take precautions." Obviously, Apple will not spend any of its spare $100 billion helping its users in this way.

One of the interesting things about Trojan BackDoor.Flashback.39 is that it encourages a culture of ignorance among the most knowledgeable Mac OS X users. If Flashback finds that its target Mac is running certain geeky programs -- Little Snitch, Packet Peeper, Xcode, some anti-virus software -- it deletes itself. In other words, it tries to avoid infecting those Macs where it is most likely to be discovered, reported and ultimately disassembled.

If all Mac malware does this, then Mac experts will truthfully report that they can see no evidence of malware infections. This will reassure the ignorant majority of Mac users, whose systems can then be infected more easily.

Now, it is far from certain that Dr Web is correct in saying that more than 600,000 Macs have been infected. Dr Web used sinkhole tactics (PDF) to measure the size of the botnet, so the number is believable. What is not so certain is that they are all Macs.

Today, Aleks Gostev (@codelancer), chief security expert at Kaspersky Lab, tweeted that:

Last night we sinkholed one domain of #Flashback. We can officially confirm size of the botnet – more than 500k infected hosts. We are not sure that all 500k #Flashback bots are Mac users. I have some suspicions that probably bot for Windows also presented itw

To which Lucian Constantin (@lconstantin) replied:

Dr Web told me they counted unique IOPlatformUUIDs sent by bots to the C&C. Isn't that a HW ID unique to the Mac OS X platform?

Whatever the case, it remains a fact that a large number of Macs have been infected, and that a very large number are still undefended and (as Pwn2own has shown) easily hacked.

If Apple is not going to do the decent thing, then it still has other things to do.

For a start, Apple can improve its security updates, which lag behind the rest of the industry. In the current instance, which exploited a Java flaw, Apple patched a vulnerability in April that Oracle and others fixed in February. Often, Apple is even further behind.

Apple should also improve its processes so that it writes more secure software, as Microsoft did a decade ago. Again, this would also improve the Windows security ecosystem, since Apple programs -- along with Adobe software and Oracle's Java -- are among the most vulnerable installed on most PCs.

It remains to be seen whether Apple will go through the sort of malware crisis that led Microsoft to develop the SP2 to save Windows XP. After all, Mac OS is still a very small target compared with XP, where malware authors can profitably exploit security holes that Microsoft fixed at least two years ago. (The incidence of Conficker in large organisations, for example, proves that it's not just naive end users who are either too stupid or too incompetent to use some form of Windows Update.)

Let's hope Apple gets the message now, rather than waiting until its brand name is further tarnished in The New York Times.


Editorial standards