Any major Mac virus concerns at present? And vs. PC...

  1. I surfed, multiple times, a wiki where one of their ads (I learned later) was infected with a fake anti-virus redirect where several people reported having to control-alt-delete to stop it from automatically installing on their computer. I surfed this wiki in Firefox with both Adblock Plus and NoScript active, and didn’t see any redirects. Should I be safe?

  2. I’ve been told that there are, at present, no known Mac viruses which would not either make itself known by asking for an admin password before installing or require an active choice by the user to install (such as a recent Trojan where porn surfers were asked to download a codec). True?

  3. Something I’ve wondered for a while: what is the difference between Windows and OSX that allows “auto installation” of viruses just by surfing to an infected site in one and not the other (as far as is known so far)?

  1. Well, Vista has security options that don’t let anything install, even if you want them to, without giving it permission first. XP was a little more trusting. But the main problem Windows has is how big a market share it has (91%), which means that the majority of viruses are specifically tailored for Windows OS systems. It’s not necessarily Windows’ bad security, it’s just that the virus/spyware designers have an easier job focussing on bypassing security on the most popular OS. If Mac was popular, it would have the same problem.

I don’t buy this idea that Macs don’t have viruses because they don’t have market share. 9% of computers is still a huge number. I don’t believe there isn’t someone out there who would love to be the first guy to write a successful OSX Mac virus. And, since most Mac users don’t run antivirus software, it would probably take longer for people to stop the spread or get rid of it.

You’ve just encountered the concept of herd immunity. 9% is indeed a huge number in absolute terms. But in relative terms it means you have 91% herd immunity, so any disease that targets the remaining 9% simply can not spread.

It is simple economics. For the same effort, you can infect 10x computers writing for Windows. Yeah, somebody could, but it would be a poor business decision.

But when Macs ran OS 9 and before, they had less market share and had more viruses than they do today. So I don’t think market share is everything. Earlier versions of Windows were more insecure than the current OS X. (I think current versions of Windows have improved… haven’t they?)

That was back in the day when most viruses were just script kiddies showing off. Today, spyware is a multi-million dollar industry with ties to the Russian mob. When what used to be juveniles breaking windows in the schoolhouse becomes big business, then economics determines what the targets are.


Could a virus that attacked only OS X spread if all the Windows machines in the world were turned off? Of course it could. “Herd immunity” doesn’t apply here.

So-called herd immunity did not make Macintosh System 6 and System 7 era viruses incapable of spreading. We didn’t have many and they were mostly laughably nonlethal, but anyone who swapped floppy disks around with their friends to exchange fonts and desk accessories and whatnot, and who was not running John Norstad’s Disinfectant INIT, was likely to pick up one of the little buggers. EDIT: I see you’ve already answered that. Sort of. You’ve repositioned your argument to “it would not make economic sense to the bad guys to do so”. That’s not the same as “could not spread”. EDIT 2: oops, Blake is not the same person, sorry.

I’ve seen OSX machines rooted when people turn on Apache or ssh or some other unixy service. I don’t know the exploit details, perhaps it was just a weak password, but it happens and pretty frequently. Same with Linux. Part of the issue here is that running a PC as a server.

Ignoring that we have lots of trojan horses for OSX. Now the OSX defenders will say “but, but that’s not a virus.” Yes, but at the same time most Windows infections are trojans too. The much feared Storm botnet was created via emailing people things like greetingcard.exe. There was no web exploit or worm or virus. Just a trojan that sent out executables to people stupid enough to run them. Windows does have a couple of exploitable holes that Conficker and Blaster used if the machine wasn’t properly firewalled or patched. It’s also worth noting that both those exploits hit the net weeks after the patch was released. Anyone doing Windows updates wouldn’t have even noticed them.

>what is the difference between Windows and OSX that allows “auto installation” of viruses just by surfing to an infected site in one and not the other (as far as is known so far)?

These are pretty rare. Windows isn’t full of these, and since ActiveX has been locked down with SP2 4 or 5 years ago, it’s even rarer. A drive-by exploit gets patched pretty quickly. It’s also worth mentioning that a drive-by web exploit in IE generally doesn’t work in Firefox or Opera. So this is more an issue of how IE works than how Windows works. Perhaps splitting hairs, but it’s important to know that switching browsers can help you security-wise.

Considering Safari has such a small web footprint, it’s often not targeted. 9% is pretty crappy when Windows is 90%. If I am an aspiring bot owner, why would I target a platform that would give me less than 10% of the results? A botnet of 10,000 computers can be fearsome. A botnet of 900 computers is a joke.

Of course the real issue is how XP lets everyone run a local administrator by default. Vista and 7 have addressed this by running everyone as user and escalating users via a prompt like OSX does. The only difference is that OSX asks for a password and the UAC does not.

If OSX had 90% of market share you’d see the same thing. People running anything sent to them via email, not patching, and blackhats targeting the platform. One of OSX’s biggest pluses is that the Mac machines are too expensive for universities and most families, so aspiring hackers learn PCs and never play with OSX. That’s part of the market share argument that is often ignored.

How is 90% vs. 9% the relevant comparison? Most PCs have antivirus software, which I assume stops at least some attacks, while almost no Macs have any form of antivirus software. And while we’re at it, 9% is Mac’s market share, not the proportion of computers in use which are Macs: The latter number is higher because Macs tend to remain in use for longer.

So the real question is, how many Macs without antivirus software are there in the wild, versus how many Windows machines without antivirus software? I’d actually expect those numbers to be pretty close to equal.

I’d disagree. Quite a few people I know don’t use antivirus, or use bad ones. The one and only time I got infected I was running an antivirus. The program looked suspicious, but I thought my A/V software would catch it. It was so hard to remove that I didn’t even think a reformat would fix it, and I moved to Linux.

Anyways, I’d say that the hackers at least think that there aren’t enough Macs connected to other Macs to warrant creating a self-replicating virus. Especially since they’d have to learn a whole new way of doing it. They already know how to exploit Windows.

>Most PCs have antivirus software, which I assume stops at least some attacks

That’s not really true. The last survey I saw had something like 30-40% of computers with AV had expired definitions at least two months out of date. Usually Norton from OEM installers and people unwilling to pay for updates. Toss in about 20% of people who don’t even have any installed and you’re really looking at around 60% or so who are defenseless against a newish exploit. I don’t remember the % of people who don’t do Windows Update, but it’s at least 20-30%.

On top of that it’s trivial to pack/encrypt an executable or rewrite an existing virus/trojan so that it has a different hash than the ones in the AV database. So you might have a defense against zolob.a but not zolob.b until the AV vendors catch up, which might be too late. In a case with a rootkit, it would be invisible to the OS. AV apps are better than nothing but they are always fighting yesterday’s battle, and consumers don’t like to use heuristics because of the false positives, so the packed executable method still works fairly well. The role of AV is really to warn you that you’re infected, not to stop you from getting infected. It’s just not good at that.

I could write a trojan for any platform. I don’t see how you could stop me until my trojan was submitted to the AV vendors and then the clients updated to detect it. That could be a week or several weeks. In the meantime I could control the PCs of anything stupid enough to run greetingcard.exe or All I need is a week.

Is it true, as some say, that the Unix roots of OSX makes it inherently harder to invade? Windows did, after all, originate as a shell on an individual and unnetworked personal machine, whereas Unix did originate as a multiuser system for networking.

To be fair, Unix itself was never inherently secure. In fact, its original security model was an electronic version of the Honor Code, and the permissions structure existed merely to keep good users from doing bad things. Although some vendors like SGI took rudimentary steps to enhance security and system auditing with their particular flavor of Unix, it wasn’t until OpenBSD that there was a real initiative to build a Unix-type system (I’m not going to get into a semantic argument as to whether BSD is “Unix”) with robust and transparent security features built in from the ground up. SELinux is another effort in that regard, and it is only relatively recently that Linux has really been compliant with NISPOM Ch 8 requirements, whereas Windows has had the auditing capability since at least XP. The OpenBSD security features and model are now widely used on many *nix systems. The Open Software Foundation’s adoption and promotion of Pluggable Authentication Modules (PAM), and its adoption by virtually every modern *nix operating system, has allowed the implementation of multiple security features that limit the amount of access and exploitation that any application can have. Kerberos was originally implemented for Unix by the MIT Athena system, but was adopted by Windows as the default authentication system from NT onward.

To address the question of the o.p. and follow on responses, OS X is less vulnerable not just (or likely at all) because of the lower market share, but because it is inherently more securable. Even the out of the box implementation makes it very difficult for a lone application to do the kind of severe system alteration that apps with access to a Windows Registry can do, and it takes less than an hour for an inexperienced person with instructions to properly secure OS X to the point that no application can really do any more damage than delete some unprotected data. On the other hand, it was relatively easy to write viruses for NT and XP that could bring the system to a halt. (I don’t know about Vista and Win7, as I haven’t used those systems to any extent.) This is, again, largely because of the adoption of security features and protocols adopted by Darwin/OS X via FreeBSD. OS X just doesn’t allow the kind of exploits that are possible in XP, by design.

As for the market share issue, profit, in the usual sense, really doesn’t enter into it. It isn’t as if someone is trying to capture the market share for viruses, and indeed, I would expect someone who wrote an effective virus for OS X would be widely recognized and publicized within the cracker community for being one of the few to hack OS X effectively. Of course, for professional crackers intent on attacking government and corporate desktop systems (cyberwarfare) it makes sense to crack on Windows, as this is the environment used by the majority of these users. And certainly many denial of service attacks have been made against Unix-ish Internet backbone servers, but these are more overloading attacks rather than exploits of the system, and so aren’t really OS-specific.

I’ve personally locked down secure but accessible-to-the-world Linux systems to the point that no trojan or virus could do any more than erase the home directory of the user it runs as, and nothing but system utilities can run as true root. I don’t think that’s even possible with XP (again, don’t know enough about Vista or Win7 to make the same claim). OS X can be locked down the same way, but for the typical desktop user this just isn’t necessary, as the possible exploits are already pretty tight.


>I don’t think that’s even possible with XP (again, don’t know enough about Vista or Win7 to make the same claim).

Of course it is. Windows has built-in security groups that take care of the tedium. Set your user account to be a user, not an admin. Ta da! No access to other profiles/data, no write abilities to system folders, program folders, system reg keys, etc. It’s just like running as a user in a Unix system. Instead of su we have runas. Windows had this level of separation of privs long before OSX was a twinkle in Steve Jobs’ eyes and Linux was an idea some Finnish student had.

Just because people refuse to use it doesn’t mean Windows is difficult to secure. With user-only rights you can only do damage to your profile, not much else. Older apps may not like this, but if they are well written they can handle running as user. Thanks to Vista and 7, lazy programmers now have to follow the Windows guidelines on writing apps properly, and no longer are we seeing stuff like writing to windows/temp or the program directory. Just like in Unix, you’re supposed to write user data to the user profile/home directory.

If you’re especially lazy you can run your internet-facing apps under a local user account and still be a local admin for everything else. Mark Russinovich explains how below. He’s using his psexec tool instead of runas, but the principle is the same.
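The standard-user claims in the post above (no writes to system folders, program folders or system registry keys, and a UAC-style split between an admin account and an elevated session) can be checked directly. The PowerShell script below is an added example, not code from the thread or from any of the tools it names; the probe paths are my own choice and the probe file/key names are constructed for the test and removed afterwards. Run it once from a standard user session and once from an elevated prompt and compare the output.

```powershell
# Added example: report whether this session holds the Administrators token,
# then probe the write access a standard user should NOT have.

function Test-IsElevated {
    # Under UAC an admin account that has not elevated is NOT in this role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess {
    param([string]$Path)
    # Try to create and delete a uniquely named file; failure means no write access.
    $probe = Join-Path $Path ("lp-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, "x")
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryWriteAccess {
    param([string]$KeyPath)   # a PowerShell registry path such as HKLM:\SOFTWARE
    $probe = Join-Path $KeyPath ("lp-probe-{0}" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# Locations the post says a plain user must not be able to modify, plus the
# user's own profile, which is the only place a user-level trojan can write.
$targets = @(
    "$env:SystemRoot\System32",
    "$env:ProgramFiles",
    "$env:USERPROFILE"
)

"User: {0}   Elevated admin token: {1}" -f $env:USERNAME, (Test-IsElevated)
foreach ($t in $targets) {
    "{0,-45} writable={1}" -f $t, (Test-WriteAccess $t)
}
"{0,-45} writable={1}" -f 'HKLM:\SOFTWARE', (Test-RegistryWriteAccess 'HKLM:\SOFTWARE')
"{0,-45} writable={1}" -f 'HKCU:\SOFTWARE', (Test-RegistryWriteAccess 'HKCU:\SOFTWARE')
```

A standard user session should report writable=False for System32, Program Files and HKLM:\SOFTWARE and writable=True only for the profile and HKCU, which is exactly the containment the post describes.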

RunAs is pretty limited, because what you need is something that can do administrator-level stuff except under your profile. For that reason, on pre-Vista/Win7 systems, I use MakeMeAdmin instead. There is also a SuDo for Windows, but it is a bit more of an intrusive installation involving some kind of service, and I never got it to work anyway.