[ISN] Apple's Big Virus

InfoSec News isn at c4i.org
Sat Apr 23 08:14:38 EDT 2005

Forwarded from: Richard Forno <rforno at infowarrior.org>


By Kelly Martin
21st April 2005 

After your identity has been stolen, your bank accounts compromised,
53 critical patches and 27 reboots later, when will you decide that
you've had enough?

Back in 1984, William Gibson's Neuromancer had an incredibly bleak
view of our future with technology -- from social decay to daily
security breaches based on greed and corruption. This dystopian view
is one that many people forget, because Gibson of course coined the
term cyberspace even before he'd ever used a computer to any great
extent. As a favorite author of mine, he seems to have since
discovered there's some joy to the Internet after all, and you might
even say that he's never looked back.

I've never had a dystopian view of technology, but I do think we're
pulling the general population forward into a realm of the underworld
that they're simply never going to "get." Let's step beyond the
growing privacy issues, the identity theft and so on for a moment.
It's so easy to become accustomed to technology and all its failings,
where viruses, trojans and such have become a fact of life -- for
Microsoft Windows users, at least.  We've come to accept the countless
virus infections, the Trojan that steals passwords, and the loss of an
average user's identity as inevitable and acceptable, and it makes me
wonder if we're taking our users down the right path.

Same old story? Not really. Alternative environments like Apple and
Linux are finally catching on. Unit sales of Apple Computer's OS X
based computers grew by 43% in the past quarter, over the same time
last year -- in business terms, that's incredible growth. Revenue grew
by 70%, and profit grew by an unbelievable 530%, thanks to the little
music revolution they call the iPod and the iTunes Music Store.

What's fueling Apple's growth, besides the infamous iPod halo effect?  
Security. Either it's the perceived security that is thought to be
better in OS X, or it's the documented lack of security in the Windows
world. By that, I mean that you can't assume everyone who owns Genuine
Windows is running XP with Service Pack 2, which has some improved
security features -- because there are a few hundred million people
out there still running Windows 2000, 98, or something else. No, they
don't have automatic updates, and no, they may never understand what a
firewall is. Anyone who works hands-on in the security field has his
own experience spending countless hours removing viruses and spyware,
or becoming adept at formatting and reinstalling (or laying down a new
image), patching, immunizing, and so on. Whether it's in your large
corporate environment or your Uncle Bob's computer at home, it all
takes time.

Here's a simple example of a recent virus incident, and one
organization's lackluster information response. I discovered a nasty
Trojan on a relative's computer. He's a prominent member of the
federal government and uses his computer for online banking, so I
urged him to contact his bank.

The response the customer received from the Royal Bank, the largest
bank in Canada and one of the 10 largest banks in the world, was
interesting.  The representative said that their systems are secure
enough that a Trojan or virus cannot infect them -- but she said
thanks for calling to let them know his home computer had been
infected, that his accounts may have been compromised, and have a nice
day. No discussion about stolen passwords, identity theft, or even the
need to change his online password. Get some better anti-virus
software, she said. And again, have a nice day. The person on the line
didn't "get it," and I can assure you that my relative didn't really
"get it" either until after a long talk. With confirmation from his
bank, he was now confident that his system, the same one with the
Trojan and the keylogger still on it, was perfectly fine. A virus is
normal; it's a fact of life. It's no big deal, right? Why not just
email me your SSN, your credit card numbers, and date of birth then --
or print it out on paper and post it in the street? The typical user
is now forced to use the computer on every desktop, but must he also
become an MCSE to administer it?

Viruses don't have to be a fact of life. There are no viruses on OS X
-- not a single one. The reason most often touted is Apple's lack of
critical mass, but that argument has been beaten to death. There are
millions of OS X computers out there. It's not that a virus couldn't
be written for it either. Far from it. The soft underbelly of Unix (or
Darwin, an open-source Unix-like OS similar to FreeBSD) is just as
vulnerable as the eye-candy applications that run on top of it. Step
back from Apple's three-tiered user privilege system (user, GUI
superuser, and root, which is disabled by default) and understand that
users can still be tricked into clicking on anything -- social
engineering will always work, and there will always be people who

Why, then, are there no viruses for OS X?

Just as Windows users have become accustomed to 140,000 viruses, Apple
users have become accustomed to none. It's a major cultural difference
that, admittedly, sometimes causes Apple users to do stupid things --
and get away with them. It's hard to describe the freedom of using a
system with no malware known to have spread. It's liberating.

Beyond critical mass, I would like to believe there's a better reason
for the lack of viruses on OS X, and it's based on the culture of the
Mac -- which is distinctly different from other platforms. Is it wrong
to try a new computer system and actually enjoy the user experience,
for a change?  Can you imagine a world where (today) you can click on
anything and never worry about malicious intent? Can we not continue
this unwritten rule that there can be a platform out there that is
simple, easy-to-use, with Unix (and a cool ports tree) underneath that
has no threat at all from viruses?

Perhaps I'm living in a pipe dream, but that reality is here today.
Linux is also close, but OS X is already there. Perhaps Apple's big
virus is really just the market enthusiasm that translates to new unit
sales, spread like a contagion, that fuels their 70% year-over-year
revenue growth.

I held off writing this column for the better part of a year, because
many SecurityFocus readers have the intellect, talent and ability to
write a virus that could be quite nasty on OS X. There's the general
notion that (shh!), any added exposure to the platform might bring it
out of the limelight. But if a Windows programmer or security
researcher can try a new operating system and enjoy it just enough to
not want to destroy it, then there's hope for us all.

I should have also prefaced this column with the disclaimer that most
SecurityFocus staff use OS X in some way or another, if not at work
then at home, so we're somewhat biased. After covering multi-platform
security news all day long, from WiFi penetration testing to intrusion
detection and honeypots, at the end of the day it's nice to use a
system that's not on everyone's radar for a change. Let's keep it that

Copyright (c) 2005, SecurityFocus

Kelly Martin has been working with networks and security for 18 years,
from VAX to XML, and is currently the content editor for Symantec's
independent online magazine, SecurityFocus.
