November 20, 2006

Why no Mac viruses?

Daring Fireball: Jackass of the Week: Larry Seltzer

John Gruber goes off on the latest Windows-centric pundit to declare that the only reason Macs are essentially virus-free is that nobody's interested in them.

Seltzer's summary graph:

Opinion: The verdict is in: OS X is as insecure as anything out there, but somehow nobody—including attackers—cares.

Gruber focuses on the inconsistency: the Mac supports a healthy software market, likely proportionate to the Mac's share of the market relative to Windows, yet the Mac malware market is “nearly zero.”

Gruber misplays his case, however, when he says “Mac OS X’s malware market share hovers near zero (as did the classic Mac OS’s a decade ago).” Both Gruber and Seltzer seem to believe that the Mac has just never supported a virus-producing community. This is dead wrong.

The Mac environment wasn't always virus-free.

Once upon a time, I ran a few public-access labs at my university. These labs suffered several virus outbreaks, most notably catching WDEF before it was discovered in 1989. We also would occasionally see MDEF, nVIR, and Scores. The Mac's market share then was a little higher -- a little under 10 percent, versus 5 or 6 percent today -- but it was still a minority platform, with the great majority of computers running DOS or Windows.

And yet, there were 10 or 20 viruses running loose in the classic Mac OS ecosystem (compared to hundreds for DOS/Windows), and there are none running loose in the OS X ecosystem (compared to hundreds for Windows). Since the hardware was at one point exactly the same for either ecosystem, the difference must be in either the software or the user base.

But the OS X user base is decidedly more capable of creating a virus than the classic Mac OS ecosystem. Plenty of “alphageek” nerd users have made the switch, attracted by Apple's elegant hardware, (figuratively and occasionally literally) transparent interface, and Unix-y base. The only thing about the user base that discourages malware production is that most people who know enough to build a Mac virus can make a nice living as a programmer or administrator, so why foul the nest? Still, the number of users capable of generating theoretical Mac malware must be at least 5 times as large as it was before the release of OS X.

So if it's not the user base, it must be the software. The Unix security model is more secure than the pre-Vista Windows model, and must take the lion's share of the credit for the lack of OS X viruses. There may eventually be Mac OS X viruses, but to claim the reason there are none is that the platform is irrelevant is more than a little bizarre.

November 20, 2006 in Apple, Apple - Software, Web/Tech


Perhaps the claim is a little bizarre, but there are a combination of things that make it true.

First, it's not the Unix design, but that the admin user does not, by default, have 'root' permissions, and requires authentication for most of the nefarious activities most virii would want. But the potential for a modern, Windows-type exploit + virus + social engineering exercise? Yeah, it's all there.

The only real fundamental difference is that the Mac doesn't offer the sheer number of exploits at this point that Windows does, and it may never, but the risk is the same, and so is the cure: education of the users, which may ultimately be the real reason that modern Macs aren't as vulnerable. Fewer users set themselves up as root-level users as their daily usage accounts, and, as a rule, they know that there are certain things that you just don't do without risk.

Posted by: Andy Satori at Nov 20, 2006 2:16:29 PM

I guess by definition any Turing machine offers the possibility of self-replicating code, but clearly some OS designs make it less likely, rather than more (totally independent of OS market share). Sometimes, all that's necessary to keep somebody from breaking into your house is to make it 10 percent harder to break into than your neighbor's house.

Of course, the risk to Mac users is greater than to Windows PCs, because so many Macs run without malware detectors. Because the hardware/software ecosystem is more of a monoculture, any effective virus might spread more quickly.

Given all that, though, I still say the primary reason there are essentially no Mac viruses is the underlying Unix model not making stupid assumptions that compromise security (see, for example, the Tom Yager rundown from August that Gruber linked today).

Vista is supposed to address some of the security problems in Windows, but observers don't seem too impressed at this point (I haven't even messed with it yet):

"If you are on Windows 2000, then of course it's compelling and you may as well go. Those on XP will be trialing and can pick their time to go.

"But are they doing it because of the security features? No. Have I seen security features as part of a business justification? Part of them, yes, but really the business justification (based on Vista's security features) is weak as a whole."

That's from CNET's Is Vista security a selling point?, published today.

Posted by: Frank at Nov 20, 2006 3:50:50 PM

I've talked about this before in other places, but the short version (since I wrote the long version here, but the comment system wiped it out on post, I'm not retyping it) is that self-replicating code is easy, on EVERY platform. Dissemination and contamination of foreign systems is the hard part, and is why most modern virii use a mix of social and technical wizardry. If I were targeting a Mac with a malware infection, it would be built on social engineering, with just a dash of technical. You can do plenty of damage in user space without ever bringing up an authentication dialog, and yet there appears to be a group of Mac users that REALLY want to overlook that.

rm -rf ~/Documents/ embedded in an AppleScript attachment with a Preview.app icon, with a title like, say, 'Leopard Screenshots' or 'iPhone Pre-Release Pictures', that also sends itself to every address book email address and every email address that has ever sent you an email in mail.app, before then wiping your documents (in a harmful approach, though I think hiding a zombie emailer that runs when you log in is more likely to be what would be wanted). None of this would require any auth, and only a handful of stupid users to start the infection. Leveraging published exploits, even patched ones, would only further the infection since most 'users' aren't good about applying patches.

It just isn't as hard as you want to pretend it is.

Posted by: Andy at Nov 20, 2006 7:59:28 PM

Sorry if you had trouble with TypePad's comments.

I think it would take more than a Mac port of the Melissa macro virus to achieve any significant infection rate on the Mac. I don't open attachments that I'm not expecting, not even from my mother. Also, your "virus" wouldn't spread on my system, as I don't use mail.app.

I don't pretend anything -- I agree that a virus on any platform that can execute software is possible, which of course includes the Mac. Yet presented with the fact that there are no Mac viruses, I reject the claim that Macs don't have viruses because they're lucky, or because nobody is interested in the platform. The classic Mac OS had viruses, and plenty of people are interested enough in the platform to write code for it.

That means the reason must be something different about the Mac user base or the OS. My hypothesis is that it's the software.

Posted by: Frank at Nov 20, 2006 9:31:51 PM

This argument does not entirely hold water. Yes, you are right, there were a dozen or so wild viruses running loose in Mac OS 7 days, and there are none in Mac OS X. But a flaw in the argument is that there were essentially none left around by the late Mac OS 8 days, before Mac OS X.

My belief is that the reason for this is Broken Window Syndrome, in combination with a secret cabal of anti-virus people. I was never a member of this cabal, but I have met a member and he described the workings of it. Basically, when a virus was discovered, the group immediately pounced on it, splitting into factions, some disassembling it and learning how to counter it, others tracking it back to the source. From memory, the last Mac virus released resulted in the arrest of the author within a week - now that is a deterrent worthy of mention.

Broken Window Syndrome comes into play because the group managed to keep the number of active, viable viruses to zero. Thus whenever a new one was released, all attention could be focused on the one virus. Compare this to Windows, where new viruses are released every day; there is no way to keep up.

Mac OS X inherited this essentially virus-free ecosystem, and that inheritance, together with its indisputably better security against viruses and Apple's reasonable continued efforts in maintaining a pristine ecosystem, is the prime reason for the good situation we find ourselves in today, more so than lack of market share or Unix's better security in general.

At least this is my opinion based on my (occasionally faulty) memory.

Posted by: Peter N Lewis at Nov 21, 2006 3:02:09 AM

Why don't you ask a security researcher instead of Gruber or Tom Yager?


Posted by: hi at Nov 21, 2006 5:06:08 AM


Thanks for the link to Matasano! Adding to my feed reader; I'll ponder his points later this morning.

Posted by: Frank at Nov 21, 2006 7:10:52 AM


You're absolutely right that there was a very muscular antivirus community for the classic Mac OS. When WDEF was discovered, I corresponded with John Norstad, and may have sent him a stuffed example, and a new version of most Mac antivirals was available a few days later.

(Of course, the WDEF virus was one of the simplest ever to remove -- hold down the option key as you insert an infected floppy, and a clean desktop file would be created, overwriting the infection.)

When/if the Mac again hosts an infestation, I expect the Mac community would again respond pretty quickly.

Posted by: Frank at Nov 21, 2006 8:49:59 AM

Something I see mentioned over and over again is this: "Considering the lack of malware detection software on the Mac".

Now, correct me if I'm wrong but didn't all malware detectors for PC start as reactive packages? Right now they can't do much to prevent new infections and what little they can do happened by seeing patterns in past infections (monitoring specific system files, keeping checksums of others, monitoring the registry, etc.).

Even antivirus programs work this way.

How, then, can we expect Mac users to have any kind of efficient malware monitoring application when we know that it won't be effective until after an outbreak is detected?

I may be missing something essential (and I know tools exist for Unix, like Snort, that monitor changes in system-critical files), but without existing pathogens no prevention tool can be made (unless we're talking basic things like active firewalls and a myriad of warnings popping up every time the system wants to do something, just in case it's not what the user intended. And we know how well that works with end users).

Posted by: Eduo at Nov 21, 2006 9:09:13 AM

Eduo, there are still current commercial versions of Norton Antivirus for the Mac, Sophos Anti-Virus for OS X, Intego's VirusBarrier, and Virex, now called McAfee VirusScan for Mac.

There's also at least one freeware app, ClamXav, which appears to focus on identifying Windows viruses on your Mac (Virtual PC/Parallels partitions) or passing through it (e-mailed macro viruses).

Posted by: Frank at Nov 21, 2006 9:23:38 AM

Frank: Those I know of, I avoided on purpose. They don't address threats or viruses on the Mac but the propagation of them using the Mac as an unknowing agent. It's like being immune to cholera but carrying the disease to a country where people aren't.

Those I can understand, in a community of mixed platforms. I think that's just being civil (and having to deal with the disease-ridden neighbours makes it a necessity).

My comment was directed at Mac-specific files, malware and infections. If I have BonziBuddy on my Mac, for whatever reason, I'm an infection vector for PCs but my Mac is not, in any possible way, affected by it. In the same way I can open and read most Outlook viruses in mail.app without any consequences.

Posted by: Eduo at Nov 21, 2006 10:15:45 AM

Eduo, I can't find a single page for any of them that runs down the threats they address. Checking the most recent virus definition read-mes, it looks like none of the recent changes add any malware profiles to be on the lookout for; they're typically new applications or data that are excluded from checking or recognized by scanners, or improved internationalization.

Posted by: Frank at Nov 21, 2006 10:35:49 AM

Frank: I know, but for example in the case of antivirus they used to mention (back when it mattered) what technologies they'd use to detect when "anomalous activity" could be going on. That and heuristics supposedly could prevent, to some degree, the attack of newer viruses.

In the same vein, spyware programs monitor the registry, startup items and plugins to check for changes and isolate them if needed.

None can detect brand-new problems but they can catch variations of known malware.

We don't even have this, as we don't have a working pool of malware.

I say this in a good way, by the way. I like it that way :)

Posted by: Eduo at Nov 21, 2006 12:32:13 PM
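Eduo's two comments above describe what the "reactive" detectors actually do on any platform: record checksums of system-critical files and startup items, then flag anything that changes. The script below is an added example, not code from the original post or from any of the products named in the thread. It builds a SHA-256 baseline of a directory tree, saves it as JSON, and reports files that were added, removed or modified. The directory layout and file names in `demo()` are constructed for the illustration and do not correspond to any real Mac OS X path.

```python
"""Minimal file-integrity monitor: baseline a tree, later detect changes.

Added example; the monitored tree and its contents are constructed here.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest.

    Symlinks are skipped: hashing the target would let a redirected link
    masquerade as an unchanged file.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline. In real use this belongs on read-only or offline
    media; a baseline malware can rewrite detects nothing."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        tree = workdir / "tree"           # the tree we pretend to protect
        store = workdir / "baseline.json" # kept outside the monitored tree

        (tree / "bin").mkdir(parents=True)
        (tree / "bin" / "login").write_bytes(b"#!/bin/sh\necho original login\n")
        (tree / "etc").mkdir()
        (tree / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (tree / "etc" / "motd").write_text("welcome\n")

        save_baseline(build_baseline(tree), store)

        # Simulated changes an integrity check should surface:
        # a replaced binary, a deleted file, and a new startup item.
        (tree / "bin" / "login").write_bytes(b"#!/bin/sh\necho replaced login\n")
        (tree / "etc" / "motd").unlink()
        (tree / "startup").mkdir()
        (tree / "startup" / "unknown_item").write_text("placeholder\n")

        return compare(load_baseline(store), build_baseline(tree))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

Running the script prints one line per category (`modified: ['bin/login']`, `removed: ['etc/motd']`, `added: ['startup/unknown_item']`). Two caveats match Eduo's point about reactive tools: the baseline has to be taken from a state you already trust, and it only tells you that something changed, not whether the change was hostile, so the alert still needs a human or a signature database behind it.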