Apple Watch Ziff Davis Enterprise
Monday, January 26, 2009 7:42 PM/EST

You Can Steal but You Can't Hide

News Commentary. Who says that malware writers can do no right?

There's a sordid kind of justice about two Trojans affecting Mac systems: people got them by stealing software. The first Trojan appeared last week in pirated copies of iWork '09. A variant has since turned up in pirated copies of Adobe Creative Suite 4.

In the real world, many (I assume most) people have the sense to stay away from bad neighborhoods. They know where they don't belong and where it isn't safe for them. But there's a real lack of good sense when it comes to bad Internet neighborhoods. There, many (I assume most) Mac users have no sense at all.

Bad Internet neighborhoods have been a major source of Windows viruses for years. Nearly every malware-infected Windows PC that I've serviced got infected somewhere bad: porn or gambling sites, video or music file shares, or software-crack distributors. Many torrents are currents for distributing malware.

Mac users have been able to walk invisibly through bad neighborhoods; no one there even acknowledged their presence. Now that's changing. These two related Trojans aren't the only recent Mac malware distributed in bad Nethoods. Another example: malware posing as video codecs, distributed through some porn sites.

The fake codecs and the Trojans have something in common: both rely on end-user behavior to push past Mac OS X security. To date, Mac malware infection has generally required getting the end user to grant permission to install something. With the fake video codecs the user installs the malware directly; with the newer Trojans it piggybacks on the installer of the pirated application, riding in on the permission the user grants to install the software he wanted.

Hacking and malware have long histories of exploiting end-user behavior. The Conficker worm continues to spread among Windows computers, and bad behavior is a major reason: Microsoft patched the vulnerability it exploits in October 2008 (MS08-067), but many computers still run unpatched and/or without anti-virus software. They're screwed.

The time is fast approaching when Mac users will pay for their bad behavior. Here's why: For years I've defended Apple against the marketshare myth of security vulnerability. The idea: Windows is the bigger malware target because it has a bigger marketshare than the Mac, and if Apple had more marketshare, Macs would be attacked, too.

These new Trojans suggest that Microsoft was right. Of course, Microsoft was right and just as wrong, too. There's more to malware vulnerability than marketshare; there's resilience to attack. Mac OS X has proved hardier than Windows, with rights administration (system-level changes require the user to authenticate) being a major reason. But Mac OS X's hardiness, which the marketshare myth ignores, doesn't mean there's nothing to the theory, either. There is a perceptible increase in Mac malware, which suggests that, yes, increased marketshare makes for a bigger target. That said, the malware isn't hitting the Mac mainstream but the fringes, meaning bad Nethoods. It is in these bad neighborhoods that people grant malware installation privileges. They unlock the doors to intruders.

Many (I presume most) Mac users are even more at risk than Windows users. I didn't say Macs, but the users. Long-time Mac users aren't used to being held accountable for their actions:

  • They've had free run of the Web, without many consequences.
  • Most Mac users have been able to run OS X without anti-virus software.
  • Trust is the major check against piracy. Some software developers, such as Adobe, require product activation, but most others don't—and certainly not Apple.

By comparison, Windows users' experience is different:

  • Even good Internet neighborhoods pose malware risk; infections and their consequences are quite real.
  • All Windows users should run anti-virus software, and most new PCs ship with some kind of anti-malware software.
  • Microsoft introduced product activation nine years ago, which led to pervasive use of the anti-piracy mechanism; Windows also checks for counterfeit or pirated copies.

Living has been tougher in the Windows world, but many end users are hardier for it. As for bad Mac users, I dunno. I agree with Darrell Etherington, who today posted at the Apple Blog:

Really, as it stands, the only people at risk are those trying to pirate software, so it's not really a case of 'Is the OS less secure?', so much as it is one of 'Are Mac users security savvy?'. Pirated software distributed via torrents has always been a high-risk area, but those running a Mac OS have had the luxury of being less guarded about those types of threats because the malicious code they contained was generally written to attack Windows machines.

Times change. Clearly someone sees a market in, and an opportunity from, Mac malware placed in bad Nethoods. As I post, Intego reports at least 20,000 Trojan.iServices.A infections (from pirated iWork '09) and about 5,000 Trojan.iServices.B infections (from pirated Creative Suite 4).

If the Trojans' tale were a morality play, the lesson would be simple: Don't steal. Windows users have long had reality checks—malware infections and other consequences for their bad behavior. Mac users have largely been consequence free—at least in this century. No longer. They will pay if they play in bad Internet neighborhoods.

[Please send your tips or rumors to watchtips at live.com].

Comments (4)

This is welcome realism, but you're still being too kind to the Mac. Security professionals largely bought into the marketshare "theory" years ago. There has been a steady stream of exploitable vulnerabilities that went unexploited and, had they been attacked with competence, Macs would have fallen like leaves in an Autumn wind.

We've assumed for years that once that one big attack comes it will be like smallpox and the Indians all over again. A huge population of unprotected systems run by users who have no idea what they're facing. It won't be pretty. I don't think this pirated software thing will do it because that only hits people who have no moral sense and I assume most Mac users wouldn't do that.

But there have been vulnerabilities in OS X over the years like the one used by Conficker; exploitable over the wire with no user interaction. The next one won't go unexploited. I think this is the year it actually happens.

The majority of malware, that doesn't embody an automated crack of a known remote exploit, requires acquiring and executing untrustworthy code from untrustworthy sources. Ever since hearing of such things in the 1980s, I've wondered, "Why did [user foo] decide to run that?" When the immediate excuse is that some software (in its day, MS-Outlook's 3-pane view, and such) ran it without asking the user, I've wondered "Why did [user foo] decide to run software that trusts dodgy software on his/her behalf?" The point being that the decision to do so is not inevitable.

I've long been disappointed that the IT press almost always neglects to mention how a notable piece of malware comes to be executed, which to my mind is the actually interesting bit. There seems to be an implicit attitude of fatalism; that, just because users will do any damnfool thing and often use dangerously defective software, there's no point even in attempting to understand the process of where things went wrong.

In the case of the Mac codecs and trojaned iWork / CS4 bootlegs, you seem to be saying the users made the damnfool decision to not only run untrustworthy code off the Internet, but do so with root authority (via sudo). And, of course, users willing to do dumb things as root are a menace to their systems with or without malware.

I've just looked up the Conficker family: Seems to have been a canned attack against the ludicrously badly designed Microsoft RPC interface in MS-Windows (that apparently did zero input validation). Exposing really awful network daemons to public networks puts me in mind of the old technical support joke. ("Doctor, doctor, it hurts when I do this....")

Rick Moen
rick@linuxmafia.com

Charles Norrie:

You can avoid malware infection by replacing your Windows operating system with free Ubuntu Linux Intrepid Ibex
