Latest in Doingthemath

Image credit:

Malware, Macs, and crying wolf: Doing the math


Love Apple gear? Like math? TUAW's Doing the Math series examines the numbers and the science that lie behind the hardware.

The contentious subject of Mac security has been back in the news in recent weeks following the emergence of a fake antivirus package called MacDefender (also known as Mac Security and Mac Protector) that managed to steal a number of users' credit card details, and a new piece of "crimeware" called Weyland-Yutani BOT which allows non-technical hackers to easily create password grabbing webpages that specifically target Mac browsers.

This prompted a fresh round of "the Mac is under attack! Malware will drown us all! Exclamation!" blog posts, followed by the usual backlash against them. On the alarmist side, Ed Bott wrote "Coming soon to a Mac near you: serious malware", predicting doom, gloom, and dogs and cats living together.

The case for the defence was eloquently made in an article entitled "Wolf!" by Mac uber-blogger John Gruber where he simply collected assorted "Mac malware is inevitable" quotes from prominent analysts... going back to 2004, and all clearly unfulfilled in the sense of widespread attacks or exploits in the wild. Bott responded with a thoughtful post where he made a more reasoned case that malware for Macs really is inevitable in the long run, regardless of how inaccurate previous predictions have been.

So who's right, and who's wrong? Is it time to run to the hills or are people just sounding the gong of panic unnecessarily? In this post I'm going to try and dive a little deeper into the issues surrounding Mac malware, hypothetical and real, and separate the headlines from the facts.

I'm on the hunt, I'm after you

Why does malware even exist? Broadly, there are a few reasons why someone would choose to attack the security of your computing platform, whatever it may be:

  1. Intellectual curiosity, security research, and bragging rights.
  2. Vandalism -- perhaps casual or highly-targeted cyberwarfare attacks.
  3. Botnets -- using the infected computer for nefarious ends.
  4. Data stealing -- spyware and keyloggers.

Think about how these motivations intersect with the world of Apple products. The intellectual curiosity angle is an excellent reason to hack Macs -- and, indeed, we regularly see annual hacking contest pwn2own highlight previously unknown OS X security flaws (in 2009, 2010, and 2011), with the researchers walking away with big cash prizes for doing so. Indeed, Mac OS X and iOS's reputations as more secure platforms mean greater bragging rights for successful attacks -- so Apple OSes tend to attract attention to hackers who are in it for the challenge (and/or the headlines).

However, these researcher guys are not the people to be worried about. They are mostly "white hats", meaning that when they uncover an exploit they tell Apple about it and then keep quiet until it can fix the problem and issue a security update. The direct threat to users from their work is minimal. They're not out to hurt anyone.

I'm lost in a crowd

The other malware motivations -- vandalism, botnets, and data theft -- are clearly very different. These are hostile attacks and, petty vandalism aside, there's big money to be made from them. Botnets made up of millions of infected PCs can be leased as spam engines pushing out knock-off pharmaceuticals, porn, and intricate stock pump-and-dump schemes. Spyware can automatically capture credit card numbers by the tens of thousands, uploading them to central servers for the creators to collate and sell on to organised crime. If they can get iTunes passwords, they can place fraudulent purchases in the App Store and bank any royalty payments Apple pays out before they're rumbled. There is an entire black market economy behind almost all modern malware activity -- and it's thriving.

The Mac has one big security blanket in this area: market share, or more specifically, the lack of it. Calculating market share is tricky, and depending on how it's done, gives quite different results. For example, research firm Gartner showed Mac sales making up 7.4% of all sales in 1Q09 which had grown to 9.7% by 4Q10. MacRumors has a nice graph of Gartner's estimates between 2006 and mid 2010.

Gartner is only considering sales of new computers, so its figures don't reflect how many computers are actually in use out there; consider that older Macs often enjoy a longer life than older PCs. A different approach to allow for this was taken by Pingdom, which tallied up hit counts, tracking which operating systems visitors to popular web sites were using in February 2011. It suggests that market share in some areas, including the US, Canada, and a number of European nations was between 11.7-17.6%.

So what does that mean for the malware vendors? It's reasonable to assume that if all the computers in the world were Macs, then all the hackers would be after them; if just a handful were, then clearly the hackers aren't going to bother. The critical question is where the line lies between the two extremes. An interesting 2008 article (PDF link, or there's a good summary), by Dr. Adam J. O'Donnell, then working at Cloudmark and now at SourceFire, for IEEE Security & Privacy, used game theory to attempt to answer that question.

O'Donnell asks at what point malware would reach a "tipping point" -- how many Macs do there have to be in the world before malware targeting them would give a better return on investment than malware targeting Windows PCs? With the assumptions that PC virus scanners are 80% effective and that no Mac users use antivirus, the answer was 16%. In other words, if 16% of all the computers in the world were Macs, then the black hat hackers would make more money from attacking Macs than they do by attacking PCs.

Taken with the Pingdom result, and assuming for a moment that you don't want to quibble with the assumptions and mechanisms, this is a disquieting result. It suggests, for the first time in history, Mac malware is becoming economically desirable -- partly due the the Mac's rising market share and partly because better security in the Windows world is changing the balance.

Even if you can pick holes in either Pingdon or O'Donnell's methodologies (and please feel free to do so in the comments), I do think the conclusion O'Donnell arrives at is a common-sense one. As Mac market share increases, the amount of money to be made from writing Mac malware increases with it. Logically, there has to come a point at which the "X" in OS X starts to look like a plump and juicy target.

Stalked in the forest, too close to hide

What about that really powerful meme that Macs are secure by design and don't suffer from the security holes of Windows?

Unix was originally designed as a multi-user operating system, and as such, it's built around the idea that not every user is created equal. System administrators can do everything; normal users can access only their own files and cannot make changes in the base OS; server software like the Apache web server is usually configured to run with as little control as possible. If an attacker finds a security problem in Apache and takes control of it, they can't go on to run amok on the computer. Mac OS X inherited this structure from NeXTStep and the Mach kernel at its heart, and iOS inherited it from Mac OS X.

Windows, famously, didn't have these baked-in concepts. For many years and through many versions of the operating system, every program that ran on Windows ran at the same security level, which means things like viruses could more easily spread from machine to machine. Additionally, many pieces of built-in software like the SMB networking layer used for file sharing weren't built with security in mind, and were broken into time and time again.

However, this view of Windows is rather outdated. In Windows XP and Vista, Microsoft paid a lot more attention to these matters, the most user visible result of which was the much reviled User Access Control. In Windows 7, it's generally accepted that Microsoft's security story is as good as it's ever been, meaning malware authors and criminal enterprises tend to focus on the lower-hanging fruit of the less-well-protected Windows XP (still the world's most popular OS by a wide margin).

Malware gets into your computers in (broadly) one of three ways: it finds a hole in something you're already running, it tricks you into running something new that seems innocuous, or it piggybacks on something legitimate. As Microsoft has improved its base security, most malware on Windows has moved, and is now focussed on fooling the user into installing something they think they want which turns out to also contain the password grabber or botnet client they certainly didn't.

Macs are equally vulnerable to these sorts of techniques. Consider also how often, when installing a piece of software, Mac OS X pops up a dialog asking for your password, and you enter it. That step has some very serious ramifications; the software installer now has much greater access to your operating system and can install anything it wants -- good or bad -- with impunity. And yet most of us don't pause to think about what we're doing, we just enter the password and let it get on with things. Even without that password, there's still plenty of nefarious things that a program can do.

OS X's Unix underpinnings help, but they aren't a magical shield either. Consider the recent problem with Skype, or the large number of security holes in OS X itself that Apple fixed in the April 2011 security update for OS X 10.6.7. Third-party browser plugins and OS components are also notorious for bringing along their own security issues (Java, Flash, etc.).

The best you can hope for is that Apple has done its work well, found most of the holes, and closes the other holes quickly when they are uncovered. Unfortunately, that's not always the case. Gruber has noted that its response is sometimes sluggish, for example taking 75 days to issue a patch for a serious problem with Open SSL in 2009.

Aaaaand I'm hungry like the wolf

So, lots of words later, who's right? Is the year of Mac malware like the year of Linux on the desktop, or is it time to crack each other's heads open and feast on the goo inside? Is continued sarcasm about the Mac malware threat dangerous? Don't forget, many of the security experts warning us to invest in Mac security also work for security firms selling security products. When umbrella salesmen predict rain, it's wise to be skeptical. (And on the gripping hand, journalism that tries to navigate nuance between the poles of hysteria and sarcasm rarely attracts as much attention as more hyperbolic writing, so keep that in mind when evaluating media coverage of the issues I am discussing here.)

I believe it's a little of both, but I'm more on the skeptical than the panic side. Certainly, I don't run any antivirus on my Mac, nor am I about to start doing so (although other TUAW team members do, for various reasons, and there are good free options). On the other hand, I'm sure there are people out there who's naïve belief that their Mac is immune to security threats is so strong that they end up falling for phishing scams delivered via an email they just happen to read in Mail. I think that worldview is perilous.

You have to make up your own mind. At the very least, I'd urge you to be conscious of the issues, and don't blindly download and run programs from sketchy websites. If you feel you'd like to go further, there's a good overview of Mac security options on Lifehacker, and we've covered many security programs on TUAW.

I'm going to give the last word to Graham Hibbert, who said in response to the Wolf! post on Daring Fireball, "The point of the story that I think John [Gruber] missed, is that the last time, there was a wolf, and no one believed the boy."

From around the web

ear iconeye icontext filevr