The Mac OS X Malware Myth Continues

By Carl Howe

Continuing a non-story that will never die, Wired Magazine has an article about the threat of Mac OS X malware, in which I was quoted. I spoke with the author, Ryan Singel, by phone yesterday, and disputed the premise that Apple's (NASDAQ:AAPL) market share grows, it will be subject to the same degree of malware that Windows is. Unfortunately, something got lost in the translation. Here's the quote:

But Carl Howe, an Apple analyst at Blackfriars Communications, disputes the security researchers' theories. He thinks that OS X's Linux heritage makes Apple systems less vulnerable to attack than Windows-based platforms. He argues that even if hacking Macs hasn't been profitable in the past, attackers would have done it anyway if they'd been able -- just for the attention.

"I think the market-share thing has always been a myth," Howe said. "It's a good story to talk about."

What I actually said was Mac OS X's Unix heritage, not Linux. I wrote Ryan about the mistake, and he corrected it. But I just wanted my readers to know I don't have my *nix's mixed up if they saw the earlier version.

But overall, I do stand by my statement that the whole Mac OS X malware story is one of those urban myths that just won't die, just like Craig Shergold, the child with cancer who wanted to get into the Guiness Book of World Records for the most business cards (which, by the way, was true in 1989, but he survived and no longer needs cards). For an ordinary consumer, it's easy to think that since Mac OS X and Microsoft (MSFT) Windows both looks somewhat similar, that they must be similar underneath and exhibit similar vulnerabilities. Therefore, the reasoning goes, the difference in malware must just be due to market share differences.

The only problem is that it isn't true. The two platforms have completely different business philosophies, architectures, and decisions behind them. And those differences matter when it comes to security.

Microsoft Windows evolved from a hardware platform philosophy

See, it's important to remember who Microsoft's biggest customers are. Those big customers aren't consumers; they're hardware vendors. That's why it's nearly impossible to buy a HP or Dell computer without Windows -- HP and Dell are Microsoft's customer, not you. And these hardware vendors are the people who drove Microsoft's growth.

When Microsoft designed Windows for the ability to run on as many hardware platforms as possible, it had to make its system easily extensible. Therefore, Windows needed ways that anyone could plug their software into, be they a motherboard maker, a peripheral manufacturer, or a software designer. That meant easy ways for outside companies to modify Windows to their needs. This doesn't just apply to device drivers, but other OS components like dynamically loadable libraries, graphical drivers, and the like. And with thousands of Windows vendors involved, developers became very creative at adding their software into Windows. And Microsoft, responding to Steve Ballmer's chant of "Developers, developers, developers....", put application programming interfaces (APIs) -- some of them public, some of them not -- so developers could install these add-ons.

And this extensibility didn't stop at hardware devices. When Microsoft found itself falling behind Netscape and its use of Java in Web browsers, it felt it had to allow Web designers to extend its OS as well. So it added a Windows-only extensibility feature called ActiveX, which allowed Web designers to add code to the browser and to the user's desktop environment. I noted publicly that this was a mistake in Web security in 1997. But in its quest for market share and Internet dominance, it didn't really care about security.

Now in 2004, Microsoft recanted on that view, and Bill Gates declared security its top priority with its Trustworthy Computing initiative. But by that point, Microsoft had millions of pieces of driver code and software add-ons that had to be allowed to insert themselves into Windows for its ecosystem to continue functioning. The company was left with two choices: be compatible or be secure. Guess which choice worked best with Microsoft's business model?

Apple chose a secure software foundation and rigid platform control

Mac OS X, on the other hand, never went through this same "we must be all things to all developers" evolution. It based its OS on a tried-and-true platform, the Berkeley Source Distribution [BSD] version of Unix. The APIs into this system are few and well-publicized. BSD's security model is also both open source and well tested, having been used by educational, government, and commercial researchers for about 30 years. Yes, Apple made changes and extensions to the system, but they were done to make Mac OS X run well on Mac hardware, not a million different Frankensteinian combinations of hardware from thousands of different vendors. And in fact, Apple still exercises very tight control of its platform and operating system software by building in security features that prohibit Mac OS X from running on other Intel hardware, even though it quite easily could allow it.

The result: Mac OS X remains a much tougher nut to crack for malware developers. Why? There are actually a lot of reasons, but I'll stick with just my top three. Unlike Windows,

• Mac OS X users don't run with administrator privileges. Until Windows Vista, almost every Windows user had all privileges to install and modify their OS at all times. Mac OS X, on the other hand, always has users run without such privileges. That means you have to type a password to install or change any critical system software. That minimizes the damage that Web- or email-based malware can do. And unlike Windows, there is no compatibility requirement for ActiveX binary code insertion into the user or kernel environment via the Web in Mac OS X.


• Mac OS X has less spaghetti code. Ask any security guru and he or she will tell you: a simpler software model is easier to secure than a complex one. Any Unix has only about 200 entry points into the secure kernel environment. And while there are many libraries in the Mac OS X system, most of those don't have enough privileges to do anything really bad (see bullet point above). For a nice graphical comparison of the relatively low complexity of Linux (not the same as Unix, but similar in security philosophy) compared with the high complexity and threat profile Windows, see these lovely charts.


• Mac OS X mail doesn't automatically run attachments.One of the poorest security decisions that Microsoft made was that back in 2000 or so, it configured its Outlook and Outlook Express mail systems to automatically execute script code on incoming HTML email without any user action required. This was one of the big vectors for virus proliferation earlier this decade. Microsoft has since patched that problem, but it remains a headache for the entire Microsoft ecosystem because unpatched systems still exist. Meanwhile, Apple mail systems have never run attachments or HTML code automatically, so this very common vector for virus transmission just doesn't exist in the Apple world.


• Apple can actively manage and verify its hardware Apple doesn't need to sacrifice security for compatibility with a million different hardware configurations. In fact, as we've seen in its latest Leopard launch, Apple actively prunes the number of hardware configurations it supports. And Apple has demonstrated with its iPhone that it is no stranger to locking down its hardware/software products to guarantee a good user experience. As a result, Apple doesn't have to provide insecure compatibility interfaces for old hardware or software systems -- and therefore can minimize its threat exposure.

Now I'm not saying that Apple has an invulnerable or even a "requires-an-MIT-Ph.D.-to-crack" security system. It doesn't, and smart security guys like Thomas Ptacek have written about Leopard's latest vulnerabilities. There will be security problems, both now, and in the future. But I think it's important to distinguish between having two exploits on the roughly 50 million Mac OS X computers (the latest of which is actually a Trojan Horse, and not a virus) and the roughly 140,000 viruses extant for the hundreds of millions of Microsoft Windows computers worldwide.. Two vulnerabilities don't make an epidemic. And given that Mac OS X is a harder target to penetrate, I don't expect those ratios to change dramatically any time soon.

One final note: I noted above that the vulnerability that is being publicized this week is actually a Trojan Horse, not a virus. What that means is that the user actually has to 1) explicitly download a piece of software, which the author advertises as a QuickTime codec, 2) choose to install that software, and 3) type in their administrator's password before the code becomes active. The fact that this threat requires three explicit user actions to activate and has no other way of spreading itself means it will never infect millions of computers the way worms like Storm or MyDoom do. All that said, if you want information on what and how it works, you can see a pretty good presentation here at the SANS Institute.

Comments

[dorothyedward]

Advanced Malware Analysis

What has become accepted as “reverse engineering training” is really just malware analysis that simply consists of “run-time analysis”. What this means is that you put the malware on a virtual machine and run a packet sniffer (like Wireshark), a registry monitor (like regshot), a file monitor (like filemon) and then a process monitor (like process explorer).
These common “reverse engineering” courses have you run malware and answer the questions:

1. Where is it connecting to?
2. Does it modify the registry?

3. Does it modify the file system?
4. Does it modify any running processes or start any new ones?
You don’t need a class to teach you these things.

The goal of the AMA training class is to provide a methodical hands-on approach to reverse-engineering by covering both behavioral and code analysis aspects of the analytical process.

The course begins by looking into PE headers and how to handle DLL interactions. Then it moves on to the fundamentals of x86 architecture assembly. Next you learn to examine malicious code in order to understand the program’s key components and execution flow. You then learn to identify common malware characteristics by looking at Windows API use patterns, and will examine excerpts from bots, rootkits, key loggers, and downloaders. From there you move on to standard and custom packers and other tools and techniques for bypassing anti-virus, and then on to malware with anti-debugging/anti-an... capabilities. Then the class is concluded with obfuscated browser scripts.

You can purchase this course by clicking here.

Day 1: Basic Forensics

Analyzing a hard drive image
Recovering deleted files
Decrypting encrypted files

Day2: Bypassing Anti-Virus

Using Hex Editors to bypass AV
Using packers to bypass AV
Using debuggers/disassemblers to bypass AV

Day3: Network/Browser Forensics

Advanced pcap analysis
De-obfuscating malicious javascript

Day4: Memory Analysis

Memory analysis
Malicious pdf file analysis
DLL injection

Day5: Reverse Engineering

Binary modification/patching techniques
Anti-Debugging/Anti-An... techniques
Exploit development

Course Instructor
The course instructor is security consultant and trainer Joe McCray. Joe McCray has 10 years of experience in the security industry with a diverse background that includes network and web application penetration testing, incident response, and forensics in the both DoD community and the private sector. Joe is also a frequent trainer/presenter at security conferences such as Black Hat, Def Con, ToorCon, BruCON, LayerOne, TechnoSecurity, and TechnoForensics.

General Course Info

Course dates are October 3rd – 7th. The course will be comprised of 5 days of 50 minute sessions with 5-10 minute breaks, and an hour for lunch.

Pre-requisites:
Students must be familiar with IT Security best practices, and have a good understanding of TCP/IP and common web technologies.

* Basic Windows administration for both servers and workstations

* Basic Linux/*NIX system administration skill

* Basic command-line proficiency on both Windows and *NIX systems

Students should be familiar with the following web technologies and languages:
* HTTP
* HTML
* Javascript
* ASP
* PHP
* SQL

Please follow the link: http://bit.ly/1gCCH67

[SaltWater]

I can't believe my eyes is such bad article! Most MalWare is depended on Software only and not hardware!! Even if the Windows broad hardware compatibility opened software breaches, that does NOT mean Apple is Safer, I use a Mac because I like the simplicity and organization apps have, but thinking Apple is free of Malware is just simply a lie! I am advanced computer user, and while I know and suspicious of some apps, it's impossible to say if the code is 100% secure, and that's more danger in closed OSs as Apple Mac OS X, while Linux, Ubuntu, Fedora etc has the code publicity available, as most of Linux apps, Mac OS X and Windows DO NOT HAVE! Maybe that's why Little Snitch founds lot of apps trying to connect to strange IPs or I have found some trojan horses in my MAC OS X 10.6.7 computer! Windows has plenty of Virus, but Microsoft actually is trying hard to be safer on it, and lots of technologies they are implementing to to so, Windows MalWare defender, Apps signatures etc etc, in the other hand Apple is doing NOTHING, just says their OS is safer and Secure which is a LIE! For an example How can Apple really can talk in security when with FileVault Home Folders encryptions on, the Time Machine can only make an UNENCRYPTED BACKUP to local disks!!!!!!

[garync]

Does one incur Windows level risks by running Windows software via a Windows emulator on a Mac?

[PaulX]

The only problem with using a MAC is that of affordable software availability. A friend of mine tried to use the MAC version of Open Office to no avail. He also found .doc files saved on a MAC at home in Word for MAC could not always be opened on a PC at University - and vice versa.

I am a fan of Linux, because of its relative security compared with Microsoft's products, and its financial benefits over allowing oneself to be locked into the MAC system. But I have to admit it does not work as easily as XP Pro either..

[Neil Anderson]

Have you seen any figures on the numbers of Mac users affected by the trojan OSX.RSPlug.A?

[John2007]

Carl, the Mac community owes you a great debt. Many thanks for all of the efforts to set the record straight.

[the deebs]

I remain to be convinced.

Windows experience suggests that wherever there is a hole it will be exploited (or already has been)

www.pixentral.com/show...

(OS X 10.5 with block all incoming selected through preferences)

[Tom B]

This is MSFT's dilemma as the only publicly traded OS vendor that still uses proprietary cr*p instead of UNIX: If they sit down and take the time to write a modern, 21st century OS, like Steve Jobs did at NeXt and Apple did under his direction these past 6 years (or like SuSe, Ubuntu, or Red Hat), they will break 30 year old legacy DOS junk and they'll start to bleed market share at a faster rate. Heck, it took them 5 years just to change the eye-candy on XP and call it Vista. They AREN'T going to solve Windows' existing security holes that they have accumulated through decades of "spaghetti code".

[beech_35]

It also took 5 years to change the eye candy on Windows 95 (aka ME, W2K) as it took 5+ years to change the eye candy of Windows 3.1 which was essentially eye candy for DOS to begin with.

OS X is the only OS with origins in a multiuser, multitasking, secure OS, while Windows in all its incarnations has been an attempt to retrofit security to an aging interface.

With OS X, Apple completely scrapped its legacy OS and started over with a clean sheet using a BSD Unix core. Windows has no analogous core other than MS-DOS. Without scrapping Windows and starting from scratch, nothing from MSFT will ever be as secure as OS X.

[Tedious]

I don't think MS has to scrap Windows and start from scratch. Apple didn't even start over from scratch. The Carbon API is an OS X port of the "Classic" API that Apple stopped selling over a half decade ago and stopped supporting last week. The Carbon version has also been abandoned in 32-bit land. Expect it's support to end in 2 to 4 years.

I think that MS should take THAT page from Apple's book and start depreciating API sets (like any Direct X before 7 and the entire Win16 API) and port their new APIs to a BSD based filesystem running on a their 64-bit NT kernel.

Backward compatibility all the way back to PC-DOS 1.0 may be what MADE Microsoft, but it will be what kills it if it doesn't start pruning their code base (regardless of how many lazy grey-beard developers it will piss off).

[Swivelgames]

This is true for many products made by Microsoft. In my opinion, Microsoft tries too hard to be "backwards-compatible," even to the point of including a compatibility feature in IE8. Internet Explorer is a good example of Microsoft's problem with backwards compatibility. They're starting to get the picture, but they really need to start doing their best to encourage and enforce the deprecation of out-dated softwares, most notably older versions of Windows, and for us web developers, Internet Explorer.