
This morning, I got involved in a Macs vs. PCs argument on a listserv I belong to, on the topic of viruses and security. A spam message had gone out to the list, and some of its variations carried a virus. Someone asked about the email, was told about the virus, and was also told by one of the participants in the thread that he hoped the asker was running a current anti-virus program with up-to-date virus definitions. The asker responded with “No, I’m not running any of that stuff actually. I’m on a Mac ;)” The respondent who had asked about the antivirus program said “I wonder why you’re not. Macs can/have been infected by viruses. They aren’t the same one for the PCs, but there are viruses for the Mac.”

Thus did the argument begin. I pointed out that while there were viruses running around on the classic Mac OS, there aren’t any for Mac OS X (aside from the obligatory mention of MS Office macro viruses). The Mac OS viruses I’d run across were in general pre-8.5, and couldn’t even run in Classic today. Mac antivirus developers do a great job, and I’m the first one to say “Antivirus? Sure, install that. Cheap insurance against the inevitable.” But actual viruses running around on OS X that can actually do anything, destructive or otherwise? I just haven’t run across any. Spyware’s been a big zero on OS X as well, with the exception of commercial monitoring programs like Spector, which the user (or someone with access to the machine) installs deliberately.

So where did this pervasive meme of viruses on the Mac come from? Does it come from “Well, it’s on Windows, so it must be on the Macs too”? Is it FUD at work? Is it just generalization? Leave your thoughts in the comments.

  1. Chris Holland Friday, June 24, 2005

    I think that there are two questions worth distinguishing:

    1) are there viruses on Mac OS X
    2) will there be viruses on Mac OS X
    3) if a Mac OS X user gets infected how easy can it spread to other Mac OS X users.

    These questions often get confused and blurred, and throw the debates in all kinds of silly directions.

    The answer to 1) is, for now, as you pointed out, NO.

    More interesting questions are 2) and 3). My take on 2) and 3) is vaguely covered in 2 articles:

    security

    More on ActiveX

    Regardless of what operating system you’re running, there will always be an infinite amount of ways an end-user can compromise the security of their computer, most especially a networked computer.

    A more relevant question I would ask is whether a piece of Anti-Virus software would be the most effective way to protect an end-user computer that runs an operating system with decent-to-good security design. If I’m dumb enough to install and run a piece of software I obtained over Kazaa, no anti-virus software is going to do anything more useful than Mac OS X’s already built-in first-download-run warning. How else am I to acquire a virus? Email preview? No. Clicking an attachment? Sure, if I get past the warning. Loading a web page? No. Downloading a file from a web page? Sure, if I get past the warning.

    AV software is extremely effective at scrubbing malicious ware that has spread itself out in one form or another and that is widely recognizable. Once I get infected on my Mac OS X machine, how many of my friends are likely to also get infected? How many of their friends can they infect without their knowledge? How long will it take until it even gets on an AV firm’s radar so they can publish a patch for it?

    The other thing is, there just aren’t that many Mac users out there, which would make it even less likely for any given virus to spread itself enough to make it onto an AV firm’s radar.

    Anti-Virus makers have had a lucrative business model on the Windows platform because of the numerous design flaws that have for years plagued it; the holes Microsoft has failed to plug, AV firms have been fixing.

    But right now, as far as I’m concerned, I need more flaws in Mac OS X, a million times more Mac users out there, and a million times more of them infected with the SAME viruses, to consider a piece of Anti-Virus software an effective way to protect my Mac from viruses.

    Until all this happens, I’ll be sticking to preventive measures to make sure I don’t get my sorry @ass infected.

  2. Kevin Ballard Friday, June 24, 2005

    I’m going to guess that the reason so many people think there are viruses on the Mac is one of two things: 1) There are viruses on Windows, so of course there are viruses on the Mac, and 2) wishful thinking (i.e. rationalization for why they shouldn’t switch to the Mac).

    Oh, and I think antivirus software for the Mac is a complete waste of time. It takes up resources (memory and CPU) and does nothing for the present-day Mac user. The only thing that I’ve heard that makes any sense is to scrub Windows viruses so you play nice in a Windows world, but I don’t really understand that one – why would I be spreading any Windows viruses?

  3. I think the main reason people believe there are viruses out there for the Mac is, well, because there are. Every so often security firms and antivirus companies release a press release that says they’ve discovered a Mac virus. The real point is that none has been spread nor has it been detected in the wild. The follow-up to these headlines — that the viruses are merely proof-of-concept or exploits of soon-to-be-closed security holes — is rarely covered by the computing press, much less read by the general public.

  4. Sorry Rich Heend, but you are wrong. It is possible that security companies announce various security problems with OS X, but they have never once announced a virus. Not once. If you think I’m wrong, please post a link.

    There have been numerous OS X security issues. They generally get patched by Apple in a short period of time. Users mostly leave the automatic software update of OS X turned on so those patches propagate throughout the Mac community in short order.

    And there have been a few reports of malicious trojan horses as well. Those trojans are simply applications that naive or ignorant users run without vetting the source of the application. They get them through file sharing networks or off of usenet etc. and run them. A famous one was supposed to be a cracked version of Office for OS X that was really a trojan that deleted user files. Another is a trojan called Opener that installs various Unix rootkit code on your Mac, but none of those has any way to propagate without a user running an application.

    You have fallen prey to exactly what the blog author was asking about. Would you care to elaborate on why you fell for it? It might give us some insight into where this misinformation comes from.

  5. I think it’s just that PC users have a hard time imagining life without viruses.

  6. “If I’m dumb enough to install and run a piece of software I obtained over Kazaa, no anti-virus software is going to do anything more useful than Mac OS X’s already built-in first-download-run warning.”

    Wrong.

    First off, anti-virus software can detect these things, essentially giving the user a real warning rather than the generic “This might be bad” warning.

    Which means you’re getting a warning of a real event which the user will respond to. “Huh? I’ve downloaded 100 apps and never seen this warning before. Better not run it…” versus having seen the same message 100 times before.

    Heck, most of us just click through that warning anyway with a “Yeah, yeah, yeah…” It’s like the FBI warning at the start of a movie.

  7. Scott Granneman said it best:

    Linux vs. Windows Viruses
    By Scott Granneman, SecurityFocus
    Posted: 06/10/2003 at 09:55 GMT

    Opinion: To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it, writes SecurityFocus columnist Scott Granneman.

    We’ve all heard it many times when a new Microsoft virus comes out. In fact, I’ve heard it a couple of times this week already. Someone on a mailing list or discussion forum complains about the latest in a long line of Microsoft email viruses or worms and recommends others consider Mac OS X or Linux as a somewhat safer computing platform. In response, another person named, oh, let’s call him “Bill,” says, basically, “How ridiculous! The only reason Microsoft software is the target of so many viruses is because it is so widely used! Why, if Linux or Mac OS X was as popular as Windows, there would be just as many viruses written for those platforms!”

    Of course, it’s not just “regular folks” on mailing lists who share this opinion. Businesspeople have expressed similar attitudes … including ones who work for anti-virus companies. Jack Clarke, European product manager at McAfee, said, “So we will be seeing more Linux viruses as the OS becomes more common and popular.”

    Mr. Clarke is wrong.

    Sure, there are Linux viruses. But let’s compare the numbers. According to Dr. Nic Peeling and Dr. Julian Satchell’s Analysis of the Impact of Open Source Software (note: the link is to a 135 kb PDF file):

    “There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread – most were confined to the laboratory.”

    So there are far fewer viruses for Mac OS X and Linux. It’s true that those two operating systems do not have monopoly numbers, though in some industries they have substantial numbers of users. But even if Linux becomes the dominant desktop computing platform, and Mac OS X continues its growth in businesses and homes, these Unix-based OS’s will never experience all of the problems we’re seeing now with email-borne viruses and worms in the Microsoft world. Why?

    Why are Linux and Mac OS X safer?

    First, look at the two factors that cause email viruses and worms to propagate: social engineering, and poorly designed software. Social engineering is the art of conning someone into doing something they shouldn’t do, or revealing something that should be kept secret. Virus writers use social engineering to convince people to do stupid things, like open attachments that carry viruses and worms. Poorly designed software makes it easier for social engineering to take place, but such software can also subvert the efforts of a knowledgeable, security-minded individual or organization. Together, the two factors can turn a single virus incident into a widespread disaster.

    Let’s look further at social engineering. Windows software is either executable or not, depending on the file extension. So if a file ends with “.exe” or “.scr”, it can be run as a program (yes, of course, if you change a text file’s extension from “.txt” to “.exe”, nothing will happen, because it’s not magically an executable; I’m talking about real executable programs). It’s easy to run executables in the Windows world, and users who get an email with a subject line like “Check out this wicked screensaver!” and an attachment, too often click on it without thinking first, and bang! we’re off to the races and a new worm has taken over their systems.

    Even worse, Microsoft’s email software is able to infect a user’s computer when they do something as innocuous as read an email! Don’t believe me? Take a look at Microsoft Security Bulletins MS99-032, MS00-043, MS01-015, MS01-020, MS02-068, or MS03-023, for instance. Notice that’s at least one for the last five years. And though Microsoft’s latest versions of Outlook block most executable attachments by default, it’s still possible to override those protections.

    This sort of social engineering, so easy to accomplish in Windows, requires far more steps and far greater effort on the part of the Linux user. Instead of just reading an email (… just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can’t just execute attachments, but they will still have to go through the steps. As Martha Stewart would say, this is a good thing. Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world, which should help to alleviate any concerns on the part of newbies.

    Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that’s about it. So the above steps now become the following: read, save, become root, give executable permissions, run. The more steps, the less likely a virus infection becomes, and certainly the less likely a catastrophically spreading virus becomes. And since Linux users are taught from the get-go to never run as root, and since Mac OS X doesn’t even allow users to use the root account unless they first enable the option, it’s obvious the likelihood of email-driven viruses and worms lessens on those platforms.

    Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior. Windows XP, supposedly Microsoft’s most secure desktop operating system, automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. The reasons for this decision boggle the mind. With all the lost money and productivity over the last decade caused by countless Microsoft-borne viruses and worms, you’d think the company could have changed its procedures in this area, but no.

    Even if the OS has been set up correctly, with an Administrator account and a non-privileged user account, things are still not copacetic. On a Windows system, programs installed by a non-Administrative user can still add DLLs and other system files that can be run at a level of permission that damages the system itself. Even worse, the collection of files on a Windows system – the operating system, the applications, and the user data – can’t be kept apart from each other. Things are intermingled to a degree that makes it unlikely that they will ever be satisfactorily sorted out in any sensibly secure fashion.

    The final reason why social engineering is easier in the Windows world is also an illustration of the dangers inherent in any monoculture, whether biological or technological. In the same way that genetic diversity in a population of living creatures is desirable because it reduces the likelihood that an illness – like a virus – will utterly wipe out every animal or plant, diversity in computing environments helps to protect the users of those devices.

    Linux runs on many architectures, not just Intel, and there are many versions of Linux, many packaging systems, and many shells. But most obvious to the end user, Linux mail clients and address books are far from standardized. KMail, Mozilla Mail, Evolution, pine, mutt, emacs … the list goes on. It’s simply not like the Windows world, in which Microsoft’s email programs – Outlook and Outlook Express – dominate. In the Windows world, a virus writer knows how the monoculture operates, so he can target his virus, secure in the knowledge that millions of systems have the same vulnerability. A virus targeted to a specific vulnerability in Evolution, on the other hand, might affect some people, but not everyone using Linux. The growth of the Microsoft monoculture in computing is a dangerous thing for users of Microsoft products, but also for all computing users, who suffer the consequences of disasters in that environment, such as wasted network resources, dangers to national security, and lost productivity (note: the link is to an 880 kb PDF file).

    Now that we’ve looked at the social engineering side of things, let’s examine software design for reasons why Linux (and Mac OS X) is better designed than Microsoft when it comes to email security. Microsoft continually links together its software, often not for technical reasons, but instead for marketing or business development reasons (see the previous link for corroboration). For instance, Outlook Express and Outlook both use the consistently-buggy Internet Explorer to view HTML-based emails. As a result, a hole in IE affects OE. Linux email readers don’t indulge in such behavior, with two exceptions: Mozilla Mail uses the Gecko engine that powers Mozilla to view HTML-based email, while KMail relies on the KHTML engine that the Konqueror browser uses. Fortunately, both Mozilla and the KDE Project have excellent records when it comes to security.

    Further, the email programs themselves are designed to act in a more secure manner. The default behavior of the email program I prefer – KMail – is to not load external references in messages, such as pictures and Web bugs, and to not display HTML. When an HTML-based email shows up in my Inbox, I see only the HTML code, and a message appears at the top of the email: “This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here.” But even after I activate the HTML, certain dynamic elements that can be introduced in an HTML-based email – like Java, Javascript, plugins and even the “refresh” META tag – do not display, and cannot even be enabled in KMail.

    Finally, if there is an attachment, it does not automatically run … ever. Instead, I have to click it, and when I do, I get a dialog box offering me three options: “Save As …” (the default), “Open With …”, and “Cancel”. If I have mapped a file type to a specific program – for instance, I have associated PDFs with the PS/PDF Viewer, then “Open With …” instead says “Open”, and if I choose “Open”, then the file opens in the PS/PDF Viewer. However, in either case, the dialog box always contains a warning advising the user that attachments can compromise security. This is all good, very good.

    For all these reasons, even if a few individuals got infected with a virus due to extremely foolish behavior, it’s unlikely the virus would spread to other machines. Unlike Sobig.F, which is the fastest spreading virus ever, a Linux-based virus would fizzle out quickly. Windows is an inviting petri dish for viruses and worms, while Linux is a hostile environment for such nasties.

    Some caveats

    There is one Linux distribution that is ignoring many years of common sense, good design, and an awareness of secure operating environments in favor of a Microsoft-like deprecation of security before the nebulous term “ease of use”: Lindows. By default, Lindows runs the user of the system as root (and it even encourages the user to forgo setting up a root password during installation by labeling it as “optional”!), an unbelievably shortsighted decision that results in a Linux box with the same security as a Windows 9.x machine.

    If you go to the Lindows Web site, they state that it is possible to add other, non-privileged users, but nowhere in the operating system do they advocate adding these other users. Yet they claim their distribution of Linux is secure! In an effort to emulate Microsoft and make things “easy”, they have compromised the security of their users, an unforgivable action. No one in the field of security, or even IT, can recommend Lindows while such a blatant disregard for security is the norm for the OS.

    Yet some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users.

    Security is, as we all know, a process, not a product. So when you use Linux, you’re not using a perfectly safe OS. There is no such thing. But Linux and Mac OS X establish a more secure footing than Microsoft Windows, one that makes it far harder for viruses to take hold in the first place, but if one does take hold, harder to damage the system, but if one succeeds in damaging the system, harder to spread to other machines and repeat the process. When it comes to email-borne viruses and worms, Linux may not be completely immune – after all, nothing is immune to human gullibility and stupidity – but it is much more resistant. To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it. I know which one I’ll trust. How about you?

    1. You are cool…!!! I agree with what you said…

      Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that’s about it. So the above steps now become the following: read, save, become root, give executable permissions, run. The more steps, the less likely a virus infection becomes, and certainly the less likely a catastrophically spreading virus becomes. And since Linux users are taught from the get-go to never run as root, and since Mac OS X doesn’t even allow users to use the root account unless they first enable the option, it’s obvious the likelihood of email-driven viruses and worms lessens on those platforms.

      ……………………………………………………….

      How many people who could create a virus file would damage all those root files… execution ;)

      SW..Master of science (network system) Mel,Aus

    2. Again, I used the wrong word, between would and could ;)

    3. I wish that extremist MAC supporters would stop throwing ROCKS (viruses and rhetorical comments) at Windows… Windows is a great system and should be revered as one. Only morons who willingly subject themselves to such infections will quickly learn how not to become infected… If you keep hiding under mommy’s skirt you won’t know what hit you when you finally venture out. Someone will figure out how to write a way around the root and smack that ass. If you hadn’t been hiding under mommy’s skirt you would have learned the warning signs. Most knowledgeable Windows users know to set up restricted user accounts, where you have to use a password to enable the privileges of the root to execute. Same steps are employed, just in a more user-friendly approach. Which I will grant is too easily ignored, thus another infected user LEARNS.

    4. Just to clarify that Macs get infected, check this
      http://www.securemac.com/
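The “read, save, give executable permissions, run” chain from the Granneman column quoted in comment 7, as an added example in Python (mine, not code from this page, from Granneman, or from any mail client). It saves a constructed, harmless shell “attachment” the way a mail client would, shows that the kernel refuses to execute it until the user explicitly adds the execute bit, and reports whether the current account could even write into a system directory. The payload, file name and function names are assumptions; it needs a Unix-like system with /bin/sh and only touches a fresh temporary directory.

```python
"""Added example: the Unix attachment chain (save, chmod +x, run).

Not from the page or from Granneman's column. The payload is constructed
and harmless; nothing outside a temporary directory is written.
"""
import os
import stat
import subprocess
import tempfile

# Constructed "wicked screensaver" payload: prints a line and exits 0.
PAYLOAD = b'#!/bin/sh\necho "payload would run here as $(id -un)"\nexit 0\n'


def save_attachment(directory: str, name: str, data: bytes) -> str:
    """Write the attachment as ordinary data, the way a mail client does.

    open() creates the file with mode 0666 & ~umask, so no execute bit is
    ever set, whatever the bytes contain or how the name ends.
    """
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def is_executable(path: str) -> bool:
    return os.access(path, os.X_OK)


def try_run(path: str) -> str:
    """Try to execute the file directly, as an "open" action would."""
    try:
        proc = subprocess.run([path], capture_output=True, timeout=10)
    except PermissionError:  # execve() fails with EACCES: no execute bit
        return "refused"
    return "ran" if proc.returncode == 0 else "failed"


def make_executable(path: str) -> None:
    """The extra, deliberate step the user has to take: chmod +x."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def simulate_attachment_chain() -> dict:
    """Walk the whole chain and record what happened at each step."""
    with tempfile.TemporaryDirectory() as tmp:
        path = save_attachment(tmp, "wicked_screensaver.sh", PAYLOAD)
        result = {
            "executable_after_save": is_executable(path),
            "first_run": try_run(path),
        }
        make_executable(path)
        result["executable_after_chmod"] = is_executable(path)
        result["run_after_chmod"] = try_run(path)
        # Damage scope: an unprivileged account cannot write into /etc.
        result["running_as_root"] = os.geteuid() == 0
        result["can_write_etc"] = os.access("/etc", os.W_OK)
        return result


if __name__ == "__main__":
    for step, outcome in simulate_attachment_chain().items():
        print(f"{step:>24}: {outcome}")
```

Run it as an ordinary user and the first attempt comes back “refused”, the second “ran”, and can_write_etc is False; run it as root and the last two fields show why Granneman objects to working as root: the same script would then have the whole system in scope.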

  8. To answer the author, the reason people believe mac users should be running virus protection programs is because everyone knows it is possible that someday an OS X virus may be written. And because to most people the internet represents the incarnation of the “infinite number of monkeys” anything that can happen, will happen.

    And because you can never prove a negative, they will always believe they are just days away from proving all us smug Mac users wrong, they will always stick to their guns.

    I also want to respond to Peter because although he may be technically correct, it is not really worth mentioning. Sure, once a trojan has spread, virus programs can step in and protect you from them, but the type of trojan that showed up on OS X would probably never be added, as it had no way to propagate itself. I could write a thousand variants of a script or application that deleted files if you were stupid enough to run it. Hell, I could write code that wrote code that did this and generate these types of trojans faster than virus checkers could be updated. The reason nobody does is because these are useless trojans. Push them onto the P2P sites and they die, because anyone who downloads them and runs them immediately deletes them. Thus killing them (no more need for a virus definition). For this reason, virus definitions will probably never be written for these, because statistically they will help nobody.

    Trojans become interesting when they can take advantage of other bugs and can spread. Nothing like that exists for OS X. So, although it is true that someday, someone may write an OS X virus, it is not accurate to imply that any have ever existed or that anyone would be safer if they ran a virus program on OS X today, which is the heart of the question Peter was trying to answer.
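The “thousand variants faster than the definitions” point in the comment above, as an added example in Python (mine, not from the page or from any AV vendor). A constructed, never-executed “cracked Office installer” script is kept only as bytes; a signature scanner matches it by SHA-256, a thousand variants are generated by appending a comment line, and the hash signature misses every one of them while a crude behavioural pattern still flags them all. The sample, the detection names and the regex are assumptions, and the regex is a toy that is itself trivial to evade (`rm -r -f`, a variable holding the path, and so on).

```python
"""Added example: exact-hash signatures versus trivially regenerated trojans.

Not from the page or from any AV product. The sample below is constructed,
is never written to disk or executed, and exists only as bytes.
"""
import hashlib
import re
from typing import Optional

# Constructed sample: a "cracked installer" that just wipes the home directory.
TROJAN = (
    b"#!/bin/sh\n"
    b'# "Microsoft Office for OS X - cracked installer"\n'
    b'rm -rf "$HOME"/*\n'
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database in the style of the period: exact file hashes.
SIGNATURES = {sha256_hex(TROJAN): "Trojan.Constructed.OfficeCrack"}


def signature_scan(data: bytes, signatures: dict) -> Optional[str]:
    """Return the detection name on an exact hash match, else None."""
    return signatures.get(sha256_hex(data))


def make_variants(sample: bytes, count: int) -> list:
    """Produce distinct variants that behave identically.

    Appending a comment changes the hash without changing what the script
    does; a real author could just as easily reorder lines or rename things.
    """
    return [sample + b"# variant %d\n" % i for i in range(count)]


# Crude behaviour heuristic: recursive rm rooted at the home directory.
DESTRUCTIVE = re.compile(rb'\brm\s+-[a-zA-Z]*r[a-zA-Z]*\s+"?\$HOME')


def heuristic_scan(data: bytes) -> Optional[str]:
    return "Heuristic.DestructiveShell" if DESTRUCTIVE.search(data) else None


def compare_scanners(count: int = 1000) -> tuple:
    """Count how many of `count` fresh variants each approach catches."""
    variants = make_variants(TROJAN, count)
    sig_hits = sum(1 for v in variants if signature_scan(v, SIGNATURES))
    heur_hits = sum(1 for v in variants if heuristic_scan(v))
    return sig_hits, heur_hits


if __name__ == "__main__":
    print("original matched:", signature_scan(TROJAN, SIGNATURES))
    sig, heur = compare_scanners()
    print(f"variants caught by signature: {sig}/1000, by heuristic: {heur}/1000")
```

The asymmetry is the whole argument: a new hash costs the attacker one byte, while each new definition costs the vendor an analysis and a distribution cycle, which is why signature-only protection is only worth that cycle once a sample has actually spread. Behavioural rules close some of the gap but bring the false-positive and evasion problems the later comments describe.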

  9. Chris Holland Saturday, June 25, 2005

    Peter, Doug nails the point I was trying to make right on the head: It comes down to how effective an Anti-Virus company can be at updating its definitions, based on a virus that has successfully spread itself, or has very significant chances to spread itself, for it to be worth their time and money spent developing and distributing an update to their definitions.

    For the full definition of a Virus to be complete, a malicious program needs to spread itself. Otherwise, it’s just that, a malicious program. Or a trojan. Or a proof-of-concept.

    Again, until things change in the Mac OS X world, I’m really not sure a piece of Anti-Virus software is the most effective way to protect my mac from viruses. Anti-Virus software is typically more “reactive” in nature, and only has a track record of truly being effective when nailing viruses that have already spread.

    I’d rather stick to preventive measures, such as my ISP (earthlink) allowing me to scrub viruses from my email (hey, saves some bandwidth), not running any TCP servers unless I absolutely have to, and staying away from paths of infection.

  10. Chris Holland Saturday, June 25, 2005

    Peter, also by “detect these things”, I assume you’re talking about “suspect behavior” a piece of software may have. Could you provide specific examples of where a piece of Anti-Virus software has successfully detected “suspect behavior” without obnoxiously intruding in a user’s day-to-day activities.

    Since I’m paranoid about security, and because I’m always curious to know what my applications are doing, I’ve for a while run an application called “Little Snitch” which prompts with a dialog box before a piece of software initiates any network connection, allowing me to add said piece of software to an “allow list”. It leverages OS X’s built-in firewall. That’s not a piece of Anti-Virus software; this falls under “preventive measures”. While it works well for me as I’m a geek, it does get a bit obnoxious at times, and I often find myself turning it off.

    It is very difficult to accurately algorithmically define “suspect behavior” without at some point risking obstructing an end-user’s productivity. The only time I’ve seen a piece of Anti Virus software actually be effective, is when the software had acted on a known virus that had already had a chance to spread itself.
