[This is probably my last article here for 2011. Compliments of the season to you all.]
Inevitably, my attention was drawn last week to an article on Mich Kabay’s Infosec Perception based on an essay by student Jeremy Legendre: Macintosh Malware Erupts. Well, I’m not in the business of understating security risks to Mac users, but eruption seems a little overstated to me, at least if it’s supposed to suggest a major volcanic event rather than a minor cosmetic blemish. In fact, the actual content of the article is far less sensational than the title suggests, pointing out the disparity in numbers between Mac viruses and Windows viruses. (Presumably, Legendre is using the term “virus” in the common non-technical sense, since true viruses, while not extinct, are very much in the minority nowadays, and still virtually non-existent on Apple platforms since OS X.)
Actually, the disparity is far greater than the MacWorld article quoted by Legendre indicates. The number of known malicious binaries is numbered in tens of millions and heading rapidly towards an extra zero. The problem, of course, is that whereas back in the ‘90s, malware could usually be categorized in terms of viruses with a finite number of major variants, categorization is far more difficult when it’s released and updated in the volumes we see today (tens, even hundreds of thousands of unique binary samples daily).
You probably expect overlap between the broadest categories of malware (autorun infectors, for example, include huge numbers of malicious programs that are related only in terms of a single aspect of their infective functionality). However, categorization by family is a much tougher job when we look at numbers like these – not that the AV industry was ever terribly good at standardizing on the naming of malware. Nowadays, the detection names most often used by most companies are both highly generic and highly specific to the company. This isn’t actually a bad thing in terms of communication between companies – it just means that we rely on hash values to tell us whether we’re talking about the same specific binaries – but it doesn’t help the consumer or even the non-specialist security person without tens of millions of samples or even sample hashes to which to refer. Unfortunately, I’ve no easy answers to that: from where I stand, it’s generally more important for the security industry to be able to identify with precision, when it comes to allocating resources. And that leads me to a couple of small issues I have with the article.
Kabay says:
“Jeremy personally reverse-engineered and analyzed Mac Defender to see what the fuss was all about. As it turns out, this piece of malware is very simple and could be easily stopped by Apple with a service package or update. If this simple little program is causing such an increase in AppleCare calls, what is going to happen when more advanced malware comes out?”
However, MacDefender is not a unique example of malicious code in the sense that most traditional viruses and virus variants are. It’s a name given by the criminals to a number of binaries of a similar type (fake security software compiled for the Mac), but there are quite a few similar programs with similar names (in fact, Mac Defender was by no means the first Mac scareware).
It’s true that these are not generally fiendish examples of complex malicious programming. Modern malware writers are mostly committed to the principle of making malware “just good enough” to ensure ROI, rather than wasting time and resources on unnecessary complexity and innovation: in fact, while we shouldn’t underestimate the importance of technical infrastructure in this particular “business”, scareware is a classic example of how far a minimally technical approach can be taken by effective social engineering. (For an even scarier example, consider the hugely successful coldcalling support scams coming out of India nowadays.) Cybercriminals understand the KISS principle very well.
But that’s beside the point. Of course it’s not difficult to detect a single example of such malcode once you have a sample to analyze, and for all its public “Mac malware? What Mac malware?” marketing, Apple is neither indifferent nor purely reactive when it comes to the discovery of Apple-targeting malcode. Its problem is that it hasn’t found a better solution to date to the scareware problem than frequent XProtect updates, an approach that has a lot in common with the much-reviled old-school AV model (find a sample, write a signature, distribute the signature, find a sample, write….) Indeed, I’m not sure there is a better solution than the more modern AV approaches (generics, heuristics, reputation scoring), short of an extreme whitelisting approach like that implemented for iOS. But I’m far from convinced that extreme whitelisting approach is practical for deeply entrenched desktop operating systems. And with all due respect to Apple (and that’s a lot of respect) for what it’s achieved in so many areas, reinvention of the rather creaky anti-virus wheel in order to stave off the idea that Mac AV might be a Good Idea may not have been one of its most inspired initiatives.
*With apologies to the BBC: http://news.bbc.co.uk/1/hi/world/americas/73785.stm