FLAMING RETORT: All this new Mac malware - whose fault is it?

Filed Under: Apple, Featured, Linux, Malware, OS X, Windows

Flaming Retort is back, this time trying to Coole and Explayne Ye Flames we've had from some Mac users (and the discomfiture we know that many others have endured) in the past few days.

In a back-to-front way of making Mac fans feel better, I'll start by making everyone feel slightly worse, taking a small potshot at Windows, OS X and Linux fans alike.

My point here is not to prove that it is somebody's fault, but simply to remind us that perennially finding someone else to blame for our computer security woes is a bad idea.

Let's start with Windows users.

Last year, Sophos bought a job-lot of USB keys from a rail company's annual lost property auction. Two-thirds of them contained malware - all of it for Windows.

Not one file on any of the keys was encrypted, even though many of the files contained personal or business information.

This shouldn't be happening in the 2010s. Any decent anti-virus software would have made mincemeat of the malware infections on the keys we acquired.

And our free encryption tool [download link, Windows only, ungated] makes it easy to secure your files when you're taking them on the road.

Let's move on to OS X, which has been under the pump over the last couple of weeks, as Apple has scrambled to catch up with its Java updates and to deliver some kind of mitigation tool for users who got hit by the Flashback malware as a result.

It's easy to blame someone else. It's Apple's fault for not patching fast enough. It's Oracle's fault for the vulnerability in Java. It's Sophos's fault for making a conspiracy theory to boost sales of its free product. (No, I don't quite get that last complaint, either.)

Many of the Mac users who were hit by Flashback and who didn't have an anti-virus to help them out probably didn't even notice that anything untoward had happened. Mac users aren't much used to so-called drive-by installs.

That's where the crooks exploit a vulnerability so they can bypass the usual "do you want to download/this file comes from the internet/there is still time to save yourself" notifications from your browser, and sneak malware onto your computer without warning or consent.

But Flashback isn't the only malware out there for the Mac. According to SophosLabs, more than three-quarters of last week's malware reports from Sophos Anti-Virus for Mac were for other families of badware, including a lot of year-or-more-old stuff.

This shouldn't be happening in the 2010s. Any decent anti-virus software would have made mincemeat of that malware.

And finally, the Linux crew. Linux desktop users will get off the lightest here, because they haven't been targeted by widespread malware lately. Perhaps that's the inherent superiority of the Linux platform? Or perhaps it's merely fortuitous, because Linux has just a 1% desktop market share? [*]

We'll go back to 2008 to take our first potshot at Linux users and security. Back then, SophosLabs found that a six-year-old Linux virus, Linux/RST-B, was still active and spreading on and from more than 12,000 computers. Worse, those measurements only counted instances of the malware running as root (administrator), so the true total was almost certainly very much larger.

This shouldn't have happened, even back in the 2000s. Any decent anti-virus software would have made mincemeat of this malware.

And there was a malware fiasco, albeit not a widespread one, in the Linux world last year. Malware was discovered on the PC of at least one kernel maintainer, as well as on some of the kernel.org servers themselves. Kernel.org was down for about a month. (Yes, Linux malware. Not only in the wild, but on kernel.org, itself running Linux!)

This shouldn't have happened at all, ever.

What does all this mean?

If you want to get all Flaming Rhetorical about it, you might take a Biblical tone with those who attempt to point security fingers at everyone else, and try an observation like this: "Hee that is without sinne among you, let him first cast a stone." [**]

Security is the responsibility of all of us: technologists, coders, mobile phone users, writers, video watchers, bloggers, Wikipedia readers, bank clerks, bicycle couriers, politicians, policemen and gardeners.

It's not your fault. It's your responsibility.


[*] Don't shout at me! You can say it's more than 1%, if you dearly wish it to be. I'm currently using a simplistic desktop formula: Windows 90%, OS X 9%, Linux 0.9% and everything else 0.1%. Easy to remember and accurate enough by a physicist's yardstick. (One order of magnitude either way, plus or minus one order of magnitude.)

[**] That's the 1611 translation. It fits best, I think you will admit, with both the imagery and the orthography of the Flaming Retort graphic.


37 Responses to FLAMING RETORT: All this new Mac malware - whose fault is it?

  1. Jay · 1270 days ago

    What about BSDs? please include it too.

    • Paul Ducklin · 1270 days ago

      I was going to, but from a desktop perspective the BSDs are (almost certainly) lower than Linux on the prevalence scale. No disrespect in this. Just picked the Big Two desktop OSes and the Next In Line.

      I'll try to take a go at a BSD-based system here, though, just for fun. Here goes.

      "Even OpenBSD has had two holes in the remote install in its history. Two! That's *twice as many holes* as five years ago."

      Only joking. Just remember that malware and intrusions are well-documented on pretty much every system ever made, from VM/CMS, through the UNIXes of Morris's day, to DOS, Mac OS < 10, Windows of all flavours, Solaris, Amiga, Atari, iOS, Android and even, if my memory serves, VMS. We can blame the OS or application vendor all we like - and sometimes they deserve it - but we can't exonerate ourselves always and entirely.

  2. Becks · 1270 days ago

    What about Linux on mobile (aka Android)? There their market share is much larger than 1%

    • Paul Ducklin · 1270 days ago

      I was focusing on desktop OSes, not mobile. And Android isn't really Linux (or wasn't until very recently, when the Android fork rejoined the main source tree).

  3. dav2 · 1270 days ago

    "It's Sophos's fault for making a conspiracy theory to boost sales of its free product. (No, I don't quite get that last complaint, either.)"
    Well, that one is easy - when is Sophos going to pull the plug and start charging people. (I use another well recommended antiviral product.) Moreover I switched to mac after finding Norton became its own virus - being unable to be removed and preventing other things (from Cisco.)

    • Paul Ducklin · 1270 days ago

      Isn't that a sort-of recursive conspiracy theory?

      Surely "starting to charge people for our free product" is something of a contradiction in terms? We could, I suppose, _discontinue_ our free product, and go back to having only a corporate, paid-for version...

      ...but that's not quite the same thing.

      If we did withdraw the free product, that wouldn't leave users any worse off than _not_ choosing our free product now, surely?

      I think I'm hearing that you're implying we might be using the so-called drug-dealer approach ("the first hit's free"), but that would be a little presumptuous (on both our parts), wouldn't you say?

      BTW, I haven't bothered to state, "I have heard neither hair nor hide of any suggestion that we might even consider a discussion of whether to discontinue the free version." After all, if the conspiracy theory is right, there is no point in denying it; if it is false, no need.

      • Richard · 1270 days ago

        Worse, if the conspiracy theory is false, denying it will make people believe it's true!

        • I wasn't on that grassy knoll in November 1963..

          • Richard · 1269 days ago

            I was completely on the opposite side of the field. I was nowhere near the cottage.

            ...not that it was a cottage -- it was a river. But, then, I wouldn't know, of course, because I wasn't there. But, apparently, some fool cut his head off... or at least killed him in some way... perhaps... took an ear off or something. Yes, yes, in fact, I think he was only wounded! er, or was that somebody else? Yes, I think it was. Why, he wasn't even wounded!

    • Muntyhoven · 1270 days ago

      "It's Sophos's fault for making a conspiracy theory to boost sales of its free product. (No, I don't quite get that last complaint, either.)"

      I don't get it either as none of Sophos (or any other anti-malware package) trapped Flashback so installing any of their software for these cases would have and won't do any good, it was down to Apple to fix (appreciated six weeks after Microsoft)

      • Well, we detected the vulnerability... so if you were using Sophos products you should have been protected at that point.

        • Muntyhoven · 1269 days ago

          Thanks for your reply Graham, but a bit confused; wasn't Flashback out in the wild for six weeks without anybody detecting it (at which time Apple updated Java for OS X). That's what I meant, no anti-malware product would have helped. (Same with Windows before MS themselves fixed, again, in a shorter period of time).

          • Our anti-virus product has been detecting the Java exploit, which was used to deliver Flashback, for some time before Apple updated Java for Mac OS X.

            • Muntyhoven · 1269 days ago

              Sorry, I thought you only found the vulnerability roughly six weeks after Flashback had been infesting Macs?

              So a) how long were Macs unprotected even for people using your product and b) how long was the period between Sophos protecting Macs against Flashback and Apple releasing their update?

              Sorry if there was any misunderstanding, I'm just interested that's all. Thanks.

            • Muntyhoven · 1269 days ago

              That is the initial update from Apple released on 3 April http://support.apple.com/kb/HT5228

              Wikipedia's not always correct but the first reports of Flashback on the Mac were from the 4th April from Dr Web?

    • Z Sherman · 1232 days ago

      I have a brand new MacBook Pro and Sophos as my one and only anti-virus, it's detecting all of these malwares on my laptop, but I have to manually clean them up and I don't know how and neither does Apple when I call them. It seems they are coming in thru Yahoo. I wish Sophos would somehow make it easier to get rid of a threat once it is detected. So for now I have nine malwares in the Sophos box.

  4. chipbuster · 1270 days ago

    Keep in mind that if Sophos discontinues free support, there are always alternatives available: ClamXav, Avast, Intego, and a few others make free antiviruses for OS X as well. For Linux, you have ClamAV, Avast, AVG, and a couple other free choices as well. Keeping in mind that the Clam family will always be free (yay GPL), and most others probably will be as well, do you really think Sophos could successfully pull off a bait-and-switch like that?

    I think the central point of this piece stands: you should be aware that malware is out there, and you really shouldn't be relying on any one defense to act as a magic anti-malware shield. Updates, antivirus, smart usage. Defense in depth, guys :)

    P.S. Linux has a 50%+ share of the server market waah waah.

    • Paul Ducklin · 1270 days ago

      And, sadly, a non-negligible proportion of those Linux servers are responsible for providing "free and anonymised redirection services" for the cybercrooks.

      Lots of insecure web servers out there helping the bad guys inject IFRAMEs and dodgy JavaScript to sneak unsuspecting users onto Blackhole sites, and that sort of thing.

      Last I checked, more than 90% of the newly-infected web pages we find each day (20,000 or more) are otherwise-innocent servers not owned and operated by the crooks themselves. And, as you say, 50%+ of servers (at least, of web servers) seem to be running Linux.

      You can have the hardest OS in the world, but once you add a LAMP stack, and remote admin consoles, and a bunch of logging tools, and a few plugins, and some code you knitted to speed up logins...things can get really soft really fast :-(

      We're all part of this, for sure...
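An added illustration (not code from the original post or from Sophos) of how a defender might spot the injected IFRAMEs and obfuscated JavaScript Paul describes on compromised web servers: a small standard-library Python scanner run over a constructed sample page. The `bad.example` URL, the sample markup and the heuristics (hidden or zero-sized iframes, markup after `</html>`, `eval(unescape(...))`-style scripts) are assumptions for the example, not indicators taken from the page.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not real traffic): an otherwise-innocent shop page with a
# hidden iframe and an obfuscated script appended after </html>, the pattern a
# compromised web server typically serves to its visitors.
SAMPLE_PAGE = """<html><head><title>Shop</title></head>
<body><p>Welcome to the shop.</p>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
</body></html>
<iframe src="http://bad.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>
"""

# Inline-script traits that legitimate page code rarely needs (assumed heuristics).
OBFUSCATION = re.compile(r"eval\s*\(\s*unescape|fromCharCode|(?:%[0-9a-fA-F]{2}){8,}")
HIDDEN_CSS = ("display:none", "visibility:hidden")
TINY = ("0", "1")


class InjectionFinder(HTMLParser):
    # Collects (kind, src_or_snippet, reasons) for suspicious iframes and scripts.
    def __init__(self):
        super().__init__()
        self.findings = []
        self._after_html_close = False   # markup after </html> is a red flag
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attributes become ""
        if tag == "iframe":
            reasons = []
            if self._after_html_close:
                reasons.append("appended after </html>")
            if a.get("width", "").strip() in TINY or a.get("height", "").strip() in TINY:
                reasons.append("zero-sized")
            style = a.get("style", "").replace(" ", "").lower()
            if any(h in style for h in HIDDEN_CSS):
                reasons.append("hidden via CSS")
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), reasons))
        elif tag == "script":
            self._in_script, self._script_buf = True, []

    def handle_data(self, data):
        if self._in_script:          # script bodies arrive raw via handle_data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "html":
            self._after_html_close = True
        elif tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if OBFUSCATION.search(body):
                self.findings.append(("script", body[:40], ["obfuscated inline script"]))


def scan_html(html):
    """Return a list of (kind, detail, reasons) for suspicious elements in one page."""
    parser = InjectionFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run `scan_html` over pages fetched from your own servers (or saved from a crawl); the legitimate 640x360 video iframe in the sample is not flagged, while the appended hidden iframe and the obfuscated script are.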

  5. Kim · 1270 days ago

    Well, I am delighted with Sophos and their free download! It helped get rid of a trojan that appeared on my Mac 10 days ago. I pass on all your information you send me to all I know and really appreciate you taking the time to put all this info out. Thanks to all of you at Sophos!

  6. Tim Gowen · 1270 days ago

    Sophos are providing a free Mac product for their own reasons. It doesn't really matter to me. I'd quite like to hear an account of a genuine Mac infection, and apparently there are 600,000 of them. What sort of websites are these users visiting?

    For me the whole "Mac users need to wake up and smell the coffee" attitude is a little annoying. This is what's getting some people uptight, I reckon. It doesn't bother me because as far as I'm concerned Mac users need to install the malware for it to work properly. This is in no way comparable to the position with Windows. And to be honest careful use of Windows - even Windows XP - can keep the risks to pretty much a minimum.

    • Jim · 1267 days ago

      "Mac users need to install the malware for it to work properly"

      It's a driveby infection - simply visiting a website is enough for it to install. And that's why people are getting uptight - it *is* comparable to the position with Windows.

      So yeah, wake up and smell the coffee. Macs really are not immune to malware.

  7. Peter J Taylor · 1270 days ago

    1. Thank you for providing SAV free to Macintosh home users.

    2. I presume Macintosh business users still have to pay.

    3. I can't find your version of the biblical text, beginning with "Hee".

    • Yes, I'm afraid the free anti-virus for Mac users is only for Mac *home* users. Not businesses. Sorry. :)

      But mind you, if you're a business you're hopefully prepared to pay a few groats in order to get tech support etc..

  8. Shean · 1270 days ago

    Having previously bought into the whole Macs don't get viruses (sorry, malware) and then getting hit twice. I googled and searched for protection. Found Sophos was rated as good. Now it runs on everything, and no further problems (apart from Lion sucking).
    Thank you, and for the newsletter which keeps my paranoia up and my defenses I hope. Wish there were an iPad/iPhone app from Sophos.

  9. Ted · 1270 days ago

    I just finished listening to Pauldotcom.com Security Weekly episode 283 podcast with Paul Asadoorian, Larry Pesce, and Carlos Perez. Paul and Larry are corporate pentesters, with Paul also being the Tenable Security evangelist and Carlos being the lead researcher of post exploitation for Tenable Security who bring you the Nessus vulnerability scanner.

    These guys were talking over the Mac and the current malware hitting OS X and all three agree it is time to run AV on a Mac. They were just laughing how all the Mac fanboys discount using AV even after this new large hit on OS X and the obvious future of coming malware that will be coming to OS X.

  10. Rick · 1270 days ago

    We all know BSD is impervious to malware, by design. That's why 9/10 top security researchers swear by it as a preferred platform, it's also great for gaming.

    Too bad a big company like Apple doesn't base their OS on something like BSD, then they too could avoid malware like I do.


    *for those who find sarcasm difficult to identify-- this post is dripping in it.

    • Ted · 1265 days ago

      OS X is based on the FreeBSD kernel and the Mach microkernel. Looks like the Mach microkernel will be inviting to the rootkit masters in the future.

  11. Bill Caelli · 1269 days ago

    Just remember - in 2000 the USA's NSA released SELinux and the concepts of "Flexible Mandatory Access Control (FMAC)"...and clearly indicated that the obsolete "Discretionary Access Control (DAC)" paradigm for system protection had no real place in the Internet connected world of the early 21st century. The DAC origin in the world of punch cards and mainframes, with strict software development, testing and "setting to work" as a norm just no longer applied.

    Remember "C2 by '92" in the USA and even "B2 by '95" for critical systems?

    Essentially ANY critical server system in any enterprise should now be set up around such an FMAC base!

    It isn't happening .... and, maybe it is the problem of education and training ... how many universities teach around such basic and essential security structures? How many university level teachers even know MAC/FMAC concepts or have any background in the area? Any?

    Perhaps Sophos can help us! Just how many reports do we have of any form of malware being successful in such FMAC systems? or is it simply that no-one uses these "hardened" systems anyway?

    • Paul Ducklin · 1268 days ago

      I don't have a scientific (or at least statistically sound) answer. I suspect the latter - FMAC is a security promise more honoured in the breach than the observance.

      FWIW, the subset of Linux/RST-B virus outbreak we measured above probably wouldn't have been contained by any sort of OS-mandated access control, because the malware itself "had root" on those systems, and had been authorised, one way or another, to make outbound network connections and thereby to spread.

      (It's admittedly much more likely that the sort of user who would allow remote root ssh login and have a guessable password - RST-B's main spreading vector - hasn't quite got around to SELinux yet.)

      We regularly see mainstream Linux servers (no names, no pack drill) infected with the Blackhole Exploit Kit.

      See: https://nakedsecurity.sophos.com/2012/03/29/explor...

      This means the crooks have got in, uploaded an entire PHP malware distribution kit, and configured it to go live, on someone else's server. The kit then acts as an infection and dissemination vector for money-making schemes such as scareware installs...

      So. Either FMAC isn't working, or it isn't being used enough. I'd bet on the latter.

  12. Pat · 1268 days ago

    My co-worker constantly replies to any news of new Mac exploits with "it all started with the Intel chip". I'm getting tired of not having any answer other than the growing popularity of the Mac platform and hence a greater "market share" for bad people to exploit.
    Does his comment have any validity?

    • Nigel · 1268 days ago

      "Does his comment have any validity?"

      What difference does it make? Intel Macs are here to stay. Your co-worker can gripe endlessly about how or why "it all started", but all of his complaining won't change the FACT that security is not an issue Mac users can ignore.

      Next time he launches into his whining about "it all started with Intel", ask him this: "What alternative do you propose that will solve the problem?" I'll bet he shuts up quick.

  13. OldNetwork · 1268 days ago

    Pat -

    As far as "it all started with the Intel chip" goes, take it from somebody who has been working with networks since the mid-1980s, viruses started on the Mac. We had a network of 6 Macintoshes integrated with a network of 50 PCs in those days and the _only_ machines that needed anti-virus software were the Macs. At that time, viruses came out of colleges where (you guessed it) they mostly had Macs to work with. We did not need anti-virus for PCs until much, much later in the networking game.

    Over time, Macs were a smaller and smaller percentage of the machines "out there" and eventually virus writers focused their attention on PCs instead. Apple nearly went out of business (blame Scully or anyone else you want, but the reality is that Apple was nearly history) and had such a small market share that virus writers no longer bothered with them.

    Macs are now receiving attention again from the bad guys. Well, welcome to the club.

  14. Ted · 1266 days ago

    Seems there is more going on with Flashback.k


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog