Posted by: David Harley | November 12, 2010

Self-launching versus User-launched Malware

Back in September, “Marks” posted this comment to Mac Virus (on the About page, if you want to read it in the original context).

I would like to know if there is any virus/malware/etc that targets OSX and that (1) does not require a password-authorized installation to do damage and (2) has ever actually harmed a home-based OSX user.   I note that your Malware Descriptions page currently lists just two (count them, two!) examples of OSX malware, and that both require a password-authorized installation.

To which I replied:

@marks: I did count them, and there are three on the malware descriptions page. That isn’t because there aren’t any more, it’s because I haven’t time to work on this right now. Actually, our collection of OS X-targeting malicious binaries at ESET is now well into the thousands, though that means unique binaries, not malware families. Do they all need password-authorized installation? That depends on a number of factors, but in principle, probably. The same should apply to properly-configured NT-derived Windows machines: it certainly applies to my systems of all denominations. Have they ever harmed an OS X home system? Yes. Anything like the number of infected Windows systems? Of course not. Does that mean they don’t matter? No.

His response:

David Harley wrote: “Have they ever harmed an OS X home system? Yes.”

Can you give a citation to a credible source for a SPECIFIC EXAMPLE of a DEFINITE INCIDENT of OSX malware that did not require password authorization and damaged home-based users?

I have been unable to find any such example myself in searching the literature on Mac security.

And the final comment in that thread, from me:

I don’t know what proportion of OS X-specific successful attacks on OS X home users required password authorization. Most or all of them, I imagine. There are attacks that don’t require it, but I don’t know how many have worked “in the wild”. Since most home users of OS X don’t believe they need security software, it’s hard to know what’s out there but unreported, given that we’re talking about very small populations. I suppose it would be mildly interesting as pure research to know the answer to your question. Pragmatically, though, it doesn’t matter much. If a program does or could do harm, it does matter, though, whether or not it requires some form of social engineering in order to trick the victim into running it/giving it permission to run. I know that some Mac enthusiasts feel it somehow doesn’t count if malware is user-launched rather than self-launching, but I’ve never understood why. (He said, trying to be tactful.)

If AV companies didn’t bother with all the user-launched Windows malcode, the Windows malware problem would be statistically very much smaller and I could have the occasional weekend off. That might not be very helpful to all those victims of user-launched malcode, though.

And there it rested, until this unpleasant little misrepresentation caught my eye.

I claim that there are no known cases of a home-based Mac OSX user being harmed by malware that did not require the user to first download and then password-authorize the installation of some software. Two months ago, I challenged security expect [sic] David Harley, author of the blog Mac Virus, to cite such a case, and he was unable to do so […].

Part of my response to that (lightly edited here) in the Bogleheads forum was along these lines:

Avo/Marks is entitled not to accept my assertion that self-launching OS X malware exists and has compromised home machines unless I cite an “acceptable” reference, but that’s not my problem. I am concerned that while AV labs seem to be seeing somewhere around 30-60 new OS X malware samples a week (perhaps ten times that number if you include samples that can affect Mac users but aren’t Mac-specific) the myth persists that malware only matters if it’s self-launching. Actually, very little Windows malware is self-launching. Vulnerabilities that allow infection generally have short lives, but social engineering works with painful consistency.

To be fair, I should probably have included some background there on Autorun malware, which is a Windows-specific problem. In fact, ESET statistics show that a very high proportion of current malware still includes Autorun functionality (that’s been the case for a number of years). However, there’s a vital distinction here between the functionality present in a sample and the functionality actually used in a given infection. The proportion of Windows machines that are vulnerable to Autorun exploitation is, while still too high, steadily decreasing, as Microsoft has made it relatively easy to turn it off by default. (It’s disabled by default in Windows 7, of course.) Apple, to its credit, learned a lesson from the Autostart epidemic of several years ago, and hasn’t included equivalent functionality.
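As an added illustration of the Autorun point above (my own example here, not part of the original post or an ESET tool): a PowerShell check of the NoDriveTypeAutoRun policy value that Windows uses to control Autorun, reporting whether it is switched off for every drive type. The registry path and bit values are Microsoft’s documented ones; the function names are mine.

```powershell
# Added example: audit the Windows Autorun policy on the local machine.
# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is disabled;
# 0xFF disables it for every drive type. Both the machine-wide and the per-user
# policy key are checked, since either can apply to the logged-on user.
function Get-AutorunPolicy {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
                      -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        $isSet = ($null -ne $value)
        [PSCustomObject]@{
            Scope             = if ($path -like 'HKLM:*') { 'Machine' } else { 'User' }
            RawValue          = if ($isSet) { '0x{0:X2}' -f $value } else { 'not set' }
            AllDisabled       = $isSet -and (($value -band 0xFF) -eq 0xFF)
            RemovableDisabled = $isSet -and (($value -band 0x04) -ne 0)   # USB sticks etc.
            CdRomDisabled     = $isSet -and (($value -band 0x20) -ne 0)
            NetworkDisabled   = $isSet -and (($value -band 0x10) -ne 0)
        }
    }
}

# Apply the machine-wide policy that disables AutoRun on all drive types.
# Needs an elevated shell; a Group Policy setting will override this on domain members.
function Disable-Autorun {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

Get-AutorunPolicy | Format-Table -AutoSize
```

A value of “not set” means the OS default applies, which varies by Windows version and patch level, so treat it as “review”, not as “safe”.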

Stuxnet (and its short-lived copycats such as Win32/Chymine) proves (though not in an OS X context) that 0-days still count: the (now patched) .LNK exploit, though it isn’t directly related to Autorun exploits, is/was somewhat similar in its impact, and certainly contributed to Stuxnet’s spread.

However, I have no patience with the myth that only self-launching malware counts. Personally, I’m far more concerned about the potential damage to Mac users from threats that rely on tricking the user into allowing malware to install (or other malicious payloads that may not depend on installing malcode), than I am about the relatively rare cases of significant vulnerabilities in the system. The recent release of a very heavy update as flagged by Old Mac notwithstanding… (See Now that’s what I call a Big Mac.) As long as significant vulnerabilities are patched in a timely fashion, their impact should be relatively short-term and fairly light, in most cases.

David Harley CITP FBCS CISSP
Mac Virus Administrator
Not speaking for ESET in this blog


Responses

  1. Hello,
    I’m aware of Macs used as servers that have been infected by hackers exploiting flaws in Apple software components such as File Sharing or home Web Sharing.

    There are a lot of servers used by hackers where you can download Mac OS X malware: backdoors, RATs, C&C tools…

    Each time, the users were alarmed by the activity of their servers, distributing spam emails or sending DOS packets to hosts.

    You can search Google for proof.

  2. I respectfully disagree that I misrepresented what you said. First of all, immediately after the sentence that you quote, I gave the original link to your full remarks; that link is in fact what the […] stands for in your quote above. (Talk about misrepresentation!)

    More importantly, you still have not given an answer to my question: can you cite a specific incident of self-launched OSX malware that harmed a known (or reliably estimated) number of home-based Mac users? Perhaps I should have said that you were “unable or unwilling” to give such a citation, rather than just “unable”. But there is no question that, to date, you still have not provided any details about any such incident.

    You are, of course, entitled to your opinion that no real distinction should be made between self-launched and user-installed malware. As a relatively unsophisticated user, however, it makes a huge difference to me. I *know* that when I’m being asked to install something, I should be extra careful, and as sure as possible that it’s something I want to do. It’s a “red flag” to me that I should review how I got to that point. What worries me is “drive-by” malware that I could pick up by (for example) just visiting a web site. I know that there are “proof-of-concept” exploits that have been created by security professionals. But as far as I have been able to discover, there are no reliable reports of any such exploits harming home-based Mac users.

    Steve Joblard: I’ve run Google searches. I can’t find anything. Please give an actual citation to a reliable source.

  3. @marks, I was going to take exception with your accusation that I’d misrepresented you, until I realized that I hadn’t actually linked your Bogleheads post. I apologise for that: it wasn’t my intention to exclude that link.

    That said, the misrepresentation on your part isn’t about your including my link (and I appreciate the fact that you did): it’s in suggesting that because I haven’t given you a documented instance, there is no such instance. I can’t give you the kind of documentation you’re demanding because I don’t have damage data that make the distinction. (The telemetry data I have for named malware indicate prevalence rather than confirmed infection or damage.)

    I don’t believe that the distinction doesn’t matter. I do take exception with any contention that user-launched malware doesn’t matter because it’s less common (which it is) and easy to spot. You may well be too bright to be taken in by social engineering. Others aren’t, and they aren’t all Windows users.

    I will admit that I’m not always interested in the difference between OS X-specific, Windows-specific, and cross-platform infection and damage. That’s because in the world I live in, “it doesn’t matter because it can’t damage _my_ system” doesn’t cut it.

  4. David, thanks for publishing my comment, and for the reply.

    Please note that I never said that the lack of a documented instance of harmful OSX malware (that did not require password authorization) meant that there were NO such instances. I do believe it means that the number of such instances must be extremely small, certainly under ten thousand, and probably much, much less. (I base this on the relatively large amount of press coverage of the ~10,000-machine Mac botnet created by password-authorized installations of infected iWork software pirated off torrents; I assume anything unknown must have a significantly smaller number of infections.) This should be compared with, to pick just one example, the Conficker infection, which F-Secure says has hit almost nine million Windows machines. Using a very modest estimate of 3% market share for OSX worldwide, a comparable infection for OSX would be at least 250,000 machines. Yet absolutely nothing like this has ever occurred.

    So, I will continue to not run third-party AV software on my Mac, and to recommend to other users that they don’t need it if they’re careful about password authorizations. (This situation may change, of course.) And I will continue to direct people to your posts here for support for my claim that there are, to date, no DOCUMENTED cases of malware harming home-based OSX users who did not password-authorize its installation.

    And for this claim, I can now also cite Graham Cluley of Sophos, who is also unable to give any specific instances: http://tinyurl.com/34bgc4h

    If you disagree with my estimate that this means that the actual number must be well under 10,000, please post your reasoning.

    • @Marks, your reasoning is flawed. It’s sometimes possible to estimate the size of a botnet fairly accurately, depending on a number of factors such as topology for that particular moment. But accurate figures for zombie recruitment over a botnet’s lifetime are another matter, and in any case your extrapolation from botnet size to infection from self-launching malware across the entire Mac home user population makes no sense: there’s no direct relationship because the telemetry is quite different. A significant proportion is based on reports from users or automatically from their AV, and that’s a pretty small segment of the home user population. Unless you’re saying that an infection only matters if the user knows about it. An interesting philosophical argument, but not one I hold to.

      I don’t know how many machines are out there and infected by self-launching malware, and neither do you. Of course it’s small compared to the number of infected machines running Windows: no reputable researcher ever said otherwise. But neither I nor the company I work for will extrapolate spurious statistics from unsound data, and I’m disappointed that you seem willing to. Furthermore, even if your figure of 10,000 did turn out to have some semblance of reality, I do not care to be associated with someone who thinks that infected machines only matter if their volume exceeds some arbitrary figure.

      I can’t stop you citing my blogs, however spuriously. But I hope you won’t give the impression that I support your position in future.

  5. I have noticed lately that Sophos update consistently now downloads the entire 72MB of the database rather than simply the individual smaller update files. Is this new or a problem they didn’t see? I live away out in the country with slooow ISP thus it becomes a problem for me in that I get FAPed and slow to a crawl.

    • I’m afraid Sophos isn’t the company I work for, and I don’t have the product installed on a test machine currently, so I can’t give you an immediate answer. However, I know some people there, and I’ll ask around.

      • A friend of mine at Sophos is checking into this. I’ll post something here when I have something to report.

    • @Mikie: query answered in the blog at https://macviruscom.wordpress.com/2011/01/05/sophos-support-query/, as I thought it would be useful to other readers using the Sophos product. Hope it helps: if not, at least it gives you a pointer to a resource that may well be helpful.