Franklin Veaux (tacit) wrote,
Warning! Caution! Danger! MAJOR geek posting about computer viruses!

Computer viruses. If you're running a Windows computer, the odds are slightly more than 9 in 10 that your machine, right now, is infected with at least one virus. If you're not behind a firewall and you're on broadband, odds are good that when you leave your computer at night, spammers take control of your computer and use it to send spam, and Russian mafia roots around in it at will.

Microsoft would have us believe that there is nothing wrong with Windows, that there are many Windows viruses and zero Mac viruses because more people use Windows than Macs and virus writers go for the most popular platform, and that there are just as many known Mac security flaws as Windows security flaws.

This argument breaks down for a number of reasons. It's commercially useful to Microsoft, of course; if people actually knew how badly and terminally insecure Windows really is, fewer people would use it, so it is very important to Microsoft's bottom line that people accept the standard "nothing wrong here, it's just because Windows is so popular" myth.

For starters, the number of "Windows computers" targeted by a particular virus is not necessarily higher than the number of Macs. People make the mistake of thinking all "Windows computers" are running the same operating system--an operating system called Microsoft Windows.

People say "Windows computers" as though all "Windows computers" are running the same operating system. In fact, this is not true. Among the desktop operating systems which are called "Windows," you can easily make an argument that you are actually talking about five, or maybe six, distinct and radically different operating systems, unrelated to each other in many fundamental architectural ways, and for all intents and purposes completely different environments that have little in common save for the fact they are all called "Windows."

So let's say we have a virus or worm that specifically targets, for example, Windows XP pre-Service Pack 2, but does not infect NT, or Windows 95/98/Me, or Windows 2003 Server. Now, the number of such vulnerable computers is *smaller* than the number of Macs out there...

...but people still target it anyway.

Some Windows viruses are highly specific; they target only certain versions of Windows, and indeed sometimes target only certain versions and certain service packs of Windows with certain configurations, or even with certain third-party software installed. In such cases, the number of targeted computers may be far, far, far smaller than the number of Macs.

It really muddies the water to talk about "Windows computers" as if all "Windows computers" were running the same operating system.

Still, there's no question that even if you look at specific flavors of Windows--say, Windows 2000, or all the various patch levels of Windows XP--there are more computers running those operating systems than there are Macs. So this is why there are more Windows viruses, right? Virus writers want the most bang for their buck, so they only write for the most popular platform, right?

Virus writers go wherever the vulnerabilities are. For example, let's look at the "Witty" worm, aka "Blackworm," "Black ice," or "Whizzer." The Witty worm is a very sophisticated, complex worm designed to exploit a security flaw in one particular version of one particular third-party software firewall--an old version of the Blackice firewall program.

The total number of users of the flawed version of Blackice was quite small. How small? Smaller than the number of iMacs Apple ships in a month. Yet a virus writer found the security hole and wrote a virus to exploit it.

Virus writers exploit holes wherever they are found. The total worldwide install base of Macs is easily big enough to be an appealing target, and in fact many groups of skilled, dedicated, intelligent malware writers (such as Macintosh Underground, the group responsible for the Mac "Opener" Trojan) have been exerting considerable effort for years to write an OS X virus.

The Mac's small market share is not the reason there are no OS X viruses. The real reason is simple, fundamental architectural decisions in OS X which make writing such a virus extraordinarily difficult. Decisions such as running the Web browser in user space with user-level permissions, for example.

And it should be noted that not all security flaws are created equal. Counting the number of security flaws in a program or operating system will not tell you anything about how secure it is. If you count the number of known security flaws documented by Microsoft and Apple each year, the numbers are roughly the same. Does this mean OS X is as insecure as Windows? No, and here's why.

Some security flaws, the most serious ones, are "remote arbitrary code execution" flaws. These are flaws which let another person, or a program, on a different part of the network run any program on a vulnerable computer without sitting down in front of it. Many Windows security flaws allow remote arbitrary code execution; what this means is that a person or a program anywhere on the Internet can cause a targeted computer to do anything he chooses, including installing software or making system changes.

Other flaws are "local," meaning that you can only exploit the flaws if you can sit down in front of the computer and type on the keyboard. For obvious reasons, local security vulnerabilities are not as serious as remote vulnerabilities; if a person bent on harm can actually sit down in front of your computer, you have problems other than viruses to worry about.

Many flaws are "denial of service" flaws, meaning that they can be used to stop a program from running (but can not be used to take over the computer), or "privilege escalation" flaws, meaning a person can look at files or run commands that he or she isn't supposed to be able to run, assuming he or she already has access to the computer and already has a username and password on the computer for a limited account.

So let's say we have two operating systems, A and B. Operating system A has ten known security flaws. Operating system B has eleven known flaws. So that means A is more secure than B, right?

Well, what if all ten flaws in A are remote arbitrary code execution flaws, and all eleven flaws in operating system B are flaws which allow a local attacker to stop a Web server on that computer from running if he or she can guess a user password, sit down in front of the computer, and start typing? Which one is more secure then?

What's most interesting is not in counting the flaws, but reading what they do. For example, let's look at Windows vulnerability MS03-039, "Buffer Overrun in RPCSS Service." This flaw allows one computer to send a signal to another computer which will cause the second computer to come under the control of the first, allowing a user or program on the first to load any software (such as viruses) onto the second.

Now, let's look at OS X security vulnerability CAN-2003-009, "Malicious DHCP Response can Grant Root Access." This is a flaw whereby if a person has physical access to your network and can run a DHCP server on it, he can program his malicious DHCP server so that if you have set up certain network LDAP parameters in a certain way on your computer, he can cause your computer to fetch user authentication information from the computer he has set up on your network, and then once you reboot your computer, he can log into your computer as root.

Both of these vulnerabilities were rated "critical" by Microsoft and Apple respectively, yet one lends itself to an easy exploit that can be used (and has been used) to create a self-spreading virus, and the other does not.

Still, it is not impossible that one day, a clever programmer will find a flaw in OS X which actually does permit an easy remote arbitrary code execution exploit, and the first OS X virus will be born. So even though the current total number of OS X viruses is exactly, precisely zero, it's still a good idea to run a program like Norton Antivirus on your Mac as a protection against that day, right?

Right now, there are no viruses that can affect or infect Mac OS X. None. Zip. Zero. Nada. Not a single one.

That means, right now, if you buy an antivirus program, you are paying real money to protect against an imaginary threat that does not even exist.

Yet people still do it anyway. This shatters, conclusively, the myth that viruses are written by antivirus vendors; antivirus vendors can make tons of money even in environments where no viruses exist. I have heard three reasons people give for spending money to protect against non-existent threats. I'll address each of those three reasons in turn.

REASON #1: It's better to be safe than sorry.

This reason assumes that having an antivirus program makes you safer, and that there is no downside to having an antivirus program. This is not true. It does not make you safer (I'll explain why when I talk about Reason #2). What's worse, it actually makes your computer experience worse.

How? Well, even good, reliable, trouble-free anti-virus software such as ClamAV still slows down your computer. Bad antivirus software such as Norton Antivirus is a disaster. Norton Antivirus has been implicated in many, many serious problems on Mac OS X systems, some of which can destroy data or make the computer completely unusable, including:

- Random freezes and kernel panics
- A bug which can consume all of the space on your hard drive.
- An extremely serious bug which can destroy your ability to authenticate with a password. This means you cannot install software, you cannot run Apple Software Update, and you cannot modify the system. I have yet to find any solution other than a complete reinstall of OS X for this problem.

Even the newest version of Norton, Norton AV 10, has many serious documented bugs, including:

- A data-corruption bug which causes it to destroy files when you use the Save command from Adobe products such as Photoshop and InDesign. The file seems to save OK, but it is corrupted by Norton as it is saved. You will not know the file is corrupted until you go to try to use it later.

- A system-level bug which can destroy your ability to use Classic. If you install Classic after you install Norton, or you reinstall Classic, the next time Classic goes to start up, it will hang or crash on the "Updating system resources" dialog. You will need to remove Norton AV, reinstall Classic, launch Classic, allow it to update any system resources, and then reinstall Norton.

There are other problems with Norton (including Norton 10) as well; this is not an exhaustive list. The point is, "it's better to be safe than sorry" only works if the things you do to be "safe" don't hurt you. Since the purpose of AV software is to protect you from things that might disrupt your computer, if the AV software disrupts your computer, the AV software is in a very literal sense worse than the virus threat. Especially since there are...err, no viruses.

REASON #2: Sooner or later, somebody will come out with a virus. When this happens, people who already have AV software will be better off.

FACT: antivirus software does not work by magic. It works by comparing every file on your hard drive to a list of known viruses. When a new virus comes out, it is not in the AV list of known viruses. The AV software is utterly powerless to stop it.

Now, some AV software uses "heuristics"--it tries to find unknown new viruses by comparing the behavior of running computer programs to the behavior of known viruses or to known security exploits. Because there are no known computer viruses and no known "in the wild" security exploits for OS X, OS X antivirus software can not use heuristics to look for unknown viruses.
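To make the "list of known viruses" point concrete, here is a toy signature scanner written for this post (it is not code from any AV product). The "samples" are constructed byte strings with made-up marker text, and the family names are invented; the scanner can only match digests and byte patterns the vendor has already put in its database, so a never-analysed family is invisible no matter how up to date the database is.

```python
"""Minimal signature-based scanner, constructed for this example."""
import hashlib
from typing import Dict, Optional

class SignatureDB:
    """What an AV vendor ships: digests of samples it has analysed, plus
    byte patterns distilled from those samples. Nothing else."""
    def __init__(self) -> None:
        self.hashes: Dict[str, str] = {}      # sha256 hex digest -> family
        self.patterns: Dict[str, bytes] = {}  # family -> distinctive bytes

    def add_hash(self, sample: bytes, family: str) -> None:
        self.hashes[hashlib.sha256(sample).hexdigest()] = family

    def add_pattern(self, pattern: bytes, family: str) -> None:
        self.patterns[family] = pattern

def scan(db: SignatureDB, data: bytes) -> Optional[str]:
    """Return the matching family name, or None when nothing in the DB matches."""
    family = db.hashes.get(hashlib.sha256(data).hexdigest())
    if family is not None:
        return family
    for name, pattern in db.patterns.items():
        if pattern in data:
            return name
    return None

# Constructed "files". The marker strings stand in for distinctive code bytes;
# they are not real malware and the family names are invented.
KNOWN_SAMPLE = b"MZ\x90\x00..EXAMPLE-FAMILY-A-MARKER..payload"
MUTATED_SAMPLE = KNOWN_SAMPLE.replace(b"payload", b"PAYLOAD")  # repacked variant of A
NEW_SAMPLE = b"MZ\x90\x00..EXAMPLE-FAMILY-B-MARKER..payload"    # family B, never analysed
CLEAN_FILE = b"Quarterly report. Nothing to see here."

def day_zero_db() -> SignatureDB:
    """Signatures as they stand at the moment family B first appears."""
    db = SignatureDB()
    db.add_hash(KNOWN_SAMPLE, "Example.Family.A")
    return db

def updated_db() -> SignatureDB:
    """Same vendor after adding a byte pattern for A. B is still not in the list."""
    db = day_zero_db()
    db.add_pattern(b"EXAMPLE-FAMILY-A-MARKER", "Example.Family.A")
    return db

SAMPLES = {"known": KNOWN_SAMPLE, "mutated": MUTATED_SAMPLE,
           "new": NEW_SAMPLE, "clean": CLEAN_FILE}

def scan_all(db: SignatureDB) -> Dict[str, Optional[str]]:
    """Scan every constructed sample against one database."""
    return {name: scan(db, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    print("day zero:", scan_all(day_zero_db()))
    print("updated: ", scan_all(updated_db()))
```

The pattern signature catches the trivially repacked variant of family A, but family B stays undetected in both runs: until the vendor has a sample of B to analyse, there is nothing in the database for the scanner to compare against.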

People rarely understand how rapidly viruses spread. A typical PC worm or virus spreads worldwide, on average, about 7 hours after it is released. Fast viruses can infect every single vulnerable computer everywhere on the Internet, worldwide, in 45 minutes or less. What that means is that when a new virus comes out, if it ever does, the people with antivirus software will have exactly, precisely the same level of protection as those with no antivirus software: none. Not even the tiniest bit. None at all; zip. Viruses spread far, far faster than AV companies can release updates.

REASON #3: Having antivirus software installed on your Mac stops you from spreading PC viruses to other Windows users.

A Mac can spread a PC virus to a Windows user. There are two ways this can happen. The first way is via an email attachment; if a Mac user receives an infected file in an email, and then clicks the Forward button and forwards it on to a friend, then that friend might become infected.

The second way a Mac can spread a Windows virus is in a client/server or LAN environment. If a Mac is acting as a file server on a LAN that has Windows users, a Windows user can copy an infected file onto the Mac file server, and then another Windows user can copy the infected file off. I'll talk about each of those two scenarios in depth:

First, the email vector. Spreading a virus by email can not happen automatically. The only way for it to happen is if the Mac user receives the infected email attachment and then clicks the Forward button and intentionally forwards it to a Windows user. (There may be times when it appears a Mac user has spread a virus without hitting "forward"--let's say a Windows user receives an infected email from a Mac user's address, like "". In this case, the From address is fake. The virus came from an infected Windows computer, and sent itself out with the fake "From:" address of "". If the person who receives it does not know how email viruses work and does not know that the From address is faked by viruses, then the person who receives it may go to the poor Mac user with fists shaking and say "You sent me a virus!"--when in fact that is not what happened, and the Mac user had nothing to do with it at all.)
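The faked "From:" scenario is easy to check for yourself from the message headers. The following is an added example written for this post, not code from the original; the message, hosts, addresses and the attachment are all constructed. It walks the Received: chain (stamped by each receiving server, so harder to fake than From:) to find where the message actually entered the mail system, and compares that with the domain the From: header claims.

```python
"""Header triage for a message whose From: names a Mac user's address.
Constructed for this example; hosts, addresses and the attachment are invented."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple

# Received: lines are added by each receiving server, newest on top, so the
# bottom one records the host that handed the message in. Here the sending
# host claimed to be macuser.example.net, but its reverse DNS is a dial-up line.
SPOOFED_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id ABC123; Tue, 1 Jun 2004 10:02:11 -0700
Received: from macuser.example.net (dsl-203-0-113-77.isp.example [203.0.113.77])
\tby mx.example.org with SMTP id DEF456; Tue, 1 Jun 2004 10:02:05 -0700
From: "Mac User" <macuser@example.net>
To: windowsuser@example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"

(constructed attachment bytes, not a real file)
--b1--
"""

# "from <claimed name> (<reverse DNS> [<ip>])" as written by Sendmail-style MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)", re.I)

def received_chain(raw: str) -> List[Tuple[str, str, str]]:
    """(claimed HELO name, reverse DNS, IP) for each hop, newest first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return hops

def from_corroborated_by_origin(raw: str) -> bool:
    """True only if the handing-in host's reverse DNS lies in the From: domain."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    chain = received_chain(raw)
    if not domain or not chain:
        return False
    rdns = chain[-1][1].lower()          # oldest hop = where the message entered
    return rdns == domain or rdns.endswith("." + domain)

def attachment_names(raw: str) -> List[str]:
    """Filenames of every attached part, the thing you should never forward blind."""
    msg = message_from_string(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]
```

For the constructed message the origin hop is 203.0.113.77 with an ISP reverse-DNS name, so the From: address is not corroborated; that is the signature of an infected Windows machine sending under somebody else's address, not of the Mac user forwarding anything.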

The easiest and most low-impact way to stop a Mac from spreading Windows email viruses does not rely on software; it relies on common sense. Do not forward messages with attachments to other people. No matter who you think they are from and what you think is in them. If you do not know, personally, what the file is, or you did not create it, don't forward it. Even if it has the Microsoft logo and official looking text saying "This is a Windows security update." Even if it just looks like a harmless joke. Even if it promises hot pictures of Britney Spears naked in unbelievable oral XXX action. Do not forward emails with attachments to other people. If you are on a Mac, on a Windows machine, on a Sun, it doesn't matter...Do not forward emails with attachments to other people.

It should be noted, also, that AV software can not scan an attachment while the file is still on your ISP's mail server. The attachment can only be scanned if it is downloaded to your computer--either by you or by the AV software. So having AV software does not prevent you from forwarding viruses to Windows users; it only prevents you from forwarding viruses if you have downloaded the attachment yourself first.

Now, in a client-server situation, the problem is a bit different. If a Windows machine in a LAN environment has placed a Windows virus onto a Mac server, antivirus software on the Mac will not solve the problem. Yes, it might find the virus--but at this point, the LAN is already infected. There is already at least one Windows computer on the LAN which is infected with a virus, and removing the virus from the Mac will not change that. The problem cannot be solved until the source of the infection is removed.

But will the AV software on the Mac server help slow down the infection? No. By the time a computer on a LAN has been compromised, you can expect with any worm and almost any virus that all vulnerable PCs on that LAN will be compromised as well within minutes. Viruses do not wait for human beings to copy files to a server in order to spread; if they did, they would spread slowly and be easy to stop. A virus on a PC is going to spread by many vectors--TCP/IP or UDP (and the presence of a firewall will not stop the virus once it is already in the LAN), or automatically via peer-to-peer Windows SMB shares, or via Windows PnP, DCOM, or RPC vulnerabilities, or...well, you get the idea. The important thing to remember is this: The server will not be a significant infection vector; by the time the virus has infected a computer on the LAN, you have bigger problems to worry about--like, for example, your entire LAN has probably already been compromised. The only way--the ONLY way--to deal with this is to identify, isolate, and repair every single infected PC, then patch the vulnerability, update the PC AV software, or both. Once this is done, any remaining copies on the Mac server can be dealt with manually (PC AV software can scan and disinfect a shared Mac volume), but at that point it's irrelevant anyway--any virus still on the Mac server cannot infect a PC once the PC vulnerabilities are fixed, and before the vulnerabilities are fixed the Mac server isn't likely to be a relevant infection vector.

Of course, all of this would not matter if the Mac AV software were zero-opportunity-cost; that is, if the Mac AV software did not cost you anything in terms of time, reliability, system performance, or money. But this is not the case. For questionable (read: no) protection, you are exchanging, at best, a loss of system performance, and, at worst, disruptions in the system, system stability, and data loss.

Not a good deal.

The equation will change if a Mac OS X virus ever does appear. Once such a virus exists, and AV signatures which identify the virus exist, then you will probably be well-advised to use an antivirus program that isn't unstable and destructive. ClamAV and similar programs are a good bet; Norton, not so good.

But until that day comes, the AV software you install on your Mac is a whole lot of steaming nothing. What's worse, it can do more harm than good, not only because of bugs and system instability but also because it may give you a false and undeserved illusion of security. A person with a false sense of security, who erroneously believes himself to be protected, is less likely to pay attention to security than a person without this false sense of security.

Whew. Wasn't that fun?
Tags: computer viruses
