
Computer viruses. If you're running a Windows computer, the odds are slightly more than 9 in 10 that your machine, right now, is infected with at least one virus. If you're not behind a firewall and you're on broadband, odds are good that when you leave your computer at night, spammers take control of your computer and use it to send spam, and Russian mafia roots around in it at will.

Microsoft would have us believe that there is nothing wrong with Windows, that there are many Windows viruses and zero Mac viruses because more people use Windows than Macs and virus writers go for the most popular platform, and that there are just as many known Mac security flaws as Windows security flaws.

This argument breaks down for a number of reasons. It's commercially useful to Microsoft, of course; if people actually knew how badly and terminally insecure Windows really is, fewer people would use it, so it is very important to Microsoft's bottom line that people accept the standard "nothing wrong here, it's just because Windows is so popular" myth.

For starters, the number of "Windows computers" targeted by a particular virus is not necessarily higher than the number of Macs. People make the mistake of thinking all "Windows computers" are all running the same operating system--an operating system called Microsoft Windows.



People say "Windows computers" as though all "Windows computers" are running the same operating system. In fact, this is not true. With desktop operating systems which are called "Windows," you can easily make an argument that you are actually talking about five, or maybe six, distinct and radically different operating systems, unrelated to each other in many fundamental architectural ways, and for all intents and purposes completely different environments that have little in common save for the fact they are all called "Windows."

So let's say we have a virus or worm that specifically targets, for example, Windows XP pre-Service Pack 2, but does not infect NT, or Windows 95/98/Me, or Windows 2003 Server. Now, the number of such vulnerable computers is *smaller* than the number of Macs out there...

...but people still target it anyway.

Some Windows viruses are highly specific; they target only certain versions of Windows, and indeed sometimes target only certain versions and certain service packs of Windows with certain configurations, or even with certain third-party software installed. In such cases, the number of targeted computers may be far, far, far smaller than the number of Macs.

It really muddies the water to talk about "Windows computers" as if all "Windows computers" were running the same operating system.



Still, there's no question that even if you look at specific flavors of Windows--say, Windows 2000, or all the various patch levels of Windows XP--there are more computers running those operating systems than there are Macs. So this is why there are more Windows viruses, right? Virus writers want the most bang for their buck, so they only write for the most popular platform, right?



Virus writers go wherever the vulnerabilities are. For example, let's look at the "Witty" worm, aka "Blackworm," "Black ice," or "Whizzer." The Witty worm is a very sophisticated, complex worm designed to exploit a security flaw in one particular version of one particular third-party software firewall--an old version of the Blackice firewall program.

The total number of users of the flawed version of Blackice was quite small. How small? Smaller than the number of iMacs Apple ships in a month. Yet a virus writer found the security hole and wrote a virus to exploit it.

Virus writers exploit holes wherever they are found. The total worldwide install base of Macs is easily big enough to be an appealing target, and in fact many groups of skilled, dedicated, intelligent malware writers (such as Macintosh Underground, the group responsible for the Mac "Opener" Trojan) have been exerting considerable effort for years to write an OS X virus.

The Mac's small market share is not the reason there are no OS X viruses. The real reason is simple, fundamental architectural decisions in OS X which make writing such a virus extraordinarily difficult. Decisions such as running the Web browser in user space with user-level permissions, for example.

And it should be noted that not all security flaws are created equal. Counting the number of security flaws in a program or operating system will not tell you anything about how secure it is. If you count the number of known security flaws documented by Microsoft and Apple each year, the numbers are roughly the same. Does this mean OS X is as insecure as Windows? No, and here's why.

Some security flaws, the most serious ones, are "remote arbitrary code execution" flaws. These are flaws which let another person, or a program, on a different part of the network run any program on a vulnerable computer without sitting down in front of it. Many Windows security flaws allow remote arbitrary code execution; what this means is that a person or a program anywhere on the Internet can cause a targeted computer to do anything he chooses, including installing software or making system changes.

Other flaws are "local," meaning that you can only exploit the flaws if you can sit down in front of the computer and type on the keyboard. For obvious reasons, local security vulnerabilities are not as serious as remote vulnerabilities; if a person bent on harm can actually sit down in front of your computer, you have problems other than viruses to worry about.

Many flaws are "denial of service" flaws, meaning that they can be used to stop a program from running (but can not be used to take over the computer), or "privilege escalation" flaws, meaning a person can look at files or run commands that he or she isn't supposed to be able to run, assuming he or she already has access to the computer and already has a username and password on the computer for a limited account.

So let's say we have two operating systems, A and B. Operating system A has ten known security flaws. Operating system B has eleven known flaws. So that means A is more secure than B, right?

Well, what if all ten flaws in A are remote arbitrary code execution flaws, and all eleven flaws in operating system B are flaws which allow a local attacker to stop a Web server on that computer from running if he or she can guess a user password, sit down in front of the computer, and start typing? Which one is more secure then?

What's most interesting is not counting the flaws, but reading what they do. For example, let's look at Windows vulnerability MS03-039, "Buffer Overrun in RPCSS Service." This flaw allows one computer to send a signal to another computer which will cause the second computer to hand over control to the first, allowing a user or program on the first to load any software (such as viruses) onto the second.

Now, let's look at OS X security vulnerability CAN-2003-009, "Malicious DHCP Response can Grant Root Access." This is a flaw whereby if a person has physical access to your network and can run a DHCP server on it, he can program his malicious DHCP server so that if you have set up certain network LDAP parameters in a certain way on your computer, he can cause your computer to fetch user authentication information from the computer he has set up on your network, and then once you reboot your computer, he can log into your computer as root.

Both of these vulnerabilities were rated "critical" by Microsoft and Apple respectively, yet one lends itself to an easy exploit that can be used (and has been used) to create a self-spreading virus, and the other does not.



Still, it is not impossible that one day, a clever programmer will find a flaw in OS X which actually does permit an easy remote arbitrary code execution exploit, and the first OS X virus will be born. So even though the current total number of OS X viruses is exactly, precisely zero, it's still a good idea to run a program like Norton Antivirus on your Mac as a protection against that day, right?



Right now, there are no viruses that can affect or infect Mac OS X. None. Zip. Zero. Nada. Not a single one.

That means, right now, if you buy an antivirus program, you are paying real money to protect against an imaginary threat that does not even exist.

Yet people still do it anyway. This shatters, conclusively, the myth that viruses are written by antivirus vendors; antivirus vendors can make tons of money even in environments where no viruses exist. I have heard three reasons people give for spending money to protect against non-existent threats. I'll address each of those three reasons in turn.

REASON #1: It's better to be safe than sorry.

This reason assumes that having an antivirus program makes you safer, and there is no down side to having an antivirus program. This is not true. It does not make you safer (I'll explain why when I talk about Reason #2). What's worse, it actually makes your computer experience worse.

How? Well, even good, reliable, trouble-free anti-virus software such as ClamAV still slows down your computer. Bad antivirus software such as Norton Antivirus is a disaster. Norton Antivirus has been implicated in many, many serious problems on Mac OS X systems, some of which can destroy data or make the computer completely unusable, including:

- Random freezes and kernel panics
- A bug which can consume all of the space on your hard drive.
- An extremely serious bug which can destroy your ability to authenticate with a password. This means you cannot install software, you cannot run Apple Software Update, and you cannot modify the system. I have yet to find any solution other than a complete reinstall of OS X for this problem.

Even the newest version of Norton, Norton AV 10, has many serious documented bugs, including:

- A data-corruption bug which causes it to destroy files when you use the Save command from Adobe products such as Photoshop and InDesign. The file seems to save OK, but it is corrupted by Norton as it is saved. You will not know the file is corrupted until you go to try to use it later.

- A system-level bug which can destroy your ability to use Classic. If you install Classic after you install Norton, or you reinstall Classic, the next time Classic goes to start up, it will hang or crash on the "Updating system resources" dialog. You will need to remove Norton AV, reinstall Classic, launch Classic, allow it to update any system resources, and then reinstall Norton.

There are other problems with Norton (including Norton 10) as well; this is not an exhaustive list. The point is, "it's better to be safe than sorry" only works if the things you do to be "safe" don't hurt you. Since the purpose of AV software is to protect you from things that might disrupt your computer, if the AV software disrupts your computer, the AV software is in a very literal sense worse than the virus threat. Especially since there are...err, no viruses.

REASON #2: Sooner or later, somebody will come out with a virus. When this happens, people who already have AV software will be better off.

FACT: virus software does not work by magic. It works by comparing every file on your hard drive to a list of known viruses. When a new virus comes out, it is not in the AV list of known viruses. The AV software is utterly powerless to stop it.

Now, some AV software uses "heuristics"--it tries to find unknown new viruses by comparing the behavior of running computer programs to the behavior of known viruses or to known security exploits. Because there are no known computer viruses and no known "in the wild" security exploits for OS X, OS X antivirus software can not use heuristics to look for unknown viruses.

People rarely understand how rapidly viruses spread. A typical PC worm or virus spreads worldwide, on average, about 7 hours after it is released. Fast viruses can infect every single vulnerable computer everywhere on the Internet, worldwide, in 45 minutes or less. What that means is that when a new virus comes out, if it ever does, the people with antivirus software will have exactly, precisely the same level of protection as those with no antivirus software: none. Not even the tiniest bit. None at all; zip. Viruses spread far, far faster than AV companies can release updates.
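To make the signature argument concrete, here is an added example (not code from the original post) of a minimal signature-based scanner. It shows that a scanner detects only what is already in its database: a repacked copy of a known sample still matches a byte-pattern signature, but a genuinely new sample matches nothing until a signature for it is added. All samples, names and signatures are constructed for illustration.

```python
"""Minimal signature scanner: hash signatures plus byte-pattern signatures.
Added example; the samples and signatures below are constructed, not real malware."""
import hashlib
import re


class SignatureScanner:
    """Detects files only by comparing them to signatures it already holds."""

    def __init__(self):
        self.hash_sigs = {}     # sha256 hex digest -> signature name
        self.pattern_sigs = {}  # signature name -> compiled byte regex

    def add_hash(self, name, sample):
        """Exact-match signature: the whole-file hash of one known sample."""
        self.hash_sigs[hashlib.sha256(sample).hexdigest()] = name

    def add_pattern(self, name, pattern):
        """Looser signature: a byte sequence characteristic of a known family."""
        self.pattern_sigs[name] = re.compile(pattern)

    def scan(self, data):
        """Return the name of the first matching signature, or None."""
        name = self.hash_sigs.get(hashlib.sha256(data).hexdigest())
        if name:
            return name
        for name, pat in self.pattern_sigs.items():
            if pat.search(data):
                return name
        return None


# Constructed "samples": a fake header, a marker string and some padding.
KNOWN_WORM = b"MZ\x90\x00" + b"DEMO-WORM-PAYLOAD-v1" + b"\x00" * 16
REPACKED_WORM = KNOWN_WORM + b"\x00"            # same family, one byte appended
NEW_WORM = b"MZ\x90\x00" + b"DEMO-WORM-PAYLOAD-v2" + b"\x00" * 16


def build_scanner(hash_only=False):
    """Scanner as shipped before NEW_WORM exists: it knows only KNOWN_WORM."""
    scanner = SignatureScanner()
    scanner.add_hash("Demo.Worm.A", KNOWN_WORM)
    if not hash_only:
        scanner.add_pattern("Demo.Worm.A", rb"DEMO-WORM-PAYLOAD-v1")
    return scanner


def release_update(scanner):
    """The vendor's update, which can only be written after NEW_WORM is seen."""
    scanner.add_pattern("Demo.Worm.B", rb"DEMO-WORM-PAYLOAD-v2")
    return scanner


if __name__ == "__main__":
    hash_scanner = build_scanner(hash_only=True)
    print("hash-only, repacked copy:", hash_scanner.scan(REPACKED_WORM))  # None
    scanner = build_scanner()
    print("pattern, repacked copy:", scanner.scan(REPACKED_WORM))          # Demo.Worm.A
    print("before update, new sample:", scanner.scan(NEW_WORM))            # None
    release_update(scanner)
    print("after update, new sample:", scanner.scan(NEW_WORM))             # Demo.Worm.B
```

The window between the first appearance of NEW_WORM and the moment release_update runs on a given machine is the gap the post describes; during it the scanner returns None no matter how current its previous signatures were.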

REASON #3: Having antivirus software installed on your Mac stops you from spreading PC viruses to other Windows users.

A Mac can spread a PC virus to a Windows user. There are two ways this can happen. The first way is via an email attachment; if a Mac user receives an infected file in an email, and then clicks the Forward button and forwards it on to a friend, then that friend might become infected.

The second way a Mac can spread a Windows virus is in a client/server or LAN environment. If a Mac is acting as a file server on a LAN that has Windows users, a Windows user can copy an infected file onto the Mac file server, and then another Windows user can copy the infected file off. I'll talk about each of those two scenarios in depth:

First, the email vector. Spreading a virus by email can not happen automatically. The only way for it to happen is if the Mac user receives the infected email attachment and then clicks the Forward button and intentionally forwards it to a Windows user. (There may be times when it appears a Mac user has spread a virus without hitting "forward"--let's say a Windows user receives an infected email from a Mac user's address, like "somebody@mac.com." In this case, the From address is fake. The virus came from an infected Windows computer, and sent itself out with the fake "From:" address of "somebody@mac.com;" if the person who receives it does not know how email viruses work and does not know that the From address is faked by viruses, then the person who receives it may go to the poor Mac user with fists shaking and say "You sent me a virus!"--when in fact that is not what happened, and the Mac user had nothing to do with it at all.)

The easiest and most low-impact way to stop a Mac from spreading Windows email viruses does not rely on software; it relies on common sense. Do not forward messages with attachments to other people. No matter who you think they are from and what you think is in them. If you do not know, personally, what the file is, or you did not create it, don't forward it. Even if it has the Microsoft logo and official looking text saying "This is a Windows security update." Even if it just looks like a harmless joke. Even if it promises hot pictures of Britney Spears naked in unbelievable oral XXX action. Do not forward emails with attachments to other people. If you are on a Mac, on a Windows machine, on a Sun, it doesn't matter...Do not forward emails with attachments to other people.

It should be noted, also, that AV software can not scan an attachment while the file is still on your ISP's mail server. The attachment can only be scanned if it is downloaded to your computer--either by you or by the AV software. So having AV software does not prevent you from forwarding viruses to Windows users; it only prevents you from forwarding viruses if you have downloaded the attachment yourself first.
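The forged "From:" case above can be checked from the headers of the message itself. This added example (not code from the original post) parses a constructed message that claims to be from somebody@mac.com, compares the From domain with the host in the oldest Received: header, and lists attachments of the kind the post says should never be forwarded. All hostnames, addresses and the attachment are made up; the Received: chain is only as trustworthy as the relays that wrote it, so this is a triage hint, not proof.

```python
"""Flag a message whose From: domain does not match its first mail hop and
whose attachments are executable. Added example with a constructed message."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed message: From: claims mac.com, but the earliest Received: line
# (the last one in the list, since each relay prepends its own) shows the
# message entered the mail system from an unrelated DSL host.
SPOOFED_MSG = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id 1; Sun, 1 Jan 2006 10:00:00 -0500
Received: from home-pc.example.net (dsl-203-0-113-7.example.net [203.0.113.7])
\tby mx.example.net with SMTP id 2; Sun, 1 Jan 2006 09:59:00 -0500
From: somebody@mac.com
To: friend@example.org
Subject: Windows security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached update.
--b1
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Extensions Windows will execute directly; a forwarded attachment with one
# of these is exactly the case the post warns about.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def first_hop(msg):
    """Hostname named in the oldest Received: header, or None if absent."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"from\s+(\S+)", str(received[-1]))
    return m.group(1).lower() if m else None


def from_domain(msg):
    """Domain part of the From: address, lower-cased."""
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def risky_attachments(msg):
    """Filenames of attachments whose extension is directly executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXT:
            names.append(name)
    return names


def assess(raw):
    """Summarise the header evidence for one raw RFC 2822 message."""
    msg = message_from_string(raw, policy=policy.default)
    dom = from_domain(msg)
    hop = first_hop(msg)
    # A first hop that is not in the From domain does not prove forgery (mail
    # is often relayed by third parties), but it is the usual signature of a
    # worm sending with a borrowed From: address.
    spoof_suspect = bool(dom) and hop is not None and not hop.endswith(dom)
    risky = risky_attachments(msg)
    return {
        "from_domain": dom,
        "first_hop": hop,
        "from_looks_spoofed": spoof_suspect,
        "risky_attachments": risky,
        "forward_safe": not risky and not spoof_suspect,
    }


if __name__ == "__main__":
    for key, value in assess(SPOOFED_MSG).items():
        print(f"{key}: {value}")
```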

Now, in a client-server situation, the problem is a bit different. If a Windows machine in a LAN environment has placed a Windows virus onto a Mac server, antivirus software on the Mac will not solve the problem. Yes, it might find the virus--but at this point, the LAN is already infected. There is already at least one Windows computer on the LAN which is infected with a virus, and removing the virus from the Mac will not change that. The problem cannot be solved until the source of the infection is removed.

But will the AV software on the Mac server help slow down the infection? No. By the time a computer on a LAN has been compromised, you can expect with any worm and almost any virus that all vulnerable PCs on that LAN will be compromised as well within minutes. Viruses do not wait for human beings to copy files to a server in order to spread; if they did, they would spread slowly and be easy to stop. A virus on a PC is going to spread by many vectors--TCP/IP or UDP (and the presence of a firewall will not stop the virus once it is already in the LAN), or automatically via peer-to-peer Windows SMB shares, or via Windows PnP, DCOM, or RPC vulnerabilities, or...well, you get the idea. The important thing to remember is this: The server will not be a significant infection vector; by the time the virus has infected a computer on the LAN, you have bigger problems to worry about--like, for example, your entire LAN has probably already been compromised. The only way--the ONLY way--to deal with this is to identify, isolate, and repair every single infected PC, then patch the vulnerability, update the PC AV software, or both. Once this is done, any remaining copies on the Mac server can be dealt with manually (PC AV software can scan and disinfect a shared Mac volume), but at that point it's irrelevant anyway--any virus still on the Mac server cannot infect a PC once the PC vulnerabilities are fixed, and before the vulnerabilities are fixed the Mac server isn't likely to be a relevant infection vector.

Of course, all of this would not matter if the Mac AV software were zero-opportunity-cost; that is, if the Mac AV software did not cost you anything in terms of time, reliability, system performance, or money. But this is not the case. For questionable (read: no) protection, you are exchanging, at best, a loss of system performance, and, at worst, disruptions in the system, system stability, and data loss.

Not a good deal.

The equation will change if a Mac OS X virus ever does appear. Once such a virus exists, and AV signatures which identify the virus exist, then you will probably be well-advised to use an antivirus program that isn't unstable and destructive. ClamAV and similar programs are a good bet; Norton, not so good.

But until that day comes, the AV software you install on your Mac is a whole lot of steaming nothing. What's worse, it can do more harm than good, not only because of bugs and system instability but also because it may give you a false and undeserved illusion of security. A person with a false sense of security, who erroneously believes himself to be protected, is less likely to pay attention to security than a person without this false sense of security.



Whew. Wasn't that fun?


Comments

( 15 comments — Leave a comment )
saluqi
Jan. 1st, 2006 08:38 pm (UTC)

I don't know about fun, but it was interesting. I'm going to go and hug my Mac now.

jenx
Jan. 1st, 2006 09:50 pm (UTC)
I've got a Mac, which I adore - and it's got Norton on it. How do I get Norton *off* of it?
tacit
Jan. 1st, 2006 10:02 pm (UTC)
That's a tricky problem.

There's an uninstaller on the CD. It doesn't work.

There's an updated uninstaller on Symantec's Web site. It doesn't work either.

Symantec has posted manual uninstall instructions on their Web site, which uses a Unix command-line program to remove the files...not very graceful, but it works.
jenx
Jan. 1st, 2006 10:10 pm (UTC)
I think I'll be trying that soon. It's still a nice feeling to be a Mac owner. :D
physicsduck
Jan. 1st, 2006 10:59 pm (UTC)
Ahhhhhh.....this is only one of a thousand reasons why I use Gentoo ;)

They don't even MAKE an antivirus suite for Gentoo.

Yeah, it's like that.


Linux, the choice of the GNU generation.
wolfger
Jan. 2nd, 2006 10:45 am (UTC)
Uh... Unless by "they" you mean "Norton", you are not correct. Gentoo has multiple AV products. ClamAV and F-Prot are two that I know of.
That being said, I've never heard of any credible threat to a properly maintained Gentoo box. The Portage programmers do an excellent job of keeping on top of security flaws. Seeing as how I grab updates on a (roughly) daily basis, my chances of actually getting a viral infection on Gentoo are roughly nil.

Gentoo also is excellent about informing users of security issues, not just for the system itself, but for any piece of third-party software they maintain in Portage. I subscribe to the feed for Gentoo Security. It's nice to run an OS where they *want* to inform users of security flaws!
icedrake
Jan. 1st, 2006 11:36 pm (UTC)
I have a few issues with your otherwise excellent writeup. I shall detail them below.

First, the argument that already owning an anti-virus program in advance does nothing to protect you against a new infection. I imagine, and I simply don't know enough to be sure, that there are common, detectable elements between the various viruses, regardless of platform. A heuristic analysis utilizing a Windows virus database might not have a very good chance of detecting an OSX virus, but it would have a better than zero chance, nonetheless. But let's assume that an OSX machine does become infected. At this point, you as the owner have a number of solutions.

The foolproof one is to wipe the machine clean and start from scratch. This is hardly an ideal approach, since most people are loath to lose their precious data which they, for the most part, haven't dutifully backed up on a daily basis. Another option is to take the computer into a certified shop, and have the techs go at it. This is costly, and requires you to suffer the inconvenience of travel, of losing your computer for x business days, and adds the risk of complete strangers poking through your data. While I realize that the virus *already* compromises your machine's data security, the psychological effect of handing your machine over to someone who you know will poke around it is not to be dismissed lightly.

Finally, we get to the do-it-yourself approach, whether via manual removal, or an antivirus. Assuming that your AV provider is on the ball and releases an update fairly quickly (and until someone does, the certified Apple techs would be pretty useless, anyway), you then can go and download the update. Unless you don't own the software, which means you must buy it first. Now, suppose the virus in question is of the keylogger variety? Suddenly, the whole prospect of using a credit card to buy that AV app becomes far more dangerous than any instability the app may have caused.
All this is aside from the self-inoculating network idea, because I don't know enough about the concept of file inoculation.

Next, I must disagree with your statement that "if people actually knew how badly and terminally insecure Windows really is, fewer people would use it[...]"

This may have been true, if there was a viable alternative out there. We can dismiss linux immediately -- there is no distro in existence that is easy enough to use -- and administer -- out of the box for it to compete with either Windows or MacOS.

That leaves only one thing out there -- MacOS. Unfortunately, the questions a new user asks aren't "is this system safe to use?" or "is this platform going to give me more reliability?"

The first and foremost question is, "will I be able to transfer files between school/work and home?" And the answer for a Mac/Win pairing is much less of a guaranteed "yes" than it is for a Win/Win pair.

Top this off with an approximate 20% cost difference for machines targeting the same market segment, and you have most people choosing Wintel products over Apple.

This covers the new users, who are the least likely to know what a virus is, or whether there are viruses for MacOS, or what an *OS* is, when it comes down to it. But then there are the ones who already own a computer, which more likely than not came preloaded with an OEM of some Windows flavour. And the harsh reality is, they can't switch. Even if we assume that all their files can be converted to equivalent formats for the Mac, there is no way to replace Windows without a significant capital outlay.

Whether we like it or not, the current Windows users are pretty much locked into staying Windows users until Apple completes the switch to ix86 architecture. Then, all bets are off.
tacit
Jan. 1st, 2006 11:47 pm (UTC)
"Finally, we get to the do-it-yourself approach, whether via manual removal, or an antivirus. Assuming that your AV provider is on the ball and releases an update fairly quickly (and until someone does, the certified Apple techs would be pretty useless, anyway), you then can go and download the update. Unless you don't own the software, which means you must buy it first."

With the current crop of Windows viruses and worms, neither solution will work.

Every major Windows virus and worm will, when it infects a computer, search for and disable any of the big antivirus programs. Some viruses are quite sneaky, and corrupt entries in the antivirus definition files; others simply delete or damage parts of the AV software altogether. All prevent antivirus software from being loaded onto an infected machine.

What this means in practice is that the virus must be removed from the machine before the AV software can be updated and installed--by booting from a CD or other device and running known-good AV software, by using an online AV program such as Trend Micro's Housecall service, or by manual removal. But you cannot trust any AV software installed on the hard drive of a known-compromised computer, regardless of whether it does keystroke logging or not.
icedrake
Jan. 1st, 2006 11:56 pm (UTC)
The current crop of Windows viruses and worms *attempt* to disable antivirus software, true. I'm guessing that the major ones become major because they do so better than others. But the majority of antivirus apps out there either protect themselves against it, or at the very least, check against file changes. I would hope that properly written AV software (Norton isn't) with a resident component would protect itself against such an obvious attack.

But all of this is neither here nor there -- I don't deny that Windows as a platform is far more vulnerable than Mac or Linux or pretty much anything else out there. I simply don't see an alternative that people will gladly use.

(Thank you for the Trend Micro link -- I was aware of Symantec's Security Response and F-Secure's remote scan, but not this one. One more won't hurt!)
hot_turkey
Jan. 2nd, 2006 03:38 am (UTC)
The fact is that there have been a number of vulnerabilities in various versions of Unix, and there is nothing special about OS X, relative to other versions of Unix. There have been some very nasty security breaches in Linux, one of which basically paralyzed the entire Debian distribution Web site for a time -- it was weeks before they got everything cleaned out and working again.

Windows Anything is a mess, riddled with infuriating concurrency bugs, but I don't know that it's particularly an architectural issue. Charles Simonyi, who for years oversaw all software development at Microsoft, did a Ph.D dissertation on a model of development that relied on a "chief programmer" to do high-level design, with an army of trained monkeys to do the gruntwork. I used to work with him, back when he was at Xerox, and he always hired people who seemed reasonably smart, but who were *very* young and inexperienced. Give a bunch of trained monkeys stock options, and guess what you get? There's no substitute for hiring programmers who actually know what they're doing. I think Simonyi's ego is as good a candidate for the root cause of Windows XXX's crappiness as anything.
peristaltor
Jan. 2nd, 2006 07:48 am (UTC)
Fun? Sure. Whatever.

Years ago, while learning to scuba dive, I trained with a couple of guys from Microsoft who worked in a department of which I have never heard. Their job was to update software for the entire company.

That's right. Once in a while at the 'Soft, one would come into one's personal space, log onto one's PC, and note that, though your personal files are intact -- hopefully -- your personal version of Excel or Word had "updated" overnight. These guys worked for a department known internally as "the viruses."

Even I, basically a know-little grunt with hairy knuckles, thought that for Bill's OS to even allow such an unwarranted transformation to individual machines on such a vast scale was to not simply overlook intrusion, but to welcome it with a bleeding red carpet.

Your post settles it. Your post confirms my way-earlier suspicion. When it's time to finally stop dealing with the hangs and lockups, the crashes and blue screens of death, I will be getting that Mac Mini. Hopefully I can network the two machines, maybe with a simple USB, so I can run my silly old games without shelling out major clams for the Mac versions.

Time to suck up the cost differential and vote with my wallet. I'm sick of Windows and everything it has come to represent.
dotmacdude
Jan. 2nd, 2006 08:35 pm (UTC)
Hurray and welcome to the official world of the switchers.
sthira_sukha
Jan. 2nd, 2006 03:54 pm (UTC)
Great entry, very informative--I just added it to my memories. Thanks for posting this, and happy new year!
dotmacdude
Jan. 2nd, 2006 08:45 pm (UTC)
Well thought out and well reasoned. I always love seeing rational posts about the state of the "Virus World" so to speak.

I do think that there is one interesting point you omitted. By the very virtue of running a Mac on a broadband connection it is subject to the same attacks that foil windows. The majority of these are Windows specific exploits which of course are meaningless, but a couple are attempts at exploiting flaws in a service that BOTH Windows and Mac run. Not necessarily the same source/binaries, but the same service/protocol.

So Macs actually are attacked the same amount as Windows machines in sum, and even in specific they are attacked at some fraction of the same rate as Windows machines.

Yet, they have not succumbed yet.

Just an interesting tidbit. For grins I would also point out that I run a Mac at home outside my firewall as my home server and despite thousands (YES thousands) of "attempts" per day it just keeps humming along. (And no it really is running a lot of services not just "existing")
jonnymoon
Jan. 5th, 2006 05:34 pm (UTC)
So let me get this straight...you can't run remote code on a Mac?