Wil Shipley: Mac OS X Viruses

by jesse

Mac OS X Viruses: Put Up or Shut Up (part 1)

Thank you Wil - I might have disagreed with your comment about Unit/Functional Testing, but damned if I don't agree with you about the "Mac Virus" thing. I'm sick and tired of explaining to people why Macs in general are more difficult to penetrate, and overall almost impossible to infect in a similar fashion to Windows machines. Why do you think you only see root-kits on Linux? The inherent OS structure won't allow you to do anything to the system as a whole without full root access - which, like OS/X, requires password authentication. I could rant on - but I won't. Yes - it is possible to write malware for a Mac - all you need to do is make a piece of software that users will click to download and install. Hell, if you're feeling squirrely, you could even make it force the OS/X "this application needs to run a program to install" sudo authentication dialog to really get access.

Once the user finds the software, the user has to download the software. Then that user has to install the software, and then authenticate that software. This is not a virus! A virus uses flaws within the OS, at a basic kernel level or via some other system-level flaw, to gain otherwise inaccessible access within the OS and create damage. For instance, clicking on a website within Internet Explorer that has a malicious ActiveX control, which, because everything on a Windows box (normally) effectively runs as Administrator, gains access to your system registry and then plays the banjo with your system as a whole.

Currently, there are 0 "viruses" meeting these criteria for OS/X. There aren't any on the horizon. Yes - there are pieces of malware - I could write one right now that would harvest user data from a given OS/X host. I would not be able to access things like Keychain (for passwords, etc.) without prompting the user, but social engineering (manipulating users to do something they might not otherwise "want" to do) has never been terribly difficult. Malware is a risk on every single computing platform in the wild! Heck, I could compile a custom version of Apache that does very bad things, and distribute it for Unix systems.

That last statement is a bit of an argument for open source, not that anyone has time to sit there and read thousands of lines of code - but given that projects like Mozilla can have their distribution "infected" with a virus - the argument stands. (Ironically enough, the virus that infected the Mozilla distribution was aimed at - you guessed it - Windows!)

The biggest risk Mac users face at the end of the day is being a "portal" for viruses to other users. For instance, I have Mail.app running right now - my mom could send me an infected file/email from Outlook, and I could in turn pass it on to another user without realizing it - the virus did not affect/infect me - but it might infect a person down the chain. This is an argument for server-side virus/email filtering. Again - the same thing happens with Linux/Unix clients.

There was an issue at a previous company where we had a 1.5 TB Linux file server open on the network. The server was running NFS and SMB, and everyone in development and QA used this as a dumping ground. After two severe virus infections (attacking Windows) in .doc files and Windows executables, we had to start scanning the shares for infections on a nightly basis. Although we had AV tools installed on all of our workstations, AV tools sometimes don't play well in a testing environment, so our test hosts kept getting infected. Joy! Another case of "you ain't infecting the host, just the consumer".

On one hand, I'm happy about Wil's bounty offer of $500 for the first person to make a real virus for OS/X - on the other hand, I'm bothered by the fact it might one day come to pass, even if I truly believe that OS/X's inherent design won't allow it.