Saturday, October 21, 2006

OS X Malware

Just to be up front about it: Yes, this entry was created in the spirit of stabbing OS X zealots in the eye with a lit cigarette. Why? It drives me absolutely insane when people who clearly have no concept of how these things work insist that Macs can't get malware, don't have vulnerabilities, or have some magic security model. Yes, I realize trying to educate someone like that is masochistic. However, I wanted to have a more convenient place to point to when some clueless Mac fanboy says "show me even one virus for OS X!!".

I don't care to claim that the problem of malware on OS X has in any way reached significant levels. Nor am I trying to say that it is imminent. I do mean to say that it is not non-existent, and that it is certainly not impossible that it could happen.

So I'm going to try to maintain a list. I'm doing "malware" here, not exploits or vulnerabilities. For my purposes, that includes viruses, trojan horses, worms, rootkits and spyware. I'm also going to limit this list to malware designed for OS X. There is a long list of macro/Office based stuff, things for OS 9 and below, and so on. Yes, I realize that some of it still probably works fine on OS X under the right circumstances.

Malware:
"Opener"
01Apr2004~22Oct2004
Rootkit
http://www.macintouch.com/opener.html

"osxrk"?
08Sep2004
Rootkit
http://freaky.staticusers.net/ugboard/viewtopic.php?t=13891

"Togroot"?
http://www.oreillynet.com/cs/user/view/cs_msg/72381

"WeaponX"
~05Nov2004
http://packetstorm.security-guide.de/filedesc/wX.tar.html

(Sony Rootkit)
~11Nov2005
Rootkit
http://www.tuaw.com/2005/11/11/sonys-drm-now-for-macs-too/

"Leap-A"
16Feb2006
Trojan/Worm
http://www.macrumors.com/pages/2006/02/20060216005401.shtml
http://www.ambrosiasw.com/forums/index.php?showtopic=102379
http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99

"Inqtana.A"
22Feb2006
Worm
http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0534.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99
Source: http://www.digitalmunition.com/InqTana-ABC.tgz

"Inqtana.B"
22Feb2006
Worm
http://www.symantec.com/security_response/writeup.jsp?docid=2006-031413-1704-99
http://www.sophos.com/security/analyses/osxinqtanab.html
Source: http://www.digitalmunition.com/InqTana-ABC.tgz

"Inqtana.C"
22Feb2006
Worm
http://www.f-secure.com/v-descs/inqtana_c.shtml
Source: http://www.digitalmunition.com/InqTana-ABC.tgz

"OSX.Macarena"
02Nov2006
Virus
http://blogs.securiteam.com/index.php/archives/714
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-110217-1331-99&tabid=1
Source: http://vx.netlux.org/src_view.php?file=machoman.zip

Not malware:
http://apple.slashdot.org/article.pl?sid=06/09/16/182207
But I put it here for reference. This is to address the people who want to claim that malware would have to ask for your admin password. Not that there is any requirement that malware be root, of course. In the OS X security model, any admin user can write to everything in /Applications.
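As an added example (not part of the original post), here is a small shell audit of an applications directory that flags bundles whose group-write bit would let any admin-group user modify them without a password prompt. It builds a constructed sample tree instead of touching a real /Applications, so the fixture paths are assumptions.

```shell
# Added example: audit an applications directory for app bundles whose mode
# bits grant group write. On OS X, /Applications is typically root:admin with
# mode 775, so an admin-group user can alter bundles without being asked for
# a password. The sample tree below is constructed for demonstration only.

# Print every top-level *.app entry under $1 whose group-write bit is set.
# Mode bits are checked directly, so the result does not depend on who runs it.
list_group_writable_apps() {
    dir="$1"
    find "$dir" -mindepth 1 -maxdepth 1 -name '*.app' -perm -g+w | sort
}

# Count of group-writable bundles in $1 (the number a defender would alert on).
count_group_writable_apps() {
    list_group_writable_apps "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree: one group-writable bundle, one locked down.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir "$tmp/Writable.app" "$tmp/Locked.app"
    chmod 775 "$tmp/Writable.app"   # root:admin 775 style, admin can write
    chmod 755 "$tmp/Locked.app"     # only the owner can write
    printf '%s\n' "$tmp"
}

fixture=$(make_fixture)
list_group_writable_apps "$fixture"
```

Point the first function at /Applications on a real machine to see how much of the application tree an admin user (and therefore anything running as that user) can rewrite.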

InqTana.D
http://www.digitalmunition.com/hacklu.html
According to the author, .D is no longer a worm, but is an autorooter. Unless I have time to look at it later and change my mind, it does not appear to meet my definition of malware.

12 comments:

Gene said...

I only have one problem with your "OS X Malware" post - your label: "OS X Sucks."

Do you think Mac Zealots who think OS X is flawless suck or OS X itself actually sucks? If the latter, please explain. If the former - no explanation needed.

Maybe it's both. Just curious.

Ryan Russell said...

OS X Sucks.

I was wondering when someone would ask about that. I'm going for a theme, here. It certainly won't be obvious with only three posts in it so far.

It's half joke/half not. About a year or so ago, the screen cracked on my Windows XP Sony Vaio. I already had an iBook G4 at work that I was using for testing my company's product, so I switched (pun intended) to that.

Point being that I've been using the iBook as my daily email and web surfing machine for about a year. The standard I judge OS X against is that of a 20-year DOS and Windows veteran. As time goes on, I will fill in other OS X sucks entries along those lines. I don't intend all of them to be picking on OS X security issues necessarily. I'll be just as happy to complain about the randomly-downloaded videos I can't play on it...

So, it should end up being part security analysis, part whining, part lazyweb.

Why am I picking on OS X only/mostly? Because I get PAID to pick on Windows, in the Windows Secrets newsletter I write for.

Gene said...

You have me beat. I'm an 18-year DOS and Windows veteran and once-owner of Royal Computers in Houston, Tx during the early 90's when independent system builders could truly compete and make a living.

I started using OS X when I bought a PowerMac in May 2005. Then I bought my wife a MacBook this year to get her off of my computer.

I guess our needs and expectations of a computer factor in, as we both see OS X differently. My opinion is not that Apple's perfect, just better. I'll be interested to see which randomly-downloaded videos you can't play - I haven't found any. Flip4Mac solved the few I couldn't view.

I'll be checking back. I'm always interested in seeing both sides of the coin. Besides, being neither myself, the argument between Mac-Zealots and Anti-Macs (usually Apple-Contrarians) has always interested me.

Anonymous said...

the virus source code is available by a simple search:


Infecting Mach-O Files

Judge by yourself.

Ryan Russell said...

Anonymous: Yes, thanks. I've updated the list with links for the Inqtana series, as well as the OSX.Macarena source. I was given links to both by Kevin Finisterre, author of the InqTanas.

I hadn't realized before that the "Macarena" code was a 29A release.

Anonymous said...

I have a hard time believing that anyone who knows computing really thinks that Macs or any other platform is impervious to malware, don't have vulnerabilities or have a magic security model. The people who feel Macs are impervious are not technically initiated and only use their Mac to check emails and read sports news on ESPN.com. They are certainly not reading this blog or any other tech related page.

I'm not sure why all the effort goes into trying to correct the unreachable. You can try to educate them, but they're not going to get it. 95% of the Mac user base just don't care about security and just want to sync up their iPods.

Let these people be blissful and wallow in their ignorance.

Anonymous said...

Good point, though it is unfortunate. You might as well start a "Cigarettes Suck" entry and direct smokers to it -- it would have about the same effect (again, unfortunately).

Most Mac and PC users are dumb enough to plug their computers straight into their DSL / cable modems with even an intervening NAT, and they click on every attachment they receive. And they still believe they are safe, because they paid McAfee or Symantec "protection money."

Ryan Russell said...

Anonymouses:

No, they won't learn, I know that. I guess the fact that I keep banging my head against it makes me a security education zealot.

PC users will do risky things on an individual basis, not believing it will happen to them, even though they know this kind of thing happens all the time. I think that's a different brand of denial, though.

I've gotten into discussions with Mac users that literally believe that viruses aren't possible on the Mac. Gah.

Anonymous said...

"I've gotten into discussions with Mac users that literally believe that viruses aren't possible on the Mac."

Really? Are there really Mac users out there who literally believe that viruses aren't possible on the mac? In my 20 years of using Macs, PCs, Unix boxes, and IBM mainframes, I have never once met the "Mac Zealot" so often caricatured by the blogs and/or the press -- and I know a fair number of Mac users. Not only that, I've asked around, and nobody I've ever asked has ever met this mythical Mac Zealot either.

I put the question to the other post submitters, as well: Have you ever actually met or had a conversation with any human who actually believes that Macs are totally immune to viruses? ("Knowing someone who knows someone that is a Mac Zealot" doesn't count. I'm asking for actual interaction that YOU, personally, have had.)

Ryan Russell said...

I think it's fair to accuse me here of exaggerating slightly, but only slightly. I've run into the worst crowd on Digg. I guess they archive comments after a while, but see if this cached version works:
http://209.85.173.104/search?q=cache:ILklJcYfZncJ:digg.com/tech_news/Mac_attacks_rare_but_rising/all+mac+ryanlrussell+site:digg.com&hl=en&ct=clnk&cd=2&gl=us

And to be fair, I can't tell for sure that they really believe that nor that they really use Macs, but they are sure trying hard to convince me.

Anonymous said...

Actually, my head DBA told a client that he most certainly didn't need a virus scanner because he was using a Mac.

Our client required anyone connecting on their VPN to show a screen shot showing a running virus scanner with an up to date pattern.

So my guy flips out and tells the client he doesn't have to do that, because he's running a Mac.

So you know what he does? He sends a screen shot from another older PC, then still goes ahead and connects with the Mac.

I also read a ZDNet article somewhere, that had a quote from Apple tech support that said "Macs don't need Virus Scanners" but I can't locate the URL.

When the first widespread worm comes out, it's going to cut through Macs like wildfire. All it's going to take is someone to realize that the most common banking software has account codes cached ...

== John ==

AnotherGuy said...

Last month I was looking for a new laptop to use at work and school. I talked to a few friends of mine about my buying a Dell XPS. They are mac users, and for about an hour they argued with me about how amazing Macs are and how bad Windows computers are.

Several times I mentioned how macs were beginning to get viruses and malware, and all they could say was "What, that's one time for the millions of times Windows users get them"

Just sent them an email too about how this type of stuff is growing already.

I ended up buying a mac anyway, not because of virus protection, but because ironically my Dell XPS crashed (twice) and I decided rather than continuing to return it I needed to just get a computer that would work decently for taking notes at school and doing some web development.

So far the Macbook hasn't crashed and that makes me satisfied enough. (Planning on installing BootCamp one day though to play with Ubuntu and Windows 7)