Monday, September 26

Mac OS X Viruses: Put Up or Shut Up (part 1)

All right, I'm sick of people reporting that Mac OS X is 'mostly' virus-free. It is, as far as has been proven, ENTIRELY virus-free. Macs are not magical, and one day there will be a virus that infects them. However, I don't think it's happened yet, and I think it's time we, the Mac community, started saying, "No, we don't have any viruses."

Seriously, if a reporter asked you, "Hey, do you have herpes?" and you replied, "Nope, I've been tested, no herpes, never," and then they wrote an article with the headline, "Bob Smith: Mostly Herpes-Free," you would, no doubt, flip (assuming your name was Bob Smith). You'd probably sue, even. But we put up with this crap every day, mainly because it's nigh-impossible to prove the negative. We'd need to inspect every hard drive of every Mac owner in the world. So we settle for "mostly virus-free" even though, compared to Windows, we're Mother Teresa and they're Pamela Anderson.

Let me be clear: not having had a virus is NOT the same as being immune to viruses. I think part of the reason almost nobody has been willing to stand up on this crusade has been that we get shouted down with cries of, "Well, no OS is perfect; Mac OS X will get its virus!" And I have no doubt we will. But Windows gets a virus every freaking week, and we've never had ONE. I think that's also relevant. Much more so than "Well, someday you won't be so perfect!" (Again, imagine you're about to share a fork with someone who you find out has rabies, scabies, rashes, a cold, the flu, lice, and scurvy, and that person says, "Well, everybody is susceptible to the same diseases." Yes, true, however, you'd still probably prefer to share with someone healthy at this moment.)

I'll admit, this crusade didn't start with me. It started on MacSlash where the news editor has TIRELESSLY pointed out every time some journalist or company implies that we're infectious.

And, I'll admit, others have come up with the idea of offering a bounty for Mac OS X viruses before, but I think those plans failed due to the way the challenge was structured. I don't want to incite someone to create the first Mac OS X virus.

So, here's my plan. I'm not putting it into effect yet, but I'm soliciting comments, and if nobody can prove it's a bone-headed idea, I'll go ahead with it.

I'm going to offer a bounty of $500 to the first person who can prove that a Mac running Mac OS X (version 10.0 or greater, and patched to the latest security level available at the time from Apple) was accidentally and detrimentally infected with a virus that exploited a flaw in the base Mac OS X installation (not, say, Microsoft Word) before September 20, 2005. The definition of "virus" for this contest will be either a virus or a worm as described by Wikipedia. The challenge ends at 23:59:00, October 16, 2005 (which happens to also be my birthday, and by the way I have a thing for nice shirts).

I will only offer this bounty once, and as you can see, the deadline for the viruses to have done their dirty work is in the past. So, if you're planning to write a new virus just to win the challenge, well... that won't work unless you also make a time machine. (Which, frankly, I'd be willing to fund for $500.) This is a research project, not a programming project: find one of us who has been infected at some time, and tell the world about it.

And, if you can't, then we should declare ourselves "virus-free," and write letters-to-the-editor anytime someone compares us with Christina Aguilera. Because we don't roll that way.

187 Comments:

Blogger jfdkasjfdkls;a said...

All you need is a non-disclosed remote root vulnerability to create a worm. It's even easier to create a virus, as you can exploit local privilege escalation for file-based infection. The malware portion of the code is pretty straightforward from OS to OS. What I think you're really going to offer a bounty for is the disclosure of a vulnerability that Apple is unaware of. Many people would question this side-channel as unethical full-disclosure wrapped nicely with a malware ribbon on top.

September 26, 2005 5:21 PM

 
Anonymous Anonymous said...

Quickly changes the definition on Wikipedia to be "a program that runs on your computer.".. Clicks build.

Voilà! A virus, by the definition of Wikipedia, done!

September 26, 2005 5:24 PM

 
Anonymous Blake Seely said...

I think the point is that Wil's not offering $$ for a vulnerability. He wants to see proof that a vulnerability was exploited (to-date, not in the future) with a virus.

September 26, 2005 5:25 PM

 
Anonymous Anonymous said...

Mac virus alert - users' details at risk
A rarity, it has some Apple buffs worried

By Munir Kotadia

Published: Monday 25 October 2004

A new script-based virus that spies on Apple Mac users was discovered over the weekend. The malware, which has been dubbed ‘Opener’ by Mac user-groups, disables Mac OS X’s built-in firewall, steals personal information and can destroy data.
Security experts say these traits are common among the thousands of viruses targeting Microsoft’s ubiquitous Windows operating system but are virtually unheard of amongst the Apple Macintosh community.
Paul Ducklin, Sophos’ head of technology in the Asia Pacific, said the virus, which Sophos calls Renepo, is designed to infect any Mac OS X drives connected to the infected system and it leaves affected computers vulnerable to further hacker attack.
Ducklin said Opener disables Mac OS X's built in firewall, creates a back door so the malware author can control the computer remotely, locates any passwords stored on the hard drive and downloads a password cracker called JohnTheRipper.
According to Ducklin, Opener tries to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer.
Most worryingly, according to Ducklin, this could be the start of a spate of viruses that uses Mac OS X’s scripting features against its users.
"The existence of Unix shells - such as Bash for which this virus is written - and the presence of powerful networking commands opens up the game a little bit for Mac users. It is no longer necessary to know about Mac file formats or executables you can write your malware in script and if you really wanted to you could probably write a portable virus that would run on many flavours of Unix [and Mac]," said Ducklin.
Chris Waldrip, president of the US-based Atlanta Macintosh Users Group, posted a detailed description of Opener on the MacInTouch website.
According to Waldrip, who admits the virus has him "a bit spooked", Opener seems to have started out with a "legitimate purpose" but has now been developed into a replicating piece of malware.
"I'm not sure how this could be guarded against," he said.
Mikko Hyppönen, director of antivirus research at F-Secure, said that viruses targeting the Macintosh system virtually disappeared in the late 1980s.
"Things have been really quiet on Macintosh-front, virus-wise. Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out," said Hyppönen.
Symantec said users of Norton AntiVirus for Mac OS X were protected as long as they had updated their signatures over the weekend. A spokesperson for the company said the relevant signature files had been available since Friday evening.
Munir Kotadia writes for ZDNet Australia.

September 26, 2005 5:27 PM

 
Blogger Wil Shipley said...

Mark, seriously: READ THE LARGE PRINT.

The virus has to have EXISTED, and INFECTED a computer maliciously, BEFORE SIX DAYS AGO. Thus, it can't be something someone just whipped up, and it can't be a conceptual "way to write a virus."

YOU HAVE TO PROVE THAT SOMEONE ACTUALLY SUFFERED FROM A REAL, LIVE VIRUS THAT ALREADY EXISTED! NOT PROVE THAT VIRUSES CAN BE WRITTEN! WE ALL KNOW THIS!

THE WHOLE POST WAS ABOUT THIS! FOR CRYING OUT LOUD, DON'T ADD TO THE DAMN COMMENTS UNLESS YOU ARE GOING TO EVEN READ THE FREAKING POST!

There have been many, many vulnerabilities documented in Mac OS X. This is NOT NEWS. CERN has a ton of them. It's a damn Open Source system -- the vulnerabilities are right there for you to read about! My point is, these have never been exploited in a live virus, released in the wild, that harmed people.

September 26, 2005 5:32 PM

 
Blogger jfdkasjfdkls;a said...

I'm sure you can also have a lot of fun with MethodSwizzling here. Don't forget about Malicious Bundles On Mac OS X (currently down, google cached here: http://tinyurl.com/7d4r3)
If anyone wants the attachments I can probably dig them up. All that's left is finding an infection vector.

September 26, 2005 5:33 PM

 
Blogger jfdkasjfdkls;a said...

Sorry Wil, the glory of RSS is skim-reading, which is also the bane of RSS. I retract my arguments.

September 26, 2005 5:36 PM

 
Blogger Wil Shipley said...

Opener: From the article on MacInTouch: "It does not look like something that can be maliciously installed, since the shell script can't be installed by just any user on a machine." You have to have installed it yourself. It was malware, but not a virus. Notably, the article quotes a guy at a virus-protection firm (Paul Ducklin) saying how worried he is about this possible virus, which nobody is listed as having suffered from.

September 26, 2005 5:41 PM

 
Anonymous pixelfairy said...

does social engineering count?

outside of that, this issue is confused. MS has a really bad history with viruses etc, only partially caused by their popularity. there's also a lot of legacy and bad design in windows which doesn't exist on osx.

apple got to see the mistakes and start over. patching os x is thus easier for apple than the complex maze that ms has to deal with (which is why they tend to have patches that break things, where such is rare in the unixes)

there is one glaring "flaw" in the os x model. a user can install an app (in /Apps) and write over it, meaning malicious code can too. not just an admin user, a normal user. some apps only run if you have write access to the bundle, which sucks but i don't think that's apple's fault.

anyway, i dont think most users would make themselves an admin account just to install apps.

a passwordless fast user switch (a la linux/bsd) would make it easier (and hopefully more likely) that users do this (without having short passwords)

in the end users do need to be educated but to a point, the system is still more complex than it needs to be, which is why more education than there should need to be is necessary. (the only alternative is a managed system, but even the best intentioned can and will make mistakes too)
the mac needs the least amount of education for a system that's still managed by the user (except maybe linspire, haven't tried it)

September 26, 2005 5:48 PM
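The comment above points at a concrete, checkable condition: application bundles that the logged-in (non-root) user can write to, and therefore that any code running as that user can modify. The script below is an added example, not code from the original post or any commenter; it lists such bundles under a directory (default /Applications, an assumed path) so a practitioner can see the exposure on a given machine.

```sh
#!/bin/sh
# Added example (not from the original post or its comments): list .app bundles
# under a directory that the *current* user can write to. If the bundle
# directory or its Contents/MacOS executable directory is writable, code running
# as this user can replace or patch the application without any privilege
# escalation. The default directory /Applications is an assumption; pass a
# different path as the first argument to check that instead.

writable_apps() {
    dir="${1:-/Applications}"
    for app in "$dir"/*.app; do
        # Skip the literal glob when the directory holds no .app bundles.
        [ -d "$app" ] || continue
        # -w asks whether the invoking user may write the directory entry
        # itself (create/rename/delete files inside it).
        if [ -w "$app" ] || [ -w "$app/Contents/MacOS" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# Number of writable bundles, for a one-line summary.
count_writable_apps() {
    writable_apps "$1" | wc -l | tr -d ' '
}
```

Run it as the ordinary login user, not via sudo: as root every directory tests writable and the output says nothing about the user's exposure. A bundle that shows up here is one that a drag-installed copy left owned by the installing user; `chown -R root:admin` plus `chmod -R go-w` on the bundle, or installing via an installer that sets ownership, removes it from the list.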

 
Anonymous Uli Kusterer said...

What about Word Macro Viruses? Don't tell me MS fixed those? Surely among the millions of Word viruses, there must be one that works on OS X?

September 26, 2005 6:02 PM

 
Blogger Wil Shipley said...

RSS: I should warn you not to drop out of school or cut off your knees, as well.

Word Macros: Yah, I think I mentioned that in the text of my article, actually.

September 26, 2005 6:09 PM

 
Anonymous ssp said...

Wil, while I think it's potentially an interesting challenge you're putting up, I also think that your initial point is flawed.

As you say, 'as far [as?] has been proven' Mac OS X has been virus free. But this case, which involves millions of distinct computers and possibly a similarly large number of possible vulnerabilities, is very different from the example you give with herpes where there is a single body, a single well-defined illness and apparently a test giving a clear result with no herpes for Bob Smith.

Of course reading about Mac OS X being 'mostly virus free' is absurd but that probably has more to do with the highly skilled tech writers you are reading than with Mac OS. They may just want to cover their asses and don't dare to say 'virus free' when they can't prove it. But instead of saying there are 'no known viruses so far' they go for the 'mostly virus free' line which sounds stupid.

Personally, I think it's a bad idea to write about Mac OS X being 'virus free' because it may give people a false feeling of security and make them careless because regardless of what you're actually saying they'll read it as 'immune to viruses' anyway.

So in a way I hope that you succeed with your search for a virus because that'll render these discussions obsolete.

(I also don't understand why you want to exclude Word viruses. From a user's point of view of the damage that can be done it's fairly irrelevant by which environment the virus is executed. If a Word virus can steal or destroy my data and spread itself to my friends and colleagues, it's just as bad as a virus that hooks itself right into the OS).

September 26, 2005 6:11 PM

 
Blogger jfdkasjfdkls;a said...

I re-read the article... "was accidentally and detrimentally infected" -- is clicking OK on a dialog an accident like tripping over your feet and falling down? Stupid maybe, but surely not on purpose.

I lack the understanding of discounting trojan horses when depending on the definition you read (yea, wil, wikipedia, i know, it's covered in "use of the word virus", which you can sum as a press-ism, because after all that's what you're focused on no?) I know a grip of press that consider most of malware a virus -- does it matter? Yeah if you're trying to convince press and not geeks. To the non-tech it looks like you're reaching when you have to over explain a definition to make such a declaration of such magnitude.

All this code is derived work, the only difference is what the infection vector is. If you're going to address this point in a contest maybe "must have an auto-infection vector" or words that answer the related comments. Nevertheless ssp is right about how press will construe it, people are a large weakness and if you can get them to open something up and it auto-infects from there, this is just as relevant when declaring an OS non-viral. I think it's safe to say some OS's are more viral than others due to the implementation of privilege layering.

It's also hard to prove this with log and timestamp doctoring... prove that your submission was valid that is. I suppose someone might spend some time in vi for $500. At the end of the day how are you going to put constraints on the contest masking the spoofs?

At the end of the contest run, (assuming no one proves it) does this mean it's not there? I'm sure there's a host of nefarious types that would love a bold statement like that flipped in the favor of blackhats. Press will be press, but does this mean the technical crowd has to make unscientifically sound arguments to beseat the mis-information?

Not trying to sound discouraging nor am I offended by your attacks (i've worked with deraadt, i've seen worse), but I'm trying to grasp the exercise with an open mind and the credibility of sinking to the level of press and making bold statements to balance the scale.

September 26, 2005 6:53 PM

 
Anonymous Anonymous said...

Yeah, you're not that smart. Obviously Macs do get viruses, and btw Mac OS X is more bugged out than Windows and it also has some serious security flaws.

Also, Macs are slow.

I have a 1.5GHz 512MB Celeron laptop; it plays games faster and better than that G4 2GHz 512MB RAM.


TCX.Worm.JBS was a virus on a Mac, so... where are you looking for your info? Mac-only areas, damn.

Don't comment on my typing, just read what I said.

September 26, 2005 7:01 PM

 
Anonymous Anonymous said...

here is a link to my above comment

http://beta.news.com.com/Apple+plugs+critical+holes+in+OS+X/2100-1002_3-5879187.html

September 26, 2005 7:03 PM

 
Anonymous Anonymous said...

You guys are blowing my mind. Did ANYONE read the article?

He's asking if anyone has ever seen a real, live virus infect a human body. He's not asking if anyone has ever seen a "virus in the lab". He's not asking if someone has ever written a paper for a medical journal describing a theoretical infection vector. He's not asking if anyone has ever had a vaccination or booster shot. He's not asking if anyone has ever been hit with a hammer or fallen down a set of stairs.

We're not talking about root kits or theoretical exploits. He's asking if anyone ever caught some weird-ass virus and got sick or died. And the answer is NO. Period.

No virus. Ever. Simple.

Repeat after me. NO VIRUS. Got it?

If you can prove the contrary, he's offering $500. But that's like trying to prove that the sun didn't come up one day (without resorting to a trick at the polls, or some silly argument like "I couldn't see the sun because of the ashes/clouds in the air"). He's not saying that the sun will never blow up or fade away (it will), he's just saying that it hasn't yet.

But hell, if you're not going to read the article, you're probably not going to read this post. :)

PS, WTF is TCX.Worm.JBS? Google pulls up nothing ...

September 26, 2005 7:30 PM

 
Anonymous Squozen said...

And here's what mentioned RIGHT IN THE FREAKING ARTICLE YOU POSTED:

Symantec and the French Security Incident Response Team both said the vulnerabilities are serious and that the need to patch them is urgent. However, no exploits for them have been reported, Symantec noted in an alert sent to members of its DeepSight service Frida

Let me repeat that for you. NO EXPLOITS REPORTED.

All operating systems have vulnerabilities. You've proved nothing except that Apple patches better than Microsoft. You might also want to read about the actual vulnerabilities themselves.

September 26, 2005 7:33 PM

 
Blogger Tom said...

It's not very responsible to advocate virus writing. It's comparable to writing viruses yourself.

September 26, 2005 7:35 PM

 
Anonymous Anonymous said...

isn't this "test" to see if it has happened yet? does that really mean that an exploit can't be found and abused by malware writers? all this test proves is that no one has exploited any vulnerability yet. i can prove no one has been to mars; does that mean no one will ever get there?
if you want an OS that can't have any malware you can write an OS that doesn't do anything and that you can't interact with. as soon as you add people to a computer anything can and will happen. virii by definition are spread because of action of the user so if you are allowed to run things you always have a chance to screw things up.

September 26, 2005 7:53 PM

 
Anonymous brian said...

It's not responsible to post comments without reading the article either!

What's entertaining is reading the article and then reading the idiotic comments!

September 26, 2005 8:04 PM

 
Anonymous Anonymous said...

Don't you think the rules to this are a bit strict?

It can't be with any program that doesn't come with the OS - yet if the OS lets the program with a virus run, it's a flaw with the OS as well, no? (a stretch admittedly - but you're trying to claim "OS X is virus free" but leaving out the "if you don't use any programs on it" part...)

second fault: only viruses from the past? well super duper, but if someone writes a virus today you'll no longer be able to claim OS X is virus free, so again your contest doesn't really relate to the claim you're trying to prove

and lastly (and most inept), you're saying the virus has to work even after the system being fully patched - but then you say it has to be a virus in the past... well if there was a virus in the past don't you think it would have been patched and therefore not work anymore? again a double standard... alright maybe you could claim just the patches available at the time of the infection (a little more sane) - but then i doubt you're looking at windows and only counting viruses that haven't been patched...

September 26, 2005 8:17 PM

 
Anonymous ManicDVLN said...

HEY BUDDY, GUESS WHAT, MAC MARKETSHARE IN THE COMPUTER INDUSTRY IS A MISERABLE 2-3% AND PROBABLY THERE IS STILL A SUBSTANTIAL AMOUNT OF MACS THAT ARE STILL ON OS9.

WHO MAKES VIRUSES? WHY DO THEY MAKE VIRUSES? FIND THE ANSWER, AND YOU WILL UNDERSTAND WHY THERE ARE NO OSX VIRUSES.

NO ONE GIVES A SHIT ABOUT OSX. HAVE YOU SEEN ANY BEOS VIRUSES? NO, DOES THAT MEAN THE OS WAS SECURE? NO

WINDOWS HAS THE MOST VIRUSES BECAUSE 90% OF THE MARKET USES IT. ESPECIALLY THE BUSINESS SECTOR. BUSINESS!!!!! NOT SOME LITTLE GRAPHICS DESIGNER THAT IS TRYING TO IMPRESS HIS FRIENDS CAUSE HE GOT A MAC.

NOW TELL ME, IS IT WORTH MAKING A VIRUS FOR A OS THAT THE ENTIRE WORLD MAJORITY DOESN'T EVEN USE? DUMB ASS.

September 26, 2005 8:18 PM

 
Anonymous Anonymous said...

Sounds like a good idea for a bounty! I'm tired of arguing with clueless Windows users who think all computers, including Macs, get viruses.

Paul

September 26, 2005 8:24 PM

 
Anonymous Anonymous said...

Just install Virtual PC & Windows XP.

You have installed a big virus....

September 26, 2005 8:34 PM

 
Anonymous Matt said...

I'd like to offer my support to Wil and his quest. The challenge is very well structured and the only people to have issues with it either cannot comprehend simple concepts or cannot switch off caps lock. In reality these people probably don't have a lot to contribute, so the remainder of us can get on with the challenge with the guidelines that have been clearly set out by Wil.

Thanks for the challenge Wil.

September 26, 2005 9:01 PM

 
Anonymous Anonymous said...

My Mac got infected by a worm once. But it was an old 8100/110 running MkLinux. I deliberately left it running a known-insecure FTP daemon to see how long it would take to get cracked; it only took 18 hours.
But this was back around 1996, before OS X was even in beta. Does that count? I haven't had a virus since that time.

September 26, 2005 9:12 PM

 
Anonymous Greg Titus said...

ManicDVLN says a bunch of stuff about marketshare. But the important sentence is just: "FIND THE ANSWER, AND YOU WILL UNDERSTAND WHY THERE ARE NO OSX VIRUSES."

So there are no viruses. Does it really matter why? Does it really matter whether OS X is theoretically more secure against malware when the reality is that There Are No Viruses.

That's the whole point. There Are No Viruses.

September 26, 2005 9:23 PM

 
Anonymous ManicDVLN said...

I'll make an analogy about this stupid rant.

Canada has not encountered any islamic terrorism. Does that mean Canada is secure from terrorism? Does it mean Canada is more secure than USA to fight against terrorism? No, why? Because no terrorist feels that Canada is important enough to engage in a terrorist act in accordance to their malicious pursuits.

When OSX gets 90% of the computer marketshare, then we'll see how "secure" OSX is. Don't even bother responding to me that exploits and security issues are not virus related. In the end, what's the debate here? Trying to prove that OSX is more secure than other OSes. That's the intention of your stupid mac fanatism. An OS that you can reset the administrator password on with the freakin installation CD.

No OS is secure; if there is the will there is a way. It's simply based on time and effort. This is the same stupid debate in browsers. IE is least secure because most people use it. Now that firefox has stolen a significant amount of marketshare, firefox security issues started to mount.

September 26, 2005 9:41 PM

 
Anonymous Anonymous said...

10000000+ Kudos to you man, I totally agree. And guess what! My birthday is the 16th too!! :D Sounds like a good plan. i saw this story on digg and someone did not state the story correctly, they are saying you are offering a bounty for someone to WRITE a virus. Good idea though!

September 26, 2005 9:42 PM

 
Blogger Giant Robot said...

Wow this post has really pulled in some real winners.

The "most used" diatribe about Macs and viruses is ridiculous. Apache is a far more popular HTTP server than IIS yet IIS has the lion's share of documented exploits. Popularity doesn't make Windows or IE insecure, bad decisions do.

IE was designed to use the Windows system-level scripting host to handle JavaScript and VBScript in web pages. This gives web page scripts local access to someone's computer through ActiveX/VB controls. This might have made sense to someone that thought it was cool to allow web pages to embed ActiveX objects but it has proved to be an enormous security risk. That has nothing to do with IE being popular, it was a bad idea that couldn't be undone because too many vendors had taken advantage of that functionality in their software. Ever wonder why companies providing web apps only support IE on Windows? It's usually because they use a sick combination of ActiveX and VBScript for their front end.

This is one of many exploits Windows has that simply do not exist on Linux, MacOS X, or any other operating systems. They're exploits that can't really exist on these other platforms to boot. Firefox and Safari don't give JavaScript access to anything outside of the web browser. A rogue JavaScript can't open someone's CD tray or download and execute a trojan or virus. This isn't to say Linux or OSX is invulnerable to malicious software, it is just that you're not going to browse to a website and end up with a keylogger installed.

Wil I think your challenge is a really good one. You've stirred up a nest of idiots but I don't think that detracts from the goal of your challenge. I too get tired of seeing "mostly virus free" in stories about Macs. I think we ought to hold journalists a little more accountable, especially when they're writing stories about Macs and security.

September 26, 2005 10:21 PM

 
Blogger thomas Aylott said...

This isn't 1995 anymore.
It just ain't hip to be a 1337 hax0r virus dood no more.
All the people smart enough to exploit crazy UNIX level shiznat are busy making 200k a year to bother messing with it.

Most of the 'viruses' on the PC are just crazy ways of stealing your money. That's why they target the easy and prolific prey. It's just too easy.
The return on investment in time and effort just isn't worth it. They have a sustainable business model, why rock the boat?

Then there's the script kiddies that download some random script off the 'net, change some of the code & send it to all of their idiot friends.

The only people who actually have a clue have no incentive to create viruses.

It's all about the Benjamin's baby.

September 26, 2005 11:07 PM

 
Blogger jfdkasjfdkls;a said...

Giant robot: No, but a rogue JavaScript can result in cookie theft; that's why some hate JavaScript. There are countless (probably the most abused BUGTRAQ reporting) examples of Cross-Site Scripting (XSS) vulnerabilities. In general, Web App technologies are probably not the best segue from the nasties of ActiveX.

September 26, 2005 11:14 PM

 
Blogger jfdkasjfdkls;a said...

thomas Aylott: The world does not solely consist of fat pimple faced teens bored with an assembly book, or 12 year olds churning out copycat worms... nor does it consist of a corporate world of IPOers fat and happy and retired from the former. There are undisclosed individuals that test the waters on a routine basis (both organized crime and intelligence organizations alike). Only the network noisy ankle-biters make news.

September 26, 2005 11:21 PM

 
Blogger poetsch.org said...

When even the poorest wannabe-viruses for OSX that actually are no viruses get enormous public attention and are cited everywhere, then the "Mac-Marketshare-is-too-small" argument is flawed. There is almost no way to get as much public exposure out of writing one of the hundreds of Windows viruses compared to writing the first real OSX virus. There has to be some other reason that it hasn't happened yet.

September 26, 2005 11:52 PM

 
Anonymous Anonymous said...

as ManicDVLN proves he is not a mac user nor a fan, the point here is not whether or not you like OSX. It is: did you, can you, find a virus?? Huh, can you? Yeah all us hardcore mac users know that we are a 4-6% owner share; no one is going to take the time to hammer out a virus. You make fun of FIREFOX for getting flaws once their user market share gets up there but how long did it take for them to issue a patch compared to Windows? I can't wait for OSX86 and see what happens; then we will really see how it all goes down.

September 27, 2005 12:39 AM

 
Blogger jfdkasjfdkls;a said...

Gernot:

I strongly agree with this logic.

How many OSX Server boxes run in the enterprise compared to MS Windows, Solaris and other flavors of *nix? There have been worms for both Linux and Solaris (Lion and 7350worm (which was not very public but exploited a solaris/sparc dtspcd vuln)). The Lion worm obviously took advantage of DNS issues, but there is no technical barrier between these same classes of malware from using OSX as a target with a different vuln. In fact there are no W^X, gcc-propolice, (insert stack and heap protection here) technologies. Many of these worms ride on disclosed but unpatched vulnerabilities (whether legacy os release or software updates hasn't fired off yet or enabled). People with undisclosed vulns and proof of concept test code are either working with Apple (hopefully) or are holding onto it with the intent of using it for their own reasons (nefarious). Over the better part of a decade doing day job pentesting I've come across ZERO OSX targets. This does not bode well for interest levels of bothering with mass infection code when I can roll considerably less code to exploit a release build OSX box from information gleaned from exploring bugs in OSX seed notes, or Friday's bug of the day posts where people air their Radar reports. Certainly is less telling than version control commit logs identifying attack vectors from reverse engineering patches to infect the masses.

Market share does have a lot to do with it when it comes to writing this code for leak-and-shock value. If your end result is to watch systems fall down (as most are) -- the more the better. In fact part of the "fun" is watching it spread and many have poorly coded PRNGs for picking nettuples to infect. What good is it if you can't spread it because the OSX install base looks like an archipelago?

My belief stands that an OSX virus is definitely plausible (technical arguments are sound; it's just another bsd-derived unix-like os under the hood, right?). Worms for Linux and Solaris -- to say no OSX would certainly need to be proven, because it doesn't measure up with any common sense. You're not proving an os is virus-safe, you're proving the target is not interesting. Mac OS X doesn't have security countermeasures for these types of infection vectors. Encrypted swap might look cool because it masks your passphrases, but it also does a great job in protecting malware with custom loaders to stay memory resident from being forensically examined.

September 27, 2005 12:52 AM

 
Anonymous Anonymous said...

In response to ManicDVLN and a few others. Various departments in the FBI and CIA have openly admitted to using OS/X machines. So think about who is part of that 4% market share, does it make a more interesting target yet?

September 27, 2005 5:16 AM

 
Anonymous Anonymous said...

Wow, I never could have imagined there were so many retarded people in this world... then I read the comments.

Instead of a $500 prize... how about hooking some of the people that have commented here a copy of Hooked on Phonics?

September 27, 2005 6:09 AM

 
Anonymous LD said...

*yawn*

September 27, 2005 6:49 AM

 
Anonymous Jim Renaud said...

I'm surprised there hasn't been a script kiddie so pissed off at a Mac fanatic that they haven't at least tried to make a virus for the Mac. However, that would require a $500 investment to get a Mac Mini and then learn about a totally new OS.

Maybe this will be easier for people when the Mac goes Intel and there is a crack for cats to install OS X on their Dells.

I use a Powerbook as my main machine, but I also have a Dell Latitude as well. I can honestly say I never had a virus issue on Win XP, but I'm a geek and don't run EXE attachments like my mother-in-law (don't get me started on that tangent). My point is that I don't use Apple products because they are virus free. I use them for literally 1,000 other reasons. Virus-free is just another bullet point in a list of why Mac fans are fanatical.

September 27, 2005 7:02 AM

 
Blogger Ian Betteridge said...

"The "most used" diatribe about Macs and viruses is ridiculous. Apache is a far more popular HTTP server than IIS yet IIS has the lion's share of documented exploits."

Actually, not true. According to Secunia, IIS 6 had two security advisories between 2003-2005, while Apache 2 had 25 and Apache 1.3 had 15.

September 27, 2005 7:03 AM

 
Anonymous Anonymous said...

"I'll make an analogy about this stupid rant."

OMG. We've got Steve Ballmer posting here now. RTFA (read the f***ing article). Islamic Terrorism in Canada has nothing to do with the matter. And "security by obscurity" myths about OS X, so beloved by Windows shills, would be beside the point even if they were true. The point of the article was that there are no viruses on OS X. The article was not a rant and it was not stupid. It was a challenge to point to what is frequently referred to but never known to exist.

As the man said: put up or shut up.

September 27, 2005 7:07 AM

 
Anonymous Anonymous said...

You people need to realize that OSX Tiger is based on Unix, and *nix systems have been proven by far to have the best security of ANY OS. I have a Windows PC, a Mac and a Linux box, and guess what, my Windows PC is down right now and the compatibility in my Windows PC is CRAP! The fact is any OS built on top of a *nix system will leave any Windows system in the dust.
How else do you explain why Hotmail and MSN were running off of Unix servers for so many years? Because they knew their own servers are terrible! And as far as writing a virus for OSX? Sure it's possible, but if you're good with Unix you can keep it out, or at worst, it'll just infect that specific user's directory, leaving the system files uninfected. Too bad Bill Gates uses his customers as beta clients as well; there are STILL massive security updates arriving for XP and now he wants to release Vista?

September 27, 2005 7:09 AM

 
Anonymous Anonymous said...

There's a widespread fallacy that the only motivation for writing exploits is widespread infection, notoriety, etc.

That may have been true in the past, but a lot of the bad actors on the modern scene are in it for the money. To them, a vulnerable system is a tool, and even if they find a vector to get control of 'only' a percent of computers connected to the Internet, that's still very interesting because it gives them the potential to own thousands of systems.

Most of the script-kiddie types who go looking for vulnerable systems *don't even know what OS the system they're connecting to is running*.

The 'Mac is safe because of its 3% market share' argument doesn't hold water.

Someone earlier noted that folks like the CIA use Mac OS X machines. I would note that having spoken to those users, they are under no illusion that Mac OS X is free of malware or threats, only that it is better defended. And in the end, that's good enough.

Wil, I think you're barking up the wrong tree. Mac OS X is mostly virus free, but it's not perfectly secure. That said, I strongly prefer it to Windows when it comes to security.

September 27, 2005 7:14 AM

 
Anonymous Anonymous said...

Until MAC's have a decent part of the computing marketshare, this will prove nothing. It's the law of large numbers. This has really no scientific basis whatsoever.

September 27, 2005 7:46 AM

 
Anonymous Chris Forsythe said...

Wil,

Does it need to be enabled by default in the base system, or can it be something like smbd or apache that is enabled by a checkbox that any user can check?

Chris

September 27, 2005 8:04 AM

 
Blogger Chilton said...

Wil, good job on this bounty.

There were Mac viruses in Apple's history, long before OSX. For that matter, there were Mac viruses back when Apple owned a far smaller portion of the marketshare, even when developer resources were more scarce. Things are an order of magnitude better today.

The fact that OSX is on more systems today, and that the basic skills needed to write a virus are taught in schools, shows that there is more at work here than mere obscurity.

Wil will keep his money. No Mac viruses exist, at this time, for the Mac. None have existed for OSX thus far. And as usual, the PC lovers will claim that the whole contest was rigged.

September 27, 2005 8:05 AM

 
Blogger Embro said...

I think you need to be a little more aware of your effect on the computing world, Wil. Your challenge has been misinterpreted and posted on digg.com.

Write a virus for OSX and earn $500
submitted by mdweezer 14 hours 55 minutes ago (via http://wilshipley.com/blog/200...)

Wil Shipley, independent Apple software developer, has offered a $500 bounty for anyone who can exploit a base OSX install with the latest security patches. It's time to put up or shut up.


I'm afraid that we are now going to get some real viruses appearing for OS X as your misinterpreted challenge circulates.

Think before you post!

September 27, 2005 8:19 AM

 
Blogger Idium said...

ok....

the simple fact is he is trying to prove that No CURRENT virus is capable of infecting a fully patched OSX machine and NOT claiming that it is future virus-proof.

so this is research into the current state of current OSX patch vulnerability.

September 27, 2005 8:25 AM

 
Blogger Chilton said...

It really doesn't matter if this has been misinterpreted or not. I seriously doubt anyone will be able to create a true 'Virus' for the Mac, and if they could, it would be far better done in public than in private.

Keep in mind that virus authoring was all the rage back at the MacHack conferences of the early 90's. But it was done in a closed environment, and led to the immediate creation of some of the first anti-virus software. Back in those days, Apple didn't aggressively hunt down exploits and patch them. They're doing a pretty good job of that now.

A virus that comes as a result of this contest will be a very short lived virus. So even if one does appear, which I seriously doubt, its impact will likely be minimal.

September 27, 2005 8:39 AM

 
Blogger Robert said...

Campbell tried this earlier and got slammed for his "contest". Now this "don't step outside the circle" approach proves very interesting.

Maybe some anti-obfuscation can be laid down for clarification of the "rules"; Macs are not Mac OS X. And which version of Mac OS X is the contest corralling around? I assume Mac OS X Tiger and not earlier versions. And I am also assuming that folks are keeping up-to-date with the security updates from Apple to avoid exploits. Which caveats are being used in this "contest"? And why eliminate app-based vulnerabilities and exploits?

Whether diseases are air-borne or transmitted from physical contact or through food or drink, they still get into the body and there are few antibodies needed with a Mac that uses the most recent version of Mac OS X and Security Updates. Wait, the Security Updates inoculate Mac OS X and ARE the antibodies!

Can Macs get malware? Yes. Virtual PC 7 opens up the Mac to all the Windows malware. Can that be curtailed? Yes, if we go out and use the beta version of Microsoft's latest anti-malware app code-named Atlanta. That too will probably get sunk as another "lost city" for XP Pro and Vista users (or as the MCSEs call them, "Lusers").

Can Macs get macro viruses with Microsoft apps? Yes, but the macro function can be turned off.

Are there Trojans that can exploit Macs? Yes, but Apple sent out Security updates for Mac OS X Tiger and earlier versions of Mac OS X.

Are there Worms that can exploit Macs? Not outside the Lab.

Are there keyloggers for the Mac? Yes, but Allume's apps work to flag about 11 of those.

Yesterday I cleaned out two more Email malware that landed on my iMac G5 and ClamXav quarantined them. (I also use Virex.) One was a trojan attempt and the other was a virus attempt that got through Mail.app and attached itself to outgoing Email. Both "infect" non-Mac systems and I constantly get .zip files from other Emailers that are Email-borne illnesses - and "affect only Windows machines".

I run VPC7 with XP Pro on my Mac. I play Russian Roulette every time I turn VPC7 on. I'm constantly hounded and SPAMmed by Microsoft to buy anti-malware protection for my version of XP Pro.

I can "tell" when my system has something weird going on because my Router will fail to communicate and I have to reconfigure it after shutting down for a while. I go back to my Mac and run the anti-malware software and discover that some Email malware attachment is "live" and I have to kill it. But it "doesn't infect Mac OS X Tiger".

Am I impacted anyway? Yes.

Is my machine a Zombie? No.
Has my system been compromised and "owned"? As far as I know, no. I review lots of "early release" and Beta software and my system goes down sometimes and I "get" to do a clean install about once a year (between Mac OS X upgrades).

Is there spyware for the Mac? Yes. We reviewed a commercial package (Spector) in macCompanion a while ago.

Nuff for now...

September 27, 2005 8:39 AM

 
Blogger Dak said...

I have said this before to my friends, the day a true, damaging, OS X virus or worm comes into existence, it will be all over CNN, C|Net and SlashDot's web pages. It will be a media frenzy because it'll be such a monumental moment. Windows gets new viruses and worms DAILY, not just every week.

I know I won't be getting the $500 from Wil. Not a single person I know running Mac OS X has ever been affected by a virus or worm.

September 27, 2005 8:46 AM

 
Anonymous John C. Welch said...

Wil,

Technically, since it replicates itself to network shares and thereby doing so, other systems, Opener is a really weak worm, that takes advantage of the rather large security hole for /Library/StartupItems that existed prior to Tiger.

However, if you note, the traditional virus (i.e. infects the system first without any action on the part of the user) is going away. Almost every viral outbreak on the Windows side (with a handful of exceptions) is started by Macro Virii. User gets a file, user runs a file, user's machine is infected. The "reach out and anonymously touch someone with no action whatsoever on their part" virus has always been a rarity. It's just too easy to get the user to do your work for you.

I'm kind of on the fence about the whole bounty thing, since, as it already has, it tends to degenerate into a semantics argument, and while generating a lot of noise, doesn't do much for signal.

john

September 27, 2005 8:46 AM

 
Blogger vortech said...

OK, so after all of that nonsense above, here's the real problem:
Writers are saying nearly virus free because they are trained to think that absolute statements are lawsuit bait. Write all the letters you want, if legal tells them to hedge, they will hedge and you spent time trying to prove a negative and not achieving your real goal.

September 27, 2005 8:56 AM

 
Anonymous Freddy said...

I found a virus on my NASA Mac laptop 2 years ago. It's called Microsoft Office. I've tried to destroy it but it keeps reproducing itself and causing all kinds of weird things to happen on my Mac. Any advice?

September 27, 2005 9:13 AM

 
Anonymous Anonymous said...

The moment I see somebody portraying “Mac” as an acronym is the moment I stop reading their post; from there, I can logically conclude they have no fucking clue what they're talking about.

September 27, 2005 9:13 AM

 
Anonymous Anonymous said...

The main reason why Mac OS X has not ever got a virus is because nobody can be fucked to write a virus for something that takes up 1% of the market, or whatever it is.

You will see root kits on Linux more so, because it's Open Source... Mac OS X might be based on Unix, but as far as I'm aware, you can't just go to their site and say "Hey, where's your source code" and make a root kit.

The only thing I can see Mac getting a virus from is a root kit, and if you were root kitted, you would be hard pushed to tell. So, you might not know that you actually have a virus, or a trojan horse, because it's buried into your system, so that you can't actually see it.

If I were an evil guy, I would want to write a virus for Windows, where you get 95% of the market share, instead of like the other 5% of the market....

The only reason why Windows beat the shit out of Mac to the computer market was because every time you wanted to upgrade, you didn't have to buy an entire system. You could just buy the disk.

Also, Windows is a shit lot easier to use than Mac! That is why you Mac-ers (nothing against you, or the Mac in any way) got your ass kicked!

You WILL get a virus, when your market share goes up....and when someone makes that one little discovery which unlocks a load of methods into which virus makers can write a virus, then...You will be pissed off.

September 27, 2005 9:28 AM

 
Anonymous Anonymous said...

Mac Virus doesn't list any viruses for Mac OS X. Enough Said.

September 27, 2005 9:32 AM

 
Anonymous Anonymous said...

"Also, Windows is a shit lot easier to use than Mac! That is why, you Mac-ers (nothing against you, or the Mac in anyway) Got your ass kicked!"

This, ladies and gentlemen, single handedly points out the general ignorance of the Windows community. Thank you, and good night!

September 27, 2005 9:37 AM

 
Blogger CG5Addict said...

Anonymous said...
"Until MAC's have a decent part of the computing marketshare, this will prove nothing. It's the law of large numbers. This has really no scientific basis whatsoever."
Maybe you should read all the posts before writing this, here's a quote that answers this:
Gernot said...
When even the poorest wannabe-viruses for OSX that actually are no viruses get enormous public attention and are cited everywhere, then the "Mac-Marketshare-is-too-small" argument is flawed. There is almost no way to get as much public exposure out of writing one of the hundreds of Windows viruses compared to writing the first real OSX virus. There has to be some other reason that it hasn't happened yet.

September 27, 2005 9:39 AM

 
Anonymous Anonymous said...

there is one glaring "flaw" in the os x model. a user can install an app (in /Apps) and write over it, meaning malicious code can too. not just an admin user, a normal user. some apps only run if you have write access to the bundle, which sucks but I don't think that's Apple's fault.

/Applications is owned by root. Unless you have admin privilege, you can't install or modify an app in /Applications. Unless you are running your everyday tasks as an admin (IMHO, that's pretty stupid), you won't have problems with this. Another way to create a vulnerability is to install an app in a user directory then use sudo mv [file] /Applications, thus placing normal-user-owned files in a root-owned directory. However, any Unix user who knows how to use sudo should be smart enough to do "sudo chown -r [directory]" to change the owner.

Regarding bundles requiring writing access, that's not really an OS X's problem. There are plenty of places an app can write support files: ~/Library or ~/Library/Preferences or ~/Library/Application Support. This is not an exercise to find out vulnerability based on users' ignorance nor developers' idiocy. If a bundle requires writing access and there is no way to inform the developer of this stupidity, simply install the app in a user directory.

Any vulnerability can exist if an admin is stupid enough to install malware/very badly written apps or screw up security settings. That's why this is about a virus that exists and exploits the vulnerability of OS X and its default applications. You can't use your admin privilege and install Microsoft Virus 5.3 or Microsoft SecurityHoles 3.2 in /Applications and claim an OS X virus or a virus exploiting Microsoft SecurityHoles is found.

September 27, 2005 10:04 AM
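The ownership point in the comment above (a bundle moved into /Applications with `sudo mv` keeps its non-root owner and loose permissions, so that user, or anything running as that user, can overwrite it) can be turned into a quick audit. The script below is an added example, not code from the post or from Apple. It assumes /Applications is the directory of interest and root the expected owner, but both functions take the directory and owner as arguments so they can be run against a scratch tree first. Note that chown's recursive flag is uppercase `-R` on both macOS and Linux.

```shell
#!/bin/sh
# Added example: audit an applications directory for bundles a non-admin
# user could modify. Assumed defaults: /Applications owned by root.

# Print top-level entries under DIR that are group- or world-writable.
# Octal masks are used because both GNU and BSD find accept them.
find_loose_perms() {
    dir="$1"
    find "$dir" -mindepth 1 -maxdepth 1 \( -perm -002 -o -perm -020 \) -print | sort
}

# Print top-level entries under DIR not owned by OWNER (default root).
find_wrong_owner() {
    dir="$1"
    owner="${2:-root}"
    find "$dir" -mindepth 1 -maxdepth 1 ! -user "$owner" -print | sort
}

# Summarise both checks; returns 0 when the directory is clean, 1 otherwise.
# wc output is trimmed because BSD wc pads the count with spaces.
audit_app_dir() {
    dir="$1"
    owner="${2:-root}"
    loose=$(find_loose_perms "$dir" | wc -l | tr -d ' ')
    wrong=$(find_wrong_owner "$dir" "$owner" | wc -l | tr -d ' ')
    echo "$dir: $loose group/world-writable, $wrong not owned by $owner"
    if [ "$loose" -eq 0 ] && [ "$wrong" -eq 0 ]; then
        return 0
    else
        return 1
    fi
}

# Stand-alone usage on a Mac: audit_app_dir /Applications root
```

Run it after any `sudo mv` into /Applications; a bundle listed by either function is one that the original installing user can still rewrite, and `sudo chown -R root:admin` on that bundle (plus `chmod -R go-w`) restores the normal state.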

 
Anonymous Nathan said...

I found this. There are some flaws, but I think it is the best we're gonna find.

This was a normal email worm written in applescript. There were a few reported infections. This happened in 2001, so OS X may or may not have been the culprit.

http://securityresponse.symantec.com/avcenter/venc/data/mac.simpsons@mm.html

There is also this virus below, but I cannot confirm any infection definitely.

http://securityresponse.symantec.com/avcenter/venc/data/sh.renepo.b.html

If someone finds this infection by google or something after reading my comment, I want half ;)

September 27, 2005 10:05 AM

 
Anonymous Nathan said...

No I found it. Here is a man who was infected by opener.

http://www.macintouch.com/opener02.html

Send me an email @ myobie 'at' gmail `dot` com and let me know if I made it or not.

September 27, 2005 10:08 AM

 
Blogger TDShadow said...

The Mac OS X Virus is in the same category with Flying Cars, Time Machines, and Cloning a Dinosaur. It's nothing but a lot of talk about what is theoretically possible clouding the issue that NONE OF THESE THINGS EXIST TODAY.

Smug comments of "how easy it would be to do" followed up by a lot of inaction.

September 27, 2005 10:13 AM

 
Anonymous Anonymous said...

i have a 1.5ghz 512mb celeron laptop it plays games faster and better than that G4 2ghz 512mb ram.

Haha. What a troll! First of all, it's Mac (short for Macintosh) not MAC (Machine Address Code). Any computer literate knows this.

Second of all, if you've got a 2GHz G4 Mac, I'd like to see it. Here are the top speeds of the G4 PPC in Apple's hardware:
eMac: 1.42GHz PowerPC G4
iBook: 1.42GHz PowerPC G4
Mac mini: 1.42GHz PowerPC G4
Powerbook: 1.67GHz PowerPC G4

Note that the fastest G4 is 1.67GHz. The rest of the hardware (iMac, PowerMac, Xserve) uses the G5 chip.

Third of all, your link refers to vulnerabilities that can potentially be used to create malware, not exploits of the said vulnerabilities. Big difference. And they are already patched.

Lastly, what the hell is TCX.Worm.JBS? Google returned not a single link. Some virus, eh?

September 27, 2005 10:31 AM

 
Anonymous Ian said...

Mark is the only person who's made any me