Jun 30

Glyn Moody posted “The Huge Hidden Cost of Microsoft Software” on June 30, 2009, on Computerworld UK’s web site, and a similar article on Slashdot. In the post, Moody discusses how various UK government organizations had to spend a great deal of money cleaning up the Conficker worm. Moody explains how this is a “hidden cost” of running Microsoft software in your environment, much as Microsoft and others have tried to claim there are “hidden costs” in running free open source software and Macs.

I agree with several of Moody’s points. More malware exists for Windows than for Mac OS X and Linux combined. That’s just a fact. If the PCs in your organization become infected with malware like the Conficker worm, it can be extremely time-consuming and costly to clean up the mess. Again, it’s a fact. If you ran Linux or Mac OS X throughout your organization instead of Windows, a Windows worm like Conficker would be stopped dead because it can’t infect those operating systems. Fact. But while the conclusion that this is a “hidden cost of using Windows” may be true to some degree, it’s not quite on target. Allow me to explain.

I work in a company with approximately 2,000 Windows PCs, maybe 50 Macs, a small number of Sun Solaris workstations, and a data center including Linux, Windows, Solaris, and mainframe operating systems. In an environment like this, with so many Windows desktops, you might be thinking I’ve had to clean up some massive infections.

Ironically, in my 20+ year career, the biggest malware mess I ever had to clean up didn’t affect Windows at all, and it wasn’t at the shop where I work now. The culprit was a little Classic Mac OS virus code-named “WDEF”. Infection via WDEF was very Mac-like. It “just worked”. If an infected disk was inserted into a Mac, it instantly infected the Mac’s hard drive. You didn’t have to run any programs or do anything. If you inserted a clean disk into an infected Mac, that disk became infected. The WDEF virus managed to find its way onto every Mac in our company and onto most of the floppy disks. I was able to trace it back to a disk a single employee (yeah, it was me) brought into the office from home. I can’t tell you how many hours I spent cleaning up that mess (we had only a dozen Macs but literally hundreds of floppies to scan). I only found it because I was showing a co-worker how Macs didn’t really need antivirus software by running a scan with a free tool called Disinfectant. It was very humbling to see it detect WDEF, in addition to being painfully ironic.

It was also a valuable lesson. Over the 10+ years I was a Mac user, I had downloaded lots of free Mac software. When I ripped the shrinkwrap off my first antivirus package (bought after the WDEF incident), I was shocked to see how many viruses had already infected my supposedly “superior” system. During my time as a Classic Mac OS user, I saw more viruses than I’ve seen since… even though I’ve primarily been a Windows user, and still download lots of free programs. Mine may not be the typical experience, but it’s a true story.

Moody’s stories and mine share a common theme – and it’s obviously not Microsoft software. Take proper security precautions, no matter what computer you’re using, or you will pay a price eventually. I’m willing to bet if you investigate any of those very expensive cleanup deals mentioned in Moody’s article you’ll find that certain basic security precautions were ignored that would have cost FAR less than the cleanup effort for Conficker eventually did. Maybe they merely needed a cheap hardware firewall to keep the worm from getting in, or a cheap antivirus package to detect and clean it, or just to deny administrator access to their employees. As far as I’m concerned, Microsoft may share some of the blame but the bulk of it lies with the organizations themselves. I can say that with confidence because our 2,000-machine Windows environment didn’t see a single Conficker infection. Not one. (And no, I wouldn’t be so bold or stupid as to say that we “never will”… only that we’ve made all reasonable precautions to prevent such an occurrence. That’s about as much as you can ever really say about your security.)

While Mac users have been relatively free of malware, viruses have existed for OS X, Mac malware has made it into the wild, and it has resulted in the creation of a Mac-only botnet. I’ll bet if you could find the owners of the Macs whose systems are part of that botnet, they’d tell you they don’t need antivirus software because they’ve got a Mac, and Macs are immune to that stuff…

Linux has been relatively immune as well, but it too has seen Trojans, viruses, and other malware. The threat to Linux is nothing compared to the situation on Windows, but that doesn’t mean there is “no” threat.

If you go through life with the assumption that your platform of choice is totally secure, completely immune to malware, and impervious to hackers, the odds are good that you’re going to find yourself very sadly mistaken one day… just like I did when I ran that disinfecting program on my Mac those many years ago. Good security is a “hidden cost” of owning a computer, no matter whose logo is on the box or whose is displayed when you start it up.

Apr 20

Malware (malicious software) is nothing new. Viruses, worms, Trojans, adware, and spyware have existed for decades. While Windows users are generally on the lookout for potential malware infections, this has been generally unheard-of in Macintosh and Linux circles. In fact, the relative lack of malware for the Macintosh platform has led many Mac fans to believe that Mac OS X is impervious to malware. This is, of course, a mistaken assumption.

As security expert Charlie Miller proved recently, it’s possible to break into a Mac remotely by directing users to a specially-crafted web page that exploits vulnerabilities in Mac OS X and Safari. Miller used an undisclosed weakness in Safari and OS X to take control of (and win) a MacBook at the CanSecWest conference. In other interviews, Miller has been quoted as saying that it’s relatively easy to break OS X and Safari. It should be noted that Miller has managed to break into and win a MacBook two years in a row at the conference.

Recently, a group of security researchers identified an all-Macintosh botnet. A botnet is a collection of computers that is (usually) built by compromising the security of those systems and installing software that gives the creator remote control of those systems. The botnet operator (who generally does not own any of the systems involved) can use the machines in the botnet to send spam email, conduct “denial of service” attacks against web sites, or perform other malicious or illegal activity… all without the knowledge or consent of the PC owner.

Some time ago, it was learned that malware had been slipped inside of pirated copies of Apple iLife ‘09 placed on popular torrent sites. It was later found in some other pirated software. Users who downloaded and installed this pirated software unknowingly also installed botnet software onto their Macs. It’s now known that the botnet software installed onto these machines is being used to conduct denial of service attacks, making this the first Mac-only botnet found “in the wild” by researchers.

It’s important to note several things, if for no other reason than to head off a flood of hate mail. This particular botnet software only affected a machine if its owner installed a pirated copy of software infected with the malware. So, in a sense, these users took a risk installing the pirated software and are now (probably unknowingly) paying the price. It should also be noted that, as currently designed, this botnet doesn’t attempt to spread to other uninfected machines. That makes it different from a virus or worm.

What’s significant about this is that it shows Mac users are just as vulnerable to “social engineering” attacks as users of any other computing platform. Users in this case thought they were getting a free copy of a commercial software product, and they did, but they also installed the malware right along with it and didn’t realize it. Would antivirus software have protected these users from the infection? Perhaps. Perhaps not. It depends on whether their antivirus tool is aware of this particular malware.

If you’ve downloaded any pirated software for your Mac recently, you might want to learn more about this software and find out if you’ve been compromised.

Apr 07

PC Magazine published a very thought-provoking article by Neil J. Rubenking entitled “OpenDNS: ‘Conficker’ Barely Scratched U.S.” in which we learn that the much-publicized Conficker worm didn’t hit very many personal computers in the United States. The free OpenDNS service which handles domain name service (DNS) lookups for its customers was in a unique position to monitor and track the number of machines infected by the worm based on their DNS activity.

As Rubenking reports, “Around five percent of all OpenDNS customers evidenced infection by the Conficker worm. Despite the fact that roughly half of OpenDNS’s users are in the United States, the vast majority of infections came from elsewhere. Under 5 percent of infected systems came from the U.S.; it’s not even in the top five of countries affected by the worm, which are: Vietnam (13 percent), Brazil (12 percent), Philippines (11 percent), Indonesia (10 percent), and Algeria (7 percent).”

Elsewhere, it’s been speculated that the areas hardest hit by the Conficker worm are nations where Microsoft Windows is widely pirated. Since pirated copies of Windows have a much harder time getting security patches and updates from Microsoft, they are much more vulnerable to malware like the Conficker worm. In countries like the United States, where Windows isn’t pirated as widely, infection rates are much lower.

Within the Mac fanbase, a widely held perception is that Windows PCs “constantly” get viruses, worms, and other malware. Apple likes to perpetuate this myth in its advertising (remember the commercial where “poor PC” is sneezing and falling over because of a virus infection?). The reality for most Windows users, especially those here in the United States, is that we’re fairly well protected against malware. Am I suggesting PC users in the U.S. never see a virus infection? Of course not. What I am suggesting is that the prevailing image in the Mac community of Windows users suffering from “constant” malware infection is exaggerated, at least in the U.S. and other areas where pirated software is less widely used. (Pirated software, even for the Mac, is often used to sneak malware onto the systems of unsuspecting users.)

Feb 01

According to an OSNews article, Intego discovered a new Trojan circulating in copies of Apple’s iWork ‘09 found on BitTorrent networks. It’s also been found in Adobe Photoshop CS4. According to the article, “When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password… The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.”

According to the article, at least 20,000 Mac users have downloaded the infected software. If you’ve recently pirated iWork 09 or Adobe Photoshop CS4 for your Mac, you might want to give some thought as to whether you are unknowingly running an infected Mac… and ask yourself if the “free” software is worth the risk you’re taking.

Dec 03

On its web site, Apple recently encouraged Mac users to install and use antivirus software for OS X, citing that the use of multiple packages would make it harder for malware writers to effectively attack the platform. On this site, I’ve always encouraged Mac users to use at least a basic antivirus tool, in spite of the lack of any really widespread malware attacks on OS X.

There are two reasons why I’ve made this recommendation and stick to it. The least important reason is that, at some point, there’s likely to be a virus produced for OS X. There have already been various prototypes released of malware, adware, and antivirus for Mac. While these don’t appear to have spread in the wild, that doesn’t mean one of them won’t spread one day, and the Mac community could be devastated by it due to a lack of protection and a mistaken belief in immunity. This situation will only be worse if the Mac population expands and continues to believe in its immunity to malware.

The second reason is really more important. Unprotected Macs, while they might not be susceptible to a Windows virus, can still spread one. There are many cross-platform file formats supported by Mac OS X, Windows, Linux, and other operating systems, such as Microsoft Office documents, JPG files, AVI video files, and GIF images. While a given file might contain (for example) a Windows virus to which the Mac is immune, the Mac user may have a need to share the file with a Windows user, potentially infecting that user’s system. The likelihood is that the Windows system would be running antivirus software that would detect and stop the potential damage before it happens, but the fact that “files from Mac users often set off my antivirus software” would attach a stigma to Mac users as people who pass around viruses while bragging about their immunity to them. It would at least raise an eyebrow of distrust on the part of the user whose computer is infected by a file from a Mac.

While I’ve heard that Apple may have rescinded this advice on their web site, I would encourage Mac users to listen to it anyway. Given the many bug fixes Apple releases to correct security problems in OS X, it’s likely there are many more waiting to be discovered. All it takes is one programmer to exploit one unpatched vulnerability and malware could spread wildly through the Mac community, especially if there’s nothing in place that might defend against it. Even noted security researcher Charlie Miller grudgingly admitted this when he said, “When Macs make up 30% [of the computer market], maybe then there would be an explosion [of malware].” It might happen before 30%.