Mac iWork Virus/Trojan FUD

A curious falsehood has surrounded Mac computers over the last decade, as they have resurged onto the market.  People believe that Macs are immune to the malware, viruses, and worms that have wrought havoc on PCs.  (Correction: there are far fewer viruses for Mac than for PC. [1])

In reality, OS X is not much more or less secure than Windows Vista — rather it is Apple’s small market share that has protected it.  (Correction: Linux has a smaller market share than Apple yet has far more viruses. [2]) Since Mac attacks would have to be custom-made, there just hasn’t been much interest among Black Hats to attack them.  Kevin Haley, a director of security response at Symantec, states, “The bad guys generally go toward the biggest target, what will get them the biggest bang for their buck.” (Never trust Symantec on anything virus-related, as they often feed the FUD; it is how they sell software.)

However, with surging market share and pop icon status, the Macs are suddenly finding themselves under attack.  On the heels of Apple’s announcement that customers should get an antivirus program, Apple has been attacked by what some are calling OS X’s first official trojan virus. (This is not a Trojan virus, it is a Trojan; this requires the user to enter their user name and password.) The trojan, dubbed “iBotnet”, has snuck its way into several thousand Macs.  The virus is written specifically for Mac computers and does not affect Windows machines.

The new virus infects users’ computers via pirated copies of Mac software iWork, which have been floating around P2P networks.  It was first reported in January, and unlike other viruses, like the Conficker worm, is relatively harmless due to the small number of infected machines (precluding effective denial of service attacks) and user role in infection.

States Paul Henry, a forensics and security analyst at Lumension Security in Arizona, “We all knew it was going to happen.  It was just a matter of time, and, personally, I think we’re going to see a lot more of it.”

While the new virus is the first to only target Macs, it’s not the first botnet to consist of some Mac machines.  Jose Nazario, a senior security researcher with Arbor Networks, states, “This isn’t the first botnet that’s been built using Mac computers.  This is an interesting one in that it’s a little more flexible and includes some new features. … It’s getting a lot of press mostly because it’s Mac and people are talking about how Macs are immune to malware — and, sure enough, they’re not.”

In a statement, Apple responds, “Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.” (Mac is actually pretty slow to patch. [4])

Macs today account for approximately 7.4 percent of consumer computers in the U.S., according to Gartner, a leading market research firm.  While, according to Gartner, these users on average are more affluent than PC owners, the unproven nature of Mac virus software (owing to their low market share in the 90s) has made Mac viruses still unexplored territory.  However, that looks to be changing, and given Apple’s slow rate of patching, it could be in trouble in the near future, particularly with the prospect of Apple-specific worms hitting in the near future.


2: It’s not the market-share that determines the number of viruses, because there’s more OSX out there than Linux or BSD. The Ramen worm is one widespread Linux virus.

It definitely does have something to do with it, due to the fact that Windows has surpassed 1 MILLION** viruses, worms and other malware (of course the horrific state of security on the Win9x line helped here, which was also why MacOS 9 had a fair number of viruses for it).

However, where this theory falls apart is that there are far more worms, viruses, and malware in existence for Linux/BSD than for OSX. In fact, there has been more malware specifically for RedHat Linux than for OSX.

Either way, US market-share isn’t the deciding factor. It could be that it’s the market-share of Macs in Russia, China, and other nations where virus development is prevalent that is a deciding factor.

A good guess would be that the fact that there are no cheap Macs has far more to do with it. When you pay that much for a machine, you’re probably not writing viruses on it.

3: The Trojan in question does not replicate. It is not a virus. It is also not a worm, which is a virus that replicates across a network (generally IP-based). A worm uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program.

4: Several security research firms have criticized Apple for leaving critical and serious vulnerabilities unpatched for long periods of time. If you search DailyTech you should find some articles about patching, which include info on research which indicates that OS X is being patched far slower than Windows Vista.


2 thoughts on “Mac iWork Virus/Trojan FUD”

  1. Linux may have a smaller market share than the Mac (the current OS is Linux-based, btw), but the way Linux is used makes it much more valuable to the virus writer than the Mac. Mac is still primarily an enthusiast's machine used by home users, students, creative types and some educational institutions. Linux is used in much more high-profile applications, including government and corporate desktops and as a server OS in countless data centers (I bet this blog is hosted on a LAMP server). It is simple economics: the potential payoff for a malware writer is much higher for a Linux worm than it is for the Mac, despite the market share numbers.
