It’s not as though anyone has shown much interest in the technical aspects, such as the interesting use of the Authorization Services APIs to trick the victim into authorizing installation. Just one of the ways in which a combination of social engineering and a technical wrinkle could be used to subvert the supposed invulnerability of OS X. But I suppose you need to read the Virus Bulletin article to get into that in any depth.
In fact, if you ignore the "yes it matters"/"no it doesn’t matter" feuding between a couple of vendors, people only seem to be interested in the fact that it could happen at all. As Randy has already pointed out, "The only remarkable or surprising thing about the Mac botnet is that anyone was surprised at all."
And, yes, it does matter. It may not have been much of a botnet, but it is one more step towards a potential reality where Mac users start to feel the sort of pain they felt during the 1990s, when there were significant threats to pre-OS X operating systems out in the real world.
Adam O’Donnell wrote an article last year in which he hypothesised that "the Mac platform won’t become appealing to attackers until it makes up 1/6th of the market for client systems." I’m not totally convinced by this invocation of game theory as justification for an arbitrary figure - perhaps because it reminds me of the way the academics in "Numb3rs" drag it in at frequent intervals as a plot device - but he does acknowledge elsewhere in the article that this prediction is liable to modification by other variables. He certainly makes a strong case for the "economicmotivation" argument. It makes perfect sense in the current threat landscape that as more people use Macs, the more economically viable it becomes for malware authors to target them for malware-associated attacks.
In a thread elsewhere today, it occurred to me that there’s a curious paradox at work here. Looking back over nearly 20 years of involvement with Mac malware, I notice that Mac users were targeted more by virus writers before OS X, although the number of Mac viruses seen at that time was a tiny fraction of the quantity of PC viruses known at that time. (Leaving macro viruses, which were to an extent platform-independent, out of the equation.)
Yet many of them appeared at a time when Macs were a very niche product and priced accordingly (I’m thinking long before the first iMac), and home Macs were probably much rarer than now (perhaps less so in the US, where Apple pricing tended to be a little more generous).
I don’t think that’s an anomaly, though: at that point, malware was almost exclusively hobbyist virus-writing, so economic motivation or Return On Investment wasn’t really the issue. Of course, there are other factors:
- Perhaps Mac users really are brighter than the rest of us, and therefore less susceptible to social engineering. Well, as a Mac user myself, I suppose I should say the rest of you… However, I’ve never found that argument very convincing: in fact, I’d say (and have, many times) that many Mac users are more susceptible to social engineering, due to having bought into the "there isn’t, never was, and never could be Mac malware" argument.
- OS X may not be invulnerable (what O’Donnell describes as the "securedesign" argument - I’m not too sure about his aversion to the spacebar, but I agree with his reservations as to the Mac’s presumed superiority in this respect), but OS X does at least have a security model, and it’s by no means a bad one.
However, it’s far from perfect: in the past week, Heise have checked and reported that several vulnerabilities highlighted recently at CanSecWest remain unpatched. Well, these things take time, as we’ve seen with recent Adobe and Microsoft updates, and it’s possible that the presentation in February was the first notification they received. Be that as it may, it’s clear that the Mac community is not escaping the attention of vulnerability researchers (white hat, black hat, grey hat and all…)
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence