
Mac Hit by Another Wave of Malware… Users in Denial?

Terry Zink

In case you haven't been following the security news, last week several security researchers reported that Macs were being infected by the Flashback Trojan and that the total number of infections worldwide was around 600,000. That figure was then picked up and repeated by a number of blogs.

I debated whether to write about this topic, since we had a previous Mac outbreak last year that initially spiked, saw Apple go into denial about the affair before it issued a fix, and then more or less faded away. Will this one follow the same pattern?

It's not surprising that Apple is in denial about this; the company is very tight-lipped and reveals very little about its security procedures. To both Apple and its users, the product is perfect. Even in the comments section of the following article, users are skeptical that 1 in 100 Macs are infected; it couldn't really be Macs that are infected, it must be Windows PCs:

Sigh… this 600,000 number is not solid by any stretch and everyone is using it as linkbait all over the Internet.

...

The truth of the matter is no one else has TRULY confirmed this number and it may very well be Windows machines contributing vastly to these numbers.
Their own admission:

"… The difficulty in identifying what kind of machines are connecting to the C&C servers is that when the user agent from the infected computer communicates with the server, it doesn't supply definitive data on the operating system that's installed ... "

The author of this comment clearly has no idea how malware infections are counted. Yes, it is more art than science, but an estimate that 90% or 98% of the infected machines are Macs does not mean a guess. It means that, given all the data the researchers have, the true share probably lies somewhere between 80% and 98% Macs. It does not mean the estimate is off by an order of magnitude and that the infected machines are really Windows PCs.
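As an added illustration (not part of the original post), here is how such a range is derived from sinkhole check-in logs rather than guessed. The log lines and user-agent strings below are constructed for this example, not real Flashback traffic. Hosts are counted once per source IP, hosts positively identified as Macs give the lower bound, and hosts whose agent string names no operating system at all are added to give the upper bound.

```python
"""Estimate the OS mix of hosts checking in to a sinkholed C&C from the
User-Agent they present, reporting a range instead of a single number.

Added example, not code from the article. The log lines are constructed for
illustration; the user-agent strings are generic browser/Java formats, not
real Flashback check-in traffic.
"""
import re
from collections import Counter

# Constructed check-in records: "<source ip> <user-agent>", one per line.
# 10.0.0.1 and 10.0.0.5 check in twice; 10.0.0.11 first shows a bare Java
# agent and later a browser agent that identifies the OS.
SAMPLE_LOG = """\
10.0.0.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.55.3
10.0.0.3 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19
10.0.0.4 Java/1.6.0_29
10.0.0.5 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.6 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.55.3
10.0.0.7 Java/1.6.0_31
10.0.0.8 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.9 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19
10.0.0.10 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.11 Java/1.6.0_29
10.0.0.12 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.55.3
10.0.0.13 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.11 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.14 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.15 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.55.3
10.0.0.16 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.17 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.18 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.55.3
10.0.0.19 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.20 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
10.0.0.5 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
"""

# Order matters: the first matching pattern wins.
OS_PATTERNS = [
    ("mac", re.compile(r"Mac OS X|Macintosh")),
    ("windows", re.compile(r"Windows NT|Win32|Win64")),
    ("other", re.compile(r"Linux|FreeBSD|Android")),
]

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def classify_ua(ua: str) -> str:
    """Map a User-Agent to mac / windows / other / unknown.
    A bare 'Java/1.6.0_29' style agent carries no OS token, so it is
    'unknown': it is kept as unknown, not guessed either way."""
    for label, pattern in OS_PATTERNS:
        if pattern.search(ua):
            return label
    return "unknown"


def count_hosts(log_text: str) -> Counter:
    """Count unique source IPs per OS class. Repeated check-ins from one IP
    are one host, and a later check-in that names the OS upgrades an earlier
    'unknown'. NAT can still hide several hosts behind one IP, which makes
    this an undercount, not an overcount."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ua = m.groups()
        label = classify_ua(ua)
        if ip not in seen or seen[ip] == "unknown":
            seen[ip] = label
    return Counter(seen.values())


def mac_share_range(counts: Counter) -> tuple:
    """Lower bound: only hosts positively identified as Macs.
    Upper bound: identified Macs plus every host whose OS could not be told,
    since the agent string does not rule a Mac out."""
    total = sum(counts.values())
    if total == 0:
        return (0.0, 0.0)
    low = counts["mac"] / total
    high = (counts["mac"] + counts["unknown"]) / total
    return (low, high)


if __name__ == "__main__":
    c = count_hosts(SAMPLE_LOG)
    low, high = mac_share_range(c)
    print(dict(c))
    print(f"Mac share: {low:.0%} to {high:.0%} of {sum(c.values())} hosts")
```

Run as a script it prints the per-OS host counts and the range. On the constructed sample that is 80% to 90% Macs across 20 hosts: the two hosts that could not be classified widen the range by ten points, which is the honest way to state the uncertainty, and nothing like "maybe they are all Windows."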

Another comment:

Trojans are NOT viruses! They require a user to be tricked into installing this type of malware onto their own Mac.

This is 2012. A/V companies don't even use the term "virus" anymore; they use the term "malware." There are various types of malware out there, and for the purpose of counting infections it doesn't matter whether users were infected through peer-to-peer sharing, by a drive-by download, or by some other mechanism.

I personally wouldn't be surprised if the number was far higher or far lower because we are ALL basing these numbers off of ONE company's data set. ONE company's word.

One data set doesn't cut it in the science world. Why are we letting that go in the computer science world right now?

It's worse than that. Not only is it one company's word, it's probably one person at that company who came up with the number. He probably has some way of counting everything, shares the number with his managers and with marketing, and that's the number that gets reported.

But it's also a reasonable estimate of the total number of infections. Most companies that count data like this have good ways of acquiring it.

No one knowledgeable about the Mac has EVER said that Mac OS X is immune to malware!

No. Most just deny that malware is a problem on the Mac.

By Terry Zink, Program Manager

Related topics: Cybersecurity, Malware


The Roots of Flashback denialism Bill Cole  –  Apr 14, 2012 1:47 PM PDT

People who have watched the issue of Mac malware for a long time have some special reasons to be skeptical of Flashback hype. I absolutely agree that some of the expressed skepticism is at odds with reality, but it is understandable.

First, it is important to understand that AV vendors have been episodically firing up their best FUD generators for a decade to convince Mac users that they should all go out and buy AV software for every Mac now because the Mac Malware Apocalypse has started. That premise has never been true before last week.

Second, Flashback is a cowardly species of malware that runs away from geeks' Macs. It makes no attempt to infect if it finds any of a number of common apps including Xcode (Apple's free IDE), multiple AV programs including ClamXav (a GUI wrapper of the free clamav package), network monitoring tools, and even MS Office (presumably due to gross incompatibilities that would reveal the malware). Having Xcode installed is pretty common, since it has been the normal means of getting tools installed for use in cross-platform open source software and so is usually installed by anyone who has used environments like Fink, MacPorts, or Homebrew to get access to that realm of software. Most of the other things that scare off Flashback are also somewhat more likely to be installed on systems used by people who are attentive to the risk of malware on their Macs.

Finally, those of us who have been using Macs long enough remember that there used to be a real MacOS malware problem in the System 6 and 7 era, and the dominant folklore (which includes seeds of truth…) is that we essentially solved that ourselves despite the commercial AV racket and Apple, rather than in cooperation with them.

The result is that with a penetration on the order of 1%, Flashback has infected a very large number of Macs but it largely has avoided the Macs of people who are attentive to the risk of malware or who otherwise care about what's "under the hood" of their Macs. That population sees no Flashback in their world unless they happen to also work with other sorts of people's Macs. They also are likely to understand that the AV industry has been crying wolf for a long time to sell products to them that are de facto worthless and frequently destabilizing. The Mac "Power User" community has been conditioned to distrust AV vendors and to trust in their own behavioral discipline to keep their machines clean.

Unfortunately, that conditioning has made some of us who ought to know better reflexively scoff at the Flashback stories. It takes a little discipline (or maybe just the right amount of ADD…) to see the mass media coverage and react by hunting down the original sources to judge their credibility instead of just firing off a scoffing response because that's been an appropriate thing for the last 5 similar stories.

Flashback IS DIFFERENT. Those of us who are uninfected despite our lack of maximally paranoid AV in service cannot credit our morally superior self-discipline or the magical invulnerability of MacOS X for our pristine state; we can only be grateful for a first seriously dangerous malware species that avoids exposure-prone systems and for our luck of it being discovered in the wild when infection was still around 1%. The next exploitable gap might not have the visibility of a major Java flaw, and Flashback has provided a useful lesson in how to attack MacOS for script kiddies who may not have previously bothered to look at how the dynamic runtime linker works.

