Being a software engineer doesn't qualify you to speak about security
So you can code? That's nice, but it doesn't mean you understand the underlying security mechanisms of OSX or Unix or Windows.
First of all, the 'root by default' thing in Windows is most certainly a BAD thing. I never said it wasn't - only that it was a marketing decision, not an engineering decision. It causes nasty things to happen like rootkits, and whatnot, and makes cleanup extremely hard in many cases.
But your focus on root is where you've gone completely wrong and is a red herring in this argument. Market share means everything in the case of most Windows malware - the exception being vulnerable network daemons.
You can crow on about how OSX is so secure till you turn red, but the fact is OSX has never been exposed to the onslaught of profit seeking a-holes who release worms for Windows, and if it was, there is nothing in its design that tells me it wouldn't get hit by a tidal wave of baddies.
Think about what it would take to spread a worm via one of the most common mediums - email.
Say I'm an evil script kiddie, who wants to steal people's banking passwords. I decide I'm going to write a self-spreading email worm that entices users in some clever way to open up a zip file and run it. 99% of Windows email worms today work this way, so I think it's a good example.
So, I have my payload, a list of 100,000 random email addresses and control of a few people's Windows machines. If I send out my virus to those 100,000 email addresses, how many of those are going to end up being read by people on a Windows machine, and how many will be on a Mac? Of those, how many will actually FALL for it?
Let's say the virus makes it to the in-box of 60,000 Windows users, and only 1000 of them fall for it and infect themselves. In order to spread further, the virus would have to harvest email addresses from the victim's computer and send itself to those addresses. If the virus managed to find an average of just 11 email addresses on each of the 1000 machines it infected, it would be able to send itself out to 110,000 more people. That's 1000 more than it was originally sent out to.
Now look at the Mac side of things. Let's say, out of 100,000 addresses, 3,000 end up in Mac users' in-boxes, and 500 of them fall for it and infect themselves. If the worm found an average of 11 email addresses on each machine, it would be able to send itself out to 5500 people. After that, the virus is absolutely *doomed* to extinction.
Now, you can play with the example numbers I gave all you want, but the fact is that you would need a significantly larger number of OSX users on the net to make a simple email worm even possible. You can apply this same train of thought to other mediums like web based exploits or P2P downloads. Think about Safari for example. Safari has had multiple code execution vulns discovered. But if a website has a Safari exploit, how many who visit it will be using Macs? Out of those, how many will be running the vulnerable version of Safari, or Safari at all?
The only method of infection that is not affected much by market share is network-based worms that infect vulnerable network daemons, and OSX comes with no ports open, so that's irrelevant.
Now onto your false belief that lack of root permissions is a significant factor in stopping malware.
I'm clueless about exactly how OSX is laid out, so I'll give you an example of how you could do it in FreeBSD (the OS I'm using to type this message out right now).
First you have to have some point of entry. A vulnerability in an app like Firefox, or KDE would do, or the most common - the user falling for an email worm. In full featured window managers like KDE, if you double click on a shell script it will execute. The execute bit could be pre-set by placing it in a zip file. Windows users fall for this crap all the time (unzipping an email attachment and executing the contents) so I don't see why, if enough people used OSX, some wouldn't fall for it too. It's amazing what people will click on when you give them names like "bigboobies.sh", or "Ana Kournikova.jpg.sh".
The initial evil code would copy itself to the user's home folder in a hidden directory, like ~/.evilcode or ~/.kde/.evilcode. It could then go out to the net and download a simple command-line IRC client, copy it to its folder, connect out to some predetermined IRC channel, and retrieve more commands.
In order to stay alive after a reboot, there are several options the malware would have. The first, and best, would be the crontab. In FreeBSD, by default every user has their own crontab. When the machine is rebooted, the malware would be launched by cron automatically, with the user's permissions of course. There are other places where the malware could put itself, so that if the crontab is not available, it at least can start up when the user logs on. Off the top of my head I can think of a few places: ~/.xinitrc, ~/.shrc, ~/.profile, or maybe ~/.kde/autostart if the user is running KDE. I think there is a startup place for Gnome too.
Now this was an example with FreeBSD - not OSX, but there have to be some equivalents in OSX to the examples I've given - After all, it's based on my beloved FreeBSD, right?
There is nothing in OSX that would prevent code from dropping into the user's profile and connecting out. Remember, there is no firewall turned on in OSX by default! How many OSX users do you really think turn on ipfw and configure it to do outbound blocking?
Lastly, as for the McAfee report - Of course they're trying to scare people into buying their wares. That's what they do. Right now OSX is significantly more secure than Windows due to its obscurity, and the chances of infection are almost nil when OSX is used for standard desktop use. - Posted by: toadlife Posted on: 05/06/06
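A defender-side check for the per-user persistence spots named in the post above (user crontab, ~/.xinitrc, ~/.shrc, ~/.profile, ~/.kde/autostart), added here as an example and not code from the original thread. It assumes the file names exactly as the post gives them and takes a saved `crontab -l` listing as input; the sample home directory it builds is constructed data.

```shell
#!/bin/sh
# Added defender-side example, not code from the original post: audit the
# per-user persistence points the post names (the user's crontab, ~/.xinitrc,
# ~/.shrc, ~/.profile and ~/.kde/autostart) and list entries that launch
# something out of a hidden directory under the home folder, the spot where
# the post's hypothetical dropper parks itself. POSIX sh (FreeBSD, Linux, OS X).

# Login/shell startup files the post lists, relative to the home directory.
STARTUP_FILES=".xinitrc .shrc .profile"
# KDE autostart directory, as named in the post (assumed path).
AUTOSTART_DIR=".kde/autostart"

# Print non-comment lines of FILE that reference a path inside a hidden
# directory under a home folder, e.g. ~/.evilcode/agent or $HOME/.kde/.evilcode/run.
# Accepts ~, $HOME, /home/<user> and /Users/<user> as the home prefix.
hidden_dir_refs() {
    file="$1"
    [ -r "$file" ] || return 0
    grep -nE '(~|\$HOME|/home/[^/ ]+|/Users/[^/ ]+)/\.[^/ ]+/' "$file" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | sed "s|^|$file:|"
}

# Audit one home directory plus a saved crontab listing (output of
# `crontab -l`). Prints one line per finding; the result is a triage list,
# since legitimate entries (e.g. ~/.local/bin) will also show up.
audit_user_persistence() {
    home="$1"; cronfile="$2"
    for f in $STARTUP_FILES; do
        hidden_dir_refs "$home/$f"
    done
    # Anything dropped into the autostart directory runs at login, so list it all.
    if [ -d "$home/$AUTOSTART_DIR" ]; then
        for entry in "$home/$AUTOSTART_DIR"/* "$home/$AUTOSTART_DIR"/.[!.]*; do
            [ -e "$entry" ] && echo "$entry: autostart entry"
        done
    fi
    hidden_dir_refs "$cronfile"
}

# Constructed sample home directory and crontab (not real data) so this runs offline.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.kde/autostart"
printf '# benign\nexport PATH=$HOME/bin:$PATH\n' > "$demo_home/.profile"
printf 'xterm &\n~/.evilcode/agent &\n' > "$demo_home/.xinitrc"
: > "$demo_home/.kde/autostart/updater.sh"
printf '@reboot $HOME/.kde/.evilcode/run >/dev/null 2>&1\n' > "$demo_home/crontab.txt"
audit_user_persistence "$demo_home" "$demo_home/crontab.txt"
rm -rf "$demo_home"
```

Run it as root in a loop over each home directory with `crontab -l -u <user>` saved to a file to cover every account on the box.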