Malware Isn’t About Total Control
Bill Gates has taken a lot of flak lately for claiming in his Newsweek interview that total-control exploits of Mac OS X are being discovered routinely:
Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally.
Most of the criticism centers around whether his claim is factually true. Here, let me offer a different angle: Even if Gates’s claim is completely correct, it’s still a distraction from the really important point about the malware problem in Windows.
Suppose I’m a malware author and I want to write a program that spreads itself from computer to computer, all over the internet, perhaps for the purpose of building a “zombie” network that will eventually, on my command, send a flood of spam, or launch a denial-of-service attack.
First, I need a way to get into your computer. That’s where these “total control” exploits come in. So let’s say I find one. Then I write a program that scans the internet for exploitable computers, and it finds yours. And it injects itself into your computer and takes “total control.”
Then what happens? You immediately notice that something’s very wrong with your computer, because you can’t do anything. The OS isn’t responding to your clicks and key-presses. Your apps aren’t responding either. My malware has total control of your computer, so nothing else is running. After less than a minute, you hit the hard-reset button on your computer and bam — my malware is stopped.
Now let’s suppose my nefarious process is clever enough to retake control again as soon as the OS boots back up. Once again, you can’t use anything because nothing is responding, so this time you turn the computer off (terminating my malware’s search for new computers to infect) and take it somewhere to be cleaned or reformatted (thus erasing my malware). So my plan to make a zombie network is completely foiled at square one.
Successful malware doesn’t take “total control” of the computer — instead, it frequently gives up control to allow the OS and user apps to do their thing, with no absolute guarantee that it will get control back. Successful malware must coexist with your OS and user apps for long periods of time (months or years), while delicately searching for new computers to infect — and all the while awaiting my command to launch a coordinated attack.
And, successful malware must survive with you at the helm of your computer, potentially noticing that something has infected your system, and potentially attempting to remove it. This is where the real difference between OS X and Windows comes in: As discussed in John Gruber’s article Broken Windows, Microsoft’s OS permits processes to hide themselves within a horribly convoluted system, so that even if you suspect you’re infected, you’ll have a horrendous time trying to locate, terminate, and remove the malicious process(es). Conversely, OS X, by design, makes it horrendously hard to protect processes from being located, stopped, and removed by the mildly savvy user. This is the real malware vulnerability from which Windows suffers and from which OS X does not. This is why malware is virtually non-existent for the typical Mac user. If I can infect a few Macs somewhere, but cannot create a self-regenerating zombie army of compromised Macs, then as a malware author I’ve wasted my time. I should have been writing for Windows! >smacking self on forehead<
It remains to be seen whether Windows Vista will really cure any of this. Just remember, when reading reports of newly discovered and newly patched exploits in Vista — it’s not about getting into the machine, it’s about staying there. If Vista’s underlying technologies have been sufficiently reengineered to prevent the creation of protected, buried, stubborn, rogue processes, then maybe the Windows malware nightmare is finally ending. If not, it’s just getting started.

Update 2009.03.28 — Charlie Miller says:
Any security expert knows that Mac OS X is less secure than Windows. The question is which is SAFER. Because Mac OS X is still relatively rare, it is actually a little safer. But it has nothing to do with it being more secure, but rather, that bad guys are entirely focused on Windows at the moment due to the overwhelming market share Windows has. At this time, I still don’t recommend anti-virus for Mac OS X users, because there simply isn’t much malware for that platform. However, if Mac OS X market share ever goes up, there will be a landslide of exploits and malware.
Let’s all remember this quote, shall we, so we can laugh at it ten years from now.
Apple is selling millions of Macs per quarter, yet the Mac malware problem is virtually nonexistent (not “relatively rare” or “a little safer” as Miller tries to water it down). Meanwhile, just one Windows worm called Conficker is causing massive headaches for those who want to stop it — and threatens to do who-knows-what on April 1, just a few days from now — despite the fact that Microsoft and teams of security experts know all about it and have studied the crap out of it. (Microsoft’s own efforts to stop it have degenerated to offering a cash bounty for the apprehension of Conficker’s author. I’m not kidding.)
Charlie: Read my above article, and then you’ll understand why hacking into a couple computers at a hacker’s contest does not a malware threat make. If you still disagree, then here’s the real hacker challenge for you: Cook up a Conficker for the Mac, if you can. And don’t worry about Apple putting a bounty on your head. They won’t need to.
Update 2009.04.19 — OK, just heard that a Mac botnet has been discovered. That’s a point in Miller’s favor. But — the same report said that these Macs became infected when their owners downloaded pirated software from BitTorrent and other such sites, and that illicit software was infected with a trojan horse. No word that this malware can’t be easily avoided simply by not acquiring software that way.
