Malware Isn’t About Total Control
Bill Gates has taken a lot of flak lately for claiming in his Newsweek interview that total-control exploits of Mac OS X are being discovered routinely:
Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally.
Most of the criticism centers around whether his claim is factually true. Here, let me offer a different angle: Even if Gates’s claim is completely correct, it’s still a distraction from the really important point about the malware problem in Windows.
Suppose I’m a malware author and I want to write a program that spreads itself from computer to computer, all over the internet, perhaps for the purpose of building a “zombie” network that will eventually, on my command, send a flood of spam, or launch a denial-of-service attack.
First, I need a way to get into your computer. That’s where these “total control” exploits come in. So let’s say I find one. Then I write a program that scans the internet for exploitable computers, and it finds yours. And it injects itself into your computer and takes “total control.”
Then what happens? You immediately notice that something’s very wrong with your computer, because you can’t do anything. The OS isn’t responding to your clicks and key-presses. Your apps aren’t responding either. My malware has total control of your computer, so nothing else is running. After less than a minute, you hit the hard-reset button on your computer and bam — my malware is stopped.
Now let’s suppose my nefarious process is clever enough to retake control again as soon as the OS boots back up. Once again, you can’t use anything because nothing is responding, so this time you turn the computer off (terminating my malware’s search for new computers to infect) and take it somewhere to be cleaned or reformatted (thus erasing my malware). So my plan to make a zombie network is completely foiled at square one.
Successful malware doesn’t take “total control” of the computer — instead, it frequently gives up control to allow the OS and user apps to do their thing, with no absolute guarantee that it will get control back. Successful malware must coexist with your OS and user apps for long periods of time (months or years), while delicately searching for new computers to infect — and all the while awaiting my command to launch a coordinated attack.
And, successful malware must survive with you at the helm of your computer, potentially noticing that something has infected your system, and potentially attempting to remove it. This is where the real difference between OS X and Windows comes in: As discussed in John Gruber’s article Broken Windows, Microsoft’s OS permits processes to hide themselves within a horribly convoluted system, so that even if you suspect you’re infected, you’ll have a horrendous time trying to locate, terminate, and remove the malicious process(es). Conversely, OS X, by design, makes it horrendously hard to protect processes from being located, stopped, and removed by the mildly savvy user. This is the real malware vulnerability from which Windows suffers and from which OS X does not. This is why malware is virtually non-existent for the typical Mac user. If I can infect a few Macs somewhere, but cannot create a self-regenerating zombie army of compromised Macs, then as a malware author I’ve wasted my time. I should have been writing for Windows! >smacking self on forehead<
It remains to be seen whether Windows Vista will really cure any of this. Just remember, when reading reports of newly discovered and newly patched exploits in Vista — it’s not about getting into the machine, it’s about staying there. If Vista’s underlying technologies have been sufficiently reengineered to prevent the creation of protected, buried, stubborn, rogue processes, then maybe the Windows malware nightmare is finally ending. If not, it’s just getting started.
