Monday, May 08, 2006



The Mac OS X Virus Contest, A Year Later
An Open Challenge To The Technology Media

My name is Jack Campbell, until September, CEO of a manufacturing company producing Apple Computer related products.

Just over one year ago, my company, DVForge, announced a $25,000 prize for the first virus developer who could infect two Power Mac G5 computers located in our office, both with plain-Jane installations of OS X, by propagating that new virus over the internet. In the onslaught of correspondence that then began streaming into our office, we found enough wisdom to convince us to cancel that contest, due almost entirely to potential legal liability. But the flare had been shot into the sky, and the challenge received a huge degree of worldwide press attention, in both Apple press and mainstream press outlets. Presumably, any virus coders who had not previously eyed the Apple platform would have seen some of this press exposure and would have been enticed by the challenge, regardless of the retraction of the cash prize.

Well, more than a year has passed. And, surprisingly (or not, to some of us), there is still not one self-replicating virus in the wild that attacks the Mac OS X operating system. That's right, folks... not one. Not the first. Ever. Never. Zero.

Against this reality -- zero actual propagating OS X viruses in the wild -- there has been a groundswell of press attention offered recently to the notion that, somehow, Mac OS X is "nearly" as vulnerable to such afflictions as is Windows XP. In fact, this idea has become the darling of seemingly every writing hack in the industry, a stepping-off point for whatever brand of yellow journalism they wish to pen.

When I announced the OS X Virus Contest, OS X had been on the market for four years with still not one single in-the-wild virus. Now it has been more than five years. And guess what?... still not one in-the-wild virus!

We structured the contest last year to isolate the threat of an in-the-wild, self-replicating, self-propagating virus, as that is the one true worldwide threat to any computer operating system. This can be seen from at least two hugely publicized attacks by just these creatures against the Windows OS in just the past two years. Worldwide panic and devastation to millions of computers was the result in both instances. These were not "malware" or "trojan" attacks... and despite the yellow journalists' efforts to blur the distinction between these various security threats, the fact remains that it is the self-propagating virus, the one that launches from computer to computer without conscious involvement by the user, that poses the highest risk of devastating damage. So that is where we focused.

Today, in honor of the many people who so vocally supported our virus contest last year, I am publicly challenging the many tech industry writers who have so loudly heralded "the growing OS X security risk" over the past few days to step up and show me one thing: just one in-the-wild virus that infects Mac OS X.

Show me that one item, and I will shut up.

16 Comments:

Blogger Miles Ward said...

Marvelous! I couldn't agree more. Where does all the defense for the PC come from? It's like someone arguing that their '70s Gremlin is just a better car than my Audi S4. Silly.

10:09 AM, May 09, 2006  
Blogger dellscrewspeople said...

Hey ... buddy ... wake up and realize that you are wrong.

http://www.sophos.com/virusinfo/analyses/osxleapa.html (spreads via ichat)
http://www.sophos.com/virusinfo/analyses/osxinqtanaa.html (spreads automatically via bluetooth)
http://www.sophos.com/virusinfo/analyses/shrenepoa.html (spreads to other macs on the same network)
http://www.sophos.com/virusinfo/analyses/osxinqtanab.html (spreads automatically via bluetooth)
http://www.sophos.com/virusinfo/analyses/macamphimixa.html (spreads as an mp3 file)

10:29 AM, May 09, 2006  
Blogger allaboutdatiki said...

This Gremlin will give that S4 a run for its money:

http://www.jicketts.com/pilot/index.html

10:30 AM, May 09, 2006  
Blogger NetAdmin said...

Wow! I couldn't DISAGREE more. As a network admin for a large college that runs both Macs and PCs, I can tell you for a fact that we had a virus outbreak on all of our OS X computers that Sophos AV caught just recently. All it takes is one untrained end user to cause a snowball effect, and that's exactly what happened to us. Since most Mac people think there are no viruses that can harm them, they don't take any precautions about opening a file from someone else via email or chat. One person at the school got this virus from outside via iChat, it harvested their contact list, and within minutes the entire campus's Macs had their AV going crazy cleaning up this virus.

http://www.sophos.com/virusinfo/analyses/osxleapa.html

OSX/Leap-A is an instant-messaging worm for the Mac OS X platform.

The worm attempts to spread via the iChat instant messaging system, sending itself to available contacts on the infected users' buddy list in a file called latestpics.tgz.

OSX/Leap-A attempts to infect recently used applications.

10:32 AM, May 09, 2006  
Blogger maxplanar said...

Thanks for trying to get some 'fair and balanced' reporting on this issue. Week after week there's a press release by a virus-software manufacturer regarding how concerned Mac users should be, and how their peace of mind lies with the company's products. It's shocking to see so many tech journalists simply parrot the PR department, with few questioning the bigger picture behind such threats.

Next year, Microsoft will add anti-virus and anti-spyware capabilities to their new OS, Windows Vista. Companies such as McAfee and Symantec have built enormous multi-billion-dollar public corporations ($4bn and $17bn, respectively) ENTIRELY on the weaknesses of Windows and see their future imploding as Microsoft does what it has done to Netscape and others before it, by simply incorporating the third-party features into the OS.

Windows users (and, by extension, the entire computing community) should be very grateful to Microsoft for their acknowledgement of responsibility, but the AV companies are running very scared indeed, as they see the writing in the sand and see a serious tail-off in sales beginning in Q1 2007. Put simply, they need to develop a new market, or certain death looms. Hence the attempts to muscle into the previously untapped OS X market.

Due caution by OS X users is certainly fair, but until proven attack vectors and self-propagating species exist in the wild and are a real threat to the userbase, these articles are nothing but snake-oil sales pitches.

It's really depressing to see the tech journalism community suffer from such sloppy and infantile standards - it is not well served by simply rewriting press releases.

10:39 AM, May 09, 2006  
Blogger maxplanar said...

Philip,

Don't get carried away by the Mac/PC flame war - I'm not interested in speaking to that, but instead to the issue that press releases are becoming accepted as news. The software companies are perfectly entitled to market their products, but journalists should look a little further beyond the press release. Finally, do you really think McAfee and Symantec are not concerned about slipping market share once Vista hits?

Let's try and have a mature dialogue here, not another flame war.

11:00 AM, May 09, 2006  
Blogger Robbie said...

Wait a sec... We need to know something. Are these Macs getting actively used? Unless there is another (infected) Mac on the network with drive write access to these Macs (if these things aren't browsing the net), they will not be infected. Even Windows (when protected by at least a router/firewall, which I'm sure the Macs are) will not get infected by just sitting there.

11:19 AM, May 09, 2006  
Blogger MaxDrago said...

What part of "Self Replicating" and "In the Wild" wasn't understood?

None of these things use chinks in the OS's armor to get in; they are stupid ways to sidestep some of its security by tricking a user into opening something (and in doing so letting the 'virus' make itself auto-starting for that user)... but think about it... If I can get your users to click on my app, they deserve to get zapped.

Where's a virus that can spread from your Mac to my Mac without you or me doing anything? Then, can it spread to another Mac without me or the next user doing something? There aren't any.

I'm not saying that there can't be, but there aren't any now, and any system that gets updated on a regular basis won't get bitten by any of the ankle biters mentioned here.

Is it just me or does anyone else feel the draft from the broken windows...

11:42 AM, May 09, 2006  
Blogger kurt wismer said...

What part of "Self Replicating" and "In the Wild" wasn't understood?

apparently, it's self-replication that people have a tough time with... self-replication does not mean that it doesn't require user interaction - that would be self-instantiation... self-replication just means it makes a copy of itself, and the current osx worms/viruses do just that...

and as has been demonstrated by one of the other commenters, osx/leap has been doing it in the wild

12:57 PM, May 09, 2006  
Blogger Jack Campbell said...

The original contest, as well as the specific description in my letter here, clearly ties "self replicating" and "self propagating" together. Again, as much as so many people want to dodge around this, I am talking only about the most heinous of all malware: the virus that spreads across the 'net without user involvement and then does serious damage to each infected machine it enters. OSX/Leap is neither self-propagating nor causes serious damage.

1:02 PM, May 09, 2006  
Blogger kurt wismer said...

as much as people might want to tie self-replication and self-propagation together, they are not the same and self-propagation has never been a requirement for viruses under any reasonable definition... as a matter of fact most pure viruses for the windows platform (and dos before it) required user interaction in order to operate...

self-propagation is more common in worms than it is in viruses, but even then most worms require user interaction...

the popular notion that these things spread all by themselves and use vulnerabilities in the OS to do so is a myth - relatively few fall under that category... more often than not it's the user, rather than a programming defect, that gets exploited...

1:37 PM, May 09, 2006  
Blogger Evan said...

That depends. Some worms require nothing more than a user that browses to a website with IE on Windows. Done.

Obviously this technically involved user interaction, but the users weren't presented with a file, alerted by the app, and then required to authenticate as the 'superuser', as in the case of most of the worms for Windows.

So, though there is one with variants... it is not affecting a lot of people. People need to take a little more responsibility for what they click on, or what admins allow to be transmitted over their network. Running straight to AVs seems like the band-aid approach.

2:51 PM, May 09, 2006  
Blogger kurt wismer said...

some worms, perhaps, but most worms are not like that... there's a very large number of email worms, for example, and those generally require you to click on an attachment... then there's the p2p worms which require you to execute the program you downloaded over some file sharing network... then there's the instant messenger worms that generally require you to run the application that was sent to you or to click on a link that was sent to you...

also, on most windows systems you already are the super user, no need for additional authentication...

People need to take a little more responsibility for what they click on, or what admins allow to be transmitted over their network. Running straight to AVs seems like the band-aid approach.

so you're going to have some magical oracle you can ask "is this file safe to send over the network"? or are you suggesting something more draconian, like only allowing files from a pre-authorized list to be sent? how is a person supposed to know something is unsafe without having that knowledge packaged into a piece of software for them to query?

a whitelist (pre-authorized list) is easier to maintain but it's very limiting... a blacklist is more flexible but requires someone (ie. the av vendors) to provide the actual list...

4:07 PM, May 09, 2006  
Blogger Chris said...

I agree that in a practical sense, it can be stated that Mac OS X has yet to be hit with a virus. I have never known anyone personally to have their Mac infected, yet I have never known a PC user to not have been hit, and I have been involved in both communities as everything from an MCSE-certified IT to a Mac-based web developer.

I feel that the point that Jack is trying to make is that no known virus has ever hit the Mac community at large. There are claims of hits in this post's comments, but even then it is contained within a single network (campus). Hardly what I call a threat, unless you feel threatened by mosquitoes when you leave the house.

FYI, look up the viruses that 'dellscrewspeople' listed on Symantec's site, and under threat assessment, tell me that you really think Mac users should be concerned. Here's a couple for the lazier folks.

OSX.Leap.A
OSX.Inqtana.A

5:41 PM, May 09, 2006  
Blogger kurt wismer said...

not to put too fine a point on it, but the symantec page on osx/leap.a is inaccurate... look at what it has to say about damage - this is an overwriting virus and it lists all types of damage as not applicable... it's not even internally consistent, as the written description later on the same page says that it deletes files...

the sophos page (http://www.sophos.com/virusinfo/analyses/osxleapa.html) is better in my opinion... you'll see that it too shows the prevalence for the worm to be fairly low, but it is still in the wild...

7:30 AM, May 10, 2006  
Blogger Middle-agedman said...

Looks like NetAdmin is an employee or lackey of Sophos. I don't believe for a second that any university got "hit" with this "virus."

Like some people have already commented, news and press releases by software companies that want Mac users to buy their useless "antivirus" programs should not be taken as "news."

The fact that Sophos' program responds to a particular file doesn't mean that the file is a "virus."

10:05 PM, May 17, 2006  