The Mac OS X Virus Contest, A Year Later
An Open Challenge To The Technology Media

My name is Jack Campbell; until September, I was CEO of a manufacturing company producing Apple Computer-related products.

Just over one year ago, my company, DVForge, announced a $25,000 prize for the first virus developer who could infect two Powermac G5 computers located in our office, both with plain-Jane installations of OS X, by propagating that new virus over the internet. In the onslaught of correspondence that quickly began streaming into our office, we found enough wisdom to convince us to cancel that contest, due almost entirely to potential legal liability. But the flare was shot into the sky, and the challenge received a huge degree of worldwide press attention, in both Apple press and mainstream press outlets. Presumably, any virus coders who had not previously eyed the Apple platform would have seen some of this press exposure and would have been enticed by the challenge, regardless of the retraction of the cash prize.

Well, more than a year has passed. And, surprisingly (or not, to some of us), there is still not one self-replicating virus in the wild that attacks the Mac OS X operating system. That's right, folks... not one. Not the first. Ever. Never. Zero.

Against this reality -- zero actual propagating OS X viruses in the wild -- there has been a groundswell of press attention offered recently to the notion that, somehow, Mac OS X is "nearly" as vulnerable to such afflictions as is Windows XP. In fact, this idea has become the darling of seemingly every writing hack in the industry, a jumping-off point for whatever brand of yellow journalism they wish to pen.

When I announced the OS X Virus Contest, OS X had been on the market for four years, with still not one single in-the-wild virus. Now, it has been more than five years. And, guess what?... still not one in-the-wild virus!

We structured the contest last year to isolate the threat of an in-the-wild, self-replicating, self-propagating virus, because that is the one true worldwide threat to any computer operating system. This can be seen from at least two hugely publicized attacks by just these creatures against the Windows OS in just the past two years. Worldwide panic and devastation to millions of computers was the result in both instances. These were not "malware" or "trojan" attacks... and despite the yellow journalists' efforts to blur the distinction between these various security threats, the fact remains that it is the self-propagating virus, which launches from computer to computer without conscious involvement by the user, that poses the highest risk of devastating damage. So, that is where we focused.

Today, in honor of the many people who so vocally supported our virus contest last year, I am publicly challenging the many tech industry writers who have so loudly heralded "the growing OS X security risk" over the past few days to step up and show me one thing: just one in-the-wild virus that infects Mac OS X.

Show me that one item, and I will shut up.

Comments

kurt wismer said…
What part of "Self Replicating" and "In the Wild" wasn't understood?

apparently, it's self-replication that people have a tough time with... self-replication does not mean that it doesn't require user interaction - that would be self-instantiation... self-replication just means it makes a copy of itself and the current osx worms/viruses do just that...

and as has been demonstrated by one of the other commenters, osx/leap has been doing it in the wild
Jack Campbell said…
The original contest, as well as the specific description in my letter here, clearly ties "self replicating" and "self propagating" together. Again, as much as so many people want to dodge around this, I am talking only about the most heinous of all malware: the virus that spreads across the 'net without user involvement and then does serious damage to each infected machine it enters. OS X/leap is neither self-propagating nor seriously damaging.
kurt wismer said…
as much as people might want to tie self-replication and self-propagation together, they are not the same and self-propagation has never been a requirement for viruses under any reasonable definition... as a matter of fact most pure viruses for the windows platform (and dos before it) required user interaction in order to operate...

self-propagation is more common in worms than it is in viruses, but even then most worms require user interaction...

the popular notion that these things spread all by themselves and use vulnerabilities in the OS to do so is a myth - relatively few fall under that category... more often than not it's the user, rather than a programming defect, that gets exploited...
Evan said…
That depends. Some worms require nothing more than a user that browses to a website with IE on Windows. Done.

Obviously this technically required user interaction, but they weren't presented with a file, alerted by the app, and then required to authenticate as the 'superuser', as in the case of most of the worms for Windows.

So, though there is one with variants...it is not affecting a lot of people. People need to take a little more responsibility for what they click on, or what admins allow to be transmitted over their network. Running straight to AVs seems like the band-aid approach.
kurt wismer said…
some worms, perhaps, but most worms are not like that... there's a very large number of email worms, for example, and those generally require you to click on an attachment... then there's the p2p worms which require you to execute the program you downloaded over some file sharing network... then there's the instant messenger worms that generally require you to run the application that was sent to you or to click on a link that was sent to you...

also, on most windows systems you already are the super user, no need for additional authentication...

People need to take a little more responsibility for what they click on, or what admins allow to be transmitted over their network. Running straight to AVs seems like the band-aid approach.

so you're going to have some magical oracle you can ask "is this file safe to send over the network"? or are you suggesting something more draconian like only allowing files from a pre-authorized list to be sent? how is a person supposed to know something is unsafe without having that knowledge packaged into a piece of software for them to query?

a whitelist (pre-authorized list) is easier to maintain but it's very limiting... a blacklist is more flexible but requires someone (ie. the av vendors) to provide the actual list...
Chris said…
I agree that in a practical sense, it can be stated that Mac OS X has yet to be hit with a virus. I have never known anyone personally to have their Mac infected, yet I have never known a PC user to not have been hit, and I have been involved in both communities as everything from an MCSE Certified IT to a Mac-based Web Developer.

I feel that the point that Jack is trying to make, is that no known virus has ever hit the Mac community at large. There are claims of hits in this post's comments, but even then it is contained to within a single network (campus). Hardly what I call a threat, unless you feel threatened by mosquitoes when you leave the house.

FYI, look up the viruses that 'dellscrewspeople' listed on Symantec's site, and under threat assessment, tell me that you really think Mac users should be concerned. Here's a couple for the lazier folks.

OSX.Leap.A
OSX.Inqtana.A
kurt wismer said…
not to put too fine a point on it but the symantec page on osx/leap.a is inaccurate... look at what it has to say about damage - this is an overwriting virus and it lists all types of damage as not applicable... it's not even internally consistent as the written description later on the same page says that it deletes files...

the sophos page (http://www.sophos.com/virusinfo/analyses/osxleapa.html) is better in my opinion... you'll see that it too shows the prevalence for the worm to be fairly low, but it is still in the wild...
