Mac and Linux Not Immune to Viruses

By Larry Seltzer  |  Posted 2004-11-01 Print this article Print

Opinion: Any operating system in the hands of naive users can be as dangerous as a Windows computer.

Its easy for administrators and computing professionals to get frustrated with users for all kinds of reasons, but security has to be one of the biggest reasons these days. Lets consider the recent release of a malicious script for Mac OS X. This script itself is not really much of a threat because it has no means of propagation, but as a Mac admin Id take that as small comfort. The script is a tool for building genuine worms with social engineering as the front door.

So what if the script requires admin/root access? Even if the Mac user is running as a less-privileged user, all the attack has to do is to ask for the root password. Unless you have an actual separate administrator for your computer, you have to have the root password handy for certain tasks that inevitably come up, such as installing programs and devices.

Social engineering is at the heart of the vast majority of attacks out there, not any particular exploit. With a few occasional exceptions—Sasser, for example—the real threat to users is through trickery. These days, a savvy user could probably get along with just a firewall and no anti-virus software because almost anything caught by the anti-virus software needs to trick you into running it first.

Last weeks outbreak of the latest Bagle variant is a perfect example. Its fundamentally no different from almost all the other Bagle variants. How do these things spread? And why would one spread more than the others?

As anti-virus vendor BitDefenders Chief Technology Officer Bogdan Dumitru said: "At this time, I can think of no reason other than deft initial seeding. The author, or authors, must have had a list of vulnerable machines at hand."

There is nothing about the new Bagle that makes it better able to spread—not to minimize the horror it perpetrates on your system. The worst part of it, and probably the whole point, is that it installs a back door for attackers to commandeer your system for their own nefarious purposes.

One of those purposes, I suspect, is to spread the next version of the worm. Just because anti-virus companies are seeing many copies of a new worm doesnt mean that lots of regular users have actually become infected by running the e-mail attachments.

But lets get back to how they got infected to begin with. With Bagle-like worms the user typically gets a message with a spoofed from: address (once again, an argument for SMTP authentication), a subject like "Re:" and a clever message body like ":)." Most of the copies Ive received of the newest Bagle have an attachment named "JOKE.CPL." You can also receive a copy of this file through file shares.

So, to get infected you have to run the file. Mind you, you probably only got this file if you arent running anti-virus software (which would block it) or a modern e-mail client (which, by default, would strip executable attachments).

Of course, worms such as these dont exist for platforms other than Windows, but why couldnt they? The executable attachments are platform-specific and their authors dont write them for less popular platforms because their comparative rarity makes it less likely that a recipient will be able to become infected.

Talk about "security through obscurity"! The only thing keeping these scourges off of Linux and the Mac OS is that its not worth the work to get such business. The exact same thing is true of spyware and adware. Of course you could write such things for the Mac and Linux and they would work.

Well, technically they would work. If I wrote a mail worm for Linux and seeded it well enough (I could even use infected Windows systems for the initial seeding with a special Windows virus just for the purpose), I suspect it still wouldnt get very far, because very, very few typical consumers run Linux systems. Linux users are on average, simply by virtue of their running Linux, more sophisticated than typical consumers.

The Mac is different. I suspect a typical mail worm for the Mac could get some traction if it spread enough copies and had a good social engineering scheme. But the most immediate reaction to it would be that more than 90 percent of the recipients wouldnt be able to run it. There are a few little tricks you could put into such a worm, such as preferring harvested addresses with domains at "" and at universities and companies standardized on the Mac, that would assist it.

But the most interesting threats these days are already cross-platform. Phishing attacks are technically very simple and rely purely on gullibility. The heart of the typical phishing attack these days is an e-mail from a company or bank and a link that looks something like this:
    <a href=""> </a>

If you get the message and click the link fast enough, the Web page will still be up and you will have the opportunity to enter your personal information so that you can be robbed. Theres nothing about this that is Windows-specific.

So users of alternative platforms can look forward to a future of increasing participation in the explosion of development that heretofore had been limited to Windows. In some ways were already there, but if they can deliver the users, malware authors everywhere will respond to the challenge.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. More from Larry Seltzer Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Be sure to add our security news feed to your RSS newsreader or My Yahoo page

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel