Its easy for administrators and computing professionals to get frustrated with users for all kinds of reasons, but security has to be one of the biggest reasons these days.
Lets consider the recent release of a malicious script for Mac OS X. This script itself is not really much of a threat because it has no means of propagation, but as a Mac admin Id take that as small comfort. The script is a tool for building genuine worms with social engineering as the front door.
So what if the script requires admin/root access? Even if the Mac user is running as a less-privileged user, all the attack has to do is to ask for the root password. Unless you have an actual separate administrator for your computer, you have to have the root password handy for certain tasks that inevitably come up, such as installing programs and devices.
Social engineering is at the heart of the vast majority of attacks out there, not any particular exploit. With a few occasional exceptions—Sasser, for example—the real threat to users is through trickery. These days, a savvy user could probably get along with just a firewall and no anti-virus software because almost anything caught by the anti-virus software needs to trick you into running it first.
Last weeks outbreak of the latest Bagle variant is a perfect example. Its fundamentally no different from almost all the other Bagle variants. How do these things spread? And why would one spread more than the others?
As anti-virus vendor BitDefenders Chief Technology Officer Bogdan Dumitru said: “At this time, I can think of no reason other than deft initial seeding. The author, or authors, must have had a list of vulnerable machines at hand.”
There is nothing about the new Bagle that makes it better able to spread—not to minimize the horror it perpetrates on your system. The worst part of it, and probably the whole point, is that it installs a back door for attackers to commandeer your system for their own nefarious purposes.
One of those purposes, I suspect, is to spread the next version of the worm. Just because anti-virus companies are seeing many copies of a new worm doesnt mean that lots of regular users have actually become infected by running the e-mail attachments.
But lets get back to how they got infected to begin with. With Bagle-like worms the user typically gets a message with a spoofed from: address (once again, an argument for SMTP authentication), a subject like “Re:” and a clever message body like “:).” Most of the copies Ive received of the newest Bagle have an attachment named “JOKE.CPL.” You can also receive a copy of this file through file shares.
So, to get infected you have to run the file. Mind you, you probably only got this file if you arent running anti-virus software (which would block it) or a modern e-mail client (which, by default, would strip executable attachments).
Of course, worms such as these dont exist for platforms other than Windows, but why couldnt they? The executable attachments are platform-specific and their authors dont write them for less popular platforms because their comparative rarity makes it less likely that a recipient will be able to become infected.
Talk about “security through obscurity”! The only thing keeping these scourges off of Linux and the Mac OS is that its not worth the work to get such business. The exact same thing is true of spyware and adware. Of course you could write such things for the Mac and Linux and they would work.
Well, technically they would work. If I wrote a mail worm for Linux and seeded it well enough (I could even use infected Windows systems for the initial seeding with a special Windows virus just for the purpose), I suspect it still wouldnt get very far, because very, very few typical consumers run Linux systems. Linux users are on average, simply by virtue of their running Linux, more sophisticated than typical consumers.
The Mac is different. I suspect a typical mail worm for the Mac could get some traction if it spread enough copies and had a good social engineering scheme. But the most immediate reaction to it would be that more than 90 percent of the recipients wouldnt be able to run it. There are a few little tricks you could put into such a worm, such as preferring harvested addresses with domains at “mac.com” and at universities and companies standardized on the Mac, that would assist it.
But the most interesting threats these days are already cross-platform. Phishing attacks are technically very simple and rely purely on gullibility. The heart of the typical phishing attack these days is an e-mail from a company or bank and a link that looks something like this:
If you get the message and click the link fast enough, the Web page will still be up and you will have the opportunity to enter your personal information so that you can be robbed. Theres nothing about this that is Windows-specific.
So users of alternative platforms can look forward to a future of increasing participation in the explosion of development that heretofore had been limited to Windows. In some ways were already there, but if they can deliver the users, malware authors everywhere will respond to the challenge.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.