October 17, 2005

Mac OS X Viruses: Results (sort of, except not really)

October 16th has come and gone, which means I'm virtually a year older and also that the deadline for my challenge to find a Mac OS X virus would have just passed, except I never actually started the dang contest.

I've been thinking about this a lot, because I consider honesty and honor to be a pretty big part of my gestalt, and I don't want to be viewed as a welcher. But, the truth is, almost nobody who responded to my original challenge read the whole dang post.

So, a couple of people found pointers to what might be viruses and posted about them and said, "Ok, do I win?" But, see, what I'd said was, "So, here's my plan. I'm not putting it into effect yet, but I'm soliciting comments, and if nobody can prove it's a bone-headed idea, I'll go ahead with it."

See, so it's not really fair to reward people who jumped in immediately after that and posted about viruses to try to claim the prize, because people who actually read the instructions were waiting for me to actually say, "Go," which I never really got a chance to say because most of the runners just jumped over the starting line and ran into the woods the second I suggested we might want to have a race. (To torture a metaphor.)

Also, seriously, I was just totally snowed by all the people responding. I mean, that was a lot of stuff. If anyone actually read all those responses, I apologize to you and your family.


But what of the meat? Was there any? Are there Mac OS X viruses? The answer is... well, maybe. I admit, at some point I had to stop reading everything people were writing in there, but I did see three nuggets that need followup.

Most likely is "Opener", which appears to fit all the requirements for being a real virus, and also apparently had a victim, as detailed in this article. There are a lot of different reports on what Opener does and how it might spread; I very much want to know if it really can infect a machine without the user actually giving it power explicitly (if inadvertently). It seems possible and even likely that there are different versions of "Opener" out there, since viruses tend to mutate as kiddies get hold of them and try to increase their power. So, while it was easy to write off "Opener" as not qualifying based on some descriptions of it, others seem more compelling. I want to look at this code myself.

An anonymous poster who possibly isn't a native English speaker but does seem to know a lot about malware also made comments about Opener ("When a password has been found on a remote machine by the brute force process, it installs his code by sshing various commands on the remote host."), which make it sound much like a virus, indeed, except it requires that the target machines have SSH turned on in order to be infected-- I do not know if SSH was on by default when Opener was making its rounds. I'd like to know this.

He also mentions, "Mail malicious bundle was created before your check point and it was designed to send a /tmp/xxx/virus file to all your friends each time mail.app receives your mail," which sounds like a virus, yes. Bears investigating.

And, finally, he mentions, "Do you know MacSerialJunkie? On the private cracks section there's a warning of a virus/worm spreading on a cracked version of ArchiCAD 9." My initial feeling is that it doesn't count if you knowingly download and run a cracked program; it's a lot like complaining that the horse you just stole isn't very fast.

So, I count three possibilities: the Mail bundle (How does it spread?), Opener (Does it really work over SSH? If so, did Mac OS X ship with SSH enabled at the time Opener was spreading?), and the cracked ArchiCAD 9 (Do we count this? If so, should we act surprised if we have sex with Pamela Anderson and end up with Hepatitis?).



Blogger alxknt said...

I am quite sure Mac OS X has never shipped with ssh enabled by default. You've always had to enable it by ticking the 'Remote Login' option in the Sharing preference pane.

October 17, 2005 5:12 AM

Blogger Carl Johnson said...

Trojans are known to have existed for OS X. For example, there was one file on P2P networks that claimed to be MSOffice, but really it was like 4kb and just said "rm -rf /" or something. So, supposedly, that burned someone. I never saw it myself though, just heard about it.

October 17, 2005 5:24 AM

Anonymous Anonymous said...

Those all sound like trojans, not viruses, to me.

October 17, 2005 6:04 AM

Anonymous Anonymous said...

Is it just me or does it seem like you are purposely mentioning these competitions without technically starting them? I can't think of any reason for talking about a competition, offering a sizable bounty, deciding upon an END DATE, and then not doing anything for a couple weeks while all of the illiterate but harmless joes out there submit stuff. If you don't want to give out boatloads of cash, don't offer it in the first place—plenty of people would still be happy to compete. And if you really are innocent, then I apologize, but you should still rethink the way you do this.

October 17, 2005 6:19 AM

Anonymous Anonymous said...

While I haven't personally entered the 'possible' contest, I would like to point out that while you did say you had not begun the contest at the time of the post, you would also begin it save for the event of it being a boneheaded idea. Unless you silently nodded your head to a post stating how the idea is somehow boneheaded, it should be safe to assume that the contest is a reasonably good idea, and therefore would have been started. (There is no mention of when it would have been started, but it would have been before the 16th.) To reiterate, "if nobody can prove it's a bone-headed idea, I'll go ahead with it."

That's all. (But posting at 4:27 does not a rested person make)

October 17, 2005 7:33 AM

Blogger Danny Cohen said...

Hepatitus? Yes. Herpes? No.

October 17, 2005 8:39 AM

Anonymous Anonymous said...

SSH has never been enabled by default on client machines. It has always been enabled by default on Server.

October 17, 2005 8:52 AM

Anonymous Taki said...

I think it would be fair to require a virus to install itself without any user interaction. A program that loads itself via ssh (as long as ssh is on by default) counts. A program that wipes my hard disk instead of installing a cracked copy of AutoCAD does not.

I could slap together something like the latter in 5 minutes. The former is quite a bit more difficult, as it should be given how dangerous it would be.

An interesting question would be if it's necessary for the program to spread from your machine to be a virus, or if simply wiping your files over ssh would be sufficient. I would say it has to spread on its own, otherwise it's just an automated hacking tool.

October 17, 2005 12:09 PM

Anonymous Anonymous said...

I think there were obviously some problems with the contest as proposed. Not with the idea or the concept, but with the "official rules" of the contest.

Whenever you propose something in public that offers a prize, you need an official rule document as long as your arm because hordes of morons are going to try to abuse the system.

This contest was proposed in the spirit of fun and cooperation, but most people didn't read the text or understand the idea. The contest was widely reported as "Wil Shipley's Virus Writing Contest" and held in shocked contempt for being irresponsible and arrogant.

Of course, it was none of these things, but it was obvious that the contest, as described, was problematic. This is, no doubt, why it was never made official.

Does that make Wil a tease? No. If I say I'm thinking about eating steak tonight, and a bunch of PETA people start screaming at me, while a bunch of other people cook me a steak, does it make me a tease to leave the room and get some KFC?

Ooh, KFC. Gotta go.

October 17, 2005 12:17 PM

Blogger Wil Shipley said...

YOU'RE a tease for mentioning KFC. Man I love that stuff, but man I shouldn't eat it. It's like a hundred zillion calories per bite.


No, I'm not purposely mentioning contests and not starting them. There have been four "contests" so far, and of those this was the only one where I decided it was "No Action", as they say in betting parlance.

The math problem with Grapher, the first programming problem, and the most recent programming problem have all been (or will be, in the latter case) awarded prizes, or had their prizes substituted for other prizes at the request of the winner.

October 17, 2005 1:03 PM

Anonymous Anonymous said...

Hey Wil,

I really don't see your point on that subject. I mean, the Windows worms and viruses you mostly find nowadays are not made by "professionals", but by people who are using construction toolkits. But I know enough people who are researching infection techniques for MacOS X viruses to know that we are not that much safer than the Windows world. Believe it or not, it's up to you and it won't change anything anyways...

October 17, 2005 1:50 PM

Anonymous Anonymous said...

People say we (and by "we" I mean OSX and its users) aren't much safer, but there are some very real differences in the operating systems that tell me otherwise.

The fact Windows ships (the last time I checked) with ports open and services active that most people didn't need or even know about, whereas OSX ships almost completely closed.

The fact that administrators are not root, so must sudo most risky activities.

The fact Unix in general was born to be a multi-user networked operating system, whereas the addition of internet operability to the current Windows architecture was an afterthought.

The fact OSX makes it easy to keep things on your computer more or less under control, whereas I, an expert user, can't decipher most of what Windows is talking about.

Are we completely virus-proof? Of course not, but we're a hell of a lot better off than Windows.

October 17, 2005 2:19 PM

Anonymous Anonymous said...

Well, this doesn't really count, but at a customer's home today (15" PB/Tiger/OfficeX) we discovered sneaky macro viruses (ugh, Microsoft) picked up over the summer and infecting everything ever since (and annoying her friends, I'm sure). Yes, Virex IS running on the computer... weird. No scan.dot fix-it files anywhere either (so far).

It's not really a virus, I know, but this is the ONLY incident of this nature I've seen on a Mac in 3 years.

October 17, 2005 3:37 PM

Anonymous Anonymous said...

I'm just wondering how many web sites are going to link to this post.

The reason being that a lot of web sites were prompt to link to your "there's no viruses on Mac OS X" post but since your current feeling is that the situation might not be as white as you previously thought, maybe this will not suit them.

Concerning the Mail bundle virus propagation, you will always find someone to click on an attachment or even un-archive it and run it. It's based on statistics and common sense (or lack of).

October 17, 2005 11:46 PM

Blogger Cody said...

Am I the only one who thinks Apple should sue you? I think this contest is criminal and everyone who submits a virus should be arrested or fined. This is not a legitimate contest; once it's been done once there will be more who try to follow. Is that what you want?

October 18, 2005 3:56 AM

Anonymous noliv said...

Cody : Please read the original post about this contest and you will understand that it is not about submitting a virus...
And yes, you are the only one who thinks Apple should sue Wil. ;)

October 18, 2005 6:24 AM

Anonymous Anonymous said...

KFC? Stay away from that stuff.

It ain't chicken -- it's pieces of the Colonel!

October 18, 2005 6:56 AM

Blogger Ian Betteridge said...

Taki commented that "I think it would be fair to require a virus to install itself without any user interaction." If you follow this logic, then the vast majority of Windows viruses aren't viruses at all. Most malware spreads through some brand of user stupidity, whether that's clicking on a "document" that someone sends them via email (which is in fact an .scr file) or downloading something dubious from a warez/pr0n source.

October 18, 2005 9:50 AM

Anonymous Anonymous said...

Ian commented that Taki commented that ... Oh, I'm bored already.

No, Ian: not all Windows malware is viruses. What has that to do with a pound of herrings?

I might have guessed that someone from Brighton would like À Rebours (the place is known for its decadence) and, moreover, not be capable of reading it in the original French.

October 18, 2005 11:06 AM

Anonymous Anonymous said...

ssh has never been on by default. So any "virus" that requires that to propagate is not going to spread quickly or widely. I have played around with various versions of "Opener" and every one I saw required me to enter my admin password to do anything malicious. Even if it didn't require me to enter a password, an application that requires me to click on it is NOT a virus. A virus has to be able to self-propagate without ANY interaction from anyone.

October 18, 2005 11:16 AM

Anonymous Nathan said...

I apologize for saying "Do I win?" before. It was a joke. I completely understood your post. I was hoping to at least spur the conversation on some...instead it was misunderstood.

Opener is the closest we got to a "real" virus.

But I do not know if it is fair to expect a virus to install itself. All the people I know using Windows (except for my grandmother) have only gotten viruses that they installed themselves. My grandmother got the one that was a worm and shut down her computer every so often. Maybe my friends are not your average users, but I think they are. A link in someone's AIM profile can take down a computer running IE with ActiveX running. Just click OK to install a "plugin".

Like I said, I don't know.

I don't think any money should be given out for someone's google skills by the way. So I vote no go on the contest. It's all about whoever can lookup crap the fastest.

October 18, 2005 11:26 AM

Anonymous Anonymous said...

You're sounding a lot like Jack Thompson right about now...

October 18, 2005 11:51 AM

Anonymous Anonymous said...

For a virus that takes advantage of ssh, the fact ssh is open or closed by default does not suddenly disqualify it as a virus. That just means fewer people will be affected.

October 18, 2005 11:54 AM

Blogger Wil Shipley said...

Hmm, yes, now that you mention it, I *do* sound like a crazy, conservative lawyer who was trying to shut down video games by offering a $10,000 reward to anyone who wrote an incredibly disgusting game for him and now claims it was satire when someone actually did it. ON PLANET STUPID, I DO.

Seriously, read my original post. Among the many, many differences here is the fact that I said, RIGHT UP FRONT, "THIS IS A TRIAL BALLOON." There's no hidden PARODY here. There's no changing my story; there's a case of me making a posting which some people didn't read closely. That's NOT MY FAULT.

It's a case of reading the LARGE PRINT. If you think our cases are the same, go get $500 out of Tycho and Gabe. Oh, except you didn't even TRY to enter the contest that didn't happen, did you? You're just posting here because you want to grouse at me, because it's fun to be the guy who takes down the know-it-all. Hey, why don't you post your reasons why you don't like Star Wars III, too, since you're here and you're showing your red little wing-patches anyways.

Here, look, I'll save you the trouble of arguing, because all internet arguments go to the same place. I'm Hitler. There, I said it. I'm Hitler. You win.

October 18, 2005 12:30 PM

Blogger Drew Hamlin said...


October 18, 2005 4:52 PM

Blogger Troy Phillips said...

When it comes to the definition of a virus/worm etc., I like the following from Sophos:

Worm: A type of virus that does not need a host program. It has the ability to self-replicate and often will use email and the internet to spread.

Trojan: A seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Trojans are sometimes used in conjunction with viruses. A backdoor Trojan is a program that allows other computer users to gain access to your computer across the internet. Do not replicate.

Virus: A computer program that copies itself. Often viruses will disrupt computer systems or damage the data contained upon them. A virus requires a host program and will not infect a computer until it has been run. Some viruses spread across networks by making copies of themselves or may forward themselves via email. The term 'virus' is often used generically to refer to both viruses and worms.

Troy Phillips

October 21, 2005 2:18 AM

Anonymous Anonymous said...

But I do not know if it is fair to expect a virus to install itself.

I don't understand this. The original post asked about MacOS X viruses and whether there'd be a likely problem making a competition out of hunting for one in the past. The target of this hunt is a virus. A virus must by definition replicate itself.

A "virus" that does not replicate itself strikes me as the "honor code virus" I read about, in which an ordinary plaintext email informs you've been hit by the "honor code virus" and are duty-bound to forward it by hand to every address in your contact list. This email is, of course, not actually a virus. Why? It does not actually replicate itself. Self-replication is the name of the game here.

A few years ago, when my MSFT-employee friend had disconnected his machines from the internet out of concern over Nimda and Code Red, my Apache logs were filling with attempted attacks by numerous MSFT-IIS installations all over the world. The online logs at the OpenBSD mailing lists show folks asking whether their firewall rules are causing errors with MSFT's servers at Hotmail, when in fact MSFT's own IIS boxes were attacking his web site and eating into his bandwidth. My MSFT-employee friend is a developer, a senior guy who writes custom solutions for huge consulting clients on behalf of MSFT, and the only way he could imagine to protect his network was to disconnect it from the rest of the world. I found this quite informative. When I emailed him (at work) to show him my Apache logs that indicated I was getting more attacks than legitimate requests for content, he was afraid even to open the plaintext files, so afraid was he of what his OS and apps would do to content he received.

The questions for MacOS X and viruses seem to be (a) is there a mechanism Apple ships that launches apps without user intervention, and (b) has this method been exploited by malware that does not require a human to actually consciously execute the malware?

I can imagine some ways one might write malware to take advantage of credulous MacOS X users, but I really can't imagine anything on MacOS X that would produce the huge torrent of self-propagating executable traffic that has swamped whole networks of MSFT installations. I'd be eager to see it.

On the other hand, with respect to "oh, they don't target it because it's so small", I suggest a peek at Netcraft's survey of web servers. IIS has less than a third of the web servers on the planet, whereas Apache vastly dominates the landscape. Why is it my logs never show attacks by infected Apache installations? Ahh, perhaps it's to do with the security architecture ....

October 24, 2005 9:19 AM

Blogger Sandor said...

Well, as a long run computer user (25 years now), I thought I've seen it all and been everywhere, but as any categoric affirmation, I'm wrong.

In the early days of viruses (circa 1985), they were not more than geek's expression of art form or to make practical jokes to friends, until someone found the way to get profit from it. (Notice I'm not pointing fingers at no one).

I like the idea of the contest you threw out, because in my head the idea your original post intended was to encourage sportsmanship and to make your point clearly that OS X is the Superman of all OS.

Is there kryptonite?
can you see it around??

So, no problem for now, right?

But Lex Luthor may be around the corner, or maybe he's already been in Clark Kent's apartment seeding kryptonite everywhere (including his toothpaste).

My point is that in computer world, as any other human activity, there are no absolute things ( I think Einstein pointed out this first), and that you can't see something doesn't mean it doesn't exist.

As a MD I had a strict scientific formation, later, as a biostatistics teacher, I found that anything can be proven by statistic methods, and most important, and basic to any scientific knowledge, if you do a scientific trial and you don't get enough information or evidence you just say "I thought there were no OS X viruses, and as far as I can research or notice, there is no evidence to prove me wrong..."

BTW, I am an Apple fan since the Apple ][ (1979), and of course I've seen the evolution up to today (all this crap was written on a G4 OS X Tiger PowerBook), and believe me, we are not absolutely safe, but we are safer than running Windows. Will we ever be? No one knows; we still have a lot of evolution to see.

November 23, 2005 7:45 PM

Anonymous manuel said...

wil- what i really wonder about is this: why is there no "kill ie - make ff default"-virus for windows? read more about it on my site: http://peek.in/index.php/the-kill-explorer-make-firefox-default-virus/

reference to you :)

November 29, 2005 5:29 PM
