Monthly Archives: January 2008

Why there’s so little malware for the Mac

Recently, Mac expert John Gruber has been asking why there is effectively no malware [malicious software] for the Mac. So far, the theories people have offered don’t match what I see as the reason.

In a nutshell, it’s because malware is no longer a hobby. It’s big business, with all that entails: economies of scale, industry consolidation, and standardization. All of which make it cheaper to target Windows and abandon the Mac.

There are lots of ways you can make money from controlling someone else’s computer. You can steal information (bank account numbers and passwords), or you can do things you wouldn’t want traced back to you, such as sending spam.

It turns out that if you want to get information, it’s often easier to ask people than to search their computers. Just send out email that looks like it came from the bank, using some scary pretense to urge them to log onto the bank website through a phony link provided in the email. This is known as a phishing attack. (Banks make this easier by regularly sending email that looks less legitimate than the phishing attacks.)

Much of what criminals want to do with random people’s computers involves sending spam. And the rest is similar enough that for the sake of argument, I’ll just focus on spam.

Back in 1997, there were plenty of unprotected mail-forwarding computers (“open relays”) so you needed only a little technical skill to send all the untraceable email you wanted. By 2000, the open relays had been closed, but security was still lax enough that you could hire someone to break into enough computers to send your spam. If you (or the person you hired) were a Windows expert, you’d break into a Windows computer. Otherwise you might target Mac or Unix machines.

We’ve come a long way, security-wise. These days, all the really dumb mistakes have been fixed. As a result, you can’t just hire a smart kid off the street and start spamming. You have to hire someone who’s got some specialized skills.

But why pay $80,000 to hire an unscrupulous professional, when you can rent all the compromised computers you want at a reasonable price? That’s the value proposition of a botnet. The best and the brightest criminal minds write malware (such as the Storm worm) to take over millions of computers. Then they resell computer time at a price that maximizes their profits: low enough to attract as many customers as possible, but as high as those customers are willing to pay.

The costs of running a botnet are something like:

  • The cost of developing the software to recruit computers, which is an ongoing expense as exploited computers get cleaned off or retired, and as security holes get closed.
  • The incremental cost of adding one more computer to the network. Practically zilch.
  • The cost of developing and maintaining the software used to access the botnet.
  • General business expenses: sales, marketing, etc. For a business this big, organized crime is probably involved.

Like so many software businesses, there are virtually no incremental costs. A virus that is good enough to spread to 100 computers will likely spread to 10,000 computers. And if you have enough of the compromised computer market, you can hire a whole team of people to keep you one step ahead of the security experts.

The economics favor taking over more computers than you need and using each one as little as possible, since people aren’t likely to fix their computers if the malware never becomes a nuisance.

So let’s say you have a big botnet, and you want to make it bigger. Which is the cheapest way to grow it by 5%? (A) Have your existing staff (plus maybe a few new hires) make your existing malware 5% more effective, or (B) hire some Mac or Linux experts, and capture a comparable portion of those computers?

To target a Mac or Linux computer, you need to know some sophisticated details about how those operating systems work. And it’s a moving target: as exploits become known, they get fixed. You can’t just hire run-of-the-mill programmers. Plus you’ll need to rewrite your payload (the software used to access the botnet.) And the more software you have on target machines, the more information you’re providing to your adversaries. So you’d end up nearly doubling your development staff and end up with a software platform that’s harder to maintain and leaves you more exposed. It’s hard to imagine a scenario where that makes sense.

And that’s assuming that you even want to grow the botnet. Once you have enough computers to satisfy the demand, being more clever just gives your adversaries more bugs to fix–and more incentive to fix them.

Mr. Gruber asks what the situation would be like if the PC market were more evenly divided between Mac OS, Windows, and Linux. So long as there are enough PCs to satisfy the demand for zombies, there is no reason for the entrenched players to branch out into Windows or Linux. And the cost to develop a competing botnet would be big: software development, sales and marketing, law enforcement evasion, kneecap protection, etc. One could imagine a world where Windows computers are in the minority, but common enough to satisfy all of the demand. Indeed, it may be the case that a large percentage of the zombies today are running Windows 98.

In short, the notion that Macs should get 5% of the malware because they have 5% of the market is based on the notion that there are lots of independent malware writers. If there are a small number of big players, and Macs aren’t strictly needed, then it makes sense for there to be no malware to speak of for the Mac.


As a postscript, I’d like to mention that this discussion is just about malware. I mentioned phishing before, and that’s just one example of a cross-platform attack: persuasive ploys are just as effective against Mac users as Windows users. And computers have become hardened to the point that the Storm worm, responsible for the world’s largest (known) botnet, requires human intervention to spread.

Focusing too much on the OS misses the point: the weakest link in computer security is no longer the computer. We can debate whether the Mac’s “are you sure you want to install this?” warnings are better than Windows’ but at the end of the day, a sufficiently motivated user is going to bypass any security feature.