Large Prize Offered For Writing Mac Virus

Mordant writes "Some experienced Mac developers are offering a $25K prize to the first person to successfully infect two 'naked' Internet-connected Macs running stock Apple software. The best part is that if any Symantec employee succeeds in infecting the Macs, the prize goes up to $50K (Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda)!" Update: 03/26 20:24 GMT by Z : Well, that was quick. Jack Campbell has cancelled the contest, after he "...was contacted by a large number of Mac users, and Mac software professionals who shared their thinking with me about the contest."

Stupid

This has got to be one of the stupidest contests of this type I've heard about.

1) If a virus has spread over every Mac on the Internet, then it's harmful.

2) Many people would say that ANY virus is harmful, just by virtue of it being a virus (spreading, infecting.)

3) I'm so sure it's worth $50,000 for Symantec to finally put that "Antivirus companies don't write viruses" myth to bed.

4) We're going to use antivirus software to determine if we've been infected... which will only catch previously known viruses.

5) Hey you guy that wrote the virus that spread to every Mac on the Internet: just identify yourself afterwards, and we'll pay you.

Re:Stupid

It's a quote from Full Metal Jacket [imdb.com] directed by Stanley Kubrick:

Hartman: Private Joker, do you believe in the Virgin Mary?

Joker: Sir, no sir!

Hartman: Well Private Joker! I don't believe I heard you correctly.

Joker: Sir, the private said "No sir!", sir!

Hartman: Well, you little maggot, you make me want to vomit!

...

Hartman: Are you trying to OFFEND me?

Joker: Sir, negative sir! Sir, the private believes that any answer he gives will be wrong, and the senior drill instructor will beat him harder if he reverses himself, sir!

Hartman: Who's your squad leader, scumbag?

Joker: Sir, the private's leader is Private Snowball, sir.

Hartman: Private Snowball!

Snowball: Sir! Private Snowball reporting as ordered, sir!

Hartman: Private Snowball, you're fired! Private Joker is promoted to squad leader.

Snowball: Sir, aye aye sir!

Hartman: Disapear scumbag!

Snowball: Sir, aye aye sir!

Hartman: Private Pyle!

Pyle: Sir, Private Pyle reporting as ordered, sir!

Hartman: Private Pyle, from now on, Private Joker is your new squad leader, and you WILL bunk with him. He'll teach you everything, he'll teach you how to pee!

Pyle: Sir, yes sir!

Hartman: Private Joker is silly and he's he ignorant, but he's got guts, and guts is enough.

Re:Stupid

No the article doesn't say that explicitly, you'd have to understand how viruses spread, and make a logical connection to get there.

Let me help you out.

Here's my paraphrasing of the individual claims, from memory. I'd quote better, but oh look, they've cancelled already.

-We have two Macs on different Internet connections. We won't tell you the IPs.
-We're going to check for the next couple of months and see if they are infected, just by being on the Internet.
-(Vague statements about being successful enough in the wild)

Leaving alone the email vector, which I've agreed elsewhere is(was) viable, how do the viruses get onto their two Macs? Has to be both, mind you.

Re:Stupid

DVforge is owned by one Jack Cambell [jackwhispers.com], a known con artist and admirer of publicity stunts. This is exactly that and nothing more: a publicity stunt.d I'd be very surprised if 1) either of the two computers actually exist, 2) the prize money exists, 3) if the computers exist and the prize money exists, then Jack will ever pay up if someone wins.

Re:Stupid Publicity Stunt

A quick visit to the website reveals that their
"Mac Virus Contest" is a totally bogus bit of
showmanship. ( From the: "Even bad publicity
is still publicity" Department ):

DVForge Virus Prize 2005
The Contest That, Sadly, WIll Never Be

Contest goal: To lay to rest, once and
for all, the myths surrounding the lack
of spreading computer virii on the
Macintosh OS X operating system, by
sponsoring a contest that challenges
virus writers to actually prove that
they can introduce a harmless virus
into two modern OS X Macs.

That was the goal of a contest
announced recently by DVForge, but,
due to a variety of influencing factors
was cancelled shortly after having been
announced.

A Statement About The Contest Cancellation
"In response to the statements put forth
this past week by Symantec Corporation
suggesting that Mac users are at
substantial risk to infections from viruses,
our company crafted and announced a contest
that would have paid a $25,000 prize for
the successful creation of such a virus,"
said Jack Campbell, DVForge, Inc. CEO,
"During the first several hours after making
the public announcement, I was contacted by
a large number of Mac users, and Mac software
professionals who shared their thinking with
me about the contest. A few of these people
are extremely well-regarded experts in the
field of Mac OS X security. So, I have taken
their advice very seriously, and have made
the difficult decision to cancel our contest.

I have been convinced that the risk of a virus
on the OS X platform is not zero, although it
is remarkably close to zero. More importantly,
I have been convinced that there may be legality
issues stemming from such a contest, beyond
those terminated by our own legal counsel,
prior to announcing the contest. So, despite
my personal distaste for what some companies
have done to take advantage of virus fears
among the Mac community, and my own inclination
to make a bold statement in response to those
fears, I have responsible choice but to retract
the contest, effective immediately."

DVForge, Inc. supports honesty and integrity by
manufacturers in all public communication. And,
we strongly discourage the use of exaggeration,
innuendo, or loosely stated claims in an effort
to increase sales of a company's products. We
believe in accurate, fair marketing statements,
and in allowing an accurately informed public to
then make its own decisions about purchasing,
or not purchasing, a company's products or
services. We implore all Mac industry businesses
to support these same values.

We do not endorse the creation or distribution
of computer viruses. U.S. and international law,
as well as simple good judgment forbid the
transmission of computer viruses.

Re:Stupid

Oh you say, no fair pointing at third party software bugs, they don't count. Well sure they do

It is not correct, however, to blame Apple for the bugs in Apache. When people rant about bugs in IE, they blame Microsoft and the IE developers. When people rant about bugs in firefox, they don't complain to Torvalds, do they?
This competition was about the bugs on Macs, and the accusations that Macs are as vulnerable as Windows PCs. Third party software is not "Macs." The competition compares OS X and Windows, not OS X with [product] and Windows with [product.] However, it would be valid to blame vulnerable first-party software - such as Finder, or IE.

Re:Stupid

s/their/they're/
s/theve/they've/

Remember kids, if you can replace your their or there with "they are" and have it make sense, it's really "they're". If you can replace your "theve" (?) with "they have" and have it make sense, it's really "they've". Contractions!

Re:Stupid

well. the contest is REALLY about finding a remote exploit hole in a mac.

because that's what it burns down to, making it self replicating wouldn't be much of an addition.

but why bother.. just send a chain letter with an executable for mac.. that amounts to what is some of windows viruses nowadays anyways(and that's what all symbian viruses are and they're getting awful lot of attention - they're just self replicating 'mailers' that the user needs to install themselfs).. and points out that a system that has no holes doesn't really protect you from everything(it doesn't protect the user if the user WANTS to install the software, which many do).

Not as easy as you think

Sending an executable as a mail attachment is easy, but fooling a user into launching is is much harder on the Mac than it is on Windows.

Unlike Windows, the MacOS uses filesystem embedded filetype and resource fork information to determine what kind of file a file is. You can't just change the filename into photo.jpg or letter.doc to make the attachment look like a photo or a word document. If it is an executable, the Mac will show it as such.

This means you will have to convince the user that the ececutable in question comes from a trusted source and that it is safe to launch. Even then, MacOS X will open a dialog that explains to the user that this is the first time this application is about to be launched, that it might be dangerous and then ask if the user wants to proceed. At that point most Mac users will cancel if they are not sure what this application is and where it came from.

But even if they proceed to launch the application, then the application still won't be able to install anything on the user's machine. If it tries to do that, the user will again be notified that some software is about to be installed and that an administrator password is required to do so.

Somebody would have to be incredibly naive to ignore all the warnings and still proceed.

This type of attack is rather unlikely to be successful in causing a spreading of the trojan. The propagation mechanism is far too weak. The news about such an attack will be all over the net before the trojan had a chance to propagate.

If anybody is to succeed with an attack against the Mac, it would have to be an exploit of some security flaw in the OS or in a privileged application.

Re:Not as easy as you think

The warning that an executable is being launched for the first time is standard on MacOS X for _any_ executable. The warning is initiated by the OS, not the executable itself. It thus applies to _every_ program indeed.

If you haven't seen this, then you either haven't launched any new applications since this feature was introduced, or you are running an older version of OSX. I can't tell you exactly when this was introduced, but it has been around for a while now - my best guess would be sometime between 10.3.3 and 10.3.7.

As far as your assertion of "stupid users" who will click on anything and proceed regardless of how many warnings they are being given, is concerned I tend to think that it is not the "stupidity" of users but the presentation of alerts by the OS which makes a big difference.

Remember that there have been attempts of trojans for OSX not so long ago and they didn't cause a major impact. I seem to remember that only one person reported to have launched a hostile script and getting hit as a result.

In my opinion the way the alerts are being presented makes a big difference. I believe that Microsoft could improve the security of Windows users significantly if only they worked out how to properly alert people, how to design alerts in such a way that even lazy folks who always click through will have to stop and think before they click.

Re:Not as easy as you think

The warning that an executable is being launched for the first time is standard on MacOS X for _any_ executable. The warning is initiated by the OS, not the executable itself. It thus applies to _every_ program indeed.

This thread has the wrong idea about how this feature works. The dialog does not appear the first time any app is launched. It only appears if you try to open a document or URL that results in the Finder having to launch an app that you have never launched before. There are very few legitimate situations where you would have to do this, so it's quite likely that some users have never seen the message before.

This dialog is meant to deter the following exploit:

1. User clicks malicious link.
2. Page uses scripting to automatically downloads a disk image.
3. If the user has "open safe files" enabled in Safari, the disk image will be automatically mounted in the Finder. This makes the Finder scan the disk image for applications and add them to the Launch Services database, which is how it knows that application X opens file type Y- and that application A is a helper app for URL scheme B.
4. The disk image contains an application whose metadata indicate it can handle URLs of type malware://. The Finder sees this and registers it.
5. The malicious web pages waits a few moments so the previous few steps can complete, then attempts to redirect to malware://blah.
6. The Finder helpfully launches the application on the disk image to handle the URL. Owned.

Not as hard as you think

"Somebody would have to be incredibly naive to ignore all the warnings and still proceed."

Yes, and if ignorance really was bliss, the world would be one hell of a lot happier then it actually is.

I'm an IT consultant.

I've watched countless users sit there and click though endless dialogs warning them about how they're about to unleash bubonic plague upon the world or whatever. These people regard warnings as a hassle, something to be dismissed as quickly as possible. They do not regard them as an actual warning. Warnings are something that apply to other people.

If you change the default button to be the "safe" option, they click-and-close, try again and click-and-close, try again and click the other button and continue. They don't do this by reading the dialogs, they do this because if it didn't work the first two times they tried the first button, then it must be the other one.

If you require users to enter in "please destroy all my data" on the keyboard before running something, they will happily do that, to. While asking me why it asks them that.

If you require them to type a password, they'll type that in upon request, too. Look at how successful phishing scams are.

If all this fails to get some badware on the computer, users will seek out things like "Hotbar", "Gator", "Comet Cursor", "Bonzai Buddy", and so on, and try to install them.

People just don't want to have to think. That's the ultimate problem.

There's no doubt that the average MS-Windows system, as deployed, is hideously insecure. However, experience has shown me that even if you lock the system down well, users will still try and destroy it.

I've found the only way to keep users from compromising the security of their system is to remove their ability to do so. Then they just complain to me constantly that they cannot install all their badware. But then I can just tell them "Tough!".

Re:Easier than you think

Nice theory, but here's a few more points for you:

1. Finder doesn't display previews of Postscript files.
2. Finder doesn't display previews of EPS files, either. (It might if they have attached bitmap previews, but I'm not sure.)
3. Finder does display PDFs natively (and Quartz uses very PDF-like display lists natively), but PDF is not Turing-complete.
4. It doesn't matter if the language is Turing-complete if it executes in a contained environment. Malicious code can only harm what it has access to, by definition.

Postscript has been around two decades now, and AFAIK the only "virus" ever reported written it couldn't do anything but reset your Apple Laserwriter password. If you think you can write a Postscript program which reformats my hard drive, talks to my mail client, or even just brings up a dialogue box on my screen that says "Hi, I'm PostScript!", you're welcome to start hackin' now.

They should be the experts.

3) I'm so sure it's worth $50,000 for Symantec to finally put that "Antivirus companies don't write viruses" myth to bed.

Their people should be among the best qualified to show how easy it is to infect a Mac.

Would you accept the word of a locksmith telling you that your current locks aren't sufficient and that you should give him lots more money to put new locks on your house if he cannot SHOW you how easy it is for him to pick your current locks?

It's time for Symantec to put up or shut up. Either Macs do need their software AND they can prove it or they're just pushing their software with lies.

1) If a virus has spread over every Mac on the Internet, then it's harmful.

That's an awful big "if".

4) We're going to use antivirus software to determine if we've been infected... which will only catch previously known viruses.

That's a real problem. Either the virus writer has to modify an existing virus so that its signature is picked up, or send the virus software companies a copy of his virus so they can update their signature files.

5) Hey you guy that wrote the virus that spread to every Mac on the Internet: just identify yourself afterwards, and we'll pay you.

That's about how it will go.

Either someone has to show how it can be done, or Symantec needs to shutup about how vulnerable Macs are.

Personally, I don't see much of a problem there.

Worms attack through ports.

Viruses load themselves into memory and infect other files.

Trojans only run when you launch them.

From the article, it looks as if they're hunting for worms or exploitable holes in apps. But the most common Windows-side issues now are trojans emailing themselves to everyone.

I am going to laugh...

for days when someone suceeds at this. Never dare someone to do stuff like this, it is just too tempting of a target.

Re:It would only make OSX more secure

I hate to break it to you, but there's very little that Apple (or Mircosoft, or Linux, etc) can do to prevent many types of viruses, since they are installed by the user themselves. Think about a traditional virus that infects a binary and is run when the program is run. Or a trojan program that does bad things to your system. Good file permissions can prevent the spread of such viruses and limit their damage, but they aren't that hard to write. I've even seen prototypes for a shell script virus (in an educational setting, and non-destructive except for polluting your shell scripts). There's very little technically that anyone can do to prevent a shell script virus, at least not without making the system difficult to use (or radically redesigning the system, which will probably have other drawbacks).

Now, if you're talking about worms, yes most spread through security holes in the system, and those can be fixed. But there are many classes of malware where the security "hole" is the human doing work. And those are very hard, if not impossible to prevent.

Balance

Nice balanced submission you got there. As far as I'm aware there is no conclusive evidence that shows Macs are inherently more secure and would not suffer the virus problem that Windows does if it had Windows' market share. Note that a lot of the virus problem comes from users showing bad practice (clicking 'Yes' to install things they really shouldn't, opening attachments they really shouldn't). I wouldn't be suprised if Mac users were on average more savy, and this could contribute.

Re:Balance

As far as I'm aware there is no conclusive evidence that shows Macs are inherently more secure and would not suffer the virus problem that Windows does if it had Windows' market share.

The conclusive evidence is that OS X is a flavour of *BSD.

If that doesn't strike you as conclusive, then feel free to explain how it is that Apache running on *BSD has such a better security record than IIS running on Windows, despite the fact that the Apache setup has, always has had, and most likely always will have too, a market share far greater than that of IIS.

That certainly strikes *me* as being a pretty compelling counterargument to the greater market share theory of hacker victimization, anyway...

Re:Balance

Being based on BSD has nothing to do with anything, the userland/desktop space is where most exploits have been in recent years and the Aqua shell is no more free from exploits than Explorer is.

In particular, appfolders have had some pretty nasty broken-by-design security exploits like the URL handler variants where an internet enabled DMG would self-mount itself into the filing system and automatically reconfigure URL schemes in Safari, all without the user doing anything other than visiting a web page. I think (hope) they fixed that but it was still several months until all the holes and variants of this technique were "fixed" (really just hacked around). The help system exploits Apple suffered were similar in nature.

Essentially, Apple haven't proven themselves any more skilled at designing secure desktops than Microsoft have. That said, this sort of competition is fairly pointless: being able to "infect" a machine with no action taken by the user boils down to finding buffer/heap overflows and the like in running software. Many viruses propogate with a bit of help from the user, even if all that involves is surfing the web.

Re:Balance

Being based on BSD has nothing to do with anything,

Are you serious? It's a significant swath of the OS that you don't have to worry about!

the userland/desktop space is where most exploits have been in recent years

Wrong. Most 'theoretical' exploits have been in the BSD/OSS side of OS X. Absolutely none of those 'theoretical' exploits have been known to have been actually 'exploited' (all you've had was a 'click this to test' proof-of-concept).

the Aqua shell is no more free from exploits than Explorer is.

That's absurd. Aqua isn't what you use every day to visit untrusted sites with, while Explorer is. That makes it harder to exploit, which makes it inherently more secure.

I think (hope) they fixed that but it was still several months until all the holes and variants of this technique were "fixed" (really just hacked around).

The 'hack' fixes came out the same day, Apple's fix was about two weeks later, primarily because it wasn't a 'patch', it was a change in the policy for running apps from Safari.

Essentially, Apple haven't proven themselves any more skilled at designing secure desktops than Microsoft have.

Except for the fact that there have been *zero* malicious exploits for OS X.

Zero, none, el zip-o, a big goose egg (like the one on your face).

Re:Balance

The conclusive evidence is that OS X is a flavour of *BSD.

This is a meaningless statement. It is unclear what bearing the BSD heritage has on the ability of OS X to thwart the kind of trojan/malware attacks that Windows users are subjected to.

If that doesn't strike you as conclusive, then feel free to explain how it is that Apache running on *BSD has such a better security record than IIS running on Windows

Without knowing which versions of Apache, BSD, IIS and Windows you are referring to, it is impossible to establish whether your assertion that the Apache/BSD combo is more secure than the IIS/Windows combo is actually true.

And even if it were universally true, it is unclear what bearing any purported security benefit of Apache/BSD over IIS/Windows has on the ability of OS X to thwart the mostly email-propagated attacks that Windows users are subjected to.

That certainly strikes *me* as being a pretty compelling counterargument to the greater market share theory of hacker victimization, anyway...

If you think a non-sequitur based on unsubstantiated premises qualifies as a "compelling counterargument" of any sort, I suppose.

Re:Balance

clicking 'Yes' to install things they really shouldn't

Macs use verbs in dialog boxes, instead of 'Yes', 'No' and 'Cancel'. The button to install software on a Mac would be 'Install Software', not 'Yes', so clueless users have a better sense of what they are doing.

Discussed better here [xvsxp.com]

Re:No conclusive evidence

"Only if you choose to ignore the preponderance of evidence in the form of viruses targetting Windows."

Which may or may not be do to Windows market share. It may also not have to do with any one factor. The problem I see is when Windows zealots use the market share argument exlusively to defend Windows.

I'm really trying to extract your point from your post and not having much success.

How is Classic MacOS and DOS less secure? DOS had zero internet connectivity out of the box. Even if you added a TCP/IP stack there were no services you were going to run on DOS. If you ran Windows 3.1 or something you could run Netscape I think. But then, here we are with Windows (actually, DOS) again with about the same market share as Windows has today and no rampent network exploit problem. So again, I'm not sure what your getting at.

The fact that Windows is exploted is proof that it is insecure. That is my point. Speculating that Linux or Mac would be just as insecure if they had the same market share is just speculation. It also ignores the possiblity that a system that was easier, or even as easy, to exploit as Windows but had a smaller market share might also be exploited. So the fact that Linux and Mac exploits are not a pandemic does not mean that they are just as insecure as Windows. It's not "fact-free hystrionics", it's just observation and logic.

Now if you think Linux is insecure because Windows is exploited maybe you can elaborate on why that is so I can better understand what your getting at. If on the other hand your arguing something else, please don't confuse it with my argument because you make me feel like you are'nt really paying attention to what I am saying.

Kind Regards

Mac OS X is more secure, period.

On this subject, I recently answered a query raised during a Chronicle of Higher Education colloquy. I believe it touches on the major issues here.

Question from Lisa L. Spangenberg, UCLA:
Given that there are no viruses or Trojan horses for the current Macintosh system, OS X 10.3, and given that it is essentially UNIX, and given that the most common applications (Microsoft Office Suite, Adobe applications) work very well on OS X, why don't more institutions adopt Macs and encourage faculty to use them?

Gregory A. Jackson:
Well, first of all, there are viruses and Trojans that afflict MacOS, witness Apple's periodic release of security fixes to counteract them.

First, that isn't true, regarding viruses. To date, there are no known viruses that specifically target Mac OS X. Last week's "trojan" was nothing more than an application with a different icon and misleading name that displayed a dialog box (which was an example posted to a USENET Mac programming group to illustrate this fact that has been known and possible on Mac OS for over twenty years; an antivirus vendor apparently thought this an appropriate time to dress it up, incorrectly, as some new, terrible exploit easily adapted for malicious means, when in reality it's nothing more than an application).

If you're referring more broadly to security issues in general, almost all of the security and security-related updates for Mac OS X to date have been updates for primarily server-type services that ship with the OS, all of which are disabled by default, and the lion's share of which are never even enabled, much less touched, on the vast majority of systems. I'm not saying that they should be ignored, but Apple's comprehensive and swift response to the most minor security issues does not rise to the level of the staggeringly numerous, sometimes completely automated, remote exploits, worms, and so on for Windows. It is no longer possible to even get through a full installation Windows XP on a machine connected to a public network without it being exploited before you even have a chance to patch it.

It's definitely possible for Mac OS X to have viruses, worms, trojans, and other malware - Mac OS X is not invulnerable, and no sensible person would claim it to be. But the underlying philosophical design principles are fundamentally more secure than Windows, period. Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, and no current known ways to exploit a machine remotely, not to mention that potentially exploitable network services are disabled to begin with anyway (and remain that way unless explicitly enabled), a stark contrast to Windows. Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit. On the other hand, there are still, to this moment, unfixed vulnerabilities in certain versions of Outlook that will spread certain virus variants simply by previewing a message, and nothing more. There is simply no equivalent to this on any other platform. Microsoft's track record and attitude on security (though admittedly much improved) versus other vendors speaks volumes on this topic.

It takes work and thought to do security, and do it right. Ease of use and security aren't mutually exclusive. The key is to make security easy to use, and Apple has so far been on the right road with Mac OS X.

But the small installed base of Macs makes them an unexciting, low-visibility target for the bad guys, and so the weaknesses don't get exploited much.

The marketshare argument only goes so far. This seems to be a version of the "Macs have no software" argument. It is indeed true that they are targeted less for this reason. But the argument that it's straight cause-and-effect is disingenuous