Just a week ago the Windows world was infected by the LoveLetter
worm, which was labelled the first Open Source virus on
Slashdot and spawned four variants within the first day. The media was
hysterical, often forgetting that every operating system
besides Windows was immune to the "Love Bug."
Anne Onymus has done some leg work and managed to interview one
of the Mac community's leading code crunchers.
5/11/2K: Macintosh über-hacker Jeeves Stob (yes,
it's a pseudonym - and, we think, a clever almost-palindrome) gets
frustrated every time there's a major virus.
Like a lot of Mac users, Stob never received a copy of the LoveLetter virus that was
launched one week ago - at least not from an unwitting Windows
user. He figures it must be because all his friends are too smart
to run unknown enclosures or they use Macs.
Most likely, it's both.
Stob had fun perusing the Visual Basic code used to
create the Love Bug after a hacker acquaintance forwarded him a
copy. He said the code was not at all difficult to follow,
explaining why it was so easy for others to modify the source code
and create their own variants of the LoveLetter worm. Of course,
the whole thing depends on the tight integration of
Microsoft Windows, Outlook, and Visual Basic.
In Stob's words, "It's hard to say whether that integration is a
good thing or a bad thing. It lets you do some very powerful
things, but it also makes you a ready target for malicious hackers.
In fact, it seems that Microsoft's email clients (and only on
Windows) are the only ones capable of carrying such a payload and
distributing it so widely. The ubiquity of Windows and Outlook
among the masses creates a tempting target for the kind of people
who created Melissa and
LoveLetter."
As for the Mac, Stob says that's a whole 'nother story. Mac
users run many different versions of the OS and don't boot from a
hard drive called "C:" - this presents a lot more variables
for the potential Mac worm or virus maker. Mac users may or may not
have Java. They may have disabled AppleScript. A hacker cannot
depend on those kinds of resources when creating a virus.
Maybe that's why there are only about five-dozen Mac
viruses, compared with over 20,000 in the Windows/DOS
world.
Mac viruses tend to be easily contained. People using Disinfectant (240K), a
freeware antivirus program discontinued nearly three years ago, can
easily clean up all viruses created before the AutoStart Worm and Word Macro
viruses. The AutoStart Worm can be disabled simply by turning
off Enable CD-ROM Auto Play in the QuickTime Settings control panel
- and several free programs can detect and eradicate it, should
your Mac become infected.
As for Word macro viruses, there have long been patches and
settings to take care of them, too. Avoiding Word would also do the
job, but with an estimated 94% of computer users across platforms
using Word, that may not be a practical solution.
The Mac just isn't an attractive platform for the virus
maker.
I asked Stob to speculate on how one might create something like
LoveLetter for the Macintosh. He replied that it wouldn't be
terribly difficult to create the worm itself using AppleScript or
even the popular VISE software installer. As is obvious from
LoveLetter, it wouldn't be hard to get the average user to run
the program - just devise a cover letter and create a fitting
file name and icon for the worm itself.
The program itself could cause no end of problems: renaming
files, moving resources to other folders, overwriting files, etc.
This would be no trouble at all for a good programmer.
The biggest problem is viral reproduction. Just how could
the program send itself to everyone in the user's address book when
Mac users choose from such a broad variety of email clients:
Eudora, Outlook Express, Claris Emailer, Pegasus, Netscape,
QuickMail, MailSmith, Green, SafeMail, SnapMail, and PowerMail
among them - not to mention Web-based email?
The simple fact is, to successfully launch a program like
LoveLetter on the Mac, the hacker would have to address at least
the three or four most popular mail clients. Even then, with Mac
users representing perhaps 10% of the worldwide installed base,
the worm would have a tough time delivering itself to enough
people who had Macs, would actually run the program, and would be
using one of the targeted email clients.
No matter how good a Mac worm, because the Macintosh is a
minority platform, it could never cause the kind of widespread
damage and hysteria of Melissa or LoveLetter. There might be a few
isolated cases, but the media would never even take notice
of it.
Stob notes that hackers want notoriety, which means
they have to target Windows, the dominant operating system,
and its most common applications. This explains Word and Excel
macro viruses, as well as email-borne viruses that are dependent on
Microsoft email clients.
They won't get their fifteen minutes of fame any other way.
Has Stob himself ever created a virus? Grinning, he explains he
has a collection of viruses for almost every operating
system - safely stored on CD-ROM. He's learned a lot of tricks
and written his own code for any number of operating systems (he's
given up on Windows, because there's no challenge there), but has
never released a virus into the wild. "They're a great learning
tool," he notes.
Stob's personal favorite isn't really malicious, but something
akin to the Belgian "pie in Gates' face" scenario. Years ago, when
it looked like the NeXT Computer might actually compete with the
Mac, Stob created a program that would completely overhaul the
visual interface and play a sound at startup.
With Stob's little NeXT virus, Steve Jobs' little black box
acted just like a Macintosh.
- Anne Onymus
Further Reading
- Viruses on the Mac, Stephen Beale, MacWeek, 5/7/00. "The first Mac
viruses, nVir and MacMag, appeared in 1987...."