For many years, Mac users — and, indeed, Apple itself — have touted that "Macs don't get viruses". The party's most definitely over, and Flashback is (sadly) just the beginning. I've written about the subject of Mac security before, and it's one that invariably gets some folk a little on the touchy side. Still, last week's reveal of the extent of the Flashback botnet does rather point out something that I've been saying for quite some time. The scarcity of Mac viruses isn't a matter of innate additional security, or some kind of golden halo; it's a matter of market size and opportunity.
Classic malware/viruses/use-whatever-term-you-feel-like targeted individual systems and were largely destructive, whether that was a matter of your data, system, or just your time. Modern malware's all about one thing: money.
Whether it's directly ripping you off via hijacking your financial accounts, nicking your identity for other forms of theft or simply turning your computer into part of a for-hire botnet, cold hard cash is now the key reason for malware creation. Cold hard cash is exactly what Mac buyers have shown they're willing to part with in increasing numbers; while the Mac market is still a fraction of the Windows one, the growth rate in recent years has been outstripping the market by a surprising percentage, and that raises interest from the security community.
What's worrying about Flashback in this context isn't particularly the size of the outbreak — now correlated by Kaspersky at around 600,000 computers worldwide, most of them Macs. That's still only about two per cent of the Mac market, after all. No, what's concerning is the fact that it acts as a very large operational proof of concept. There has been proof-of-concept Mac malware in the past, along with very small-scale outbreaks of malware — typically associated with pirated software.
Flashback acts as a rather large banner ad to every malware writer out there: Macs are ripe for the picking. Indeed, based on many of the responses I've had whenever I've written about Mac malware, I'd say that it's a very ripe field indeed, whether that's due to the perception that Macs are somehow "bulletproof", or ardent fan belief that nothing bad could happen. Not only could bad things happen, Mac users, but you're living in an age when they happen and don't even let you know that they're compromising your system.
Some of that's inevitable. You can point to OS X's Unix underpinnings all you like, but the simple fact of the matter is that it's software written by human beings, and human beings make mistakes. Software is buggy — all of it — and where there are bugs, there are exploits. Exploits are exactly what malware writers look for, and as Flashback proved, malware doesn't even particularly need to rely on user input or acceptance to run.
So what's the solution? Do we all run out into the street screaming, waving our hands around and proclaiming, (in best Tim Brooke-Taylor fashion) that we're teapots? No, that's not really necessary. Although if you do feel inclined, send me the video — I could do with a laugh.
Once you're all tuckered out, make sure your system is updated and secured as best you can manage. It'd probably also help to point out to Apple that it'd be useful for them to be far more proactive with security updates in the future, given that the Java vulnerability that allowed Flashback to propagate was patched for other systems nearly two months ago.