Stop the Noiz

Mac Trojans Exploit User Vulnerabilities, Not Security Holes

Frank Fox - 2009.02.03 - Tip Jar

With the news that Trojans have been found in pirated software, is it time to start worrying that Macs are not secure?

Something has changed, right?

Well, the news is important, but don't sell your Mac just yet. There is a big difference between a Trojan and a virus.

Both a virus and a Trojan can do the same things to your computer once they are running, but how they get installed is very different. A virus gets in by exploiting a flaw in the operating system or an application, with no help from you, while a Trojan uses deception to fool you into installing it yourself. These differences are important and worth looking at in more detail.

We all need applications installed on our computers to get anything done. Most applications run in their own isolated environment, and if anything goes wrong, the app crashes but the rest of the computer keeps running. This wasn't always true, but modern operating systems like Windows XP and Mac OS X do a better job of keeping each piece of software walled off from the others.

Some software, like drivers, can't work in isolation. A printer driver has to talk to the operating system and to every application that prints, so it runs with far deeper access to your computer than an ordinary application. Drivers and similar software are deliberately allowed past the operating system's normal protections, because in order to function they have to do more than an application is normally allowed to do.

Where does this software get permission to operate with so much access? From you, the user. That's why you get those alerts when you install or first run a new program, and why an installer asks for your password: the operating system is checking with you before allowing anything new to run.

Once you run something for the first time, any malicious code it contains gets its chance to run, take over your computer, and mess things up. From the operating system's point of view this is not a security failure, because you, the user, allowed it to happen. This is why you need to know what you are doing before installing software. (This is why I don't like it when my kids install software from the Internet.)


Here is where Trojans come in. They are bad code hidden alongside good code. This is why the two Trojans were found in pirated software: the legitimate version of the software doesn't carry them. A user who downloads the pirated package unknowingly accepts the bad code along with it when installing. Sure, an antivirus program can test for this once its vendor learns about the problem, but that may be too late if you were one of the first to download the pirated software.
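The practical check that closes this gap, as an added example and not something from the original column: before installing, compare the download's SHA-256 digest against the one the vendor publishes on its own site (never against a digest shipped alongside the pirated copy). The installer bytes, the filename ExampleApp-1.0.dmg and the checksum file below are constructed here for illustration; the verification routine itself is general, and it parses the sha256sum/shasum checksum-file format so it can be run over a real download and a real vendor checksum file.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for a downloaded installer (not real product archives).
# GENUINE is what the vendor ships; TAMPERED is the same archive with extra code
# appended, the way a trojanised pirate copy carries a payload the original lacks.
GENUINE_INSTALLER = b"PK\x03\x04 example installer payload " * 64
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00payload-added-by-attacker"

# Hypothetical filename; a real vendor publishes its own.
INSTALLER_NAME = "ExampleApp-1.0.dmg"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of data as lowercase hex, the form sha256sum/shasum print."""
    return hashlib.sha256(data).hexdigest()


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>').

    Malformed lines (wrong digest length, non-hex, missing name) are ignored
    rather than trusted, so a corrupt checksum file cannot vouch for anything.
    """
    published: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # ' *name' marks binary mode in sha256sum output
        if len(digest) != 64:
            continue
        try:
            int(digest, 16)
        except ValueError:
            continue
        published[name] = digest.lower()
    return published


def verify_download(name: str, data: bytes, published: Dict[str, str]) -> str:
    """Compare a downloaded file against the vendor's published digest.

    Returns 'ok', 'mismatch', or 'unpublished' (no digest for that name, which
    is also a reason not to install: you have nothing to check the file against).
    """
    expected = published.get(name)
    if expected is None:
        return "unpublished"
    actual = sha256_hex(data)
    # compare_digest is constant-time; not strictly needed for a local check,
    # but it is the right habit whenever digests are compared.
    if hmac.compare_digest(actual, expected):
        return "ok"
    return "mismatch"


# In real use this text is fetched from the vendor's own site (over HTTPS), never
# from the same place as the download; here it is constructed from the genuine file.
VENDOR_CHECKSUMS = (
    f"{sha256_hex(GENUINE_INSTALLER)}  {INSTALLER_NAME}\n"
    "not-a-digest  bogus.dmg\n"  # malformed line, must be ignored
)
PUBLISHED = parse_checksum_file(VENDOR_CHECKSUMS)

if __name__ == "__main__":
    for label, blob in (("genuine copy", GENUINE_INSTALLER),
                        ("pirated copy", TAMPERED_INSTALLER)):
        print(f"{label}: {verify_download(INSTALLER_NAME, blob, PUBLISHED)}")
    print(f"unlisted file: {verify_download('Other.dmg', GENUINE_INSTALLER, PUBLISHED)}")
```

The genuine copy verifies, the tampered copy reports a mismatch, and a file the vendor never published a digest for is reported as such rather than waved through. A matching digest only proves the file is the one the vendor published; it says nothing about whether that vendor's software is itself trustworthy, which is the point the column makes next.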

The worst kind of Trojan is one that installs a rootkit. This kind of malware hides itself inside the operating system so that the operating system's own tools don't report that it is there, which makes it the hardest to detect and remove. Sony was accused of doing this with the copy protection software on its music CDs. This is not a good practice for legitimate developers, and Sony had to settle the lawsuits against it.

We know that a Trojan is software you installed yourself - you personally gave permission for it to be on your computer. You were tricked into accepting it, but the operating system did nothing wrong in following your request.

An application may be free of Trojans, but there will still be errors in its code (bugs) that usually don't hurt anything. Sure, errors may make the application crash, but the operating system should keep the damage contained to that one application. The good news is that people are constantly trying to find and fix these errors to improve performance and keep things running smoothly.


Among the people looking for these bugs are security researchers and virus writers. If the security researchers find a bug first, they are supposed to notify the programmers so it can be fixed. Once a bug is known to virus writers, they work out a way to craft a document, picture, web page, etc. that triggers it in just the right way. Instead of simply crashing, the application is tricked into running the bad code (the virus) hidden in that file, which can then mess with your computer.

Virus writers often don't even need to find the flaw themselves: the day a patch is released, they study what it changed and write a virus to exploit the flaw it fixed. This works because not every computer is patched that same day - or even that month. They have time to circulate their virus to the unpatched computers and wreak havoc. The sooner they release it, the more time it has before systems are patched.

This is often loosely called a zero day exploit, though the term properly means a flaw that is being exploited before any patch exists at all, when the vendor has had zero days to fix it. Either way, an exploit appearing within a day of a patch shows that these flaws are of familiar kinds and that the same sorts of mistakes are being made again and again. Constant work is going on to exploit computers, which in turn means there is probably a big financial incentive to find and exploit these flaws.


A special type of virus is called a worm. A worm carries its own way of copying itself to other computers, through email or directly over a network connection, without waiting for anyone to open a file. The problem with worms is that they spread themselves and can quickly infect millions of computers, as the Conficker worm has been doing for months on Windows PCs.

A virus is worse than a Trojan because it works through applications that you installed in good faith. You have to trust something, and applications from reputable vendors should be safe. Virus writers are exploiting the flaws for their own gain, but some of the blame does fall on the shoulders of the original software vendor for letting easy mistakes through.

Why the Mac has been better at security is a whole other story. Finding two Trojans in pirated software doesn't change things much.

Remember that a Trojan is installed by a person who has been tricked, while a virus tricks an application into running it. To be safe, don't run any software you are not sure of, especially pirated software. Also watch out for unexpected attachments in emails from people you don't know or who aren't in the habit of sending attachments. LEM
