Got root?

Mac, Linux, BSD open for attack: Kaspersky is yet another in a long running series of predictions that we non-Microsoft folk are in for a rude awakening as soon as those bad-boy virus writers notice us.

In spite of BSD and Linux owning the market when it comes to web servers, Linux tearing up the data centers for back end servers of all types, making strong moves in the laptop arena and even gaining significant market share in the general user market, that just hasn't happened, yet.

I had to say "yet" because there's some unwritten law that says you have to imply impending ruination when mentioning this subject, even if you are stating facts that would seem not to support this dire future. To wit, notice the closing word in this title: OSX Malware not taking off yet

Today we know of over 236,000 malicious malware items. These are mostly meant for the MS-Windows environment. Only about 700 are meant for the various Unix/Linux distributions. Current known Mac OSX malware count is even less with 7, so pretty much non-existent at the moment. For older builds of the MacOS there are 69 known malicious items, with an additional 8 items for MacHC that used hypercard script extensions which had to be manually installed as an addon package.

Apparently this untenable situation has now existed for long enough that it is actually causing distress in some quarters: Mac.Blorge reports Experts baffled by lack of malware.

That piece points out that Mac systems have now reached over 8 percent of overall market share. And "yet".. the uncooperative malware writers just aren't doing what they are supposed to do.

Or maybe they are just having a harder time doing it.

To be at marginally useful, malware needs administrative access. Without "root" (or its Windows equivalent, "Administrative user"), attacks are limited. Not impossible, of course, but harder and less effective. If you have to escalate privilege, that's one more lock to break. If you already have that privilege, you don't have to attain it. So who has "root"?

Well, just about every single XP machine outside of corporate environments is usually logged in as someone with admin privileges. Even in small businesses, that's the default situation because XP is just too annoying to use any other way. Ford Motor Company surely locks down its XP machines; Joe's Bar and Grille probably does not.

Unix machines? In corporate environments, "root" logins almost never exist. Sudo with limited privileges in the larger businesses, "root" for shutdown only even in small systems, I have rarely, rarely seen common use of "root" in business Unix systems.

Home Linux systems? Sometimes unsophisticated users do run as root. I've seen that, and I've also seen Linux systems get hacked with ordinary accounts using weak passwords. Home users can be sloppy. If Linux has a weakness, there it is: naive new users.

Mac OS X? Almost never is anyone logged in as root. Most OS X systems don't even have a root password set; they operate only with sudo. The majority of Mac users likely don't even know that "root" exists, period.

So, the correlation betwewen likely root users and malware counts seems pretty strong, doesn't it?

• Windows XP - high number of "root" users - several hundred thousand malware instances
• Unix and Linux - "root" usage low - less than a thousand instances
• OS X - "root" usage almost nil - less than ten instances

Of course correlation doesn't always mean anything. Linux machines are often of higher value than OS X machines (more apt to be servers holding potentially valuable data), so that could explain why Linux gets attacked more than OS X. If Apple ever makes progress in the server market, things could change. However, we have to remember that Apple has a BSD base and BSD has a long standing reputation for better security. BSD has always been strong as web servers, so the attack value is there, and yet ("yet" again!) the reputation stands.

But we can't forget that hacking challenge where OS X was the first to succumb. Of course that wasn't like firing bullets against targets to see which fails first; the attackers made a conscious decision to concentrate their efforts on OS X first. That was probably because they knew something that made them think their method might be successful, and of course it was. My point here is just that although only a handful of threats exist now, a concentrated effort would likely turn up more.

Why isn't that effort being made? Probably the "lack of value" - OS X machines are usually not storing valuable data. That still leaves value as 'bots, though, but then we get back to the ease of compromise issues: Window's PC's are going to be easier to take over and the "herd" will be homogenous, with no need for different control code. The bot herder doesn't see Mac's as rich hunting ground and any such machines in a herd would need special handling - probably not worth the effort.

So which is it? The market penetration argument, the probable value explanation, or the "got root" stats? Or maybe all that?