Cybercrime Game Theory: Why Apple’s Malware Grace Period Ended Early

Sourcefire researcher Adam J. O’Donnell, who used game theory to predict when Macs would be hit with malware.

It was always just a matter of time until malware writers started targeting Macs. Until suddenly, time was up, much sooner than expected.

The Flashback Trojan that infected 700,000 Macs at its peak earlier this month represents a rude awakening for Apple users who long believed their computers to be immune from the kind of malicious software that infects PCs. Security researchers know that Macs are no better protected from cybercriminals’ attacks than Windows machines. But for years, it was believed that Apple’s low market share would protect it from online evildoers. Why waste time coding a virus for Apple’s tiny sliver of users when a much vaster sea of vulnerable Windows machines was waiting to be infected and hijacked for click fraud, denial of service attacks or credit card theft?

But fraudsters are shifting their focus to Macs nonetheless. In a Web conference with reporters Thursday morning, antivirus firm Kaspersky presented stats showing that instances of Apple malware have climbed steadily from practically none in 2003 to around 250 this month. (See chart at left.)

The causes of that shift have a little to do with Apple’s growing market share, says Adam J. O’Donnell, a security researcher with the firm Sourcefire. But they also have a lot to do with the security of Windows users.

Four years ago, O’Donnell wrote a paper for IEEE Security & Privacy (available in PDF here) that used game theory to predict exactly when malware writers would turn their focus to Apple’s Mac OSX. He assumed that non-Mac users run antivirus software, that Mac users don’t, and that antivirus software has an 80% success rate at detecting new variants of malware.

Then he wrote some simple equations. (Skip this paragraph if the word “equation” makes you cringe.) If v is the value derived from successfully attacking a target computer, and f is the market share of non-Apple computers, then cybercriminals would start hitting Macs when (1-.8)fv = (1-f)v, based on that 80% antivirus success rate. Solve for f, and you get 5/6.

In other words, Apple would have to reach more than 16% market share before it’s an appealing target for cybercrime. So why are Macs already being infected en masse with malware when they only have around 11% market share, by IDC’s last count? (See chart at right.)

It’s certainly not because cybercriminals are irrational, says O’Donnell. It’s because antivirus programs became more effective than he bargained for.

“I assumed that antivirus effectiveness rate was around 80%. But as that number goes up the market share where Macs become interesting targets goes down,” he says. “If we look at the limits, as antivirus effectiveness reaches 100% it becomes very interesting to attack Macs.”

In fact, antivirus does seem to be detecting malware at a significantly higher rate today than the 80% that O’Donnell factored in. According to a March test by antivirus auditor AV Comparatives, the best antivirus software detected 99.7% of malware variants in a test set of 300,000 samples, and the worst antivirus software, Microsoft’s free Internet Security Essentials, detected 93.1%. (In Microsoft’s defense, its program also had the fewest false positives of any tested.)

When I plug that least-optimistic 93% detection rate into O’Donnell’s equation instead of the 80% he assumed in 2008, I calculate that Apple would only need to have 6.5% market share before it started attracting cybercriminals’ attention. And given that’s a threshold Apple passed years ago, it’s no wonder fraudsters are experimenting with mass Mac attacks.
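
The threshold calculation above, carried through in general form as an added derivation (it is not taken from the article or from O’Donnell’s paper). The symbols d for the antivirus detection rate and m for Mac market share are introduced here as assumptions; f and v are the article’s, and the model’s assumptions (Mac users run no antivirus, the same v on both platforms) are unchanged.

$$
(1-d)\,f\,v = (1-f)\,v \;\Longrightarrow\; f^{*} = \frac{1}{2-d}, \qquad m^{*} = 1 - f^{*} = \frac{1-d}{2-d}
$$

$$
d = 0.80:\ m^{*} = \frac{0.20}{1.20} = \frac{1}{6} \approx 16.7\%, \qquad d = 0.93:\ m^{*} = \frac{0.07}{1.07} \approx 6.5\%, \qquad d \to 1:\ m^{*} \to 0
$$

$$
d^{*} = \frac{1-2m}{1-m}, \qquad m = 0.11:\ d^{*} = \frac{0.78}{0.89} \approx 87.6\%
$$

Read the other way, the last line says that at the 11% market share cited above, the model makes Macs worth attacking once detection on non-Mac machines exceeds roughly 87.6%, which is below the 93.1% reported for the weakest product in the AV Comparatives test.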

Article source: http://www.forbes.com/sites/andygreenberg/2012/04/20/cybercrime-game-theory-why-apples-malware-grace-period-ended-early/?feed=rss_home
