Aug 31 2009

Welcoming Mac malware victims

Like many Windows professionals I laughed out loud when I read the headline, Cybercriminals create botnet using Macintosh computers. I swear, I heard angels sing! I was so excited, I couldn’t read the bloody thing! Symantec, in a brilliant stroke of comedy, published their discovery of the “iBotnet” and made me fall off my chair.

It just doesn’t get much better than this.

Like one CBC reader wrote, Where is your messiah now?

But the stars of this comedy show are the Apple fanboys. One distraught CBC reader and Macintosh user claimed, “no one has made a virus for MacOS X that can successfully propogate [sic] in the wild,” even though Sophos consultant Graham Cluley wrote about something called Leap-A three years before the fact.

I tell you, the sight of Apple fanboys in denial over the findings of real virus experts fills my heart with joy.


It doesn’t get much better than this. Here are Apple’s legions of fanboys screaming foul at Symantec, just because they discovered the thing and they’re using it to sell Mac anti-virus software. And to top it all off, we have Apple pulling a 2007 anti-virus advice web page, only to say, “um, since no system can be 100% immune from every threat, running anti-virus software may offer additional protection.”

Like so many Windows professionals I want to run up to my blog and write about rolling on the floor laughing at all of the Steve Jobs worshipers. Okay, so I have a weakness for kicking religious fanatics when they’re down.

We need to take the high road here. Windows pros deal with this every day, and now that Mac pros are dealing with it, we need to help.

With no Vista viruses in two years, maybe they can learn something from us.

Unfortunately, this is not the professional way. Windows professionals deal with ignorant users and moronic designs every day, and now that Mac professionals are dealing with the same morons, we should sympathize.

After all, Symantec is an undisputed champion of selling fear, and it is dreadfully easy to avoid Mac malware, and it is stupid to download pirated software in the first place; Macintosh PCs even use Intel processors these days. So aside from the name of the system, what is really so different between them and us?


I’m not saying give them special treatment. Only that it’s time to treat these former fanboys with the respect and humility they deserve, and help keep them malware-free and save them from bad design. After all, with no Vista viruses in two years, maybe they can learn something from us.

Mar 31 2009

Two months later — antivirus firms remain blasé over Conficker / Downadup worm

I showed you way back in early February how the antivirus firms remained calm & cool during a round of media hoopla over the Conficker / Downadup worm. Nearly two months have passed since then. It’s now the end of March … and the antivirus firms remain calm & cool.

In other words: nothing has changed.

IBM ISS reports ''AlertCon 1'' (normal) on 31 Mar 09 at 2105 ET

In all that time, IBM’s Internet Security Systems never raised its Internet threat level above “normal.” In all that time, Kaspersky Labs never raised its assessment of the worm above “moderate risk.” In all that time, McAfee never raised its global threat condition due to Conficker / Downadup. In all that time, the SANS Internet Storm Center never raised its Internet threat level above “green.” In all that time, Symantec never raised its ThreatCon due to Conficker / Downadup. In all that time, Trend Micro never posted a medium- or high-risk alert over the worm.

And what about antivirus vendor Sophos? Well, in the days leading up to this latest hoopla … they fretted more about Russian brides than the Conficker / Downadup worm.

I still can’t recall a time in the last twenty years when so many antivirus firms remained so calm during a media circus. A second media circus, no less. Color me stupefied.

Jan 21 2009

Media hype going up; vendor hype going down

A new headline at PC Magazine calls the Downadup worm an “epidemic.” Other news outlets have latched onto the story with similar weasel words and trigger phrases. If you take the “growing exponentially” claims at face value, then throw away your PC right now because we’re doomed. Experts predict this worm will infect at least 8.7 billion PCs by Sunday.

The antivirus firm behind the hype is now offering prizes to people who test their new product. “Wow, that’s really cool!” F-Secure doesn’t want all that global media exposure to go to waste, you know…

(“One computer for every dollar the ILoveYou virus cost, eh Rob?” Exactly! You’re catching on.)

In other words, I may have been mistaken in yesterday’s “died on the vine” comment. The media has waited a very long time to orgasm over a virus story and I once again wonder if they can hold back their ecstasy…

…Except there’s a tiny little problem. The antivirus vendors just don’t seem interested in it!

Take Symantec, for example — they actually lowered their ThreatCon status today from “2″ (elevated) to “1″ (normal). Kaspersky Labs still describes Downadup as a “moderate risk.” Neither McAfee nor Trend Micro has updated their alert pages. SANS continues to show a “green” Internet threat level. About.com virus expert Mary Landesman tackled a different subject in today’s column.

Symantec lowered their ThreatCon status today as media hype continued to build over the Downadup worm

And F-Secure…

Hmmm, F-Secure. You know, I don’t think F-Secure will like the rest of my column.

F-Secure — the antivirus firm behind the “nine million” estimate — announced they released a “Removal Tool” for the Downadup worm. Oh, and be sure to check out their new beta security product! “Feedback enrolls users into prize giveaways,” F-Secure bragged. “We recently received another batch of our very popular laptop stickers, so as a bonus, we’ll pass along a stack to Tomi [from the Customer Involvement Team].”

Waitaminit. Laptop stickers?!? Pardon me while I say “wow, that’s really cool!”

Folks, the press wants us to believe there’s a global “epidemic.” So what does F-Secure do with all the media attention they whipped up? Why, they turn it into an opportunity to recruit beta testers for a new product!

{sniff} Do I smell something familiar? Or did I just forget to flush the toilet?

Jan 20 2009

Believe it — reporters yawned over nine million infected PCs

My original notion for this column centered on the media hysteria I expected from F-Secure’s huffing over variants of the Downadup worm. Quoting from a (level-headed) story in The Register:

[The Downadup worm] that attacks a patched vulnerability in Microsoft Windows, is making exponential gains if estimates from researchers at F-Secure are accurate. They show 6.5 million new infections in the past four days, bringing the total number of machines it has compromised to almost 9 million. The astronomical growth stunned some researchers, although others cautioned the numbers could be inflated since the counting of infected computers is by no means an exact science. Most agreed F-Secure’s estimate was certainly plausible and if it proved to be correct, represented a major development in the world of cyberthreats.

6.5 million newly infected PCs, you say? All of them whacked in a four-day period? Hmmm. The timing of this makes me wonder how many of those PCs showed up under the plastic tannenbaum.

Yet it would seem my worries about hysteria have died on the vine. Consider the following:

The media yawned when F-Secure claimed the Downadup worm tallied another 6.5 million PCs in a four-day period…

Snapshot of Trend Micro website 1/19/09

Trend Micro displayed NO medium- or high-risk alert on their 'vinfo' page

Only Kaspersky Labs seems to have given F-Secure some shrift when they announced a virus alert on their website. Yet they only identified it as a moderate risk. So, uh … let’s call it “short shrift” and leave it at that.

The media, too, seems to have collectively yawned over F-Secure’s declaration. One CNN Headline News anchor — dare I say it? — almost smirked while reading from the teleprompter. (In all fairness, it isn’t the first time a CNN mannequin has smirked or spoken in an upbeat tone about a devastating computer virus attack.)

This non-media circus reminds me yet again of Aesop’s fable of the boy who cried wolf. F-Secure, on the other hand, will doubtless call up the Cassandra fable to dismiss any accusations of wolf-crying.

One quote in The Register‘s story leapt out at me for its irony:

“This thing has gotten way out of hand,” said Paul Ferguson, a security researcher for anti-virus provider Trend Micro who has spent the past several weeks tracking the worm’s progress. “It seems pretty spectacular to me that there could be that much growth.”

I dismiss Ferguson’s quote as ironic because Trend Micro’s “vinfo” page hasn’t declared a medium- or high-risk alert. How can we take him at face value when his company doesn’t even wail about it on an alert page?


Antivirus vendors and computer news reporters have certainly suffered a drought of hysteria in the past few years — and I myself fret that we’re due for another hystericane.

F-Secure will doubtless call up the Cassandra fable to dismiss any accusations of wolf-crying…

Why, then, hasn’t the Downadup worm generated “the perfect storm” of media hysteria?

The answer may lie in an amazing buildup to America’s “double major holiday.” Yesterday was Martin Luther King Jr. Day while today sees the inauguration of Barack Obama. News organizations appear highly focused on the orgasm of festivities in Washington, DC—

—and the media’s infatuation with U.S. politics may have simply overshadowed everything else of importance.

“You sound a bit facetious, Rob.” Yeah, okay: you caught me. Longtime readers will recall that government experts reminisce about the Nimda worm as a global catastrophe that cost billions of dollars and that would have qualified as one of the worst acts of cyber-terrorism ever caught on tape. And those experts still bemoan the fact it didn’t get much airplay … because it came just one week after the equally devastating physical terrorism of 9/11/01.

First Nimda; now Downadup. This leads me to ask a philosophical question. “Why do the world’s most devastating computer security attacks always seem to take place when reporters are too preoccupied to give it the attention it truly deserves?”

Nov 24 2008

Does the banking industry really care about the Sinowal trojan?

Windows Secrets editor Woody Leonhard and I go way back. I mean waaaay back. We moved in some of the same circles in those halcyon days when I worked deep within the financial industry. I labeled him “one of the foremost authorities on macro viruses” in the previous millennium.

Leonhard asked for my viewpoint while fleshing out his recent column on the Sinowal trojan, aka the Mebroot trojan. Let’s pick up at the point where he mentions me:

So, you’d figure the banks and financial institutions being targeted by Sinowal / Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that’s still harvesting accounts should send a shiver up any banker’s spine.

I asked Rob Rosenberger about it, and he laughed. Rosenberger’s one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.

“I’ll be labeled a heretic for saying this, but … from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.

“Banks have dealt with this kind of fraud for many, many decades,” Rosenberger continued. “Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud.”

The banking industry will call me a heretic, claiming “we actually do quite a bit to reduce this kind of fraud!” Very true — but government regulations force bankers to be accurate, not to be advocates. If your credit card gets harvested, a banker will correctly tell you to file a police report so the cops can catch the robbers.

The government, too, will call me a heretic, claiming “we actually do quite a bit to reduce this kind of fraud!” Very true — but law enforcement agencies focus on protecting the society, not the individual. If your credit card gets harvested, a policeman will correctly tell you to file a copy of the report with your bank so they can credit you for any fraudulent transactions.

Let’s get back to Leonhard:

If the bankers aren’t going to take up the fight against Sinowal / Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.

In this particular case, the major AV packages have failed to detect Sinowal / Mebroot over and over again. It’s hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they’ve left the barn, so to speak.

Very true. Vmyths has documented quite a bit of wolf-crying over the last two decades. I’d give you a link to something more specific … but I honestly don’t know where to begin.

And despite all their chest-thumping, the antivirus industry doesn’t put their money where their mouth is. They’ll only go so far as to announce they’ve joined “the fight against crime,” as if to lend credibility to the fact they wear tights & capes & codpieces and fight whatever crime amuses their shareholders.

Chest-thumping law enforcement agencies don’t put their money where their mouth is, either. You don’t hear about the U.S. Justice Department offering rewards for information leading to the arrest & conviction of credit card harvesters scattered all over the world.

Microsoft finally one-upped everyone when they set up a $5 million “Anti-Virus Reward Program.” Despite all their chest-thumping, the antivirus industry remained mostly silent about it. Go figure.

Continuing with Leonhard’s column:

The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.

Very true — but here I must defend the antivirus industry. They tried to offer “behavioral monitoring and other techniques” back in 1991, much of it based on techniques proven in the 1980s by Andy Hopkins and Wolfgang Stiller, et al. Antivirus firms couldn’t market their newfangled “hybrid” products because their customers wanted nothing to do with them. They blindly demanded virus-scanning technology, period.


Leonhard goes on to say:

The only company that seems to be in a position to fix the [exploited vulnerability] is Microsoft. But it’s hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP’s successors (I use the term lightly) don’t appear to have the same flaw.

This is short-sighted, however. It’s only a matter of time before Sinowal / Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.

I agree very strongly with Leonhard. Quoting myself from a previous column: “Symantec worked for years on Vista’s security back in the day when Microsoft called it the ‘Longhorn project.’ We know this because, years ago at a global Virus Bulletin conference, Symantec gave a hoity-toity speech on all of the new types of malware they feared would debut with Redmond’s new operating system.”

The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud.

So. Who (besides the criminals) can we blame for present and future Internet-centric credit card fraud?

  • You can’t really finger Microsoft. Their customers scream so much for ease of use that it drowns out any whimpers for cumbersome security.
  • You can’t really finger the antivirus industry. Their customers still demand inferior technology.
  • You can’t really finger the customers. They only know what they find on store shelves.
  • You can’t really finger the government. They’re just a very large customer.

You could almost describe it as “four corners of stagnation,” couldn’t you? Continuing with Leonhard’s column:

If Microsoft decides to take on Sinowal / Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says ‘I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup.’

Aha, but the initial setup would be just that — initial. These Sisyphean programmers would toil forever just to keep up with the bad guys. It would be like … um … like … well, it would be like working at an antivirus firm, wouldn’t it?

Now, don’t get me wrong! I’ve long believed an elite team could tackle this eternal project. But they won’t work for Microsoft, they won’t work for an antivirus firm, and they certainly won’t work for the banking industry. There’s simply no profit in it.

A product for the good of society that prevents credit card harvesting would need to come from a government team working towards society’s best interests under the auspices of, say, US-CERT.

Just don’t hold your breath for a government solution to credit card harvesting over the Internet. As I told Leonhard: “from a banking perspective, frauds like this have never qualified as a major threat.” The technology of fraud gets better each year, but this type of fraud remains consistent. Government officials and bankers alike will highlight the need for “user education” and that will be that.

From a banking perspective, Leonhard is just one more person with a Cassandra complex

Nov 20 2008

A missive to Symantec’s new CEO

Enrique! Long time no talk. Congrats on the new job title. Hope all’s been well since that time I phoned you re: a root-yielding vulnerability in Norton AntiVirus.

An open letter to Enrique Salem, the incoming CEO at Symantec

But hey, enough chit-chat.

Almost eleven years have passed since we sat down in your office to discuss my impact on your stock price and your impact on the security industry. I think it’s time to repeat the performance. Naturally, we’ll talk about Symantec’s long-term goals & plans under your leadership. And I suspect you’ll want to hear about my long-term plans to bring computer security criticism into the mainstream.

I’d also like a special briefing on each of the following topics:

  1. Why you don’t change your “ThreatCon level” when you announce serious vulnerabilities in your own software.
  2. How you will counter Microsoft’s recent OneCare announcement.
  3. Why you failed to release an antivirus product in tandem with Vista, plus what you’ll do to make sure you don’t miss the boat again.
  4. An overview of your transfer of malicious technology to the Chinese government, er, your decade-long penetration into China’s markets, plus the obstacles you still need to overcome.

Please don’t introduce me to an HR rep and don’t flash your purse strings at me. In return I won’t ask for a job, grant, or buyout.

Let’s aim for January or maybe early February when things are still slow. I’ll pay for my airfare & hotel. You pick up the tab at a trendy lunch spot. See you then!