With all the talk that goes on about how and why Macs are or aren’t as secure as any other computers, I thought I’d weigh in. Now I’m not a professional security expert. I’m just a regular software developer, although I do put on the “white hat” regularly and try to find exploits in the products I build. My theory on the conspicuous absence of OS X malware is that the scale just isn’t big enough. Sure, there are plenty of Macs in use, but bot herders need massive scales to achieve their goals.
Suppose I’m a bot herder (I hope it’s obvious that this is purely hypothetical). I unleash malware that takes over computers and “calls home,” allowing me to send spam for my paying clients. Since the number of people who read spam is very low, and the number of people who buy products advertised in spam is even lower, I need to send huge volumes of spam to make my services worthwhile for my clients. And sending lots of spam requires lots of compromised computers.
As software vendors patch vulnerabilities in their software, I have to find new vulnerabilities and write new malware to exploit them. This requires considerable effort on my part, and takes away from time I could spend doing things I enjoy. Also, as more users become more security-conscious, there are less machines left open to attack.
Suppose for a moment Windows, Linux and Mac OS X are all equally exploitable, and writing a piece of malware for each takes the same amount of time. What am I going to do? Am I going to write three sets of malware to attack the three platforms, or will I pick one to concentrate on?
Of course, the answer depends on market share. The more even the market share, the more likely I would be to write malware for multiple platforms. Also, it’s worth thinking about where the machines are primarily used.
Linux is used primarily in server and professional environments. Machines that are critical for business operations run by tech-savy operators means the machines are more likely to be secured properly and suspicious software will be removed promptly. So scratch Linux. I want to target home users with DSL or cable internet.
So I’m left with a choice of targeting Windows or OS X. What do I do? I look at market share. I know these figures are probably wrong, but suppose OS X runs on 5% of my target machines and Windows runs on 90%. What am I going to target?
The answer should be obvious. I’ll target Windows. I could target OS X as well, but then I’d be spending twice as much time writing malware for less than 6% more compromised machines to send spam from. It just doesn’t make business sense.