PH461A04@VAX1.UMKC.EDU (Bureau de Guerra) (03/04/91)
>> Observation 2: Mac viruses are not easier to write than PC viruses for
>> [...various reasons deleted...]
>> that infect each platform. When I last checked (and this was a while
>> ago), there were some 5 different Mac viruses, with no more than five
>> variations on a particular strain: total of about a dozen Mac viruses.
>> At the time, the number of PC viruses numbered 23 distinct strains and
>> over 100 total viruses. A lot of it has to do with the number of
>> vandals writing viruses for the Mac vs. DOS, but it also has to do with the
>> relative ease with which viruses can be written for DOS vs. the Mac.

>There are possibly more practical reasons as to why there are more pc viruses
>than mac viruses: There are MORE pcs than macs, not just more "vandals
>writing", though the two quantities are clearly related. I saw a blurb a while
>back in PC Week saying there were around 45 million pcs in the US (apparently
>not counting Europe and elsewhere). Unfortunately, there was not a
>corresponding figure for macs.

The Macintosh makes up about ten percent of the domestic pc market (higher in
some overseas locations), so say four to five million. Let's consider:

    23 pc viruses / 45M pcs
     5 mac viruses / 4.5M macs

There seems to be (to significant numbers) about the same ratio.

Are mac viruses easier to write? No (but see below). Discussion follows:

PC's are easier: PC viruses primarily attack the partition tables and boot
sectors of a disk. Because a significant part of the OS resides in firmware on
the Macintosh, "boot sectors" do not have the same functionality on the mac as
on the pc. PC viruses that infect EXE and COM files similarly rely on the
architecture of how a program is loaded and executed; the mac process is
sufficiently different that the "append" method of virus attack will not work.

Macs are easier: PC viruses trap interrupts, perform their task and then
(hopefully) call the original interrupt. Thus pc viruses can only activate on
BIOS calls. The mac takes advantage of the 68000's capacity to emulate
instructions: a call to a Macintosh toolbox or OS routine is actually a machine
instruction that the 68000 can't understand; it sends this to a dispatcher that
routes the call to the proper routine. The dispatcher relies on a jump table.
Thus every toolbox and OS routine on the mac (the newer macs use 512K ROMs, if
that gives you some idea of the number of routines) can be trapped and
redirected: Apple and third party developers (including virus writers, I'm
sure) take advantage of this to expand and customize the mac.

Macs also isolate their code into "resources." The code to display a window,
for example, is stored in a WDEF resource, the code to handle a special kind of
menu in an MDEF, etc. One can replace the WDEF in a program with another, and
the application should still run. I used this to write a WDEF that draws a
smiley face on the screen when it's closed. By replacing the default WDEF in
the system, every program I run now displays a smiley face when a window is
closed. One common virus actually masquerades as window code, replacing the
default window code in the system. Because the whole Macintosh OS revolves
around resources, the functions for loading, copying and modifying resources in
files are part of the OS and used frequently by most programs.

Finally, since the Macintosh ships with a multitasking operating system that
does not have independent segments, a virus running in an application in one
segment can infect an application in a second segment.

Which Platform is Easier? Criteria:

1) Ease of infecting new disks
2) Ease of infecting applications/operating system
3) Difficulty in detection/prevention
4) Size of virus to be effective
5) Degree of technical proficiency to program

1. PCs can be infected easily through the boot sector/partition table; macs do
   not have this problem.

2. Because of the resource nature of macs, infecting new applications can be as
   easy as moving a resource into the application's resource fork (one OS
   call), e.g. nVIR, WDEF.

3. Because of (2), memory resident virus detection schemes on the Macintosh are
   easily implemented. Also, because of the mac's control over floppy
   insertion/ejection, disks can be forced to be scanned upon insertion. This
   same functionality does not exist on the pc. Also, because of (2), scanning
   a mac disk for an infection is also easier. PC virus detection is
   straightforward, but virus prevention is much less sophisticated.

4. A PC virus is typically only a few dozen bytes long. A Macintosh virus can
   be several thousand bytes easily (the WDEF virus, for example, needed to
   duplicate the full functionality of the default WDEF to be transmitted
   undetected for as long as possible; coding a WDEF is not a project to be
   undertaken lightly.)

5. Due to the size, complexity of duplicated features, and requirements for
   properly handling memory management, etc., mac viruses are by nature more
   complex, and hence more difficult to code. Also, judging from the fact that
   400 versions of 23 PC viruses exist, where only a handful of strains of the
   mac viruses exist, modification [and hence evasion of detection] of pc
   viruses is easier.

Because of 1, 3, 4, & 5 vs. 2, I conclude that programming a mac virus is more
difficult than programming a pc virus.

Jonathan E. Oberg
ph461a04@vax1.umkc.edu
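The post's detection argument (point 3) rests on the fact that a Mac infection is an added or replaced resource, so a scanner only has to inventory the resource fork. The following is an added example, not code from either poster: it builds a small classic Mac resource fork in the Resource Manager on-disk layout (header, data area, resource map with type list and reference lists), parses it back with bounds checks so a malformed fork cannot misdirect the scan, and flags code-bearing resource types that a given file should not contain plus the nVIR type the post names. The watch lists, the sample application and System-style forks, and the filler resource bytes are all constructed for this illustration, not taken from real files; the expected-types argument generalizes the post's single WDEF case to any code-bearing type.

```python
import struct

# Constructed watch lists for this example (assumption: illustrative, not a
# complete catalogue). The post names WDEF and MDEF as code-bearing resource
# types and nVIR as a virus that adds its own resource type to applications.
CODE_BEARING_TYPES = {b"WDEF", b"MDEF", b"CDEF", b"INIT", b"CODE"}
KNOWN_VIRAL_TYPES = {b"nVIR"}

RESERVED_HEADER = 256   # resource data conventionally starts after a 256-byte header


def build_resource_fork(resources):
    """Build a minimal classic Mac resource fork (constructed test fixture).

    resources: list of (type: 4 bytes, id: int, data: bytes).
    Layout: 16-byte header, resource data (4-byte length + bytes each), then
    the resource map: header copy, 12-byte map header, type list, reference
    lists. Resource names are omitted (name offset 0xFFFF).
    """
    data_blob, data_offsets = bytearray(), []
    for _rtype, _rid, payload in resources:
        data_offsets.append(len(data_blob))
        data_blob += struct.pack(">I", len(payload)) + payload

    types = list(dict.fromkeys(r[0] for r in resources))    # unique, in order
    type_list = bytearray(struct.pack(">H", len(types) - 1))  # count minus 1
    ref_lists = bytearray()
    type_list_size = 2 + 8 * len(types)
    for rtype in types:
        entries = [(rid, data_offsets[k]) for k, (t, rid, _) in enumerate(resources) if t == rtype]
        ref_off = type_list_size + len(ref_lists)   # relative to start of type list
        type_list += struct.pack(">4sHH", rtype, len(entries) - 1, ref_off)
        for rid, doff in entries:
            # id, name offset (0xFFFF = unnamed), attrs byte (0) + 24-bit data
            # offset packed as one 32-bit word, reserved 4-byte handle
            ref_lists += struct.pack(">hHII", rid, 0xFFFF, doff & 0xFFFFFF, 0)

    type_list_off = 28                                   # fixed map header size
    name_list_off = type_list_off + len(type_list) + len(ref_lists)
    map_body = struct.pack(">IHHHH", 0, 0, 0, type_list_off, name_list_off) + bytes(type_list) + bytes(ref_lists)
    map_off = RESERVED_HEADER + len(data_blob)
    header = struct.pack(">IIII", RESERVED_HEADER, map_off, len(data_blob), 16 + len(map_body))
    return header + b"\0" * (RESERVED_HEADER - 16) + bytes(data_blob) + header + map_body


def parse_resource_fork(fork):
    """Walk the resource map and return [(type, id, data)]. Every offset is
    checked against the header lengths so a truncated or malformed fork raises
    ValueError instead of being silently misread by the scanner."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    data_off, map_off, data_len, map_len = struct.unpack_from(">IIII", fork, 0)
    map_end, data_end = map_off + map_len, data_off + data_len
    if data_end > len(fork) or map_end > len(fork) or map_len < 30:
        raise ValueError("header offsets exceed fork length")
    type_list_off, _name_list_off = struct.unpack_from(">HH", fork, map_off + 24)
    type_list = map_off + type_list_off
    (ntypes_m1,) = struct.unpack_from(">H", fork, type_list)
    if type_list + 2 + 8 * (ntypes_m1 + 1) > map_end:
        raise ValueError("type list runs past the resource map")
    found = []
    for k in range(ntypes_m1 + 1):
        rtype, nres_m1, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * k)
        for j in range(nres_m1 + 1):
            entry = type_list + ref_off + 12 * j
            if entry + 12 > map_end:
                raise ValueError("reference list runs past the resource map")
            rid, _name, attr_and_off = struct.unpack_from(">hHI", fork, entry)
            start = data_off + (attr_and_off & 0xFFFFFF)
            if start + 4 > data_end:
                raise ValueError("resource data offset outside the data area")
            (dlen,) = struct.unpack_from(">I", fork, start)
            if start + 4 + dlen > data_end:
                raise ValueError("resource data runs past the data area")
            found.append((rtype, rid, bytes(fork[start + 4:start + 4 + dlen])))
    return found


def scan_fork(fork, expected_code_types=frozenset()):
    """Flag code-bearing resources this file is not expected to carry, and any
    resource whose type is on the known-viral list."""
    findings = []
    for rtype, rid, _data in parse_resource_fork(fork):
        if rtype in KNOWN_VIRAL_TYPES:
            findings.append((rtype, rid, "known viral resource type"))
        elif rtype in CODE_BEARING_TYPES and rtype not in expected_code_types:
            findings.append((rtype, rid, "code-bearing resource not expected in this file"))
    return findings


# Constructed samples (filler bytes, not real 68000 code): an application whose
# only legitimate code is CODE 0/1 plus two resources of the kind the post
# describes being dropped in, and a clean System-style file where WDEF/MDEF belong.
SAMPLE_APP = [(b"CODE", 0, b"jump"), (b"CODE", 1, b"filler"),
              (b"WDEF", 0, b"wdef-filler"), (b"nVIR", 0, b"\x00\x00")]
SAMPLE_SYSTEM = [(b"WDEF", 0, b"wdef-filler"), (b"MDEF", 0, b"mdef-filler"), (b"MENU", 1, b"\x00\x01")]

if __name__ == "__main__":
    for label, sample, expected in (("app", SAMPLE_APP, {b"CODE"}),
                                    ("system", SAMPLE_SYSTEM, {b"WDEF", b"MDEF"})):
        for rtype, rid, why in scan_fork(build_resource_fork(sample), expected):
            print(f"{label}: {rtype.decode('ascii')} {rid}: {why}")
```

Run as a script it reports the WDEF and nVIR resources in the application fork and nothing for the System-style fork. The expected-types set is what makes the check usable: a WDEF is legitimate in the System file and suspicious in an ordinary application, so the same inventory serves both cases.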
CHESS@YKTVMV.BITNET (David.M.Chess) (03/22/91)
A few nits on Jonathan E. Oberg (ph461a04@vax1.umkc.edu)'s basically sound
posting:

> PC viruses primarily attack the partition tables and boot sectors of a
> disk.

I'm not sure what this "primarily" means. There are in fact more
file-infectors than there are boot-infectors for PC-DOS.

>PC viruses trap interrupts, perform their task and then (hopefully)
>call the original interrupt. Thus pc viruses can only activate on
>BIOS calls.

No. The typical file-infecting virus traps INT 21 calls, which are DOS, not
BIOS, calls. Boot-infectors do typically trap BIOS calls. But of course a
virus doesn't *have* to trap any calls at all; the Vienna-648 virus, which was
reasonably widespread at one time, was a non-resident virus that didn't trap
anything.

>4. A PC virus is typically only a few dozen bytes long.

The typical file infector is 1000 or so bytes long; a typical short one is a
few hundred bytes, a typical long one is a few thousand. Boot infector lengths
are similar. I know of only one virus that's really "a few dozen bytes" (45, I
think it is), but it's very unusual.

DC