
The Apple Virus

It's real.

CAMBRIDGE (Rixstep) — Rixstep are absolutely chuffed to announce the release of their Keymaster applications to combat the Apple Virus.

Read on.

By Way of Introduction

We helped run an IT factory in Stockholm. We had beautiful offices, with a direct look at the waters of Stockholm and a rooftop that offered the famous 'Strindberg view'. We had two floors in that huge building, and had hundreds of IBM PCs. We turned over classes of hundreds of students every five weeks.

Once we got a former system admin who came to us for a new job. He noticed something wasn't right on his workstation, and began poking around. 'I think this machine is infected', he told us. He took his 'Doctor Solomon' to class and tested. He found the Form Virus.

Simultaneously, before the start of the term, we'd sacrificed ten days of lush life in the country to complete our 'Quick 'n' Dirty' program suite. 'Quick 'n' Dirty' included two disk sector editors, a text reader, a new hex editor, and so forth. It also had a full file manager that did not use MS-DOS in any way - it read the MBR and worked from there, as everything can be reduced to macros.

So our file manager could see and do everything.

Once our admin student had identified the virus on his computer, a boot sector virus, we could look into how this virus - 'Form' - worked. It contaminated boot sectors and hid more code in sectors way at the back, so to speak, of the hard drive, and it protected this hidden resource by marking the sectors as 'faulty'.

Easy enough. We first did a complete 'check disk' to make sure the disk was otherwise healthy, then opened our 'Quick 'n' Dirty' disk editor to edit the FAT tables. And, sure enough, there were things at the end of the drive marked 'faulty'. So, as this was a full-screen disk editor running at interrupt/driver level - and we love stuff like that - we simply cleared the 'faulty' bit in those sectors, then we exited our 'DiskView' and ran the 'check disk' program again. This time it found the discrepancies, and it saved the sectors in question to disk. And we now had kidnapped the actual code of the Form Virus.
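The check described above, looking for FAT entries flagged 'faulty' at the end of a drive, can be scripted for forensic triage. This is an added example, not Rixstep's 'Quick 'n' Dirty' code: it assumes a FAT12 volume (floppy layout) and the standard FAT12 bad-cluster value 0xFF7, and the sample image is constructed.

```python
import struct
BAD_CLUSTER = 0xFF7  # FAT12 entry value meaning "bad cluster, do not use"

def parse_bpb(img):
    """Read the BIOS Parameter Block fields needed to locate the FAT and data area."""
    bps, spc, reserved, nfats, root_ents, total, _media, spf = struct.unpack_from(
        "<HBHBHHBH", img, 11)
    root_secs = (root_ents * 32 + bps - 1) // bps
    first_data = reserved + nfats * spf + root_secs
    return {"spc": spc, "fat_off": reserved * bps, "fat_len": spf * bps,
            "first_data": first_data, "clusters": (total - first_data) // spc}

def fat12_get(fat, n):
    """Decode the 12-bit entry for cluster n (two entries share three bytes)."""
    pair = fat[n * 3 // 2] | (fat[n * 3 // 2 + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0xFFF

def fat12_set(fat, n, value):
    """Encode a 12-bit entry; used here only to build the sample image."""
    off = n * 3 // 2
    pair = fat[off] | (fat[off + 1] << 8)
    pair = (pair & 0x000F) | (value << 4) if n & 1 else (pair & 0xF000) | value
    fat[off], fat[off + 1] = pair & 0xFF, pair >> 8

def bad_clusters(img):
    """Return [(cluster, first_sector)] for every cluster flagged bad in the first FAT."""
    b = parse_bpb(img)
    fat = img[b["fat_off"]: b["fat_off"] + b["fat_len"]]
    return [(n, b["first_data"] + (n - 2) * b["spc"])
            for n in range(2, b["clusters"] + 2)
            if fat12_get(fat, n) == BAD_CLUSTER]

def tail_flagged(img, window=16):
    """Bad clusters within the last `window` clusters: the pattern worth a closer look."""
    last = parse_bpb(img)["clusters"] + 1
    return [c for c in bad_clusters(img) if c[0] > last - window]

def sample_image():
    """Constructed image: boot sector plus first FAT of a 1.44 MB floppy layout."""
    img = bytearray(512 * 10)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    fat = memoryview(img)[512:]
    for n in (700, 2847, 2848):  # one mid-disk entry, then the last two clusters
        fat12_set(fat, n, BAD_CLUSTER)
    return img

if __name__ == "__main__":
    print(tail_flagged(sample_image()))
```

A genuinely worn disk can also show bad clusters, so a hit is a reason to dump and inspect those sectors, not proof of infection.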

'Greetings!' it said, in plain text, and went on to assure that it didn't actually hurt anything. The greeting ended with the curious salutation 'Fuckings to Corinne'.

Whoever Corinne was, she was definitely appreciated.

We now showed our findings to the others in our group. And, with the help of the admin student, we set up a dedicated workstation at the back of the lab. And we told our students that they must not use any diskettes until they'd been checked at our dedicated workstation. Amazingly, things worked well - until problems arose from those in the morning group.

We were namely two groups of two groups - two groups in the morning and two in the afternoon. Ours worked in the afternoon. Things went well until we told the morning teachers what we'd discovered and what they had to do.

Those morning teachers didn't like it very much. Computer viruses are a myth, we heard one of them say. We produced a printout of Form and had this teacher read it. He blushed.

The next morning, that teacher came into our offices with a case full of diskettes. He'd been 'patient zero', downloading who-knows-what online, infecting all the machines he came into contact with. And once Form moves to the hard drive and goes resident, there's no way to stop it, short of eradication as performed by our dedicated workstation.

Viruses: they only exist on PCs. Those PCs have to be running either MS-DOS (PC-DOS) or Windows. You have to be able to 'attach' to running code. They're complex to create. They exist in the actual files one 'executes' on disk. Be it a program file (EXE) or a boot sector, which is also executable code.

This is all possible because Microsoft filesystems can't be protected. So viruses exist.

But take the same computer and run Linux on it - and odds are you won't find a virus.

User programs could in theory contract viruses, if their executables are not protected, and if the virus writer just happened to know the exact name and location of one of your own applications. Which isn't very likely. So Linux - and Unix in general - will not have viruses.

Unix/Linux program files are very well protected by the system itself, and yes, the architects have thought through just about every possible permutation to thwart hacking of any kind.

So, whilst viruses can and do exist on Windows, they mostly cannot on Unix.

Except with the Mac. The Mac has the Apple Virus.

The Apple Virus

Apple's Mac has a sort of virus. And it's resident. In the system itself. As provided to you by Apple. Right there, right out of the box, it's there when you open it for the first time. Supplied by the vendor Apple itself.

It's called Gatekeeper.

Actually, that's a bit of an oversimplification. The 'virus' is actually what's known as the 'extended attribute'. That triggers Gatekeeper. Same diff, one might say.

Extended Attributes

Exactly how extended attributes are implemented on Unix varies from platform to platform, from vendor to vendor. Not all types of Unix even have them - not even the 'super-secure' ones.

Extended attributes are arbitrary metadata. That data is not attached to a program executable, but stored somewhere else at the vendor's discretion. Exactly how this data is stored on Macs is not fully disclosed by Apple. But it's concluded that it exists in a parallel 'stream' separate from the files to which it's associated - a stream that can be indexed and searched. However it's done, this data exists and can be used in arbitrary ways.

Apple chose to use this data to trigger their 'Gatekeeper' system.

'Gatekeeper' is how Apple can control system activity on a system, such as the Mac, where Apple actually can't control system activity. Gatekeeper isn't really needed on the iPhone, the iPad, or the watch, because those operating systems require certification for all program code - certification that's 'attached' to the program files just like a virus. Except this time it's perfectly legal, and you're expected to love it, and love Apple for it. Because Apple loves you and is only protecting you.

But the Mac is different. The platform's been around too long. There's too much legacy code for the Apple Mac. The Mac exists for tinkering - at least in theory. Just imagine a developer finding out he has to get Apple's permission (and pay for it) to run his own code on his own computer...

No, that won't work. So what Apple did was create a system that makes it extraordinarily difficult - but not 100% completely impossible - to run one's own code. Then they keep nudging programmers in the direction of the App Store. Get your code certified and you can promote your products at the App Store! Don't do that and you can't! It costs you $100 per year just to be able to apply for the App Store.

And Apple will only list the products they like. And they don't always tell you why they don't like something - you have to guess.

(Yes, there are some huge lawsuits ongoing, and yes, major voices like Forbes, the New York Times, and software legend Paul Graham have condemned Apple for this indefensible behaviour.)

It's all down to the bottom line, despite all the lofty chitchat. It's all down to an estimated sure-fire revenue stream of - at current rates - $6 billion per year. No up-front costs. Pure profit. They exact it. Annually. It's directly feudal.

Many programmers invested lots of blood, sweat, and tears into Apple's Mac. They did this even after Apple betrayed them, in the final years of the last millennium, when they promised they'd continue to support NeXT's cross-platform compatibility with Microsoft Windows, the really lucrative market.

Yes, they promised and promised and promised - until everyone was securely inside their walled garden, and escaping became prohibitive. And now they're stuck with the Apple Virus instead. They have to pay a sort of 'jizra', in various stages. First a flat fee up front, payable even if Apple won't put their products in the App Store, and then an unprecedented 30% of their earnings - unheard of in the payment processing industry...

The Mac programmers are stuck. They're locked in. They either play the game according to Apple's rules or they lose it all. And, once inside the App Store, they're elbowed out by Apple's friends, the 'big players' who get help from Apple every step of the way. Programmers for the Mac are suffering (as are programmers for the iPhone and the iPad). They're being fleeced.

This leaves them with only one alternative - to get out. After years and years of devotion and belief in Apple and the future of the Mac.

The Alternative

There's another alternative, in principle: defy Apple. Placement in the App Store is basically essential. It's not nearly good enough, but it's all they'll get if they stick with Apple. But they can defy. They can provide 'Apple Virus-free' software through their own websites and hope for the best.

Most Mac programmers don't quite know how to go about that, however. Anything you download will automatically get the 'Apple Virus'. As soon as you do anything with your download, the virus spreads.

Unzip an infected download, and Apple's own Unarchiver will dutifully infect every extracted file. It's been specially programmed to do this. The idea is to give you no way out - to get you to succumb to Apple.

But you don't have to. Neither as a programmer, nor as an end user. It's possible to get your software outside the App Store and not be bothered by the 'Apple Virus'.


You can use Rixstep's Keymaster until you figure out what you want to do with your future. Your future, as you've already realised, can't be with Apple.

Until you find your new grazing grounds, use our Keymaster.

Two Editions, Two Versions

There are two editions and two versions of Keymaster. All of them do the same thing, more or less. The idea is to protect disk directories from infection by the 'Apple Virus'.

There are two methods to protect. Either visit the directories in question at regular intervals, or use Apple's own technologies against itself, and visit when Apple's told you they've just done something.

The latter method is preferred. But, on rare occasions, one of Apple's own 'daemons' can act up. So, in such a case, you should use the former.

The simpler, free, version offers only to protect your standard home directories. The more sophisticated ACP version can protect any directory anywhere on your disk. ACP users have full access to all ACP file management utilities, and so can detect what Apple's done to the hard drive. For those users who don't have the ACP, the 'free' version offers a way to tally existing 'infections'.

If you cleanse your downloads with Keymaster, the 'Apple Virus' is gone, and their Gatekeeper can't get you in its clutches. You can use, at any time, any software you want.

If you want to distribute your software outside the App Store and not pay the Apple 'jizra', then your customers can run our Keymaster on it, for free. (And you're encouraged to include the technology in your own product.) (Give it a try.)

Anything is better than living under the heel of Apple. Your business might even thrive. One thing is certain. You get back that 30% that Apple took away from you. And save $100 right away.

One of Many

Rixstep has many utilities to combat the 'Apple Virus'. Clean And Seal can be used 'after the fact' to manually remove the 'viruses'. XA Batch can be used to run a specified cleanse of targeted disk areas. Xattr, the very first such utility for the Mac, released fifteen years ago, can be used to edit (or remove) any such 'viruses' on a per-file basis. And so forth.

See the ACP index for further information.


See the purchase page for information on pricing in various currencies and for purchase links.


It's a Virus

The Apple Virus is a true virus in every sense of the word. Don't let Apple ruin your business. Get Keymaster - get it free, or get it with the ACP. Taste freedom. Get it now.

See Also
Keymaster: Mind the Gap
Industry Watch: The Catalina Files

About Rixstep

Stockholm/London-based Rixstep are a constellation of programmers and support staff from Radsoft Laboratories who tired of Windows vulnerabilities, Linux driver issues, and cursing x86 hardware all day long. Rixstep have many years of experience behind their efforts, with teaching and consulting credentials from the likes of British Aerospace, General Electric, Lockheed Martin, Lloyds TSB, SAAB Defence Systems, British Broadcasting Corporation, Barclays Bank, IBM, Microsoft, and Sony/Ericsson.

Rixstep and Radsoft products are or have been in use by Sweden's Royal Mail, Sony/Ericsson, the US Department of Defense, the offices of the US Supreme Court, the Government of Western Australia, the German Federal Police, Verizon Wireless, Los Alamos National Laboratory, Microsoft Corporation, the New York Times, Apple Inc, Oxford University, and hundreds of research institutes around the globe. See here.

All Content and Software Copyright © Rixstep. All Rights Reserved.

John Cattelin
Media Contact
ACP/Xfile licences