UPDATED: Symantec researchers issues first Mac botnet malware warning

Security researchers at Symantec have uncovered what they suspect may be the first Mac OS X botnet launching denial-of service attacks. As revealed in a recent edition of Virus Bulletin, the researchers claim to have found two malware types which use different tricks to grab control of infected Mac OS X machines.

The two malware bundles are called OSX.Iservice and OSX.Iservice.B, and appear to be spread within pirated copies of iWork 09 and Photoshop CS4, distributed on the popular P2P torrent network. We've talked about these before but now these infected machines are springing into action.

Seems the malware maker got hold of original copies of both application and inserted the malicious binaries into the software. Users who download and install these apps may then be affected. Researchers Mario Ballano Barcena and Alfredo Pesoli warn this to be “the first real attempt to create a Mac botnet”, and state that these zombie Macs are already going about bad business. Thousands of Macs may have been infected, they warn.

The men also note the malware author appears to have used the most flexible and extendible approach when creating the code, “therefore, we would not be surprised to see a new, modified variant in the near future,” the researchers said.

- The infection is also known as: OSX/iWorkServ.A [F-Secure], OSX/IWService [McAfee], OSX/iWorkS-A [Sophos], OSX_KROWI.A [Trend], OSX/iWorkS-Fam [Sophos], OSX/Krowi.A [Computer Associates].

- They warn: "Users who download files from third party sites and from P2P networks such as BitTorrent are at risk. More generally, anyone who surfs the internet should be aware of the threat of fake web sites, called phishing sites, that steal passwords, identity information and credit card numbers. "

- Asked if Mac users are under attack, Symantec notes: "The short answer, no. Users of Macintosh computers continue to have little to fear from viruses, trojans and worms so long as they take reasonable precautions."

The two versions of the trojan, called OSX.Iservice and OSX.Iservice.B both create a network of computers (a “botnet) that can used by cyber criminals to attack web sites, send junk email, steal passwords (SPAM) and other malicious activities. This network has been called by some, "iBotnet".

The trojans are distributed in pirated copies of Apple Computer’s iWork ’09 and Adobe Photoshop CS4 found on some P2P networks. Other than installing the company's anti-virus technologies (and warning against free solutions purporting to do this. as these are often flawed), the company advises Mac users who frequently download files and apps should, "Create a limited or non-administrator account for day to day activities. Use an account with full privileges only when necessary."

The fake iWork ’09 installer has the filename iWork09.zip and is approximately 450MB in size. In contrast, the legitimate trial version of iWork ’09 that is available from Apple is named iWork09Trial.dmg and is slightly over 451MB. The iWorkServices.pkg contains the Trojan executable named iworkservices, and is approximately 404KB in size. The Trojan first determines if it is the root user on the compromised computer and if not, it will end. Then, it checks to see if it was executed with the file name iWorkServices. If not, it will create the following folder:

The Trojan then copies itself to both of the following locations: /usr/bin/iWorkServices

It then modifies the following file to ensure that it runs when the compromised computer restarts:

The Trojan then restarts itself from its new location in /System/Library/StartupItems/iWorkServices, and decrypts an AES encrypted configuration file, which is located in /private/tmp/.iWorkServices. Finally, the Trojan acts as a back door and opens a port on the local host for connections. It then attempts to connect to the following remote hosts:

We're fairly confident now this isn't a wide-spread outbreak, but do hope that any Mac user who may have been affected now has the knowledge they need to identify if indeed they have been, and potentially to protect themselves from any further propogation of this malware thingummy...

But if a government was using Mac OS X at that point they would be vulnerable.

By the way, The US Army is using Mac OS X for their website:

http://www.army.mil/

and is deploying more for security reasons because it would make them more secure.

You miss the point again. The reason why it wasn’t exploited is because the install base isn’t large enough.

If Mac OS X was a large install base it would have been exploited because you could be guaranteed that some users wouldn’t have patched the original bug.

This is how most windows viruses spread (and Linux too). Unpatched machines. Some users/administrators are just too stupid to patch a box. So when you take in the limited amount of Mac OS X users and the fact that there are different versions the viable attack vector is very small. You’d have to find someone that has the specific build you want to attack...and in this case the bug was in the first version of Mac OS X. So you’d have to find someone who bought a Mac with the original version and didn’t patch it right away. Using today’s number of usres of Mac OS X users isn’t reality of what was in place at the time of the bug.

I’m sure Microsoft would love to just say everyone was on Windows 7 the day it launchd but that’s not reality. So how many of those Mac OS X boxes with the bug were actually on a LAN during the time of it being unpatched? Give me that number and you’ll see why it was never exploited.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.