Free Republic
Browse · Search
General/Chat
Topics · Post Article


UPDATED: Symantec researchers issue first Mac botnet malware warning
9 to 5 Mac | 10/1/2009 | Jonny Evans

Posted on 10/01/2009 11:05:22 AM PDT by Swordmaker

Security researchers at Symantec have uncovered what they suspect may be the first Mac OS X botnet, and it is launching denial-of-service attacks. As revealed in a recent edition of Virus Bulletin, the researchers claim to have found two malware variants that use different techniques to take control of infected Mac OS X machines.

The two malware bundles are called OSX.Iservice and OSX.Iservice.B, and appear to be spread inside pirated copies of iWork ’09 and Photoshop CS4 distributed over BitTorrent. We've talked about these before, but now the infected machines are springing into action.

It seems the malware author obtained original copies of both applications and inserted the malicious binaries into the installers. Users who download and install these copies are then infected. Researchers Mario Ballano Barcena and Alfredo Pesoli call this “the first real attempt to create a Mac botnet” and say that the zombie Macs are already active. Thousands of Macs may have been infected, they warn.

The researchers also note that the malware author appears to have taken the most flexible and extensible approach when writing the code, “therefore, we would not be surprised to see a new, modified variant in the near future,” they said.

We’re attempting to unearth further information at this time.

UPDATE: We've managed a little chat with Symantec, details follow:

- The infection is also known as: OSX/iWorkServ.A [F-Secure], OSX/IWService [McAfee], OSX/iWorkS-A [Sophos], OSX_KROWI.A [Trend], OSX/iWorkS-Fam [Sophos], OSX/Krowi.A [Computer Associates].

- They warn: "Users who download files from third party sites and from P2P networks such as BitTorrent are at risk. More generally, anyone who surfs the internet should be aware of the threat of fake web sites, called phishing sites, that steal passwords, identity information and credit card numbers. "

- Asked if Mac users are under attack, Symantec notes: "The short answer, no. Users of Macintosh computers continue to have little to fear from viruses, trojans and worms so long as they take reasonable precautions."

More general info on the malware:

The two versions of the trojan, called OSX.Iservice and OSX.Iservice.B, both build a network of compromised computers (a “botnet”) that can be used by cyber criminals to attack web sites, send junk email (spam), steal passwords and carry out other malicious activities. This network has been called by some the "iBotnet".

The trojans are distributed in pirated copies of Apple’s iWork ’09 and Adobe Photoshop CS4 found on some P2P networks. Other than installing the company's anti-virus technologies (and warning against free solutions purporting to do this, as these are often flawed), the company advises Mac users who frequently download files and apps to "Create a limited or non-administrator account for day to day activities. Use an account with full privileges only when necessary."

The fake iWork ’09 installer has the filename iWork09.zip and is approximately 450MB in size. In contrast, the legitimate trial version of iWork ’09 available from Apple is named iWork09Trial.dmg and is slightly over 451MB. The iWorkServices.pkg contains the Trojan executable, named iworkservices, which is approximately 404KB in size. The Trojan first checks whether it is running as root on the compromised computer and exits if it is not. It then checks whether it was executed under the file name iWorkServices. If not, it creates the following folder:

/System/Library/StartupItems/iWorkServices

The Trojan then copies itself to both of the following locations:

/usr/bin/iWorkServices

/System/Library/StartupItems/iWorkServices

It then modifies the following file to ensure that it runs when the compromised computer restarts:

/System/Library/StartupItems/iWorkServices/StartupParameters.plist

The Trojan then relaunches itself from its new location in /System/Library/StartupItems/iWorkServices and decrypts an AES-encrypted configuration file located at /private/tmp/.iWorkServices. Finally, the Trojan acts as a back door: it opens a listening port on the local host and attempts to connect to the following remote hosts:

69.92.177.146:59201

qwfojzlk.freehostia.com:1024

We're fairly confident now that this isn't a widespread outbreak, but we hope that any Mac user who may have been affected now has the knowledge they need to determine whether they have been, and to protect themselves from any further propagation of this malware thingummy...
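The installation steps and network indicators above translate directly into a host check. The script below is an added example, not code from the article, Symantec or 9to5Mac: it looks for the four file-system artefacts the write-up names and scans a saved `netstat -an` listing for the two controller endpoints. The optional root-prefix argument and the constructed sample tree are assumptions added for illustration so the check can be exercised offline against a mounted copy of a suspect disk or a test directory rather than only on a live Mac.

```shell
#!/bin/sh
# Added hunting example for the OSX.Iservice indicators described above.
# Not part of the original article; paths and endpoints are the ones the
# write-up lists. The ROOT prefix is an assumption added so the same check
# can be run against a mounted disk image or a constructed test tree.

# File-system indicators named in the write-up (no whitespace in any path,
# so plain word splitting in the for loop below is safe).
iservice_paths() {
    cat <<'EOF'
/usr/bin/iWorkServices
/System/Library/StartupItems/iWorkServices
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
/private/tmp/.iWorkServices
EOF
}

# check_iservice_files [ROOT]: print every indicator present under ROOT
# (default: the live system) and record the count in ISERVICE_FILE_HITS.
# Always returns 0 so it can be used under `set -e`; read the variable.
check_iservice_files() {
    root="${1:-}"
    ISERVICE_FILE_HITS=0
    for p in $(iservice_paths); do
        if [ -e "${root}${p}" ]; then
            echo "FOUND ${root}${p}"
            ISERVICE_FILE_HITS=$((ISERVICE_FILE_HITS + 1))
        fi
    done
    return 0
}

# check_iservice_c2 FILE: scan a saved `netstat -an` listing for the two
# controller endpoints. macOS netstat prints host.port while other tools
# print host:port, so both separators are accepted. Count -> ISERVICE_NET_HITS.
check_iservice_c2() {
    file="$1"
    pattern='69\.92\.177\.146[.:]59201|qwfojzlk\.freehostia\.com'
    ISERVICE_NET_HITS=$(grep -cE "$pattern" "$file" || true)
    grep -E "$pattern" "$file" | sed 's/^/C2 /' || true
    return 0
}

# make_constructed_tree DIR: lay out the dropped files under DIR exactly as
# the write-up describes. Constructed sample data for an offline test, not a
# real infection.
make_constructed_tree() {
    dir="$1"
    mkdir -p "$dir/usr/bin" \
             "$dir/System/Library/StartupItems/iWorkServices" \
             "$dir/private/tmp"
    : > "$dir/usr/bin/iWorkServices"
    : > "$dir/System/Library/StartupItems/iWorkServices/StartupParameters.plist"
    : > "$dir/private/tmp/.iWorkServices"
}

# make_constructed_netstat FILE: two benign lines (documentation addresses)
# plus one connection to the controller IP, in macOS `netstat -an` layout.
# Constructed sample data.
make_constructed_netstat() {
    cat > "$1" <<'EOF'
tcp4       0      0  192.168.1.20.52811     198.51.100.7.443       ESTABLISHED
tcp4       0      0  192.168.1.20.52812     69.92.177.146.59201    ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
EOF
}

# Demo: check the live system (silent when clean), then the constructed tree.
check_iservice_files
echo "live system: $ISERVICE_FILE_HITS file hits"
tmp=$(mktemp -d)
make_constructed_tree "$tmp"
make_constructed_netstat "$tmp/netstat.txt"
check_iservice_files "$tmp"
check_iservice_c2 "$tmp/netstat.txt"
echo "constructed tree: $ISERVICE_FILE_HITS file hits, $ISERVICE_NET_HITS C2 hits"
rm -rf "$tmp"
```

On a live Mac the file check needs to run as root to read /private/tmp/.iWorkServices and the StartupItems folder (`sudo sh check.sh`); for the network check, capture `netstat -an > conns.txt` first and pass the file in. A hit on /System/Library/StartupItems/iWorkServices alone is the persistence mechanism the article describes, so treat any non-zero count as grounds to pull the machine off the network before cleaning it.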


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: malware
This is rehashed FUD from June. No one has seen even one member of this so called "iBotnet"!

"Asked if Mac users are under attack, Symantec notes: "The short answer, no."

That proves this is more FUD!

1 posted on 10/01/2009 11:05:22 AM PDT by Swordmaker

To: Swordmaker
the apple gets bit.
2 posted on 10/01/2009 11:06:39 AM PDT by the invisib1e hand (L;)

To: Swordmaker

Sales for Symantec’s Mac antivirus software must be lagging.


3 posted on 10/01/2009 11:08:41 AM PDT by Sparko ("Barack Hussein Obama He said Red, Yellow, Black or White All are equal in His sight. Mmm, mmm, mmm")

To: Swordmaker

If I am interpreting this correctly, you would have to download something with this in it, and then install whatever it is, in order to do damage. Am I understanding this?


4 posted on 10/01/2009 11:09:37 AM PDT by La Lydia

To: Swordmaker

bump for later reading


5 posted on 10/01/2009 11:12:47 AM PDT by Albion Wilde ("I apologize to hookers for having associated them with the House of Representatives.--Jim Traficant)

To: La Lydia
If I am interpreting this correctly, you would have to download something with this in it, and then install whatever it is, in order to do damage. Am I understanding this?

Yep, just the way 90% of viruses get on PCs.

6 posted on 10/01/2009 11:15:59 AM PDT by Anitius Severinus Boethius

To: Swordmaker

Why would anyone waste their time creating a virus for the Mac? It would make more sense to target a PC since they dwarf the users of Mac.

I bet this was done by someone close to the AV company or the company that made the software that was pirated (so that it will scare others to not try and steal their software). Other than that no one wants to waste their time making a Mac virus.


7 posted on 10/01/2009 11:21:33 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: La Lydia

Correct. And you’d have to type in your admin password to allow it to be installed. And even then it can’t reproduce automatically to other machines.


8 posted on 10/01/2009 11:26:47 AM PDT by antiRepublicrat

To: for-q-clinton
Why would anyone waste their time creating a virus for the Mac?

It's ripe for picking, almost no AV in use. Get 1% of the users and you have a 300,000-strong botnet, a big one by any standard.

9 posted on 10/01/2009 11:41:27 AM PDT by antiRepublicrat

To: Aria; ~Kim4VRWC's~; 1234; 50mm; 6SJ7; Abundy; Action-America; acoulterfan; Aliska; altair; ...
iBotnet FUD— PING!

Not only is this FUD, but it is rehashed FUD from way back in May.

These are the same Bozos who claimed in May's Virus Journal, a $150 subscription online magazine for hackers, that they had found the first Mac botnet and further claimed that there were more than 20,000 Macs involved in it. They did not report it to Symantec, their supposed employer, who still lists the number of Macs infected with this Trojan as 0 to 50. This article, despite its inflammatory headline, reports the truth:

"Asked if Mac users are under attack, Symantec notes: "The short answer, no."


Mac Ping!

If you want on or off the Mac Ping List, Freepmail me.

10 posted on 10/01/2009 11:42:58 AM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker

It’s dead, Jim.


11 posted on 10/01/2009 11:43:01 AM PDT by LasVegasMac (Islam: Bringing the world death and destruction for 1400 years!)

To: Swordmaker

Yep if you aren’t downloading illegal software you have nothing to worry about.


12 posted on 10/01/2009 11:59:04 AM PDT by chris_bdba

To: Swordmaker

Be vewy vewy quiet. I’m hunting viwuses.

heheheheheheheh!


13 posted on 10/01/2009 12:08:28 PM PDT by SlowBoat407 (Achtung. preparen zie fur die obamahopenchangen.)

To: antiRepublicrat

But there are still more windows 9x boxes (I think) out there that are even more ripe for the picken and can do more damage.


14 posted on 10/01/2009 12:24:40 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

Wouldn’t it just be cool to be the first and wipe out an entire talking point?


15 posted on 10/01/2009 12:33:04 PM PDT by Wright Wing

To: antiRepublicrat

Okay, then maybe this is a stupid question, but why all the alarm and dire warnings then? If even low-tech dumb bunnies like me have figured out how to avoid this, how can it be that much of a threat? I found a concert and recital I wanted on that bit torrent thing, but decided not to indulge and ordered the DVD instead. Better safe than sorry.


17 posted on 10/01/2009 1:55:22 PM PDT by La Lydia

To: La Lydia

Scare people to create a market for your products.


18 posted on 10/01/2009 2:14:54 PM PDT by antiRepublicrat

To: for-q-clinton

You don’t think these people are always looking to expand their business? If you were a business, wouldn’t you go after a market of 30 million more producers?

Besides, the 9x pool has been pretty much picked over already.


19 posted on 10/01/2009 2:27:54 PM PDT by antiRepublicrat

To: La Lydia
If I am interpreting this correctly, you would have to download something with this in it, and then install whatever it is, in order to do damage. Am I understanding this?

Yes. But you'd ALSO have to be stupidly running in Root which is not activated in the default install of OS X. Far less than 1/10 of one percent of Mac users have activated a root account. Even fewer will routinely run in root.

That's why it is so hard to believe the claim of a 20,000 unit botnet. First you have to be smart enough to know how to activate root and simultaneously stupid enough to try to rip off, from a pirate site, a free copy of trial software that is more easily obtained from Apple's own servers. The BitTorrent sites that had hosted the infected files back in January reported that the total downloads of the malware, before the files were removed, was in the "dozens." What are the odds that any one of those fewer than 100 downloaders was running in root and thereby vulnerable to being infected by this Trojan?

20 posted on 10/01/2009 2:36:30 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson