UPDATED: Symantec researchers issue first Mac botnet malware warning
Posted on 10/01/2009 11:05:22 AM PDT by Swordmaker
Security researchers at Symantec have uncovered what they suspect may be the first Mac OS X botnet launching denial-of-service attacks. As revealed in a recent edition of Virus Bulletin, the researchers claim to have found two malware types which use different tricks to grab control of infected Mac OS X machines.
The two malware bundles are called OSX.Iservice and OSX.Iservice.B, and appear to be spread within pirated copies of iWork 09 and Photoshop CS4, distributed on the popular P2P torrent network. We've talked about these before but now these infected machines are springing into action.
Seems the malware maker got hold of original copies of both applications and inserted the malicious binaries into the software. Users who download and install these apps may then be affected. Researchers Mario Ballano Barcena and Alfredo Pesoli warn that this is the first real attempt to create a Mac botnet, and state that these zombie Macs are already going about bad business. Thousands of Macs may have been infected, they warn.
The researchers also note that the malware author appears to have used "the most flexible and extendible approach" when creating the code, and say they "would not be surprised to see a new, modified variant in the near future."
We're attempting to unearth further information at this time.
UPDATE: We've managed a little chat with Symantec, details follow:
- The infection is also known as: OSX/iWorkServ.A [F-Secure], OSX/IWService [McAfee], OSX/iWorkS-A [Sophos], OSX_KROWI.A [Trend], OSX/iWorkS-Fam [Sophos], OSX/Krowi.A [Computer Associates].
- They warn: "Users who download files from third party sites and from P2P networks such as BitTorrent are at risk. More generally, anyone who surfs the internet should be aware of the threat of fake web sites, called phishing sites, that steal passwords, identity information and credit card numbers. "
- Asked if Mac users are under attack, Symantec notes: "The short answer, no. Users of Macintosh computers continue to have little to fear from viruses, trojans and worms so long as they take reasonable precautions."
More general info on the malware:
The two versions of the trojan, called OSX.Iservice and OSX.Iservice.B, both create a network of computers (a botnet) that can be used by cyber criminals to attack web sites, send junk email (spam), steal passwords and carry out other malicious activities. This network has been called by some "iBotnet".
The trojans are distributed in pirated copies of Apple Computer's iWork 09 and Adobe Photoshop CS4 found on some P2P networks. Other than installing the company's anti-virus technologies (and warning against free solutions purporting to do this, as these are often flawed), the company advises that Mac users who frequently download files and apps should "Create a limited or non-administrator account for day to day activities. Use an account with full privileges only when necessary."
The fake iWork 09 installer has the filename iWork09.zip and is approximately 450MB in size. In contrast, the legitimate trial version of iWork 09 that is available from Apple is named iWork09Trial.dmg and is slightly over 451MB. The iWorkServices.pkg contains the Trojan executable named iworkservices, and is approximately 404KB in size. The Trojan first determines whether it is running as the root user on the compromised computer and, if not, it exits. Then it checks to see if it was executed with the file name iWorkServices. If not, it will create the following folder:
The Trojan then copies itself to both of the following locations: /usr/bin/iWorkServices
It then modifies the following file to ensure that it runs when the compromised computer restarts:
The Trojan then restarts itself from its new location in /System/Library/StartupItems/iWorkServices, and decrypts an AES encrypted configuration file, which is located in /private/tmp/.iWorkServices. Finally, the Trojan acts as a back door and opens a port on the local host for connections. It then attempts to connect to the following remote hosts:
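The paragraphs above give three file-system locations the Trojan uses, plus its executable name. As an added example (not code from the original article, from Symantec, or from the researchers), the following POSIX shell script turns those artifacts into a host check a defender can run on a suspect Mac or against a mounted disk image. The three paths and the process name come from the article; the optional PREFIX argument and the function names are assumptions introduced here so the check can be pointed at a test directory instead of the live root.

```shell
#!/bin/sh
# Added example, not code from the original article or from Symantec: a
# defender-side host check for the file artifacts the article attributes to
# OSX.Iservice. The three paths are the ones named in the article. The optional
# PREFIX argument is an assumption introduced here so the same check can be run
# against a mounted disk image or a test directory instead of the live root.

# Artifacts the article says the Trojan creates. Writing to /usr/bin and
# /System/Library/StartupItems needs root (euid 0), which is why the Trojan
# checks for root before doing anything else.
IWORK_ARTIFACTS="/usr/bin/iWorkServices
/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices"

# iworkservices_scan [PREFIX]
# Prints one "FOUND: <path>" line per artifact present under PREFIX and a
# final "MATCHES: <n>" line. Returns 1 if anything matched, 0 if clean.
iworkservices_scan() {
    prefix="${1:-}"
    matches=0
    for p in $IWORK_ARTIFACTS; do
        # -e catches files, directories and symlinks alike (the article lists
        # both a file under /usr/bin and a StartupItems directory).
        if [ -e "$prefix$p" ]; then
            echo "FOUND: $prefix$p"
            matches=$((matches + 1))
        fi
    done
    echo "MATCHES: $matches"
    [ "$matches" -eq 0 ]
}

# iworkservices_process_check
# Live-host only: counts running processes whose command name matches the
# Trojan's executable name (iworkservices, per the article).
# Returns 1 if any are running, 0 otherwise.
iworkservices_process_check() {
    # grep -c prints 0 and exits non-zero on no match; "|| true" keeps the 0.
    hits=$(ps -axo comm= 2>/dev/null | grep -ci 'iworkservices' || true)
    if [ "$hits" -gt 0 ]; then
        echo "RUNNING: $hits process(es) named iworkservices"
    fi
    [ "$hits" -eq 0 ]
}

# Usage: sh iwork_check.sh --scan [PREFIX]
# Run as root so /private/tmp and the StartupItems directory are readable.
case "${1:-}" in
    --scan) iworkservices_scan "${2:-}"; iworkservices_process_check ;;
esac
```

The scan deliberately reports presence only and removes nothing: on a machine where these files turn up, the article's own advice (the Trojan runs as root and opens a listening port) means the box should be treated as fully compromised and rebuilt, not just cleaned of three paths.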
We're fairly confident now this isn't a wide-spread outbreak, but do hope that any Mac user who may have been affected now has the knowledge they need to identify if indeed they have been, and potentially to protect themselves from any further propagation of this malware thingummy...
"Asked if Mac users are under attack, Symantec notes: "The short answer, no."
That proves this is more FUD!
Sales for Symantec’s Mac antivirus software must be lagging.
If I am interpreting this correctly, you would have to download something with this in it, and then install whatever it is, in order to do damage. Am I understanding this?
bump for later reading
Yep, just the way 90% of viruses get on PCs.
Why would anyone waste their time creating a virus for the Mac? It would make more sense to target a PC since they dwarf the users of Mac.
I bet this was done by someone close to the AV company or the company that made the software that was pirated (so that it will scare others to not try and steal their software). Other than that no one wants to waste their time making a Mac virus.
Correct. And you’d have to type in your admin password to allow it to be installed. And even then it can’t reproduce automatically to other machines.
It's ripe for picking, almost no AV in use. Get 1% of the users and you have a 300,000-strong botnet, a big one by any standard.
Not only is this FUD, but it is rehashed FUD from way back in May.
These are the same Bozos who claimed in May's Virus Journal, a $150 subscription online magazine for hackers, that they had found the first Mac botnet and further claimed that there were more than 20,000 Macs involved in it. They did not report it to Symantec, their supposed employer, who still lists the number of Macs infected with this Trojan as 0 to 50. This article, despite its inflammatory headline, reports the truth:
"Asked if Mac users are under attack, Symantec notes: "The short answer, no."
If you want on or off the Mac Ping List, Freepmail me.
It’s dead, Jim.
Yep if you aren’t downloading illegal software you have nothing to worry about.
Be vewy vewy quiet. I’m hunting viwuses.
But there are still more windows 9x boxes (I think) out there that are even more ripe for the picken and can do more damage.
Wouldn’t it just be cool to be the first and wipe out an entire talking point?
Wouldn’t it just be cool to be the first and wipe out an entire talking point?
Okay, then maybe this is a stupid question, but why all the alarm and dire warnings then? If even low-tech dumb bunnies like me have figured out how to avoid this, how can it be that much of a threat? I found a concert and recital I wanted on that bit torrent thing, but decided not to indulge and ordered the DVD instead. Better safe than sorry.
Scare people to create a market for your products.
You don’t think these people are always looking to expand their business? If you were a business, wouldn’t you go after a market of 30 million more producers?
Besides, the 9x pool has been pretty much picked over already.
Yes. But you'd ALSO have to be stupidly running in Root which is not activated in the default install of OS X. Far less than 1/10 of one percent of Mac users have activated a root account. Even fewer will routinely run in root.
That's why it is so hard to believe the claim of a 20,000 unit botnet. First you have to be smart enough to know how to activate root and simultaneously stupid enough to try to rip off, from a pirate site, a free copy of trial software that is more easily obtained from Apple's own servers. The BitTorrent sites that had hosted the infected files back in January reported that the total downloads of the malware, before the files were removed, was in the "dozens." What are the odds that any one of those fewer than 100 downloaders was running in root and thereby vulnerable to being infected by this Trojan?
I didn’t even know I had something called root. And I now am beginning to seriously doubt that “The Opera Gala: Live from Baden-Baden (2007)” was one of the infected downloads. Oh well. Better the DVD.
I hope you get over it real soon. lol
“My toof hurts!”
If you don’t know whether you are you probably aren’t!
1. The malware checks to see if it's running as root, meaning euid=0 (effective uid). This is easily accomplished by any Mac user who set up their own machine, because you don't have to "activate the root account" to do it.
"sudo" is available to all members of group "admin", and the default install user is made a member of group admin so they can administer their own machine. As you know, if you run sudo from the commandline, it requests your password and then runs the command that follows, as root (euid=0). I expect that the well-known installation gui-dialog prompt for password is exactly the same mechanism -- allowing the current user to elevate to root privilege by doing a setuid of 0.
It does NOT require activating the user account called "root".
2. You mean "run as root", not "run in root".
Not really. The virus here can be done easily on any machine where some idiot is willing to steal programs and install them not knowing if they had a virus or not.
The talking point you are referring to is being able to attack a Mac over the wire without the need of a user installing a trojan. And that was already defeated with the first version of Mac OS X when the man in the middle attack was found to be viable against their update website.
Once again Mac is just too small a footprint to worry about.
This isn’t a virus but a trojan.
Once again, if the footprint is so small, all someone needs to do is write one virus that affects OS X for all to see. Then you can continue with the nonsensical argument that the Mac “footprint” is too small. How many millions of Macs will it take?
Give us a number or continue to move the goal post.
I’ll give a number 20% of the user base. Then it might actually get some attention.
Microsoft today just announced FREE Anti-virus software they have had in beta for years. Now all these anti virus folks are going to go bye bye.
It was viable, but only for a malicious server on your own LAN masquerading as Apple's server. No Mac user ever was attacked in such a way. That unexploited vulnerability was closed seven years ago.
So. Point is it was a viable attack vector so the point is moot—meaning it’s already been done. The fact it didn’t occur in the wild, see the previous posts about it being a waste of time to attack such a small percentage of machines.
You really don't know what you are talking about, for-q-Clinton. I agreed it was a viable vulnerability but I did not agree that it was a viable vector. For this to work your local area network had to already be compromised. It was a vulnerability in the early versions of OS X that was first announced by Apple when it fixed the problem. It was never exploited, nor was the possibility of it being exploited very credible, given the extreme difficulty of placing a spoofed server on a LAN.
In other words, it hasn't "already been done." This was not even a "proof-of-concept" demonstration as it was not demonstrated, merely closed.
Every vulnerability has the potential to be exploited but some are almost impossible. This man-in-the-middle attack is not a means of attacking thousands of computers, it was a retail hacking trick.
Attacking computers with malware is not a matter of percentages of all computers, for-q; it's a matter of sheer numbers. With the upcoming announcement of Apple selling more than ten million Macs this fiscal year, the sheer number of un-protected Macs out there in the wild is somewhere north of 45 million. Viruses have been written targeting just 12,000 vulnerable Windows XP computers protected by BlackIce's firewall. Others were written aimed at fewer than 30,000 smart cell phones and there was even a virus written that targeted the dozens of iPods that had been converted to run Linux, so why are the crackers and virus authors NOT writing malware for the potentially lucrative target of 45 million sitting ducks? There is a reason, but it isn't obscurity.
Oh I see you don’t deal with big enough customers or government business to understand how this was/is a significant point of attack.
Yes there are huge risks with that point of attack, but you’re right if you’re a home user it’s doubtful that it will be exploited. But if a government was using Mac OS X at that point they would be vulnerable.
Nenernenernener..... Warning! Warning! Danger Will Robinson!!! The Sky is falling!!!
All your base are belong to us!!! Somebody sent us up the bomb!
10 million new macs sold in Apple’s fiscal year, add to that the fact that the OS has been out in some form for 7 years - and how many millions of OSX machines are now online? Even if we said 45 million, would that not be an attractive target, since 99.9997% believe their machines are essentially virus and trojan-proof and thus run no form of antivirus?
That is why the “obscurity” argument just doesn’t fly...
It might be the first time, but a second time... then it isn’t the first!
Why are you crowing about a mere "speck" in the eye of OS X, while ignoring the multiple "logs" in your own preferred platform's eyes, for-q?
I fully understand it was a potential point of attack with "huge risks" (there have been thousands of such potential points of attack on Windows) but I also understand that this one for OS X was never exploited. I also understand that such an exploit depended on the existence of an already compromised (by some other means) computer on the local area network where the targeted computers are connected before it could have been a danger. I also completely understand that this so-called "significant point of attack" was in a very early version of a developing technology and that the vulnerability was present only for a very short time before it was pro-actively CLOSED, SEALED SHUT, ENDED by Apple soon after it was discovered, before it was ever known about by anyone who could have exploited it.
The point is, for-q, Apple added digital security signature technology to all of its Software Update packages to prevent a success of man-in-the-middle attacks using this means of attack. That preventive measure is something not done by Microsoft for Windows Update until at least a year after Apple did it.
Shall we discuss some of the "logs" in Windows eyes? Shall we talk about all the "significant points" of attacks that existed in every version of Windows of the past, for-q? Ones that were actually exploited... for example, the vulnerabilities used by the various versions of the Conficker/downadup/kido worm that did indeed infect thousands of military and government computers this past year?
Are you aware, for-q, after Apple had closed the vulnerability you are claiming "has already been done" implying to readers of this thread that the mere existence of the vulnerability means that it WAS exploited and that the Mac has been infected with malware, that the man-in-the-middle attack WAS used by crackers to intercept update requests from Windows' users and infect those users' computers?
You, with your claim "that it has already been done," are apparently incapable of understanding the difference between a potential vulnerability and a real world, out-in-the-wild, exploit doing actual damage.
By the way, The US Army is using Mac OS X for their website:
and is deploying more for security reasons because it would make them more secure.
You miss the point again. The reason why it wasn’t exploited is because the install base isn’t large enough.
If Mac OS X was a large install base it would have been exploited because you could be guaranteed that some users wouldn’t have patched the original bug.
This is how most windows viruses spread (and Linux too). Unpatched machines. Some users/administrators are just too stupid to patch a box. So when you take in the limited amount of Mac OS X users and the fact that there are different versions the viable attack vector is very small. You’d have to find someone that has the specific build you want to attack...and in this case the bug was in the first version of Mac OS X. So you’d have to find someone who bought a Mac with the original version and didn’t patch it right away. Using today’s number of users of Mac OS X isn’t reality of what was in place at the time of the bug.
I’m sure Microsoft would love to just say everyone was on Windows 7 the day it launched but that’s not reality. So how many of those Mac OS X boxes with the bug were actually on a LAN during the time of it being unpatched? Give me that number and you’ll see why it was never exploited.