UPDATED: Symantec researchers issue first Mac botnet malware warning
Security researchers at Symantec have uncovered what they suspect may be the first Mac OS X botnet launching denial-of-service attacks.
As revealed in a recent edition of Virus Bulletin, the researchers claim to have found two malware types which use different tricks to grab control of infected Mac OS X machines.
The two malware bundles are called OSX.Iservice and OSX.Iservice.B, and appear to be spread within pirated copies of iWork 09 and Photoshop CS4, distributed on the popular P2P torrent network. We've talked about these before but now these infected machines are springing into action.
It seems the malware maker got hold of original copies of both applications and inserted the malicious binaries into the software. Users who download and install these apps may then be affected.
Researchers Mario Ballano Barcena and Alfredo Pesoli warn this to be “the first real attempt to create a Mac botnet”, and state that these zombie Macs are already going about bad business. Thousands of Macs may have been infected, they warn.
The researchers also note that the malware author appears to have used the most flexible and extensible approach when creating the code; “therefore, we would not be surprised to see a new, modified variant in the near future,” they said.
We’re attempting to unearth further information at this time.
UPDATE: We've managed a little chat with Symantec, details follow:
- The infection is also known as: OSX/iWorkServ.A [F-Secure], OSX/IWService [McAfee], OSX/iWorkS-A [Sophos], OSX_KROWI.A [Trend], OSX/iWorkS-Fam [Sophos], OSX/Krowi.A [Computer Associates].
- They warn: "Users who download files from third party sites and from P2P networks such as BitTorrent are at risk. More generally, anyone who surfs the internet should be aware of the threat of fake web sites, called phishing sites, that steal passwords, identity information and credit card numbers."
- Asked if Mac users are under attack, Symantec notes: "The short answer, no. Users of Macintosh computers continue to have little to fear from viruses, trojans and worms so long as they take reasonable precautions."
More general info on the malware:
The two versions of the trojan, called OSX.Iservice and OSX.Iservice.B, both create a network of computers (a “botnet”) that can be used by cyber criminals to attack web sites, send junk email (spam), steal passwords and carry out other malicious activities. Some have called this network the "iBotnet".
The trojans are distributed in pirated copies of Apple Computer’s iWork ’09 and Adobe Photoshop CS4 found on some P2P networks. Other than installing the company's anti-virus technologies (and warning against free solutions purporting to do this, as these are often flawed), the company advises that Mac users who frequently download files and apps should "Create a limited or non-administrator account for day to day activities. Use an account with full privileges only when necessary."
The fake iWork ’09 installer has the filename iWork09.zip and is approximately 450MB in size. In contrast, the legitimate trial version of iWork ’09 that is available from Apple is named iWork09Trial.dmg and is slightly over 451MB. The iWorkServices.pkg contains the Trojan executable named iworkservices, and is approximately 404KB in size.
The Trojan first determines if it is the root user on the compromised computer and if not, it will end. Then, it checks to see if it was executed with the file name iWorkServices. If not, it will create the following folder:
/System/Library/StartupItems/iWorkServices
The Trojan then copies itself to both of the following locations:
/usr/bin/iWorkServices
/System/Library/StartupItems/iWorkServices
It then modifies the following file to ensure that it runs when the compromised computer restarts:
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
The Trojan then restarts itself from its new location in /System/Library/StartupItems/iWorkServices, and decrypts an AES-encrypted configuration file, which is located in /private/tmp/.iWorkServices. Finally, the Trojan acts as a back door and opens a port on the local host for connections. It then attempts to connect to the following remote hosts:
69.92.177.146:59201
qwfojzlk.freehostia.com:1024
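A defender-side check for the artefacts described above, added here as an example (it is not Symantec's or 9to5Mac's code): it looks for the file paths and the two remote endpoints the write-up lists, and takes an assumed ROOT prefix so a suspect disk mounted elsewhere can be checked the same way as the live system.

```shell
#!/bin/sh
# Added example, not Symantec's or 9to5Mac's code: a read-only check for the
# OSX.Iservice artefacts and remote endpoints listed in the write-up above.
# Assumption: ROOT is a path prefix ("" for the live system) so the same check
# can be run against a suspect disk mounted under e.g. /Volumes/Suspect.
# File-system indicators taken from the article.
ISERVICE_PATHS="/usr/bin/iWorkServices
/System/Library/StartupItems/iWorkServices
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
/private/tmp/.iWorkServices"
# Remote endpoints taken from the article, as "host port" pairs.
ISERVICE_C2="69.92.177.146 59201
qwfojzlk.freehostia.com 1024"

# iservice_check ROOT: prints each indicator that exists under ROOT.
# Returns 0 when none exists (clean) and 1 when at least one does.
iservice_check() {
    root="$1"; hits=0
    for p in $ISERVICE_PATHS; do
        if [ -e "$root$p" ]; then
            printf 'FOUND: %s\n' "$root$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ] && return 0
    return 1
}

# iservice_net_check: reads `netstat -an`-style lines on stdin (macOS writes
# addr.port, Linux addr:port) and prints the lines that talk to either endpoint.
# Returns 0 when nothing matches and 1 otherwise.
iservice_net_check() {
    input=$(cat); hits=0
    while read -r host port; do
        host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
        if printf '%s\n' "$input" | grep -E "(^|[^0-9A-Za-z.])${host_re}[.:]${port}([^0-9]|$)"; then
            hits=$((hits + 1))
        fi
    done <<EOF
$ISERVICE_C2
EOF
    [ "$hits" -eq 0 ] && return 0
    return 1
}

# Live run on the machine itself: sh iservice_check.sh --live
if [ "${1:-}" = "--live" ]; then
    iservice_check "" || echo "OSX.Iservice file indicators present"
    netstat -an | iservice_net_check || echo "connection to an OSX.Iservice endpoint"
fi
```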
We're fairly confident now this isn't a widespread outbreak, but do hope that any Mac user who may have been affected now has the knowledge they need to identify if indeed they have been, and potentially to protect themselves from any further propagation of this malware thingummy...
Comments (28)
>>"We’re attempting to unearth further information at this time."
Yeah, like how the malware manifests itself. Might any of the hiccups most computers have from time to time be attributed to this?
Twice in the past week I've gotten emails purportedly from my daughter's email address, but they contained spam--a viagra ad in one, an .exe file in the other. I've not seen that before. The long header indicated it came from another yahoo address. I'm guessing someone with a victimized and virus-ized PC that had gotten email from my daughter bounced emails back to the addresses associated with hers. Might this new malware have facilitated that? Or might this malware have generated those emails directly from her Mac?
Tell us more.
The Mac malware mentioned likely has nothing to do with your problem. Spammers have used my address before. I've gotten messages about undeliverable messages I've never sent! The originating address is usually shut down before you can report it.
This type of e-mail issue is accomplished by spoofing the address. Unfortunately it is quite easy to do. Spoofing has been around for years and I strongly doubt it has anything to do with the problem described in this piece.
Oh my. Good thing I don't pirate software.
Exactly!
For people that install stuff when they really don't know where it came from or who put it there. This is a lesson that goes back to 1990 when viruses started showing up!
Symantec is the one that actually came up with that concept. Symantec is desperate to make some money. Did you know that all virus writer actually work for anti-virus? Yup.
Your mom wrote: "Did you know that all virus writer actually work for anti-virus? Yup."
Not yup. That's just a silly assertion. So if I started writing a virus, I'd automatically become an employee of an anti-virus company? And I'd have to watch the mailbox for my weekly paychecks? I don't think so. My mom's smarter than your mom.
"Symantec is the one that actually came up with that concept. Symantec is desperate to make some money. Did you know that all virus writer actually work for anti-virus? Yup"
---
Sadly, IMO, it's common that people with this kind of mentality are the ones who unknowingly spread malware through lack of education and the use of warez.
It's not exactly a new concept is it, really? Malware distributed to people who want software for nothing as they are more likely to 'risk' installing something from an un-reputable source.
IMO, the reason it's so unheard of on the Mac platform is that Mac users seem to be more likely to purchase software than use pirated versions.
//ian
(Yes, I work at Symantec and no I don't write malware. This reply is my opinion only, not necessarily the gospel according to Symantec)
I don't pirate so I really am not worried about this at all. Everyone that does pirate ought to know that it can be risky.
1. Pirating is illegal and you could be prosecuted if you are caught and slapped with a hefty fine.
2. Pirated versions of software are one of the most common ways that malware is spread or infects machines.
3. You are sacrificing your own personal ethics.
ya, so? $1,000 for CS4 is just too damn pricey for me. I'll take my chances.
so you've established WHAT you are AND your price!?
Downloading it from the official site is far safer than pirating CS4, and it's Free/Open. That way you can keep your computer and your conscience clear.
I'm sorry, but malicious code downloaded in pirated software is NOT malware any more than are actions taken by someone you've allowed to sit at your computer.
If this kind of crap gets on your machine, it's because YOU explicitly installed it... you entered your admin password when the pirated app asked for it.
If anything, it's karma, not malware.
hahahahahaha macs got a virus!
Nope, a virus doesn't need permission to install itself, run, and propagate. This does. It's not a virus, but a trojan. At this point I think the only way to protect from trojans is to educate users.
hahahaha, the noob can't read:
"- Asked if Mac users are under attack, Symantec notes: 'The short answer, no. Users of Macintosh computers continue to have little to fear from viruses, trojans and worms so long as they take reasonable precautions'."
sorry, this is only a test
"The Trojan first determines if it is the root user on the compromised computer and if not, it will end."
Since the vast majority of mac users have no idea of what root is (and it's disabled by default) how is this a problem?
Since most of the cracks of CS4 require one to modify their hosts file, it's conceivable some of those are becoming root users to do so. Smart people would just use sudo.
While I understand average people not knowing the difference between a virus, trojan and malware, it amazes me the people that talk like they know the definitions when they're totally wrong.
It's also karma that, when Apple runs ads claiming "we don't get malware or viruses", they're going to incite people to create malware and viruses for Macs. A chain is only as strong as its weakest link and, 9 times out of 10, humans are the weak link rather than the software.
ok, this is 2 (not to say there are no other viruses) but I'm pretty sure windoze is in the tens of thousands range right now.....
Apple has claimed that Macs don't get viruses. I don't recall Apple claiming that Macs are immune to malware... how could they be when a user actually installs it?
If Apple has advertised that Macs don't get malware, I would like to hear about it. I don't think they have, though.
If someone has downloaded and installed a copy of said software, the article says that it is placed in (and runs from) "/usr/bin/iWorkServices and
/System/Library/StartupItems/iWorkServices". Isn't it just possible to delete these folders and then edit /System/Library/StartupItems/iWorkServices/StartupParameters.plist to make sure it's not there?
deleting the files will fix the problem.
...if you have it.
If you have to ask this however, you likely are not running as 'root' anyway.
Not only the iWork & Photoshop CS4 modified installers, but also the "Social Engineering" "Free HD web streaming" website that ran for a while: it would tell people they needed a plugin to view the content, a "quicktime component" (.dmg) would download and prompt to install, asking for the admin password. After installing, if the user went back to the website, they would just get the same thing, asking to install the plugin.
I've manually removed these "malware" (cron entry, startupitem, and a couple of bits left in the /library/internet plug-ins/ directory; the actual program is usually located there, and that is what does the DNS hijacking, plus listens on a certain port allowing a back door into the system).
Adobe produces crap anyway. For most people there are OS X graphics programs that achieve what they would need to do at a fraction of the cost - pixelmator, acorn, lineform, opacity et al. - so why you'd risk malware by downloading something like this is beyond me ...
Apple provides a free trial of iWork too if you're that desperate for it ... you can always keep uninstalling and re-installing it if for some reason you can't justify spending the cash.
Karma sounds about right.
The Trojan first determines if it is the root user on the compromised computer and if not, it will end.
'Nuff said. Who runs their Mac with a Root user account? I'll bet most mac users don't even know how to enable the Root user.
I don't understand why you'd rile up a bunch of people with an article like this and leave the above little tidbit of information at the very end.
Why isn't the article named "UPDATED: Symantec researchers issue first Mac botnet malware warning - only applies to idiots running a Root User account"?