iBotnet: Researchers find signs of zombie Macs

Malware hunters at Symantec have discovered a direct link between a malicious file embedded in pirated copies of Apple’s iWork 09 software and what appears to be the first Mac OS X botnet launching denial-of-service attacks.

Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants -- OSX.Iservice and OSX.Iservice.B -- using different techniques to obtain the user's password and take control of the infected Mac machine.

[ SEE: Mac OS X Malware found in pirated Apple iWork 09 ]

The variants have been found inside bogus copies of iWork ’09 and Adobe Photoshop CS4 which were shared on the popular p2p torrent network. The author of the malware downloaded the original/trial versions of each program and introduced a copy of the malicious binary into the packages. Users who then downloaded and installed the applications from the torrent download would have been infected. It is estimated that thousands of people have downloaded the infected torrent files.

They describe this as the "first real attempt to create a Mac botnet" and note that the zombie Macs are already being used for nefarious purposes.

The researchers pointed to this blog entry that describes a PHP script, running as root, launching attacks against an unknown Web site.

The article goes into detail on the botnet's peer-to-peer engine, startup and encryption capabilities and configuration file structure and concludes that the person who wrote the malware is not the same as the person who actually 'used' it.

"The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future," the researchers added.

Topics: Software, Apple, Collaboration, Hardware, Malware, Security

Talkback

437 comments
  • HAHAHAHAHAHAHAHAHAHA!!!!!!

    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!

    (breath)

    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHA!!!!!!

    :) :) :)
    NonZealot
    • Now stop that... It's Lies! All Lies! (NT)

      .
      Badgered
      • yep

        He already knows this, that's why he's laughing.
        observer1959
      • Not an OS Break-in

        While it's notable to discover a zombie Mac infection, keep in mind that this wasn't an OS exploit. It was an install virus like the ones you used to see back in 1990. People who download and install pirate software should expect their computers to be compromised by a virus.

        www.admonkey.org
        mlibrescu
        • re: Not an OS Break-in

          [i]While it's notable to discover a zombie Mac infection, keep in mind that this wasn't an OS exploit. It was an install virus like the ones you used to see back in 1990. People who download and install pirate software should expect their computers to be compromised by a virus.[/i]

          Agreed. But as has been discussed, it really doesn't matter if it's a Trojan, Worm, or Virus. [b]The end result is a Mac botnet. E.O.S.[/b]

          Like many Windows users who don't patch and protect their systems, this can and will happen.

          The difference is that now Mac users must be alerted to pay attention, and use some method to check and protect their OS. Just like Windows users. Unfortunately, for some... this won't happen... just like Windows users.
          Badgered
          • Hey! I patented E.O.S. - You owe me $ 0.35 USD !! (NT)

            NT
            No More Microsoft Software Ever!
        • Oh really? <whew>!!

          I'll go tell my friend who just found out her Mac is part of that botnet that, as she always thought, she's perfectly fine because she owns a Mac.

          Yep, users who are infected by this trojan were asking for it. But that's not the point. The average joe Mac user believes he or she is immune to any type of attack or vulnerability just because he/she has a Mac.

          The misinformation and half-truths that Apple and its fanbois have spread throughout the years is finally catching up to some of their users.

          So to continue NZ's post:
          HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!
          HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!
          HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!
          HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!
          HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!
          HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!

          etc etc etc
          tikigawd
          • Which is really funny...

            because your average Joe computer user is a
            pirate. Grandma sure does know her way around
            these here tubes.
            bitshiftr
        • @mlibrescu4

          "keep in mind that this wasn't an OS exploit. It was an install virus like the ones you used to see back in 1990."

          Your point being.. Most exploits aren't through the OS itself. They're through 3rd party software or install viruses. And that applies to all OSs.

          What you -should- keep in mind is that most Mac users don't run a Firewall or Antivirus because they think their computer is secure. And Apple doesn't patch OS vulnerabilities straight away, they wait till they have a heap of them.

          Which is a bigger problem than an install virus. An install virus generally has limited capabilities compared to an OS level exploit.
          Chrissd
      • No stop following...

        Start leading :)
        wtfnix
    • My thoughts too (NT)

      <
      Loverock Davidson
    • NZ! NZ! Now I'm almost as scared as a PC user! How y'll live like this? :)

      nt
      Davewrite
      • Not so hard eh. (NT)

        NT
        Cayble
    • I like this part...

      --> (breath)

      That was a very nice touch. <chuckle>
      PollyProteus
      • Shoulda added this part at the end...

        - - -> (wheeze) ((wipe tears))
        copterdriver
    • Translation

      I feel better about myself using Windows because now someone else's
      operating system is also exploited.

      Yeah, I know, it has all the emotional maturity of a 12-year old.
      frgough
      • WRONG - it's laughing at arrogance

        Many, most, if not just about all OSX users have been claiming they don't need virus protection.

        This, regardless of how at every security competition, OSX is hacked within minutes if not seconds.

        Now, someone realized that there are millions of idiot Mac owners that can be easily used for the Denial of Service Attacks.

        So yes, we are laughing at the arrogance, denial, and down-right stupidity of Mac owners.
        JABBER_WOLF
        • @JABBER_WOLF

          "Now, someone realized that there are millions of idiot Mac owners that can be easily used for the Denial of Service Attacks."

          Please provide the link that states Millions of Macs.
          Axsimulate
          • well...

            There are millions who don't use Mac, so I'd go
            with the millions triggering the true in that
            particular gate. As per the CIA World Factbook:
            There are approximately 6,790,062,216 people in
            the world.

            As for the claim there are millions of idiot
            mac owners:
            http://idaconcpts.com/2008/12/05/a-not-so-simple-question-how-many-mac-users-are-there-in-the-world/

            The common held belief is 22 million mac users,
            the probably more accurate is around 25. Either
            way, this is more than the 2 million required
            for the stated "millions."
            evilkillerwhale@...
          • @evilkillerwhale

            Perhaps I didn't make myself clear enough. He stated that there were millions of Macs that made up the iBotnet, I was asking for links that backed up that claim, since all I have seen so far is thousands.
            Axsimulate