iBotnet: Researchers find signs of zombie Macs

Malware hunters at Symantec have discovered a direct link between a malicious file embedded in pirated copies of Apple’s iWork 09 software and what appears to be the first Mac OS X botnet launching denial-of-service attacks.

Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants -- OSX.Iservice and OSX.Iservice.B -- using different techniques to obtain the user's password and take control of the infected Mac machine.

[ SEE: Mac OS X Malware found in pirated Apple iWork 09 ]

The variants have been found inside bogus copies of iWork ’09 and Adobe Photoshop CS4 which were shared on the popular p2p torrent network. The author of the malware downloaded the original/trial versions of each program and introduced a copy of the malicious binary into the packages.  Users who then downloaded and installed the applications from the torrent download would have been infected. It is estimated that thousands of people have downloaded the infected torrent files.

They describe this as the "first real attempt to create a Mac botnet" and notes that the zombie Macs are already being used for nefarious purposes.

The researchers pointed to this blog entry that describes a a PHP script, running as root, launching attacks against an unknown Web site.

The article goes into detail on the botnet's peer-to-peer engine, startup and encryption capabilities and configuration file structure and concludes that the person who wrote the malware is not the same as the person who actually 'used' it.

"The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future," the researchers added.

* Image via joseloya's Flickr photostream (Creative Commons 2.0)