All Your Apple Belong To Us: First Mac Botnet?

Thursday, April 16, 2009 at 8:55 pm

Ryan Naraine at ZDNet has a shocker: Symantec says it has evidence of the first known botnet made up of Mac computers, and that the botnet is attempting to launch denial-of-service attacks. The root cause appears to be cracked copies of iWork ’09 and Adobe Photoshop CS4 that also carry an additional payload containing the botnet code.

These applications are apparently making the rounds on BitTorrent. Moral of the story here? Stop using pirated apps.

OSX.Iservice and OSX.Iservice.B are the names of the malicious files; they essentially obtain the Mac’s password, allowing the hackers to take control of the machine. Symantec estimates that the number of affected Macs is in the thousands.

So much for the ‘Macs are immune’ meme. While this doesn’t point to an actual vulnerability just yet, it indicates that Macs like every other computer can be used for malicious purposes.

Of course the Apple faithful will be quick to yell this down, but I don’t think dismissing this is a good idea. So suck it up people and download a Mac virus scanner. Yes, you do need it.

I think the above is enough proof that the threat is real, no?

Update: Commenter Dave Barnes brought up another good program for detecting unwanted outgoing data: Little Snitch.


22 Comments For This Post

  1. sfmitch Says:

    Just to be clear – the folks who got infected downloaded pirated software & then used their Administrative level password to install the malware.

    As always, only enter your administrator password to install software when you trust the source.

    Thanks, but I’ll pass on the anti-virus software. There’s still no such thing as a Mac virus.

  2. Ed Oswald Says:

    Sfmitch, thanks for proving my point. :)

  3. Allison Says:

    I would ask for forensic proof to back these estimates of estimates.

  4. Vox Says:

    Stupidity is universal, be it users of any OS…hell, I know OS390 admins who are idiots.

    On the other hand…how does stupidity prove anything one way or another?

  5. Yikes Says:

    “Ryan Naraine at ZDNet has a shocker”

    This is not really a shocker, OSX.Trojan.iService has been discovered by Intego last January: “When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password.” At the time, the firm updated the blog post to say that: “Intego is getting reports of the iServices.A Trojan horse actively downloading new code and acting as a botnet, participating in distributed denial of service attacks on certain websites.”

    http://blog.intego.com/2009/01/22/mac-trojan-horse-osxtrojaniservicesa-found-in-pirated-apple-iwork-09/

    “So much for the ‘Macs are immune’ meme.”

    No OS is immune (as in: not susceptible) to malware. Especially when the user is tricked to install it.

    “I think the above is enough proof that the threat is real, no?”

    No, sfmitch is right. iServices doesn’t exploit any vulnerability. You won’t get it if you don’t install pirated software. If it could be installed silently without any interaction, say while browsing the web, that would be another matter.

  6. Ed Oswald Says:

    Did I say it exposes a vulnerability? People will pirate software, period. But this proves Macs can be used in malicious purposes just the same as Windows PCs. Again, get antivirus. :)

  7. Simon Says:

    Wow, we’re enjoying this a little too much aren’t we, Mr Oswald?

    I thought Technologizer was a bit better than that…

  8. Bob Van Valzah Says:

    It’s probably best to think about exactly what is being attacked to build Windows botnets vs. Mac botnets. The authors of Windows botnets have generally exploited vulnerabilities in _Windows_, while the reported Mac botnet authors exploited vulnerabilities in _people_. The compromised Macs in this botnet were administered by people whose interest in pirated software left them vulnerable to attack.

    Windows is long past the point where an idle machine is vulnerable to remote exploit, so it’s reasonable to point out that people must _use_ a machine to make it vulnerable to becoming part of a botnet. The difference is that the Windows platform has shown a track record of vulnerabilities that can be exploited as part of relatively innocent acts (opening an office document, web surfing, reading mail) while successful Mac exploits have required careless use of administrator privilege. So in this sense, botnet authors are always attacking people. It’s a question of attacking them when they think they’re doing innocent things or attacking them when they know their guard should be up.

    I’m sure Mac OS X has had vulnerabilities in the past that could’ve been exploited to build botnets without attacking people using administrator privilege. It may have them now. You can attack any platform by attacking the administrators of it. It’s just easier to attack people using platforms like Windows due to the vulnerabilities in the platform itself.

  9. Jimmy james Says:

    99% of viruses are installed on a network as a result of a dumb user downloading and installing an infected software package, or launching an attachment in an email. Don’t brush this off as “not a virus” as it is a virus. It illegally installed on a computer without the user’s knowledge, that is a virus. That is the reason Microsoft started putting up all the prompts to warn you when you launched an installer. It won’t be long now, and Macs will have to start doing the same thing all the while idiots like you will be claiming “but this isn’t a REAL virus.” Dumb, dumb, dumb, a REAL virus uses dumb users to help it load, just like this one.

  10. sfmitch Says:

    “Of course the Apple faithful will be quick to yell this down, but I don’t think dismissing this is a good idea. So suck it up people and download a Mac virus scanner. Yes, you do need it.”

    So anyone who doesn’t agree with your sentiment is now ‘the Apple faithful’. Please get a grip. I happen to not agree with the message of your post – the only thing that makes me is someone willing to offer my opinion. It doesn’t get me lumped into the mythical mindless horde of Apple faithful who support anything Apple does.

    If the day comes when there are real viruses for Macs then I will take precautions but this is not that day. I believe virus software for the Mac is an unnecessary product that will reduce my system performance without providing me benefits that outweigh the cost.

    and re:

    “But this proves Macs can be used in malicious purposes just the same as Windows PCs”

    I have never heard anyone say otherwise. Of course Macs can be used in malicious purposes. Any computer can.

  11. Ed Oswald Says:

    Bob, Jimmy — well put. It is malware at its core. People I think just want to mince words, and if they do, that’s fine with me.

    Simon, good lord. I’m enjoying nothing — if I may ask, why when something negative is written about Apple do people get so sensitive?

  12. Dave Barnes Says:

    I would expect Little Snitch to tell me if botnet code was trying to send data from my Mac.

  13. Bob Van Valzah Says:

    Ed, negative things can be reported dispassionately or from a point of view carried through the author’s tone.

    Your use of “shocker” in your opening sentence along with “so suck it up people” in the close could suggest your point of view was sarcastic and/or condescending in the minds of many readers. They could interpret this tone as though you knew this was going to happen all along. Did you mean to scold them because they should’ve known it too? I think your article can reasonably be read that way.

    It’s certainly true that the eventual existence of Mac botnets could have been predicted and that Mac users should be prepared. But if as I said, any platform can be attacked by attacking its administrators, then singling out Mac users for a scolding seems unwarranted.

    I don’t take Simon’s comments as a reaction to something negative you wrote about Apple. Indeed I don’t interpret your article as something negative about Apple at all. Administrators of Apple products were attacked, not Apple or its products. If there’s room for a feeling of superiority, it may be among cautious administrators over careless ones.

    There are certainly “Apple people” as you call them who have a feeling of superiority over Windows users. But I hope you can see that what seems to be sensitivity among Apple people might be triggered by perceived sarcasm and condescension.

  14. Bob Van Valzah Says:

    In my earlier comments, I’ve been careful to differentiate between users of a platform and administrators of it. These roles are different in many corporate environments, but are held by the same person for other environments.

    It’s interesting to note that Apple makes no such distinction between user and administrator roles for the OS used on its iPhone and iPod Touch products. There is no notion of administrator privilege required to install an application. Consequently, they allow only digitally signed applications to be installed. They sign applications only after inspection shows no signs of malware. There’s a well-reported “kill switch” mechanism that can disable an application in the field that is discovered to contain malware missed in the pre-signature inspection.

    These measures seem draconian to some and the result can reasonably be called a closed platform. But your article points up the widely under-appreciated benefit: Apple takes the burden of being the prudent administrator for the iPhone platform so that it will remain free of malware.

    I’m glad they made this choice for their handheld platform and kept the administrator role separate on the Mac. It is abundantly clear in retrospect that Microsoft did not think clearly about the separation between user and administrative roles in the initial design of Windows. Their desire to maintain backward compatibility with user applications written assuming they had administrator privilege has left XP open to a wide range of systemic vulnerabilities that can never be closed. The UAC mechanism first tried in Vista offers some hope, but we’ll have to see if Windows 7 final can find a proper balance between secure operation for users without being an invasive burden.

  15. Ed Oswald Says:

    Bob – maybe “suck it up” was a little strong, I will give you that. However, in my four years covering Apple I’ve found that there is a very vocal group of Macheads who when negative stories appear about Apple, the immediate reaction is to attack the messenger.

    You do tire of it after awhile, and sometimes it comes through.

    But I think here we now see that yes, there is the threat, and yes, not even the administrator safeguards will protect some people. The fact is, people pirate software. Is it wrong? Yes. But I cannot see a valid argument in why anyone, regardless of operating system, should not have malware safeguards installed in this day and age.

    It’s no secret at hacker conventions that Mac OS is now the target of choice in contests. Eventually, they’re going to find a hole. Nobody, or no company, is perfect.

  16. Bob Van Valzah Says:

    Yes Ed, I can see how zealotry and even bigotry from any community can be tiring. It’s sometimes harder to detect and easier to tolerate when it’s coming from one’s own community.

    I’m no fan of the J-school dogma that every article contain quotes from partisan voices on both sides of each issue. I welcome reporting from a point of view as long as the point of view is acknowledged. I can certainly see how reporting on Apple news requires thick skin.

    Yes, Macs are increasingly the targets in hacking contests. Many believe that paid hackers have long targeted the Mac because users of Apple products tend to be high-value targets. High disposable income, high net worth, etc.

    Running malware scanning software on Windows can be burdensome, yet I would recommend it for most users. I do know of many savvy Windows administrators who effectively use Intrusion Detection Systems to scan their networks for signs of trouble rather than relying on scanners running on Windows. This certainly isn’t for everyone, but we have to remember that Conficker disables malware scanners and even access to scanner update sites. So it’s unwise to be overly reliant on Windows malware scanning alone.

    The need for scanning is probably proportional to the vulnerability of your platform, the riskiness of your behavior, and number of machines on your network. Perhaps we could agree that Windows users surfing porn sites from large networks are more likely to benefit from the burdens of virus scanning than the little old lady using a Mac to E-mail family from home?

  17. Ed Oswald Says:

    Laughing at your last part there, and I agree. I think it’s a subject that the Mac community needs to come to terms with. It’s an ever-increasing threat. It’s also a by-product of popularity. Who wants to target a computer used by 2 percent — isn’t it a much more attractive target when that number is now four to five times that?

  18. Vox Says:

    My problem with your article, Ed, is that your premise is false.

    It is *not* the first botnet using/involving Macs (check some sites about real security, you’ll see reports from *at the very least* last year about a botnet running on Macs), so…wrong.

    Also, trojans like this one depend on only one vulnerability…users’ stupidity…and no amount of antimalware will save a system from that.

    In other words…a) this is nothing new and b) there’s no anti-stupidity program that will save a system…which means, nothing to see here, move along.

  19. Ed Oswald Says:

    Vox, your premise is also false. Anti-malware, regardless of user intelligence level, is typically built to detect suspicious activity. This is how these applications can respond to emerging threats without a new definition file, per se.

    Antimalware has made great strides in the past few years. Your impression of this type of software is slightly dated.

  20. Vox Says:

    You may be right about my impression of that type of software…being a linux user/admin for the last 12 years, I haven’t had to use any of that stuff :) And OSX being based on a decent *NIX (that being the reason why I moved to OSX on the desktop 3 months ago) shouldn’t need any of that crap, as long as one is smart about what you do and how you use and what you install on your computer.

    On the other hand…what’s suspicious activity? Who defines it in those programs? Or is it like SELinux, where everything is suspicious unless you tell it it isn’t?

  21. sfmitch Says:

    The question really comes down to ‘what are the chances a mac user will get infected if they don’t use anti-virus and/or anti-spyware software’?

    I believe the answer is still basically zero so I don’t use anti-virus and anti-spyware software on my own Macs or recommend it to others. If things change, so will I.

    Ed, do you run a Windows PC as your primary system?

    The reason I ask is that I’ve seen Windows users come to believe that it is perfectly normal to install anti-virus software, one or more anti-spyware programs and a 3rd party firewall. They wind up getting pestered with messages (downloading update now, installing update, scanning email message # 1, scanning email message # 2, starting scan, scan in progress, etc.), having system resources get gobbled up and still are convinced their system is infected.

    It is hard for a Windows user to embrace the Mac and its ready out of the box experience.

    Let’s just say that a real virus or spyware problem becomes a reality for the Mac, then is the time to install protective software. Protecting against a problem that doesn’t exist is pretty silly.

  22. Russell Says:

    Yes, Mac has had a virus. Not many but yes there was one. It is not a virus that you need to be worried about. Trojans and worms are the stuff of IT nightmares. That is what this Mac Bot issue was. The problem (both Windows and Mac) is that if someone thinks they can’t be fooled that is when they will be. Mac users are constantly saying they can’t be infected. I’ve heard many IT people say that as long as you’ve got a Mac there are no worries. With more Macs being sold and so few being protected (by software or by smart users), Mac Trojans WILL become more common. This Bot Scare is proof of concept. Be smart. Think before you click.

    As a side note, I have worked with computers since the early ’80s and have NEVER been infected. I have cleaned up many a computer with malware, and it seems it’s always the same “I just clicked on the ad”.
