New OS X Backdoor Malware Roping Macs Into Botnet 172
An anonymous reader writes New malware targeting Mac machines, opening backdoors on them and roping them into a botnet currently numbering around 17,000 zombies has been spotted. The malware, dubbed Mac.BackDoor.iWorm, targets computers running OS X and makes extensive use of encryption in its routines, Dr. Web researchers noted. What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit. The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.
Well (Score:5, Funny)
I'm sure the botnet just works and that it's a great feature.....
Re: Well (Score:1)
Reddit?
Will this one be popularly known as the Hipster Virus?
Quite useless article (Score:5, Informative)
Re: (Score:1, Funny)
>>Does it spread through utter user stupidity
Duh, you have to use a Mac to get it!
Re: Quite useless article (Score:1, Funny)
Hold on there, now.
Apple pays some fairly smart people to use Macs. It's not all hairdressers and graphics designers.
Re:Quite useless article (Score:5, Funny)
Well I'm a mac user and I think that you'll find that I am quite superior to you in every way.
Re:Quite useless article (Score:4, Insightful)
I've found most Mac users seem to respect BSD users. They assume anyone running windows is IQ challenged.
Re:Quite useless article (Score:4, Interesting)
I assume anyone running Windows is a gamer, anyone running OS X is doing desktop/front-end work and anyone running Linux/BSD is doing server work.
Re: (Score:2)
Re: (Score:2)
A lot of us use OS X for server work. A real terminal (though I really just need ssh and scp), can use nearly every tool I can use on Linux, yet not stuck with the *cough* horrendous Linux desktop experience.
Plus, I get the added bonus of being able to ARD mac systems, test AFP shares from servers that use them, and run Win and Linux VMs. The only way to run all three without wasting a lot of time is on a Mac.
Re: (Score:2)
I respect all real operating systems by which I mean all Unix-like operating systems. Everything else is shit, by which I mean Windows is shit. Way back, the classic Mac system software was shit too.
My wife once asked me why Unix was so great. I told her it's hard to explain, but those guys at AT&T were just touched by God or something. They did it right. Other attempts at making general purpose operating systems have not been right.
Re: (Score:2)
Re: (Score:2)
Considering the number of Windows machines on botnets.....
Re: (Score:1)
Windows machines don't count. They're designed to be backdoored. Apple's actually are supposed to be secure.
Re: (Score:2)
Nothing is ever 100%. 99.99999 is achievable but not really much fun for daily web surfing and such. The trick is to keep an OS on an Optical disk. I use a linux distro the USAF provides called LPS for banking and such. I boot my laptop from it, do my business and pull the disk and reboot for surfing the Web.
http://www.spi.dod.mil/lipose.... [dod.mil]
Re: (Score:2)
Well....I actually work for the Air Force as a civilian. Thus they already have pretty much all my personal information in my 201 file.
Comment removed (Score:4, Informative)
Re:Quite useless article (Score:5, Insightful)
Hmm, I've been on UNIX since SunOS days and Solaris was the new kid on the block. I've written a device driver that shipped in a commercial UNIX kernel. That said, I chose as my desktop a hybrid BSD/Microkernel architecture with POSIX compliance and a modern GUI. Or in other words, a Mac.
Macs are not stupid, they are made to be simple to use. That external simplicity hides a deep complexity underneath. I think people who don't understand that making something complex to be simple to use is one of the hardest things in Computer Science. A good size for desktop computers now is about 8GB of RAM or more. At any given time, 8GB will give you 2^(8*(2^23)) states, which of course will change in a nanosecond. Mac OS tries to, as much as possible, hide the states that don't mean anything to you. It's not that the MacOS guys don't know they exist. They just feel YOU don't need to know they exist. Maybe they're wrong, but it's a conscious decision where they know the states that exist and they feel that showing the states is less helpful than the confusion it would engender. Not stupidity.
The main issue (and where you have a point though you exaggerate it way past its validity) is sometimes things are complex, and if you hide that complexity, you actually cause a disservice. Apple hides a lot of its security notices. As Macs become more and more of a target, they really need to not hide the complexity as much so that people can make valid choices on how to prevent malware infections.
Re: (Score:2)
[...] At any given time, 8GB will give you 2^(8*(2^23)) states, which of course will change in a nanosecond. [...]
First of all, you mean 8 GiB, not 8 GB.
8 GB is 8*(10^9) bytes, whereas 8 GiB is 8*(2^30) = 2^33 bytes.
Secondly, 8 GiB is actually 2^(8*(2^33)) states, not 2^(8*(2^23)) states. (What you gave was the number of states for 8 MiB.)
Re: (Score:2)
Grrr, you're right. I did 8 * 2^10 * 2^10, when I should have done 8 * 2^10 * 2^10 * 2^10. Off by mega => giga.
Thanks, my bad math. But if anything, this makes my point stronger rather than weaker.
Re: (Score:2)
Don't worry! (Score:2, Informative)
> There is really no information here. How does it spread?
You're using a Mac. You don't need to know *how* it works. It just works and is pretty! Cheer up!
Re:Quite useless article (Score:5, Informative)
The fact that they're referring to it as iWorm, suggesting it's self-propagating, yet not describing the method of propagation, seems incredibly irresponsible to me.
I read through both articles, and there's no mention of the following either:
1) Does the app use a registered Developer ID or not? If not, then the malware is only capable of running on Macs of individuals who have changed the default behavior of the system to allow apps from any source (default behavior is to either only allow apps from the Mac App Store or only allow apps from registered developers...can't remember which). If so, then Apple can revoke the Developer ID in a silent update to prevent it from executing on any machine using default settings.
2) Has Apple issued a malware definition update yet? OS X has had XProtect, a silent, built-in malware removal tool since 2011 or so, that pulls down malware definition updates on a daily basis in the background and both works to prevent malware installations as well as removes them if they are found. By the time malware gets widely reported enough that sites like Slashdot are reporting it, Apple has usually already issued an update to prevent further infections and eliminates the existing ones. Given that those articles are from a few days ago, Apple may have already done so in this case.
3) What systems does it infect? If it really is a worm that only has 17,000 computers, it may just be a case of exploiting a known bug in versions of the OS that haven't been supported for years. Or it may be that it's a brand new threat exploiting the latest version of the OS. We have no way of knowing, based on the shoddy reporting by the researchers.
4) Do users still get the default prompt that they're executing an app for the first time, or does it circumvent that somehow?
Basically, we know nothing about it or how dangerous it actually is, thanks to the researchers withholding everything about it.
Re: (Score:2)
so it's clear that the user vtnhiaovyd is a 14yo minecraft fan who probably developed this extensive botnet as a way to farm gold or whatever you do in minecraft.
Re: (Score:2)
Good questions indeed. Apple has rolled out a "Safari Update" on Sept 29th, but there seems to be more to it; however, Apple is very secretive about the security updates. Something I really dislike about them:
http://support.apple.com/kb/HT... [apple.com]
Re:Quite useless article (Score:4, Funny)
Windows 7 is simply Microsoft's best operating system ever. Mac fanboys should worry and circle together in defensive posture.
Re: (Score:1)
Windows 7 is simply Microsoft's best operating system ever.
As a user of both Windows and OS X, I would wholeheartedly agree.
Too bad Microsoft threw it away...
Quite useless article (Score:2, Insightful)
Is this an article about how it's spread, or is this the website that it's spread from?
Probably capable of more than Reddit (Score:3)
What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit. The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.
It's a likely bet that it's been configured to find valid C&C IP addresses from other sites, too--Reddit is a high-volume user generated content site, with a lot of existing spam/troll fighting technology in place. So it's pretty likely this avenue will get blocked soon (if Reddit isn't working on it already) and the next large public-site gets rolled over to.
It's devious and brilliant, to use a public site... More devious if they built it smart enough that Reddit can't block it programmatically.
Ugh (Score:1)
Fucking reddit. *shakes fist*
Oh noes .. Reality field collapses .. arrghh (Score:5, Insightful)
But then .. from TFA
Unfortunately, the researchers didn't mention how the malware spreads, but they shared that it is unpacked into the /Library/Application Support/JavaW directory, poses as the application com.JavaW, and sets itself to autostart.
So for all I know, this could either be a world shattering event whereby zero day exploits are being used on OSX to leverage malware.
OR it could be like the HK protesters whereby you needed to J/B your phone first.
So I am reserving my panic until I know more.
Re: (Score:2)
Given that most Macs can't run untrusted software, the most likely vector for malware is a trojan. Possibly attached to pirate versions of well known applications. Users of such pirate software would expect to have to explicitly give permission to untrusted software.
Comment removed (Score:4, Informative)
Re: (Score:3, Informative)
So...they get infected just like Windows does?
Just like ANY OS that accepts 3rd party software does.
Your homophobia is noted.
Re: (Score:3, Insightful)
What's really weird is that you consider a sexual slur integral to your argument.
Re: (Score:2)
Neither the fact that other people have repeated it extensively before, nor whines about "political correctness" excuse your homophobia.
Re: (Score:2)
Re: (Score:2)
Showing your true lack of intelligence there hairyfeet.
Re: (Score:2)
I think the last batch of infections around here came from programs masquerading as DATA. These programs masquerading as DATA were "installed" by trying to view the DATA as it came to the user in the platform vendors email program.
This is not quite your Android style Trojan.
Someone chose to blur the line between data and programs and confuse the end user and to seek to keep them ignorant.
DATA (untrusted) being treated as a program is also the essence of the Shellshock bug and is boneheadedly intolerable fo
Re: (Score:3)
File extensions are absolutely irrelevant. If your malware security relies in any way on users knowing what file extensions are it's broken.
There's no confusing programs for data on Macs as any downloaded executable that isn't signed won't run without explicitly allowing it (individually or by changing the default security setting).
Re: (Score:1)
How can Macs be for homosexuals when it's Windows that is designed to be backdoored . . .
Re:Oh noes .. Reality field collapses .. arrghh (Score:5, Insightful)
I run little snitch on my Macs and I'm constantly amazed at how many of my programs want to talk to some site or other. It's annoying because I have to research and see why they want to contact these places and what exactly is going on. I find that if I just block them it's almost never a problem though.
Re: (Score:2)
Non-App Store programs often check for software updates on a regular basis. Worst are those that autorun a daemon specifically for this: Adobe is one of the worst offenders (and indeed many other software crimes.)
Have you spotted any other common categories of why they might do so?
Re: (Score:2)
One program's author told me he had it sending him certain usage info. I never really got what he was talking about so I muzzled the software. It don't have shit to say no more. I cheerfully paid the Little Snitch author. Wonderful and easy to use software it is.
Re: (Score:2)
Re: (Score:2)
I would say most macs can run untrusted software.
First of all plenty of users are still in 10.6.xx and furthermore every "power" user changes the settings. As it is super annoying to be asked every time if you want to start this "untrusted application". For some reason there is no: "never ask again for this app" option.
Re: (Score:2)
If you once have approved it, it asks you again for that app and asks you again for that and asks you again for that app as often as you restart the app. At least that happens for me on OS X 10.9 hence I disabled that 'feature' ...
Mac OS X 10.6.xxx did not have those Gatekeeper options, hence there is no default setting ... sigh, that was the point about my post.
Re: (Score:2)
Hm, perhaps I have to check again.
For me both my OS X 1.6 and OS X 10.9 behave the same, they ask _once_ before I open a downloaded app.
And I doubt that this can be even disabled, before I disabled 'something' (have to check what I disabled) the 10.9 Mac asked at every start of the same app.
solution? (Score:3)
The backdoor applies the MD5 hash function to the value and sends a query to reddit.com. The query template is as follows: https://www.reddit.com/search?... [reddit.com] Here MD5_hash_first8 is the value of the first 8 bytes of the MD5 hash value from the current date. The reddit.com search returns a web page containing the list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
So...get Reddit to nix this query and deny the functionality to the botnet?
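One defender-side use of the detail quoted above: since the lookup is a reddit.com search for an 8-hex-digit MD5 prefix, proxy logs can be checked for exactly that shape. This is an added example, not code from the thread or from Dr. Web; because the quoted template is truncated and the exact date string the malware hashes is not given on the page, the date layouts tried here are assumptions, and a bare 8-hex-digit reddit search is reported as a weaker signal on its own. The log lines are constructed.

```python
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import urlparse, parse_qs

# Assumed date layouts: the page only says "the MD5 hash value from the
# current date", so the real format is unknown; several are tried.
DATE_FORMATS = ("%Y-%m-%d", "%Y/%m/%d", "%d/%m/%Y", "%m/%d/%Y", "%d.%m.%Y")

HEX8 = re.compile(r"^[0-9a-f]{8}$")


def md5_prefix(text: str) -> str:
    """First 8 hex digits of MD5(text), the search-term shape the thread
    describes (e.g. '4cb43551')."""
    return hashlib.md5(text.encode()).hexdigest()[:8]


def candidate_terms(day: date, lookback: int = 2) -> dict:
    """Map every expected search term for `day` and the `lookback` days
    before it (the malware may lag behind the clock) to its date string."""
    terms = {}
    for back in range(lookback + 1):
        d = day - timedelta(days=back)
        for fmt in DATE_FORMATS:
            s = d.strftime(fmt)
            terms[md5_prefix(s)] = s
    return terms


def classify_url(url: str, terms: dict):
    """('strong', q) when a reddit.com search query equals an expected daily
    term, ('weak', q) when it is merely a bare 8-hex-digit token (odd for a
    human search), else None."""
    u = urlparse(url)
    host = u.hostname or ""
    if not (host == "reddit.com" or host.endswith(".reddit.com")):
        return None
    if u.path.rstrip("/") != "/search":
        return None
    q = parse_qs(u.query).get("q", [""])[0].strip().lower()
    if q in terms:
        return ("strong", q)
    if HEX8.match(q):
        return ("weak", q)
    return None


def scan_log(lines, day_iso: str, lookback: int = 2):
    """Scan squid-style lines (last field is the URL); returns
    [(line_no, level, query)] for matches."""
    terms = candidate_terms(date.fromisoformat(day_iso), lookback)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        url = parts[-1] if parts else ""
        verdict = classify_url(url, terms)
        if verdict:
            hits.append((n, *verdict))
    return hits


# Constructed sample log (timestamp client method url), not real traffic.
_today = md5_prefix("2014-10-02")            # strong: today's term, ISO layout
_yesterday = md5_prefix("2014/10/01")        # strong: previous day, slash layout
SAMPLE_LOG = [
    f"1412251200.000 10.0.0.5 GET https://www.reddit.com/search?q={_today}",
    "1412251201.000 10.0.0.5 GET https://www.reddit.com/search?q=minecraft+server",
    "1412251202.000 10.0.0.7 GET https://www.reddit.com/search?q=cafebabe",
    "1412251203.000 10.0.0.7 GET https://www.reddit.com/search?q=cafebabe99",
    f"1412251204.000 10.0.0.9 GET https://old.reddit.com/search?q={_yesterday}",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, "2014-10-02"):
        print(hit)
```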
Re: (Score:2)
Nix their entire search query?
Re: (Score:2)
It's not like their search function works particularly well anyway....
I have seen some malware trying to infect my Mac (Score:5, Interesting)
Re: I have seen some malware trying to infect my M (Score:1)
And since the average mac user thinks their machine is impervious to viruses...a lot of them would see no issue in running it
Re: I have seen some malware trying to infect my M (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Aren't viruses parts of mal(icious)wares?
Re: (Score:2)
And this differs from the average user of every other consumer or business platform in what way, again? I mean, average Windows or Android users may not "think their machine is impervious to viruses", but they seem to "see no issue in" downloading random "music" or "videos" or "software" from even the skankiest sources.
It used to be that a combination of perhaps-somewhat-better security design and low platform population kept Mac users relatively safe even in the face of "average" ignorance and complacency.
Re: (Score:1)
And this differs from the average user of every other consumer or business platform in what way, again? I mean, average Windows or Android users may not "think their machine is impervious to viruses", but they seem to "see no issue in" downloading random "music" or "videos" or "software" from even the skankiest sources.
As an example, I recently started getting quite a few emails with a .zip attachment, and inside a .doc.scr file, which is (I guess) a windows screen saver. Obviously this doesn't work on my Mac, but if it did work, I'd have to unzip manually, ignore the highly suspicious .doc.scr extension, launch it, and then wilfully ignore two warnings that my Mac gives. Not sure if it gets unzipped automatically on Windows, but I think Windows would show a .doc extension, and at least on older Windows versions this will
Re: (Score:1)
To clarify,
if Windows is set to not show extensions your file would be shown as $filename.doc
Random user wouldn't notice and think it is a Word document and double-click on it.
Re: (Score:2)
...and the OS should have promptly informed them that they were about to run a program.
HELL, the OS probably should have informed them that the file was named in a suspicious fashion likely to cause confusion. Something like ".*." should be easy enough to spot and be on the lookout for.
The file is obviously suspicious. It does not require strong AI in order to see this.
This little bit of nonsense has been a problem for so long that Microsoft should have adapted to deal with the situation by now.
It also high
Re: (Score:2)
This works because Windows hides file extensions by default. (I change this on my boxes.) It also handles Zip files as if they were folders. So you would (if you took all the steps the virus author hopes you'll take) download "Really_Important_Document" (with the .zip hidden), open it up and see "Really_Important_Document.doc" (with a .scr on the end hidden). Seeing this, you'd forget all about this hidden file extension stuff and say ".doc is a Word document, I'll open it!" Of course, it would launch t
Re: (Score:2)
Re: (Score:2)
as it was a shitty OS
It was a pretty damn good OS... for the 1980s. When it was new, PCs were still using MS-DOS 2.x or so.
Re: I have seen some malware trying to infect my M (Score:5, Informative)
OS9? When System 7 was out, MS-DOS was at 5.x, and Windows was at 3.1.
Before OS X, MacOS was getting pretty shaky. It had no preemptive multitasking ability (well, except for A/UX and that was a completely different animal), which meant that any program that didn't use WaitNextEvent() often would hang the box, forcing one to reach for the debug/reset switch or power off button. It did show how relatively robust HFS (not HFS+, HFS) was because it handled dirty restarts quite well.
In fact, at that era, restarts were a matter of course. If you had to get a project done, restart beforehand, restart afterwards, and maybe a restart every few hours on a prophylactic basis.
OS X was a major upgrade. It didn't just fix problems with Macs that were issues since the MultiFinder days of System 6, but added real security and user separation which previously could only be put in place by third party software and various hacks (using PBSetCatInfo() to hide folders, etc.)
Re: I have seen some malware trying to infect my M (Score:4, Informative)
It's good to note for the uninformed, though, that old MacOS is a completely different codebase from a completely different source than OS X. It's not like they went through some internal process and evolved MacOS into OS X and it's some sort of continuation. Steve Jobs left and founded NeXT computer, which sold graphical workstations with a totally new OS (NeXTStep), which was a Unix derivative in terms of design, API, etc based on a core from BSD. Later, when Steve returned to Apple, he brought NeXTStep back with him. They rebranded and rejiggered NeXTStep a bit and then started calling *that* OS X. The old Mac codebase died and was replaced; it did not evolve.
Re: (Score:2)
Re: (Score:1)
30k viruses when Symantec listed 65,000 for windows. So MacOS 9 was half as shitty as Windows XP.
MacOS 9 had the best audio software before windows: Vision, Cubase, Pro Tools, ReBirth all perfected on Mac before porting to Windows.
Re: (Score:2)
I'm not sure about MacOS9, I was off macs by then, but in System 7 days, DOS/Windows3.1/Win95 had tens of thousands of viruses, and Mac OS7 had literally about 7. I doubt it jumped that much in a couple years.
Windows (up until XP) still had a DOS core. It was SO easy to write a Windows virus, almost trivial. Macs on the other hand had no command shell, so everything needed to be system calls. Also, it was a new processor, Motorola 68K to Intel `86, so machine code was different. Then, by the time MacOS
Re: (Score:2)
Re: (Score:2)
There should be no problem downloading DATA from the skankiest sources. The very idea that anyone needs to be paranoid about that sort of thing just demonstrates just how badly things have gotten both with platforms and the level of ignorance we expect out of end users.
There should be a clear line between data and programs. Operating systems should enforce it and end users should be aware of it.
Re: (Score:2)
As a web developer, I *NEVER* trust the data. Especially if it's coming from an untrustworthy source. And the most untrustworthy source is the user. ("Enter a number" "1; Delete * from Users") Of course, I build protections in my code to prevent this bad data from causing problems. I can't say the same for every program, though. Some programs will take bad data and turn it into an exploit. Yes, it is the program that is at fault, but you can't be too careful and shouldn't just trust something becau
Re: (Score:2)
Eh, most probably couldn't. If it's not a trusted developer, by default they cannot install it (a la apt-get or other package managers). They would have to have the known how and awareness to go in and change it to accept all installers, which I don't think many will.
Re: (Score:2)
And since the average mac user thinks their machine is impervious to viruses...a lot of them would see no issue in running it
I think you will find the average Mac user is more intelligent than that. The less technical inclined see two rather dire warnings which would stop them. The more technical inclined know the difference between "trojan" and "virus" and don't even need the warnings.
Re: (Score:2)
That's what he said, you have to be an idiot.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
To the hecklers... (Score:5, Interesting)
There is a common belief that Macs don't get viruses or could, possibly, be susceptible to malware. This week, we have seen several issues that first threaten the *nix community (which, OSX is built upon). The first was the bash bug. The second is a worm that is capable of infecting a Mac system. A few months ago, we had Heartbleed that again, was cross platform.
Yes...the Bash Bug - affects *nix machines including Macs. That means the Linux user is just as exposed. It does mean, in this particular instance, that Windows users get a break.
The Mac, like Linux, has proven relatively immune to computer viruses. How many people do you know run anti-virus and/or anti-malware software on the linux desktops or servers? Exactly. The Mac is built on top of an *nix core, but is far more usable by the average user. However, when the built in safeguards are disabled, it's possible to install malware. And, it's very possible that the attack vector is an exploit of the bash bug. We don't know the method or attack vector used to infect those machines (in either of the two articles on Dr. Web). Likely, users downloaded and installed an unsigned OSX application which, unlike having to jailbreak your phone, is easy to do. That unsigned app carried and installed the worm. I say "likely", because we just don't know enough yet.
For those who aren't aware, Apple has an app store for OSX apps in addition to the iOS app store. Like its counterpart, apps are checked by Apple and are digitally signed. A developer must belong to the Macintosh Developer network to sign their apps and have them sold through the app store. You always have the option to install apps from other sources, but they are unchecked and unsigned. And, you take your chances, just as on other platforms, if you download and install unknown code.
Apple has taken a beating these past couple of weeks on multiple fronts. The Apple haters are in full force. But, in this case, we don't know how the malware/worm was installed. So, is it fair to bust Apple's chops over it without knowing the root cause?
Re: (Score:2)
More details would be useful. Is this a Java hole, or is it just another Trojan such as when there was a pirated version of iWork out a few years ago (when it was a paid product?) Is it even a hole in Safari or another browser which gets a user's context? This seems unlikely because of the SeatBelt facility which uses sandbox_init() to keep the Web browser contained so a malicious process wouldn't be able to do much even if it got root access via the Web browser's context.
One reason why Linux and Macs ha
Re: (Score:2)
Re: (Score:3)
No, you don't. Just control-click in Finder, and choose "Open". That, unlike the normal double-click launch, bypasses Gatekeeper's prohibition on untrusted apps, instead presenting a security dialog that tells you that the app is untrusted, and asks you if you want to launch it anyway. If you tell it to do so, OS X computes a checksum for the app and adds that signature to a list of trusted apps, ensuring that you
Re: (Score:2)
The Apple haters are [out] in full force. So, is it fair to bust Apple's chops over it without knowing the root cause?
This is a rare opportunity. Jeez, let them enjoy themselves a little.
Re: (Score:2)
Isn't Java not installed by default since the last few OS X versions anyway? You can get by just fine without Java, Flash and Silverlight these days.
You don't really need Java for most websites in 2014.
You don't need Flash since YouTube has HTML5 support.
You don't need Silverlight if you watch Netflix on your iPhone/iPad/Apple TV/etc.
Re: (Score:2)
And, it's very possible that the attack vector is an exploit of the bash bug.
That is very unlikely. If you already have downloaded my malicious code and you are already running my malicious code, why should I need a bug in a shell to do my malicious deeds?
Re: (Score:2)
Macs have never been immune to viruses.
the reason windows needs AV protection to run safely is because one account can overwrite critical OS files replacing them with malware infested fake software, and everyone by default starts out with ability to install any program including malware that later will get the special administrator privileges (on a reboot) needed to permanently infect the machine.
heartbleed and shellshock are nasty but a well hardened install will not be a problem, as the users dumb enough
Re: (Score:2)
They probably don't know how it spreads (Score:5, Insightful)
A regular user process is not going to be able to create the sub-directory in Application Support or install the launchd file to auto-start the service. For that, you'd need admin privilege, which has to be given explicitly by a member of the admin group. To get there, it has to trick an admin user to explicitly install it (in which case, it's not a worm/virus, it's a trojan), or it has to remotely trick an OS X application that runs as root or has admin privilege to do so -- but there's not much opportunity there as most services don't accept incoming connections, and those that do generally run as an unprivileged user. Looking at my Mac, the only service that can be connected to remotely and has sufficient privilege (if enabled) is SSH. Macs don't have that enabled by default.
Odd... (Score:2)
That gives no result, neither does the previous day (4cb43551) or even a coup
Link on how to check if infected (Score:1)
To check to see if you are infected, go to the Finder and choose 'Go to Folder' from the 'Go' menu. Copy the following path and paste it into the window that opens: /Library/Application Support/JavaW
Then, click the 'Go' button. If you just get a beep, and the window displays a message in the bottom left corner that the folder can’t be found, then you should be okay.
source: http://www.thesafemac.com/dr-web-announces-new-iworm-malware/
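The same check as a script, as an added example that is not the post's or The Safe Mac's own code: it looks for the /Library/Application Support/JavaW directory the post names and for a launchd plist whose Label is com.JavaW (the autostart item the summary describes). It accepts any root directory so the logic can be exercised against a constructed tree; the binary path inside that constructed plist is an assumption.

```python
import os
import plistlib
import tempfile

# Artifacts named on the page: the unpack directory and the com.JavaW
# launchd item that makes it autostart.
IWORM_DIR = os.path.join("Library", "Application Support", "JavaW")
IWORM_LABEL = "com.JavaW"
LAUNCHD_DIRS = (
    os.path.join("Library", "LaunchDaemons"),
    os.path.join("Library", "LaunchAgents"),
)


def launchd_hits(root, home_dirs=()):
    """Yield (plist_path, reason) for launchd plists under `root` (and each
    user's ~/Library/LaunchAgents) whose Label or ProgramArguments refer to JavaW."""
    dirs = [os.path.join(root, d) for d in LAUNCHD_DIRS]
    dirs += [os.path.join(h, "Library", "LaunchAgents") for h in home_dirs]
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception:  # malformed or unreadable: still worth a look
                yield (path, "unparseable plist")
                continue
            label = str(data.get("Label", ""))
            args = " ".join(map(str, data.get("ProgramArguments", [])))
            if label.lower() == IWORM_LABEL.lower() or "javaw" in args.lower():
                yield (path, f"Label={label!r} args={args!r}")


def check_iworm(root="/", home_dirs=()):
    """Return a list of (kind, detail) findings; an empty list is the
    'folder can't be found, you should be okay' case from the post."""
    findings = []
    d = os.path.join(root, IWORM_DIR)
    if os.path.isdir(d):
        findings.append(("dir", d))
    for path, why in launchd_hits(root, home_dirs):
        findings.append(("launchd", f"{path}: {why}"))
    return findings


def build_sample_tree(root):
    """Create a constructed (not real) infected layout under `root` for testing.
    The program path is assumed; the page only names the directory."""
    os.makedirs(os.path.join(root, IWORM_DIR), exist_ok=True)
    ld = os.path.join(root, LAUNCHD_DIRS[0])
    os.makedirs(ld, exist_ok=True)
    plist = {
        "Label": IWORM_LABEL,
        "ProgramArguments": ["/Library/Application Support/JavaW/JavaW"],
        "RunAtLoad": True,
    }
    with open(os.path.join(ld, IWORM_LABEL + ".plist"), "wb") as fh:
        plistlib.dump(plist, fh)
    # A benign neighbour that must not be flagged.
    benign = {"Label": "com.example.updater", "ProgramArguments": ["/usr/bin/true"]}
    with open(os.path.join(ld, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(benign, fh)


def demo():
    """Run the check against an empty tree and against the constructed one."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as bad:
        build_sample_tree(bad)
        return check_iworm(clean), check_iworm(bad)


if __name__ == "__main__":
    # On a Mac this inspects the live system; elsewhere it just shows the demo.
    for kind, what in check_iworm("/", home_dirs=[os.path.expanduser("~")]):
        print(kind, what)
    print(demo())
```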
Re: (Score:2)
I am one too (Score:2)
You're covered ... (Score:4, Funny)
... we're working on global worming.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
dr web is saying their MAC antivirus will now detect it http://news.drweb.com/show/?i= [drweb.com]...
Does their "MAC antivirus" only detect it if it is there, or does it detect it whether it's there or not? Most Mac "anti-virus" software is just scareware that will find viruses whether they are there or not.
Re: (Score:3)
There are many types of malware.
Re: (Score:2)
And the control software has a real slick UI
Which reminds me, I have to go patch my Macs...
Re: (Score:2)
The article specifically states "the researchers didn't mention how the malware spreads" so we don't know for sure, but if you're a sporting type then I'll bet you $5 that it isn't a virus. I bet it's a trojan. Trojans do not reflect on the security of a system.