New OS X Backdoor Malware Roping Macs Into Botnet
An anonymous reader writes New malware targeting Mac machines, opening backdoors on them and roping them into a botnet currently numbering around 17,000 zombies has been spotted. The malware, dubbed Mac.BackDoor.iWorm, targets computers running OS X and makes extensive use of encryption in its routines, Dr. Web researchers noted. What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit. The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.
I'm sure the botnet just works and that it's a great feature...
There is really no information here. How does it spread? Does it spread through utter user stupidity, or is it actually dangerous? It says infected Macs are added to a botnet of 17,000 computers - is that 16,999 PCs and one Mac, or 17,000 Macs?
Oh no I've got worms
> What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit. The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.
It's a likely bet that it's been configured to find valid C&C IP addresses from other sites, too--Reddit is a high-volume user generated content site, with a lot of existing spam/troll fighting technology in place. So it's pretty likely this avenue will get blocked soon (if Reddit isn't working on it already) and the next large public-site gets rolled over to.
It's devious and brilliant, to use a public site... More devious if they built it smart enough that Reddit can't block it programmatically.
Who did what now?
Fucking reddit. *shakes fist*
It doesn't mean much now, it's built for the future.
But then .. from TFA
Unfortunately, the researchers didn't mention how the malware spreads, but they shared that it is unpacked into the /Library/Application Support/JavaW directory, poses as the application com.JavaW, and sets itself to autostart.
So for all I know, this could either be a world shattering event whereby zero day exploits are being used on OSX to leverage malware.
OR it could be like the HK protesters whereby you needed to J/B your phone first.
So I am reserving my panic until I know more.
1) how do I know I have it?
2) how do I fix it?
3) how do I prevent it?
The backdoor applies the MD5 hash function to the value and sends a query to reddit.com. The query template is as follows: https://www.reddit.com/search?... Here MD5_hash_first8 is the value of the first 8 bytes of the MD5 hash value from the current date. The reddit.com search returns a web page containing the list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
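The quoted write-up describes the lookup as "first 8 bytes of the MD5 of the current date" used as a reddit.com search term. As an added example (not code from the thread or from Dr. Web), the Python below does two defender-side things: it precomputes that 8-hex-character term for a few days around a date so the terms can be hunted in proxy logs, and it flags reddit search requests whose query is exactly such a token. The date format the backdoor hashes is not given on this page (and a commenter's guesses did not match), so the ISO format is an assumption; the `q=` query parameter and the proxy log lines are likewise assumed and constructed. The two tokens in the sample log are the ones a commenter computed.

```python
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import urlsplit, parse_qs

def search_term_for(day_text):
    """First 8 hex chars of MD5(date string), the shape the write-up describes.
    `day_text` is the exact string hashed; which format the backdoor uses is an
    assumption, so the caller supplies it (ISO dates are used in the demo)."""
    return hashlib.md5(day_text.encode()).hexdigest()[:8]

def terms_for_window(center_iso, days_each_side=2):
    """Terms for a few days around `center_iso` (YYYY-MM-DD), so that timezone or
    clock differences between host and proxy do not cause a miss."""
    center = date.fromisoformat(center_iso)
    return {
        search_term_for((center + timedelta(days=d)).isoformat())
        for d in range(-days_each_side, days_each_side + 1)
    }

HEX8 = re.compile(r"^[0-9a-f]{8}$")

# Constructed proxy log lines ("<client> <method> <url> <status>"); not real traffic.
SAMPLE_LOG = """\
10.0.0.12 GET https://www.reddit.com/r/apple/comments/xyz 200
10.0.0.12 GET https://www.reddit.com/search?q=4cb43551 200
10.0.0.31 GET https://www.reddit.com/search?q=minecraft+server 200
10.0.0.44 GET https://www.reddit.com/search?q=7b6461c8&sort=new 200
"""

def flag_reddit_searches(log_text, known_terms=frozenset()):
    """Return (client, term, reason) for reddit.com search requests whose query
    is an 8-hex-character token. `known_terms` are precomputed terms; a match
    against them is reported with a stronger reason than the bare shape check."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[0], parts[2]
        u = urlsplit(url)
        # Assumption: Reddit's search endpoint is /search with the term in q=.
        if not u.netloc.endswith("reddit.com") or u.path != "/search":
            continue
        for value in parse_qs(u.query).get("q", []):
            if HEX8.match(value):
                reason = ("matches precomputed term" if value in known_terms
                          else "8-hex-char search term")
                hits.append((client, value, reason))
    return hits

if __name__ == "__main__":
    terms = terms_for_window("2014-10-01")
    for hit in flag_reddit_searches(SAMPLE_LOG, terms):
        print(hit)
```

The shape check alone will have some false positives (anyone searching Reddit for a commit hash prefix, for example), so in practice the precomputed-term match is the alert and the shape match is a lower-severity hunt query.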
So...get Reddit to nix this query and deny the functionality to the botnet?
And to get it you have to be fairly dumb. Fake sites for subtitles that just propagate your Google query to "match" the name of the film you are searching for, and instead of giving you a zip with the subtitle, return a dmg file. But then, you have to click on it, click to install the binary, and give a password... So as I say you have to be pretty stupid to install the malware yourself.
,,, we're working on global worming.
It little behooves the best of us to comment on the rest of us.
http://news.drweb.com/show/?i=5976&lng=en
And since the average Mac user thinks their machine is impervious to viruses... a lot of them would see no issue in running it
Viruses and malware are two different beasts altogether.
And this differs from the average user of every other consumer or business platform in what way, again? I mean, average Windows or Android users may not "think their machine is impervious to viruses", but they seem to "see no issue in" downloading random "music" or "videos" or "software" from even the skankiest sources.
It used to be that a combination of perhaps-somewhat-better security design and low platform population kept Mac users relatively safe even in the face of "average" ignorance and complacency. They're probably still safer than they would be on Windows (perhaps even Android), because they're still a bit of a niche market, but the margin continues to narrow.
> And this differs from the average user of every other consumer or business platform in what way, again? I mean, average Windows or Android users may not "think their machine is impervious to viruses", but they seem to "see no issue in" downloading random "music" or "videos" or "software" from even the skankiest sources.
As an example, I recently started getting quite a few emails with a .zip attachment, and inside a .doc.scr file, which is (I guess) a windows screen saver. Obviously this doesn't work on my Mac, but if it did work, I'd have to unzip manually, ignore the highly suspicious .doc.scr extension, launch it, and then wilfully ignore two warnings that my Mac gives. Not sure if it gets unzipped automatically on Windows, but I think Windows would show a .doc extension, and at least on older Windows versions this will be a lot easier to launch successfully.
The "niche market" is a myth and forgetting history. OS/9 had a lot less margin of adoption and market, however as it was a shitty OS, had as much or more viruses than the alternatives. As far as I remember something in the line of 30 000 viruses as much as I recall.
> as it was a shitty OS
It was a pretty damn good OS... for the 1980s. When it was new, PCs were still using MS-DOS 2.x or so.
There is a common belief that Macs don't get viruses or could, possibly, be susceptible to malware. This week, we have seen several issues that first threaten the *nix community (which OSX is built upon). The first was the bash bug. The second is a worm that is capable of infecting a Mac system. A few months ago, we had Heartbleed that again, was cross platform.
Yes...the Bash Bug - affects *nix machines including Macs. That means the Linux user is just as exposed. It does mean, in this particular instance, that Windows users get a break.
The Mac, like Linux, has proven relatively immune to computer viruses. How many people do you know run anti-virus and/or anti-malware software on their Linux desktops or servers? Exactly. The Mac is built on top of a *nix core, but is far more usable by the average user. However, when the built in safeguards are disabled, it's possible to install malware. And, it's very possible that the attack vector is an exploit of the bash bug. We don't know the method or attack vector used to infect those machines (in either of the two articles on Dr. Web). Likely, users downloaded and installed an unsigned OSX application which, unlike having to jailbreak your phone, is easy to do. That unsigned app carried and installed the worm. I say "likely", because we just don't know enough yet.
For those who aren't aware, Apple has an app store for OSX apps in addition to the iOS app store. Like its counterpart, apps are checked by Apple and are digitally signed. A developer must belong to the Macintosh Developer network to sign their apps and have them sold through the app store. You always have the option to install apps from other sources, but they are unchecked and unsigned. And, you take your chances, just as on other platforms, if you download and install unknown code.
Apple has taken a beating these past couple of weeks on multiple fronts. The Apple haters are in full force. But, in this case, we don't know how the malware/worm was installed. So, is it fair to bust Apple's chops over it without knowing the root cause?
30k viruses when Symantec listed 65,000 for windows. So MacOS 9 was half as shitty as Windows XP.
MacOS 9 had the best audio software before windows: Vision, Cubase, Pro Tools, ReBirth all perfected on Mac before porting to Windows.
The people putting out the viruses and malware know that their target market is the stupid people. Just like those "call in the next thirty minutes" ads on the radio that only complete idiots would bite on. The list of said cretins is solid gold for other campaigns and swindles. Anybody dumb enough to use MacOS before the NeXTStep takeover was bound to be ripe for exploit.
To clarify,
if Windows is set to not show extensions your file would be shown as $filename.doc
Random user wouldn't notice and think it is a Word document and double-click on it.
That has been going on with warez as well for a long time. Hit Google with a software title, and some sites will offer you the ability to download it, regardless of version. Except that if your browser's user agent says Windows, you get a .exe; Mac, you get a .dmg.
> There is really no information here. How does it spread?
You're using a Mac. You don't need to know *how* it works. It just works and is pretty! Cheer up!
Is this an article about how it's spread, or is this the website that it's spread from?
OS9? When System 7 was out, MS-DOS was at 5.x, and Windows was at 3.1.
Before OS X, MacOS was getting pretty shaky. It had no preemptive multitasking ability (well, except for A/UX and that was a completely different animal), which meant that any program that didn't use WaitNextEvent() often would hang the box, forcing one to reach for the debug/reset switch or power off button. It did show how relatively robust HFS (not HFS+, HFS) was because it handled dirty restarts quite well.
In fact, at that era, restarts were a matter of course. If you had to get a project done, restart beforehand, restart afterwards, and maybe a restart every few hours on a prophylactic basis.
OS X was a major upgrade. It didn't just fix problems with Macs that were issues since the MultiFinder days of System 6, but added real security and user separation which previously could only be put in place by third party software and various hacks (using PBSetCatInfo() to hide folders, etc.)
There are many types of malware.
Remember we are talking about average users. I work with a lot of average users and the terms virus and malware are interchangeable to them.
If a subtitle comes in a zip by itself instead of a plain text document, you are doing it VERY WRONG. There is no legit reason to zip up a text file like that.
I see you are not used to downloading subtitles. While I agree entirely with you in the theory part, that's how many prominent sites are delivering them nowadays. Maybe because they often put an extra file there with credits, and more rarely, multi-language subtitle packs.
yeah, and by the early 90s was a piece of garbage. I remember fairly well using from DOS in XT to several Unix variants, later (or not so later) on more potent hardware, including SCO V.
So are the computer, CPU, and hard drive, but people use those terms interchangeably.
No, malware is a broad category term that includes virus, worms, Trojans, rootkits, etc. And the old virus vs trojan distinction isn't really relevant with modern malware. The old school virus is not the threat today on windows either, and trojans etc have virus like capabilities, like silent drive by install (see Osx flashback trojan) and distribution
A regular user process is not going to be able to create the sub-directory in Application Support or install the launchd file to auto-start the service. For that, you'd need admin privilege, which has to be given explicitly by a member of the admin group. To get there, it has to trick an admin user to explicitly install it (in which case, it's not a worm/virus, it's a trojan), or it has to remotely trick an OS X application that runs as root or has admin privilege to do so -- but there's not much opportunity there as most services don't accept incoming connections, and those that do generally run as an unprivileged user. Looking at my Mac, the only service that can be connected to remotely and has sufficient privilege (if enabled) is SSH. Macs don't have that enabled by default.
There should be no problem downloading DATA from the skankiest sources. The very idea that anyone needs to be paranoid about that sort of thing just demonstrates just how badly things have gotten both with platforms and the level of ignorance we expect out of end users.
There should be a clear line between data and programs. Operating systems should enforce it and end users should be aware of it.
...and the OS should have promptly informed them that they were about to run a program.
HELL, the OS probably should have informed them that the file was named in a suspicious fashion likely to cause confusion. Something like ".*." should be easy enough to spot and be on the lookout for.
The file is obviously suspicious. It does not require strong AI in order to see this.
This little bit of nonsense has been a problem for so long that Microsoft should have adapted to deal with the situation by now.
It also highlights the stupidity of hiding file extensions.
That gives no result, neither does the previous day (4cb43551) or even a couple of days ago (7b6461c8), so what gives?
Another reddit story... It's becoming more frequent. I'm tellin' you people, time's almost up, bid farewell to Slashdot.. :-(
Eh, most probably couldn't. If it's not a trusted developer, by default they cannot install it (a la apt-get or other package managers). They would have to have the know-how and awareness to go in and change it to accept all installers, which I don't think many will.
To check to see if you are infected, go to the Finder and choose 'Go to Folder' from the 'Go' menu. Copy the following path and paste it into the window that opens: /Library/Application Support/JavaW
Then, click the 'Go' button. If you just get a beep, and the window displays a message in the bottom left corner that the folder can’t be found, then you should be okay.
source: http://www.thesafemac.com/dr-web-announces-new-iworm-malware/
Aren't viruses parts of mal(icious)wares?
this might be a step up from actually having javaw instead
so are disc drive and coffee tray :)
> And since the average Mac user thinks their machine is impervious to viruses... a lot of them would see no issue in running it
I think you will find the average Mac user is more intelligent than that. The less technically inclined see two rather dire warnings which would stop them. The more technically inclined know the difference between "trojan" and "virus" and don't even need the warnings.
And the control software has a real slick UI
Which reminds me, I have to go patch my Macs...
It's good to note for the uninformed, though, that old MacOS is a completely different codebase from a completely different source than OS X. It's not like they went through some internal process and evolved MacOS into OS X and it's some sort of continuation. Steve Jobs left and founded NeXT computer, which sold graphical workstations with a totally new OS (NeXTStep), which was a Unix derivative in terms of design, API, etc based on a core from BSD. Later, when Steve returned to Apple, he brought NeXTStep back with him. They rebranded and rejiggered NeXTStep a bit and then started calling *that* OS X. The old Mac codebase died and was replaced; it did not evolve.
He's joking.
> ...and the OS should have promptly informed them that they were about to run a program.
> HELL, the OS probably should have informed them that the file was named in a suspicious fashion likely to cause confusion. Something like ".*." should be easy enough to spot and be on the lookout for.
> The file is obviously suspicious. It does not require strong AI in order to see this.
> This little bit of nonsense has been a problem for so long that Microsoft should have adapted to deal with the situation by now.
> It also highlights the stupidity of hiding file extensions.
Actually the dialog that would have popped up would warn that it was downloaded from the internet, and would have supplied a link to the URL.
You should read the book "Daemon" (and the second part, "Freedom") by Daniel Suarez. The founder of a video game company sets up a system that went into action when he died. It spread thousands of individual daemons all around the internet and they all just watch for news stories with certain phrases to trigger activities.
This works because Windows hides file extensions by default. (I change this on my boxes.) It also handles Zip files as if they were folders. So you would (if you took all the steps the virus author hopes you'll take) download "Really_Important_Document" (with the .zip hidden), open it up and see "Really_Important_Document.doc" (with a .scr on the end hidden). Seeing this, you'd forget all about this hidden file extension stuff and say ".doc is a Word document, I'll open it!" Of course, it would launch the Windows screensaver executable and infect you. Hiding file extensions might help some users confused by all that .xyz stuff, but it also hurts that same crowd who don't realize that the .doc isn't really a Word document because it is really .doc.exe. (Not that you should open random Word documents you are sent, but that's a different topic.)
As a web developer, I *NEVER* trust the data. Especially if it's coming from an untrustworthy source. And the most untrustworthy source is the user. ("Enter a number" "1; Delete * from Users") Of course, I build protections in my code to prevent this bad data from causing problems. I can't say the same for every program, though. Some programs will take bad data and turn it into an exploit. Yes, it is the program that is at fault, but you can't be too careful and shouldn't just trust something because it is "data" and not "a program."
I have downloaded subtitles in zip in the past, but there are other methods I choose to use instead. If the subtitle is zipped, it usually means people are forcing you to use a mechanism to suit their ends. It is plain text; there is very little legitimate reason to zip it unless you are trying to obfuscate or force an action (click a link, look at ads, etc). Multi-langs are easily handled with separate links. I don't support those kinds of models for distributing PLAIN TEXT, it's dumb. Nowadays I just use the built in mechanism in XBMC (on an isolated machine that only runs XBMC) to grab them without resorting to dangerous methods.
Apple is not a niche market. This isn't 2000 anymore.
I found out early this morning that I had the malware. Deleted the executable and the startup plist file. I had not updated my OS in a few months, so I did that. I am now backing up vital files for a reinstall. Sigh. Right before Yosemite goes final. So installs, installs. Backups, backups. Etc. I had pirated a copy of Photoshop CC 2014 from Pirate Bay. (Yeah, I am utterly broke and unemployed, and I had launched it only once to export one file to a specific format.) And as far as I can see right now that is the only app that has the same'ish timestamp (in my Apps folder) as the JavaW binary from the lib/app support/JavaW/ folder. In my case 31st of Aug. So I have been compromised for about a month. I had the security settings set to Mac apps and identified developers only. So not completely opted out of the sandbox. I am tech/dev savvy, but not hacker-good. Is there a command for Terminal that can show me every binary that has been updated since that date, so I can see if I should kill processes whilst fixing my system? Could google it but thought why not ask the "nice people" at Slashdot. I lurked here for years. Posted a few comments, got called a retard for my non-native drunken English, and never posted again until now. If you want to make up for it, help me out :)
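The comment above asks for a Terminal command that lists binaries modified since a given date, and an earlier comment gives the Finder "Go to Folder" check for /Library/Application Support/JavaW. As an added example (not from the thread, Dr. Web or The Safe Mac), the Python script below does both, plus a search of the launchd directories for plists that mention "JavaW" (the write-up says the malware sets itself to autostart but this page does not give the plist name, so no name is assumed). The fixture built by run_demo() is constructed: the plist file names, the file contents and the dates are made up so the checks can be exercised in a temporary directory instead of on a live system.

```python
import os
import stat
import tempfile
from datetime import datetime

# Directory named in the Dr. Web write-up quoted in the thread.
IWORM_DIR = "/Library/Application Support/JavaW"
# Standard launchd locations on OS X; the malware's plist name is not on this page.
LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

def indicator_dir_present(path=IWORM_DIR):
    """Same test as 'Go to Folder' in the Finder: does the directory exist?"""
    return os.path.isdir(path)

def launchd_plists_mentioning(needle, dirs=LAUNCHD_DIRS):
    """Launchd plists whose text contains `needle`; cheap but catches any file name."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            p = os.path.join(d, name)
            try:
                with open(p, "rb") as f:
                    if needle.encode() in f.read():
                        hits.append(p)
            except OSError:
                pass  # unreadable plist: skip rather than abort the sweep
    return hits

def executables_modified_since(roots, since):
    """Executable regular files under `roots` whose mtime is at or after `since`
    (a datetime). Timestamps can be forged, so treat this as triage, not proof."""
    cutoff = since.timestamp()
    found = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                executable = st.st_mode & stat.S_IXUSR
                if stat.S_ISREG(st.st_mode) and executable and st.st_mtime >= cutoff:
                    found.append(p)
    return sorted(found)

def run_demo():
    """Build a constructed fixture in a temp dir and run the three checks on it."""
    base = tempfile.mkdtemp()
    fake_dir = os.path.join(base, "JavaW")          # stands in for IWORM_DIR
    agents = os.path.join(base, "LaunchAgents")     # stands in for a launchd dir
    os.makedirs(fake_dir)
    os.makedirs(agents)
    # Constructed plist names; the real file name is not known from this page.
    with open(os.path.join(agents, "com.example.javaw.plist"), "w") as f:
        f.write("<plist><dict><key>Label</key><string>com.JavaW</string></dict></plist>")
    with open(os.path.join(agents, "com.example.benign.plist"), "w") as f:
        f.write("<plist><dict><key>Label</key><string>com.example.benign</string></dict></plist>")
    old = os.path.join(fake_dir, "old_tool")
    new = os.path.join(fake_dir, "JavaW")
    for p in (old, new):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o755)
    old_ts = datetime(2014, 1, 1).timestamp()
    os.utime(old, (old_ts, old_ts))          # backdate one file; the other stays "now"
    cutoff = datetime(2014, 8, 31)           # the commenter's suspected install date
    return {
        "dir_present": indicator_dir_present(fake_dir),
        "launchd_hits": [os.path.basename(p) for p in launchd_plists_mentioning("JavaW", [agents])],
        "recent_executables": [os.path.basename(p) for p in executables_modified_since([base], cutoff)],
    }

if __name__ == "__main__":
    print(run_demo())
```

On a real machine call the functions with the real paths, for example `executables_modified_since(["/Applications", IWORM_DIR], datetime(2014, 8, 31))` and `launchd_plists_mentioning("JavaW")`; the Terminal one-liner the commenter asked for is roughly `find /Applications -type f -perm +111 -newermt 2014-08-31` with the BSD find that ships on OS X.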
That's what he said, you have to be an idiot.
The stupidity is using file extensions as file types. But that horse has long since bolted.
I'm not sure about MacOS 9, I was off Macs by then, but in System 7 days, DOS/Windows 3.1/Win95 had tens of thousands of viruses, and Mac OS 7 had literally about 7. I doubt it jumped that much in a couple years.
Windows (up until XP) still had a DOS core. It was SO easy to write a Windows virus, almost trivial. Macs on the other hand had no command shell, so everything needed to be system calls. Also, it was a new processor, Motorola 68K vs Intel x86, so machine code was different. Then, by the time MacOS 9 came around, I'm sure it was pretty much all PowerPC. From what I heard, it was almost impossible to write shellcode for it.
So, a huge influx of viruses for a hard to hack processor when the ease and profit was in the Windows arena? I doubt it.
Not saying that OS9 was great. It wasn't. Read the whole mess about Copeland and Taligent if you want to read about how NOT to run a company. But the virus problem wasn't the issue.
check your data please. It was a Motorola, and very common at that time. It is easy just to invent stuff.
> No, malware is a broad category term that includes virus, worms, Trojans, rootkits, etc. And the old virus vs trojan distinction isn't really relevant with modern malware. The old school virus is not the threat today on windows either, and trojans etc have virus like capabilities, like silent drive by install (see Osx flashback trojan) and distribution
Very true. Versions of Mac Flashback installed without any user intervention, just visiting a web site (something most Mac users still think happens only to Windows users). And it infected 1% of Mac users (!), more than any single Windows malware in modern times!
Indeed, although I would say that NeXT bought Apple for very cheap (negative money).
I mean Steve Jobs remained in the seat as CEO of NeXT (now rebranded as Apple).
The operating system NeXTStep was rebranded as OS X and became their main operating system.
In fact most of the Cocoa API still bear the initials NS.
All you Apple using underwear skid marks who thought there was no possible way you could be exploited should rejoice. You now have all the features of windows!
Yea, can you tell me how to remove the malware called iOS from my smartphone? It's blocking me from getting anything useful done.
injections have been around forever and are well documented on how to sanitize and scrub your data before you send it to the database. remember bobby tables ;)
So one piece of malware seems to be working today on OSX.... There were probably a couple hundred new malware exploits written for windows...
Hmmmmm...
The article specifically states "the researchers didn't mention how the malware spreads" so we don't know for sure, but if you're a sporting type then I'll bet you $5 that it isn't a virus. I bet it's a trojan. Trojans do not reflect on the security of a system.
"Unfortunately, the researchers didn't mention how the malware spreads, but they shared that it is unpacked into the /Library/Application Support/JavaW directory, poses as the application com.JavaW, and sets itself to autostart."
and
"UPDATE, 3 October, 15:00 PM CET According to Dr. Web researchers, the malware's propagation method is unknown. They received the sample from VirusTotal, and the code does not contain any indication that it's self-replicating.
The botnet is currently dormant, as all the Reddit comments containing the C&C servers' IP addresses have been deleted."
Both sources = (http://www.net-security.org/malware_news.php?id=2875)
How long before they rewrite more reddit commands? And how to wipe it out would be, er, helpful, too... :-(