Slashdot Mirror


New OS X Backdoor Malware Roping Macs Into Botnet

An anonymous reader writes: New malware targeting Mac machines, opening backdoors on them and roping them into a botnet currently numbering around 17,000 zombies has been spotted. The malware, dubbed Mac.BackDoor.iWorm, targets computers running OS X and makes extensive use of encryption in its routines, Dr. Web researchers noted. What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit. The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.

9 of 172 comments

  1. Quite useless article by gnasher719 · · Score: 4, Informative

    There is really no information here. How does it spread? Does it spread through utter user stupidity, or is it actually dangerous? It says infected Macs are added to a botnet of 17,000 computers - is that 16,999 PCs and one Mac, or 17,000 Macs?

    1. Re:Quite useless article by Anubis+IV · · Score: 5, Informative

      The fact that they're referring to it as iWorm, suggesting it's self-propagating, yet not describing the method of propagation, seems incredibly irresponsible to me.

      I read through both articles, and there's no mention of the following either:
      1) Does the app use a registered Developer ID or not? If not, then the malware is only capable of running on Macs of individuals who have changed the default behavior of the system to allow apps from any source (default behavior is to either only allow apps from the Mac App Store or only allow apps from registered developers...can't remember which). If so, then Apple can revoke the Developer ID in a silent update to prevent it from executing on any machine using default settings.

      2) Has Apple issued a malware definition update yet? OS X has had XProtect, a silent, built-in malware removal tool since 2011 or so, that pulls down malware definition updates on a daily basis in the background and both works to prevent malware installations as well as removes them if they are found. By the time malware gets widely reported enough that sites like Slashdot are reporting it, Apple has usually already issued an update to prevent further infections and eliminates the existing ones. Given that those articles are from a few days ago, Apple may have already done so in this case.

      3) What systems does it infect? If it really is a worm that only has 17,000 computers, it may just be a case of exploiting a known bug in versions of the OS that haven't been supported for years. Or it may be that it's a brand new threat exploiting the latest version of the OS. We have no way of knowing, based on the shoddy reporting by the researchers.

      4) Do users still get the default prompt that they're executing an app for the first time, or does it circumvent that somehow?

      Basically, we know nothing about it or how dangerous it actually is, thanks to the researchers withholding everything about it.
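      The two checks the comment above asks for (is Gatekeeper enforcing Developer ID signing, and which XProtect definition version is installed) can be scripted on the Mac itself. The following is an added example, not code from the Slashdot thread or from Dr. Web: it classifies the output of macOS's own `spctl --status` and `spctl -a -v <bundle>` commands, reads the XProtect definition version, and falls back to constructed sample output on non-macOS systems so it runs anywhere. The XProtect plist path is the pre-10.15 location and is an assumption for other releases.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): Gatekeeper / XProtect posture check.
# Output formats are those of macOS's own `spctl`; the XProtect path below is the
# pre-10.15 location and is an assumption for later releases.

# Classify the output of `spctl --status`.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "enabled" ;;
        *"assessments disabled"*) echo "disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# Classify the output of `spctl -a -v /path/Some.app` (one bundle assessment).
app_verdict() {
    case "$1" in
        *": rejected"*) echo "rejected" ;;
        *": accepted"*) echo "accepted" ;;
        *)              echo "unknown" ;;
    esac
}

# Extract the `source=` line spctl prints with an assessment
# (e.g. "Developer ID", "Mac App Store", "no usable signature").
app_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p'
}

# Combine both outputs into what happens on a double-click:
# Gatekeeper off means nothing is checked; on, the assessment decides.
launch_decision() {
    gk=$(gatekeeper_state "$1")
    verdict=$(app_verdict "$2")
    if [ "$gk" = "disabled" ]; then
        echo "runs-unchecked"
    elif [ "$verdict" = "accepted" ]; then
        echo "runs-signed"
    elif [ "$verdict" = "rejected" ]; then
        echo "blocked"
    else
        echo "unknown"
    fi
}

# Pre-10.15 location of the XProtect definition metadata (assumption for later releases).
XPROTECT_META="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

# Live check on macOS; elsewhere exercise the functions on constructed sample output.
if [ "$(uname -s 2>/dev/null)" = "Darwin" ] && command -v spctl >/dev/null 2>&1; then
    status_out=$(spctl --status 2>&1 || true)
    echo "Gatekeeper: $(gatekeeper_state "$status_out")"
    app="${1:-/Applications/Safari.app}"          # bundle to assess, default is an Apple-shipped app
    assess_out=$(spctl -a -v "$app" 2>&1 || true)
    echo "$app: $(app_verdict "$assess_out") ($(app_source "$assess_out"))"
    echo "Launch decision: $(launch_decision "$status_out" "$assess_out")"
    if [ -f "$XPROTECT_META" ]; then
        echo "XProtect definitions: $(defaults read "$XPROTECT_META" Version 2>/dev/null || echo unknown)"
    fi
else
    # Constructed sample output, labelled as such, mirroring spctl's format.
    sample_status="assessments enabled"
    sample_assess="/Applications/Example.app: accepted
source=Developer ID"
    echo "Sample decision: $(launch_decision "$sample_status" "$sample_assess")"
fi
```

      Run it with an optional bundle path (`sh check.sh /Applications/Some.app`); "runs-unchecked" is the state the comment describes, where the user has switched Gatekeeper to allow apps from anywhere and a revoked Developer ID no longer helps.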

    2. Re: Quite useless article by DigiShaman · · Score: 3, Informative

      No, not really. By numbers and via common denominator, Win32 is used by most homes and businesses. One of the main factors that makes Windows so vulnerable is backwards compatibility cruft which introduces bugs and exploits. That, and a poor user security paradigm. OSX tends to break but refine with each release (more so than Windows at least). Also, apps are signed. Unsigned apps won't run as they're untrusted. This can be overridden by the user in the security settings, but it takes a more conscious decision vs. blindly clicking "YES, I want to run that thing".

      --
      Life is not for the lazy.
  2. Re: I have seen some malware trying to infect my M by ruir · · Score: 3, Informative

    Viruses and malware are two different beasts altogether.

  3. Re:Oh noes .. Reality field collapses .. arrghh by hairyfeet · · Score: 4, Informative

    So...they get infected just like Windows does? Because at the shop the vast majority I see are either "user installs pirated shit, gets bug" and "Hey u want to see teh hot lezbos for free? Install 'Iz_not_Viruz_is_Codec.exe" so u can watch teh hot womens 4 free!" which it wouldn't surprise me is also being used for this attack....except you know replace lezbos with "oiled up muscle men" ;-)

    --
    ACs don't waste your time replying, your posts are never seen by me.
  4. Re:Oh noes .. Reality field collapses .. arrghh by BasilBrush · · Score: 3, Informative

    > So...they get infected just like Windows does?

    Just like ANY OS that accepts 3rd party software does.

    Your homophobia is noted.

  5. Don't worry! by Anonymous Coward · · Score: 2, Informative

    > There is really no information here. How does it spread?

    You're using a Mac. You don't need to know *how* it works. It just works and is pretty! Cheer up!

  6. Re: I have seen some malware trying to infect my M by mlts · · Score: 4, Informative

    OS9? When System 7 was out, MS-DOS was at 5.x, and Windows was at 3.1.

    Before OS X, MacOS was getting pretty shaky. It had no preemptive multitasking ability (well, except for A/UX and that was a completely different animal), which meant that any program that didn't use WaitNextEvent() often would hang the box, forcing one to reach for the debug/reset switch or power off button. It did show how relatively robust HFS (not HFS+, HFS) was because it handled dirty restarts quite well.

    In fact, at that era, restarts were a matter of course. If you had to get a project done, restart beforehand, restart afterwards, and maybe a restart every few hours on a prophylactic basis.

    OS X was a major upgrade. It didn't just fix problems with Macs that were issues since the MultiFinder days of System 6, but added real security and user separation which previously could only be put in place by third party software and various hacks (using PBSetCatInfo() to hide folders, etc.)

  7. Re: I have seen some malware trying to infect my M by Anonymous Coward · · Score: 4, Informative

    It's good to note for the uninformed, though, that old MacOS is a completely different codebase from a completely different source than OS X. It's not like they went through some internal process and evolved MacOS into OS X and it's some sort of continuation. Steve Jobs left and founded NeXT Computer, which sold graphical workstations with a totally new OS (NeXTStep), which was a Unix derivative in terms of design, API, etc., based on a core from BSD. Later, when Steve returned to Apple, he brought NeXTStep back with him. They rebranded and rejiggered NeXTStep a bit and then started calling *that* OS X. The old Mac codebase died and was replaced; it did not evolve.