Slashdot Mirror


New OS X Backdoor Malware Roping Macs Into Botnet

An anonymous reader writes New malware targeting Mac machines, opening backdoors on them and roping them into a botnet currently numbering around 17,000 zombies has been spotted. The malware, dubbed Mac.BackDoor.iWorm, targets computers running OS X and makes extensive use of encryption in its routines, Dr. Web researchers noted. What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit. The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.

37 of 172 comments

  1. Well by Anonymous Coward · · Score: 5, Funny

    I'm sure the botnet just works and that it's a great feature.....

  2. Quite useless article by gnasher719 · · Score: 4, Informative

    There is really no information here. How does it spread? Does it spread through utter user stupidity, or is it actually dangerous? It says infected Macs are added to a botnet of 17,000 computers - is that 16,999 PCs and one Mac, or 17,000 Macs?

    1. Re:Quite useless article by smallfries · · Score: 5, Funny

      Well I'm a mac user and I think that you'll find that I am quite superior to you in every way.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    2. Re:Quite useless article by amiga3D · · Score: 3, Insightful

      I've found most Mac users seem to respect BSD users. They assume anyone running windows is IQ challenged.

    3. Re:Quite useless article by Anubis+IV · · Score: 5, Informative

      The fact that they're referring to it as iWorm, suggesting it's self-propagating, yet not describing the method of propagation, seems incredibly irresponsible to me.

      I read through both articles, and there's no mention of the following either:
      1) Does the app use a registered Developer ID or not? If not, then the malware is only capable of running on Macs of individuals who have changed the default behavior of the system to allow apps from any source (default behavior is to either only allow apps from the Mac App Store or only allow apps from registered developers...can't remember which). If so, then Apple can revoke the Developer ID in a silent update to prevent it from executing on any machine using default settings.

      2) Has Apple issued a malware definition update yet? OS X has had XProtect, a silent, built-in malware removal tool since 2011 or so, that pulls down malware definition updates on a daily basis in the background and both works to prevent malware installations as well as removes them if they are found. By the time malware gets widely reported enough that sites like Slashdot are reporting it, Apple has usually already issued an update to prevent further infections and eliminate the existing ones. Given that those articles are from a few days ago, Apple may have already done so in this case.

      3) What systems does it infect? If it really is a worm that only has 17,000 computers, it may just be a case of exploiting a known bug in versions of the OS that haven't been supported for years. Or it may be that it's a brand new threat exploiting the latest version of the OS. We have no way of knowing, based on the shoddy reporting by the researchers.

      4) Do users still get the default prompt that they're executing an app for the first time, or does it circumvent that somehow?

      Basically, we know nothing about it or how dangerous it actually is, thanks to the researchers withholding everything about it.

    4. Re:Quite useless article by ArcadeMan · · Score: 3, Interesting

      I assume anyone running Windows is a gamer, anyone running OS X is doing desktop/front-end work and anyone running Linux/BSD is doing server work.

    5. Re:Quite useless article by maestroX · · Score: 3, Funny

      Mac?
      Windows 7 is simply Microsoft's best operating system ever. Mac fanboys should worry and circle together in defensive posture.

    6. Re:Quite useless article by cant_get_a_good_nick · · Score: 5, Insightful

      Hmm, I've been on UNIX since SunOS days and Solaris was the new kid on the block. I've written a device driver that shipped in a commercial UNIX kernel. That said, I chose as my desktop a hybrid BSD/Microkernel architecture with POSIX compliance and a modern GUI. Or in other words, a Mac.

      Macs are not stupid, they are made to be simple to use. That external simplicity hides a deep complexity underneath. I think people don't understand that making something complex be simple to use is one of the hardest things in Computer Science. A good size for desktop computers now is about 8GB of RAM or more. At any given time, 8GB will give you 2^(8*(2^23)) states, which of course will change in a nanosecond. Mac OS tries to, as much as possible, hide the states that don't mean anything to you. It's not that the MacOS guys don't know they exist. They just feel YOU don't need to know they exist. Maybe they're wrong, but it's a conscious decision where they know the states that exist and they feel that showing the states is less helpful than the confusion it would engender. Not stupidity.

      The main issue (and where you have a point though you exaggerate it way past its validity) is sometimes things are complex, and if you hide that complexity, you actually cause a disservice. Apple hides a lot of its security notices. As Macs become more and more of a target, they really need to not hide the complexity as much so that people can make valid choices on how to prevent malware infections.

    7. Re: Quite useless article by DigiShaman · · Score: 3, Informative

      No, not really. By numbers and via common denominator, the Win32 is used by most home and businesses. One of the main factors that makes Windows so vulnerable is backwards compatibility cruft which introduces bugs and exploits. That, and a poor user security paradigm. OSX tends to break but refine with each release (more so than Windows at least). Also, apps are signed. Unsigned apps won't run as they're untrusted. This can be overridden by the user in the security settings, but it takes a more conscious decision vs. blindly clicking "YES, I want to run that thing".

      --
      Life is not for the lazy.
  3. Probably capable of more than Reddit by Karl+Cocknozzle · · Score: 2

    What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit. The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.

    It's a likely bet that it's been configured to find valid C&C IP addresses from other sites, too--Reddit is a high-volume user generated content site, with a lot of existing spam/troll fighting technology in place. So it's pretty likely this avenue will get blocked soon (if Reddit isn't working on it already) and the next large public-site gets rolled over to.

    It's devious and brilliant, to use a public site... More devious if they built it smart enough that Reddit can't block it programmatically.

    --
    Who did what now?
  4. Oh noes .. Reality field collapses .. arrghh by OzPeter · · Score: 4, Insightful

    But then .. from TFA

    Unfortunately, the researchers didn't mention how the malware spreads, but they shared that it is unpacked into the /Library/Application Support/JavaW directory, poses as the application com.JavaW, and sets itself to autostart.

    So for all I know, this could either be a world shattering event whereby zero day exploits are being used on OSX to leverage malware.

    OR it could be like the HK protesters whereby you needed to J/B your phone first.

    So I am reserving my panic until I know more.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Oh noes .. Reality field collapses .. arrghh by BasilBrush · · Score: 2

      Given that most Macs can't run untrusted software, the most likely vector for malware is a trojan. Possibly attached to pirate versions of well known applications. Users of such pirate software would expect to have to explicitly give permission to untrusted software.

    2. Re:Oh noes .. Reality field collapses .. arrghh by hairyfeet · · Score: 4, Informative

      So...they get infected just like Windows does? Because at the shop the vast majority I see are either "user installs pirated shit, gets bug" and "Hey u want to see teh hot lezbos for free? Install 'Iz_not_Viruz_is_Codec.exe" so u can watch teh hot womens 4 free!" which it wouldn't surprise me is also being used for this attack....except you know replace lezbos with "oiled up muscle men" ;-)

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:Oh noes .. Reality field collapses .. arrghh by BasilBrush · · Score: 3, Informative

      So...they get infected just like Windows does?

      Just like ANY OS that accepts 3rd party software does.

      Your homophobia is noted.

    4. Re:Oh noes .. Reality field collapses .. arrghh by gtall · · Score: 2, Insightful

      What's really weird is that you consider a sexual slur integral to your argument.

    5. Re:Oh noes .. Reality field collapses .. arrghh by amiga3D · · Score: 4, Insightful

      I run Little Snitch on my Macs and I'm constantly amazed at how many of my programs want to talk to some site or other. It's annoying because I have to research and see why they want to contact these places and what exactly is going on. I find that if I just block them it's almost never a problem though.

    6. Re:Oh noes .. Reality field collapses .. arrghh by BasilBrush · · Score: 2

      Non-App Store programs often check for software updates on a regular basis. Worst are those that autorun a daemon specifically for this: Adobe is one of the worst offenders (and indeed many other software crimes.)

      Have you spotted any other common categories of why they might do so?

    7. Re:Oh noes .. Reality field collapses .. arrghh by BasilBrush · · Score: 2

      Neither the fact that other people have repeated it extensively before, nor whines about "political correctness" excuse your homophobia.

    8. Re:Oh noes .. Reality field collapses .. arrghh by BasilBrush · · Score: 3

      File extensions are absolutely irrelevant. If your malware security relies in any way on users knowing what file extensions are it's broken.

      There's no confusing programs for data on Macs as any downloaded executable that isn't signed won't run without explicitly allowing it (individually or by changing the default security setting).

    9. Re:Oh noes .. Reality field collapses .. arrghh by BasilBrush · · Score: 2

      Showing your true lack of intelligence there hairyfeet.

  5. solution? by shortscruffydave · · Score: 2

    The backdoor applies the MD5 hash function to the value and sends a query to reddit.com. The query template is as follows: https://www.reddit.com/search?... Here MD5_hash_first8 is the value of the first 8 bytes of the MD5 hash value from the current date. The reddit.com search returns a web page containing the list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.

    So...get Reddit to nix this query and deny the functionality to the botnet?

  6. I have seen some malware trying to infect my Mac by ruir · · Score: 5, Interesting

    And to get it you have to be fairly dumb. Fake sites for subtitles that just propagate your google query to "match" the name of the film you are searching for, and instead of giving you a zip with the subtitle, return a dmg file. But then, you have to click on it, click to install the binary, and give a password....So as I say you have to be pretty stupid to install the malware yourself.

  7. You're covered ... by CaptainDork · · Score: 3, Funny

    ... we're working on global worming.

    --
    It little behooves the best of us to comment on the rest of us.
  8. Re: I have seen some malware trying to infect my M by ruir · · Score: 3, Informative

    Viruses and malware are two different beasts altogether.

  9. To the hecklers... by Ronin+Developer · · Score: 4, Interesting

    There is a common belief that Macs don't get viruses or could, possibly, be susceptible to malware. This week, we have seen several issues that first threaten the *nix community (which OSX is built upon). The first was the bash bug. The second is a worm that is capable of infecting a Mac system. A few months ago, we had Heartbleed that again, was cross platform.

    Yes...the Bash Bug - affects *nix machines including Macs. That means the Linux user is just as exposed. It does mean, in this particular instance, that Windows users get a break.

    The Mac, like Linux, has proven relatively immune to computer viruses. How many people do you know run anti-virus and/or anti-malware software on their Linux desktops or servers? Exactly. The Mac is built on top of a *nix core, but is far more usable by the average user. However, when the built in safeguards are disabled, it's possible to install malware. And, it's very possible that the attack vector is an exploit of the bash bug. We don't know the method or attack vector used to infect those machines (in either of the two articles on Dr. Web). Likely, users downloaded and installed an unsigned OSX application which, unlike having to jailbreak your phone, is easy to do. That unsigned app carried and installed the worm. I say "likely", because we just don't know enough yet.

    For those who aren't aware, Apple has an app store for OSX apps in addition to the iOS app store. Like its counterpart, apps are checked by Apple and are digitally signed. A developer must belong to the Macintosh Developer network to sign their apps and have them sold through the app store. You always have the option to install apps from other sources, but they are unchecked and unsigned. And, you take your chances, just as on other platforms, if you download and install unknown code.

    Apple has taken a beating these past couple of weeks on multiple fronts. The Apple haters are in full force. But, in this case, we don't know how the malware/worm was installed. So, is it fair to bust Apple's chops over it without knowing the root cause?

    1. Re:To the hecklers... by roballred7050 · · Score: 2

      Gatekeeper actually has three levels. Most restrictive only allows app store. Default allows App store and signed apps from known developers. To install unsigned apps, you have to disable Gatekeeper, with a warning about possible risk.

    2. Re:To the hecklers... by dgatwood · · Score: 2

      To install unsigned apps, you have to disable Gatekeeper, with a warning about possible risk.

      No, you don't. Just control-click in Finder, and choose "Open". That, unlike the normal double-click launch, bypasses Gatekeeper's prohibition on untrusted apps, instead presenting a security dialog that tells you that the app is untrusted, and asks you if you want to launch it anyway. If you tell it to do so, OS X computes a checksum for the app and adds that signature to a list of trusted apps, ensuring that you won't be prompted about it in the future.

      You might have to be in the "Mac App Store and identified developers" mode—I'm not sure.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

  10. Don't worry! by Anonymous Coward · · Score: 2, Informative

    > There is really no information here. How does it spread?

    You're using a Mac. You don't need to know *how* it works. It just works and is pretty! Cheer up!

  11. Quite useless article by Anonymous Coward · · Score: 2, Insightful

    Is this an article about how it's spread, or is this the website that it's spread from?

  12. Re: I have seen some malware trying to infect my M by mlts · · Score: 4, Informative

    OS9? When System 7 was out, MS-DOS was at 5.x, and Windows was at 3.1.

    Before OS X, MacOS was getting pretty shaky. It had no preemptive multitasking ability (well, except for A/UX and that was a completely different animal), which meant that any program that didn't use WaitNextEvent() often would hang the box, forcing one to reach for the debug/reset switch or power off button. It did show how relatively robust HFS (not HFS+, HFS) was because it handled dirty restarts quite well.

    In fact, at that era, restarts were a matter of course. If you had to get a project done, restart beforehand, restart afterwards, and maybe a restart every few hours on a prophylactic basis.

    OS X was a major upgrade. It didn't just fix problems with Macs that were issues since the MultiFinder days of System 6, but added real security and user separation which previously could only be put in place by third party software and various hacks (using PBSetCatInfo() to hide folders, etc.)

  13. Re:but but but.... by kthreadd · · Score: 2

    There are many types of malware.

  14. Re:I have seen some malware trying to infect my Ma by ruir · · Score: 2

    I see you are not used to downloading subtitles. While I agree entirely with you on the theory, that's how many prominent sites are delivering them nowadays. Maybe because they often put an extra file there with credits, and more rarely, multi-language subtitle packs.

  15. They probably don't know how it spreads by FellowConspirator · · Score: 5, Insightful

    A regular user process is not going to be able to create the sub-directory in Application Support or install the launchd file to auto-start the service. For that, you'd need admin privilege, which has to be given explicitly by a member of the admin group. To get there, it has to trick an admin user to explicitly install it (in which case, it's not a worm/virus, it's a trojan), or it has to remotely trick an OS X application that runs as root or has admin privilege to do so -- but there's not much opportunity there as most services don't accept incoming connections, and those that do generally run as an unprivileged user. Looking at my Mac, the only service that can be connected to remotely and has sufficient privilege (if enabled) is SSH. Macs don't have that enabled by default.

  16. Odd... by DaCo · · Score: 2
    Okay, I was curious about this one. According to the article here, they:
    1. Work out the number of days since January 1st, 1900 (it doesn't say that explicitly, but gives tm->tm_yday + 365 * tm->tm_year). Today, that would be 41883
    2. Work out the md5 hash of that, which would be ffeac4e88ea3d3c65678fcd434a65f83 for today
    3. Truncate it to eight bytes, so ffeac4e8
    4. Search it on Reddit with https://www.reddit.com/search?...

    That gives no result, neither does the previous day (4cb43551) or even a couple of days ago (7b6461c8), so what gives?

    --
    DELETE MY ACCOUNT
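
The lookup quoted in comment 5 and worked through by hand in comment 16 can be reproduced for any date. The script below is an added example, not code from the Dr. Web write-up or from the malware: it replicates the C expression tm_yday + 365 * tm_year, hashes the result and keeps the first 8 hex digits, and generates the tokens for the days around a chosen date. It assumes the day number is hashed as its decimal ASCII string, which is what the walkthrough above appears to do; the page does not confirm that, and if it is right the token for 1 October 2014 should reproduce the ffeac4e8 derived in the comment. The search URL itself is left out because the page only shows it truncated.

```python
import hashlib
from datetime import date, timedelta


def _as_date(d):
    """Accept a date or an ISO string such as '2014-10-01'."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def iworm_day_number(d):
    """Replicate the C expression tm_yday + 365 * tm_year quoted in the thread.

    tm_year is years since 1900 and tm_yday is the zero-based day of the year,
    so this is not a true day count since 1900: the 365 multiplier ignores
    leap days, and in a leap year 31 December and the following 1 January
    collapse onto the same number.
    """
    d = _as_date(d)
    tm_year = d.year - 1900
    tm_yday = d.timetuple().tm_yday - 1  # Python's tm_yday is 1-based, C's is 0-based
    return tm_yday + 365 * tm_year


def iworm_search_token(d):
    """First 8 hex digits of the MD5 of the day number.

    Assumption (the page does not say): the number is hashed as its decimal
    ASCII string, which is what the hand calculation in the thread appears to
    do. If the binary hashes the raw integer instead, only this line changes.
    """
    digest = hashlib.md5(str(iworm_day_number(d)).encode("ascii")).hexdigest()
    return digest[:8]


def tokens_for_window(center, days_before=1, days_after=1):
    """Tokens for a span of days around center.

    The value rolls over at local midnight on the infected host, so a search
    (or a sinkhole pre-registering comments) should cover the neighbouring days
    too; an off-by-one day is also the first thing to check when a lookup like
    the one in the comment above comes back empty.
    """
    center = _as_date(center)
    return {
        center + timedelta(days=k): iworm_search_token(center + timedelta(days=k))
        for k in range(-days_before, days_after + 1)
    }


if __name__ == "__main__":
    for day, tok in tokens_for_window("2014-10-01").items():
        print(day, iworm_day_number(day), tok)
```

The day-number function is worth keeping separate from the hash: it is the part that can be checked against the comment above (41883 for 1 October 2014) without trusting the hashing assumption, and it exposes the leap-year quirk in the original expression.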
  17. Re: I have seen some malware trying to infect my M by antdude · · Score: 2

    Aren't viruses parts of mal(icious)wares?

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  18. Re: I have seen some malware trying to infect my M by Anonymous Coward · · Score: 4, Informative

    It's good to note for the uninformed, though, that old MacOS is a completely different codebase from a completely different source than OS X. It's not like they went through some internal process and evolved MacOS into OS X and it's some sort of continuation. Steve Jobs left and founded NeXT computer, which sold graphical workstations with a totally new OS (NeXTStep), which was a Unix derivative in terms of design, API, etc based on a core from BSD. Later, when Steve returned to Apple, he brought NeXTStep back with him. They rebranded and rejiggered NeXTStep a bit and then started calling *that* OS X. The old Mac codebase died and was replaced; it did not evolve.

  19. I am one too by CasaVacas · · Score: 2

    I found out early this morning that i had the malware. Deleted the executable and the startup plist file. I had not updated my os in a few months. So I did that. I am now backing up vital files for a reinstall. Sigh. Right before Yosemite goes final. So installs, installs. Backups, backups. Etc. I had pirated a copy of photoshop cc 2014 from pirate bay. (yeah i am utterly broke and unemployed, and i had launched it only once to export one file to a specific format). And as far as i can see right now that is the only app that has the same-ish timestamp (in my apps folder) as the javaW binary from the lib/app support/javaW/ folder. In my case 31st of aug. So i have been compromised for about a month. I had the security settings set to Mac apps and identified developers only. So not completely opted out of the sandbox. I am tech/dev savvy, but not hacker-good. Is there a command for terminal that can show me every binary that has been updated since that date? so i can see if i should kill processes whilst fixing my system? Could google it but thought why not ask the "nice people" at slashdot. I lurked here for years. Posted a few comments, got called a retard for my non-native drunken-english, and never posted again until now. If you want to make up for it, help me out :)
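
The question in the comment above (list every binary changed since a date) and the artifacts mentioned earlier in the thread (the /Library/Application Support/JavaW directory from TFA, the startup plist comment 15 says needs admin rights to install) can be checked with one small triage script. The script below is an added example, not something from the page or from Dr. Web: it lists executables under a directory whose mtime is at or after a cutoff, and looks for launchd plists that name JavaW. The page does not say where the autostart plist lives; the LaunchDaemons/LaunchAgents directories are the standard launchd locations and are an assumption about this sample. The demo runs against a constructed temporary tree, not a real host; point `triage()` at /Applications and the real launchd directories to use it.

```python
import os
import stat
import tempfile
from datetime import datetime
from pathlib import Path

# From the thread: the payload unpacks into /Library/Application Support/JavaW
# and poses as com.JavaW with an autostart entry. The launchd directories are
# the standard places for such an entry; that this sample uses them is an
# assumption, not something the page states.
IWORM_DIR = Path("/Library/Application Support/JavaW")
LAUNCHD_DIRS = (Path("/Library/LaunchDaemons"), Path("/Library/LaunchAgents"))
IWORM_MARKER = "JavaW"
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def executables_modified_since(root, since):
    """Regular files under root with an exec bit and mtime >= since (a datetime)."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                st = p.lstat()  # lstat: report the link itself, never follow it
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & EXEC_BITS and st.st_mtime >= cutoff:
                hits.append(p)
    return sorted(hits)


def launchd_plists_mentioning(marker, dirs=LAUNCHD_DIRS):
    """launchd plists whose file name or contents mention marker.

    Binary plists keep plain-ASCII strings unencoded, so a byte search still
    catches a bplist that names the payload in its ProgramArguments.
    """
    found = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            try:
                data = p.read_bytes()
            except OSError:
                continue
            if marker.lower() in p.name.lower() or marker.encode() in data:
                found.append(p)
    return sorted(found)


def triage(since, app_root="/Applications", iworm_dir=IWORM_DIR, launchd_dirs=LAUNCHD_DIRS):
    """Collect the three things the thread points at: payload dir, plist, recent binaries."""
    return {
        "payload_dir_present": Path(iworm_dir).exists(),
        "suspect_plists": [str(p) for p in launchd_plists_mentioning(IWORM_MARKER, launchd_dirs)],
        "recent_executables": [str(p) for p in executables_modified_since(app_root, since)],
    }


def _touch(path, mtime, executable=False, content=b""):
    """Create a file with a chosen mtime (used only to build the constructed sample)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)
    if executable:
        path.chmod(0o755)
    os.utime(path, (mtime, mtime))


def demo():
    """Run triage against a constructed sample tree, not a real infected host."""
    base = Path(tempfile.mkdtemp(prefix="iworm-triage-"))
    apps, ld = base / "Applications", base / "LaunchDaemons"
    old, new = datetime(2014, 8, 1).timestamp(), datetime(2014, 9, 2).timestamp()
    _touch(apps / "Safari.app/Contents/MacOS/Safari", old, executable=True)
    _touch(apps / "Pirated.app/Contents/MacOS/Pirated", new, executable=True)
    _touch(apps / "Pirated.app/Contents/Resources/readme.txt", new)  # data, not a binary
    _touch(ld / "com.JavaW.plist", new,
           content=b"<plist><string>/Library/Application Support/JavaW/JavaW</string></plist>")
    _touch(ld / "com.apple.example.plist", old, content=b"<plist/>")
    report = triage(datetime(2014, 8, 31), app_root=apps, iworm_dir=base / "JavaW", launchd_dirs=(ld,))
    # Reduce full paths to base names so the result does not depend on the temp dir.
    return {k: ([Path(x).name for x in v] if isinstance(v, list) else v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The mtime filter is a triage aid, not proof of anything: a dropper can set whatever timestamp it likes, which is why the script also checks the persistence locations the thread names rather than relying on dates alone.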