Slashdot Mirror


New OS X Backdoor Malware Roping Macs Into Botnet

An anonymous reader writes: New malware targeting Mac machines, opening backdoors on them and roping them into a botnet currently numbering around 17,000 zombies has been spotted. The malware, dubbed Mac.BackDoor.iWorm, targets computers running OS X and makes extensive use of encryption in its routines, Dr. Web researchers noted. What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit. The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.

6 of 172 comments

  1. Well by Anonymous Coward · Score: 5, Funny

    I'm sure the botnet just works and that it's a great feature.....

  2. I have seen some malware trying to infect my Mac by ruir · Score: 5, Interesting

    And to get it you have to be fairly dumb. Fake sites for subtitles that just propagate your Google query to "match" the name of the film you are searching for, and instead of giving you a zip with the subtitle, return a dmg file. But then, you have to click on it, click to install the binary, and give a password... So as I say you have to be pretty stupid to install the malware yourself.

  3. Re:Quite useless article by smallfries · Score: 5, Funny

    Well I'm a mac user and I think that you'll find that I am quite superior to you in every way.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php

  4. They probably don't know how it spreads by FellowConspirator · Score: 5, Insightful

    A regular user process is not going to be able to create the sub-directory in Application Support or install the launchd file to auto-start the service. For that, you'd need admin privilege, which has to be given explicitly by a member of the admin group. To get there, it has to trick an admin user to explicitly install it (in which case, it's not a worm/virus, it's a trojan), or it has to remotely trick an OS X application that runs as root or has admin privilege to do so -- but there's not much opportunity there as most services don't accept incoming connections, and those that do generally run as an unprivileged user. Looking at my Mac, the only service that can be connected to remotely and has sufficient privilege (if enabled) is SSH. Macs don't have that enabled by default.
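
Added example, not part of the comment above and not taken from the Dr. Web report: a defender-side audit of launchd property lists that flags jobs which start without user action and whose executable lives under an `Application Support` directory, the persistence layout the comment describes. The job labels, paths and sample plists are constructed for illustration, the check is a review heuristic rather than a malware signature, and matching per-user `~/Library` paths as well is a generalization beyond the comment.

```python
import plistlib
from pathlib import Path

# System-wide launchd job directories; add "~/Library/LaunchAgents" per user.
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents"]
AUTOSTART_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval")

def program_of(job):
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or [None]
    return job.get("Program") or args[0]

def under_app_support(prog):
    """True if prog sits below any .../Library/Application Support/ directory."""
    parts = Path(prog).parts
    return any(a == "Library" and b == "Application Support"
               for a, b in zip(parts, parts[1:-1]))

def audit_job(name, raw):
    """Return the reasons one launchd plist (bytes) deserves a manual look."""
    try:
        job = plistlib.loads(raw)
    except Exception:
        return [f"{name}: not a parseable property list"]
    prog = program_of(job) if isinstance(job, dict) else None
    if not prog:
        return []
    triggers = [k for k in AUTOSTART_KEYS if job.get(k)]
    if triggers and under_app_support(str(prog)):
        return [f"{name}: {'/'.join(triggers)} starts {prog}"]
    return []

def audit(jobs):
    """jobs maps plist file name -> bytes; returns only the flagged entries."""
    found = {name: audit_job(name, raw) for name, raw in jobs.items()}
    return {name: why for name, why in found.items() if why}

def scan(dirs=LAUNCHD_DIRS):
    """Audit the plists present on this machine (read access required)."""
    files = [f for d in dirs for f in Path(d).expanduser().glob("*.plist")]
    return audit({str(f): f.read_bytes() for f in files})

# Constructed sample input: one ordinary job, one matching the described layout.
SAMPLE = {
    "com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup", "RunAtLoad": True,
        "ProgramArguments": ["/usr/local/bin/backupd", "--daily"]}),
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater", "RunAtLoad": True, "KeepAlive": True,
        "Program": "/Library/Application Support/ExampleUpdater/updaterd"}),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Legitimate software also installs helpers this way, so a hit is a prompt to check the executable's code signature and origin, not a verdict.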

  5. Re:Quite useless article by Anubis IV · Score: 5, Informative

    The fact that they're referring to it as iWorm, suggesting it's self-propagating, yet not describing the method of propagation, seems incredibly irresponsible to me.

    I read through both articles, and there's no mention of the following either:
    1) Does the app use a registered Developer ID or not? If not, then the malware is only capable of running on Macs of individuals who have changed the default behavior of the system to allow apps from any source (default behavior is to either only allow apps from the Mac App Store or only allow apps from registered developers...can't remember which). If so, then Apple can revoke the Developer ID in a silent update to prevent it from executing on any machine using default settings.

    2) Has Apple issued a malware definition update yet? OS X has had XProtect, a silent, built-in malware removal tool since 2011 or so, that pulls down malware definition updates on a daily basis in the background and works both to prevent malware installations and to remove them if they are found. By the time malware gets widely reported enough that sites like Slashdot are reporting it, Apple has usually already issued an update to prevent further infections and eliminate the existing ones. Given that those articles are from a few days ago, Apple may have already done so in this case.

    3) What systems does it infect? If it really is a worm that only has 17,000 computers, it may just be a case of exploiting a known bug in versions of the OS that haven't been supported for years. Or it may be that it's a brand new threat exploiting the latest version of the OS. We have no way of knowing, based on the shoddy reporting by the researchers.

    4) Do users still get the default prompt that they're executing an app for the first time, or does it circumvent that somehow?

    Basically, we know nothing about it or how dangerous it actually is, thanks to the researchers withholding everything about it.

  6. Re:Quite useless article by cant_get_a_good_nick · Score: 5, Insightful

    Hmm, I've been on UNIX since SunOS days and Solaris was the new kid on the block. I've written a device driver that shipped in a commercial UNIX kernel. That said, I chose as my desktop a hybrid BSD/Microkernel architecture with POSIX compliance and a modern GUI. Or in other words, a Mac.

    Macs are not stupid, they are made to be simple to use. That external simplicity hides a deep complexity underneath. I think people don't understand that making something complex to be simple to use is one of the hardest things in Computer Science. A good size for desktop computers now is about 8GB of RAM or more. At any given time, 8GB will give you 2^(8*(2^23)) states, which of course will change in a nanosecond. Mac OS tries to, as much as possible, hide the states that don't mean anything to you. It's not that the MacOS guys don't know they exist. They just feel YOU don't need to know they exist. Maybe they're wrong, but it's a conscious decision where they know the states that exist and they feel that showing the states is less helpful than the confusion it would engender. Not stupidity.

    The main issue (and where you have a point though you exaggerate it way past its validity) is sometimes things are complex, and if you hide that complexity, you actually cause a disservice. Apple hides a lot of its security notices. As Macs become more and more of a target, they really need to not hide the complexity as much so that people can make valid choices on how to prevent malware infections.