Fri, 17 Apr 2009 First Mac OS X botnet activated
'iBotnet' created from trojan found in illegally downloaded Mac software
The first botnet created with Mac computers running OS X software has been activated, according to reports filtering out across the Internet.
Botnets are groups of computers, unwittingly linked together via the internet, that can be remotely controlled to perform tasks. Typically they send out spam email, perform DDoS attacks, and gather personal information.
Botnets are typically created through virus infection, or by installing malicious software (known as malware) on your machine. Malware can take many forms, but the version attacking Mac OS X is typically referred to as a 'trojan'. Named after the legendary Trojan horse, it is a piece of malicious code that hides inside another piece of software (in this instance, illegally downloaded copies of software).
As you install the software, you also install the trojan program. Computers infected with this kind of malware are individually referred to as 'zombies'; the network they form is called the botnet.

A typical botnet created from zombies (Credit: Cisco)
Macworld reported in January that illegal copies of iWork '09 and Photoshop CS4 – distributed via peer-to-peer networks – were infected with a trojan called iServices. It now appears that the botnet created from this trojan has been activated, marking this the first time a Mac OS X botnet has appeared.
An Australian blogger has reported: "I found a bunch of processes chewing 100% CPU on my laptop (OS X 10.5.6). Upon examining the script for the process, it turned out to be a PHP script running a DDoS attack on a Web site."
The installer contains two files called OSX.Trojan.iServicesA and OSX.Trojan.iServicesB. These are installed alongside the full software package.
Two security researchers at Symantec, Mario Ballano Barcena and Alfredo Pesoli, wrote in Virus Bulletin (subscription required) that the malware has peer-to-peer communication, remote start-up and encryption capabilities. They said: "The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it - and therefore we would not be surprised to see a new, modified variant in the near future." Interestingly, the two researchers also claim that the person who activated the botnet was not the same as the person who created it.
Intego reported in January that 20,000 people had downloaded the infected installer.
After the trojans were first reported in January, most anti-virus software was updated to protect against the iServices trojan. According to some reports, removing the directories /System/Library/StartupItems/DivX and/or /System/Library/StartupItems/iWorkServices should help.
SecureMac has an iServices Trojan Removal tool that can be used to check your Mac to see if it is infected; it will then remove the files. SecureMac has made this tool available free to all users.
While this is likely to re-ignite any discussion regarding security on Mac OS X, we would repeat that you are extremely unlikely to be infected with the iServices trojan, and that the only way to have become infected is to have obtained an illegal copy of iWork '09 or Photoshop CS4 (typically through a peer-to-peer Web site), downloaded it, and installed it entering your administrator password.
Macworld's advice here is obvious: steer well clear of downloading illegal software from Web sites or torrents.
However, the wider debate surrounding this is only just beginning. There is no doubt that this is a unique event: it is the first such botnet created using Mac computers, though whether more will follow is debatable. And if this type of malicious software is set to become an increasing threat to Mac users, should Mac owners become more amenable to the idea of investing in security software?
We will continue to investigate and make our recommendations as this story develops.
This article's permalink is: http://www.macworld.co.uk/business/news/index.cfm?newsid=25756
Comments received
CFC said on Fri, 17 Apr 2009
"whether more will follow is debatable" dream on.
GlaDOS said on Fri, 17 Apr 2009
Er... I'm not quite sure whether you mean it is, or isn't likely....
I guess that's why it's debatable.
CFC said on Fri, 17 Apr 2009
It is very likely, if not imminent. Recent pawning of a fully patched Mac showed we are wipe open and a lot more vulnerable than people would like to think.
CFC said on Fri, 17 Apr 2009
typo. that should be "wide open"
Slinky said on Fri, 17 Apr 2009
Out of interest, CFC, do you run Mac anti virus software. And if so which one?
Drew said on Fri, 17 Apr 2009
I do, iAntiVirus (only on the machine I use for online banking though). This may be the first but it won't be the last.
Drew said on Fri, 17 Apr 2009
I think i've lost the ability to spell :(
Tin said on Fri, 17 Apr 2009
Thou doest not needeth it round these parts mate...
I don't. I like to live dangerously. Interesting story though.
Michael said on Fri, 17 Apr 2009
No virus. This is malware distributed on stolen software by stupid people. They are smart enough to own a Mac but that's about it. No need to run out and buy antivirus software. Just do not download from sites you know you cannot trust. That would be port or free anything! Simple!
Michael said on Fri, 17 Apr 2009
I can't spell either. That would be porn, not "port."
CFC said on Fri, 17 Apr 2009
VirusBarrier X5, littlesnitch for firewall and a few other lock downs. I work in IT security and trust no OS vendor when they say everything is secure.
iTrojan said on Fri, 17 Apr 2009
Seriously? These guys built a botnet with install files named "Trojan" on them? Why didn't they include their website and email addresses?
BB said on Fri, 17 Apr 2009
They still got installed.
Jaded said on Fri, 17 Apr 2009
At least we'll know who downloaded fraudulent copies of iWork09
NtroP said on Fri, 17 Apr 2009
Currently, these are only threats to people who deliberately steal software. There are vulnerabilities that can be exploited, but have not been - in large part because the default OS X configuration provides little remote surface area but also because market share is limited and most malware these days is for-profit.
This is why I'm loving the new MS ads. The kind of people who decide to not buy a Mac because of them are precisely the people we don't need on OS X. They need to stay with MS as they aren't discerning or savvy enough to see the benefits of a Mac. At least with Linux, simply making the decision to install it instead of Windows shows a level of computer thought-process that makes the user inherently more resistant to the types of malware pitfalls that beset the rest of the idiocracy.
I would argue that Windows 7 is/will be "more secure" than OS X for some time to come, but it will not be "safer" to use and will surely not be "more usable".
WelshDog said on Fri, 17 Apr 2009
I bet this botnet was created by one of the virus software companies.
Reality Check said on Fri, 17 Apr 2009
Be honest, only a real fool still thinks anti-virus companies write viruses.
The truth is Macs are as wide open (pawned in 2 seconds is not security) as Windows, only there is no one using it.
lantzn said on Fri, 17 Apr 2009
This Trojan can only be installed on your Mac if you go to the P2P file transfer site, download the illegal pirated software, install it and give it your user name and password.
Wouldn't it be funny if the Botnet sent an email out to everyone in your address book, Apple and the authorities letting them know you're running the pirated software. Haha what a wakeup call that would be.
Mr P said on Fri, 17 Apr 2009
I'm more cynical than you guys. I believe this is yet another scare story, put about by software companies, to sell more anti-virus software. Oldest trick in the software book. Shame on you naughty wags.
Dragonfly said on Sat, 18 Apr 2009
Of course it's possible to write and install something malicious on OS X. I could write something that deleted my user folder. I could email it to someone else, they could then install it and wipe their user folder as well. The thing is, if you install software from an unknown or illegal source you run the risk that that software could do damage. That's always been the case.
You wouldn't accept headache pills from a stranger in the street, so don't download dodgy software off strange sites :).
eddie said on Sat, 18 Apr 2009
This has to be some sort of windup - what self-respecting "Botmaster" would call his malicious payload 'OSX.Trojan.iServicesA and OSX.Trojan.iServicesB.'
Off the top of my head I'd call them OSX.Core.KernalA or OSX.Printer.DriverB.
Something for April 1st no doubt.
Brian B said on Sat, 18 Apr 2009
I'm surprised that they are only using the virus as a botnet. I would have figured that they would have made it go through your address book and add it as an attachment to your emails. Now that Macs are increasing their market share, it's only a matter of time before anti-virus software is a required installation.
Jaded said on Sat, 18 Apr 2009
@Brian B
"Now that Macs are increasing their market share, it's only a matter of time before anti-virus software is a required installation."
No idea why you think market share is linked to infections. Infections are down to how easy it is to infect a system.
gregorsamsa said on Sat, 18 Apr 2009
@Brian B,
Mind that pre-OS X, when the Mac user-base was much smaller, (AFAIK) Macs had proper viruses (not just trojans). Since OS X came out circa 2001, there have been no known viruses for Macs.
MacWorld Reader said on Sat, 18 Apr 2009
Windows users choose the platform with an abundance of viruses because it has a large market share - crazy.
Keith T said on Sat, 18 Apr 2009
"Windows users choose the platform" because it has the biggest market, more (bigger, better and recent) games, the biggest coverage of software available and, as long as you update and protect it, there is not a problem.
My mac has firewall and anti-virus software, you would be stupid in the head not to.
Jaded said on Sun, 19 Apr 2009
@Keith T
What viruses are you protecting your system against?
There's no patch in the world that will prevent user stupidities such as downloading stolen software or putting your password in for things you don't know are 100% safe.
@Jaded said on Sun, 19 Apr 2009
If you are stupid enough to believe any system is above viruses then you have a lot to lose.
Macs have exploits, viruses and plenty of ignorant users believing they are untouchable.
Dream on.
kerala said on Sun, 19 Apr 2009
Just install software from sources you trust.
chitta said on Sun, 19 Apr 2009
Conspiracy theory: Mac released this botnet so people would only buy from the Apple Store! :P
Jaded said on Sun, 19 Apr 2009
To whoever it is that is unable to put a username up.
You said this:
"If you are stupid enough to believe any system is above viruses then you have a lot to lose.
Macs have exploits, viruses and plenty of ignorant users believing they are untouchable.
Dream on."
This does not follow on from what I posted. Why are you so excited? Have you a hidden agenda?
Richie said on Mon, 20 Apr 2009
Remember this is not a real, true botnet like on Windows, as it required the user to install it, relying on a complete idiot, whereas the ones for Windows pretty much install themselves without the user knowing.
No OS is 100% safe but I put right a lot of Windows machines for a living and, compared to the Mac, Windows is not just wide open but has zero protection on its files. Try to delete or change a system file on a Mac: it asks for a password every time, some require root access, which is disabled by default, and all ports are closed that are not one of the common ones used like 80, 8080 etc...
Jim said on Mon, 20 Apr 2009
It makes me laugh how this is just chalked up to stupid people downloading illegal software and installing it. I can't wait until something like this is attached to a fake "Adobe Flash Update" and distributed via Myspace and the like. What say you then, Macfans?
@Jim said on Mon, 20 Apr 2009
So let me get this right. You just can't wait for the day that Macs are as vulnerable to virus attacks as PCs?
Strange thing to want in life...
Why? So you can say "welcome to the gutter with the rest of us? Make yourself at home"
Personally I hope this is a one off that only affects those users who've installed pirate software and it never goes any further.
Rick said on Tue, 21 Apr 2009
Need to set some things right...
- The 2 second pawn of Safari, read the original article, he worked several days before to be able to exploit a browser vulnerability also used through Firefox.
- Any Mac reseller or support person worth their weight should not mislead customers that the Mac OS is invulnerable. One of the first things to do is NOT use a simple or trivial password. The second is to realize that web sites can be compromised and be ready with an anti-virus, a good one, not some of the junk freeware.
- Lastly, as with everything, good times can end abruptly. Be prepared. The precursor to this botnet thing was a trojan one had to download when trying to see some videos - users were informed that an ActiveX codec was needed. Come on, on a Mac! This was a DNS redirector, inserted some DNS numbers that became noticed when one's internet slowed down.
Daniel said on Wed, 22 Apr 2009
Want to know if you're infected?
Go to applications > utilities > terminal
type: sudo launchctl list | grep service
If you see OSX.Iservice and OSX.Iservice.B then you got it
To disable:
sudo launchctl unload -w /System/Library/LaunchDaemons/*
[where * is the complete line that appeared for the OSX.Iservice]
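The two indicators the page gives, the StartupItems directories named in the article's removal advice and the launchd labels Daniel reports seeing in `sudo launchctl list`, can be combined into a single read-only check. The script below is an added example and is not code from the Macworld article, from SecureMac or from any commenter; the function names, the assumption that `launchctl list` prints the job label as the last column of each line, and the sample `launchctl list` output are this example's own. It only reports what it finds and does not unload or delete anything.

```shell
#!/bin/sh
# Added example, not code from the Macworld article or its commenters.
# Read-only scan for the iServices indicators the page names:
#   - the StartupItems directories the article says to remove
#     (/System/Library/StartupItems/DivX and /System/Library/StartupItems/iWorkServices)
#   - the launchd job labels Daniel reports seeing in `sudo launchctl list`
#     (OSX.Iservice and OSX.Iservice.B)
# Nothing is unloaded or deleted; the functions only report what they find.
# Function names and the sample output below are this example's own.

# launchd labels taken from the comment, matched as whole labels so that an
# unrelated job whose name merely contains "iservice" is not reported.
IOC_LABELS="OSX.Iservice OSX.Iservice.B"

# Directory names taken from the article's removal advice.
IOC_STARTUP_DIRS="DivX iWorkServices"

# scan_launchctl_output: read `launchctl list` text on stdin and print every
# indicator label found. Assumes the label is the last column of each line
# (the "PID Status Label" layout). Returns 0 if at least one label matched,
# 1 otherwise.
scan_launchctl_output() {
    awk -v labels="$IOC_LABELS" '
        BEGIN { n = split(labels, want, " "); for (i = 1; i <= n; i++) ioc[want[i]] = 1 }
        NF > 0 && ($NF in ioc) { print "launchd job present: " $NF; hits++ }
        END { exit (hits > 0 ? 0 : 1) }'
}

# check_startup_items BASE: report indicator directories under BASE
# (default /System/Library/StartupItems). Returns 0 if any exist, else 1.
check_startup_items() {
    base=${1:-/System/Library/StartupItems}
    hits=0
    for name in $IOC_STARTUP_DIRS; do
        if [ -d "$base/$name" ]; then
            printf 'startup item present: %s/%s\n' "$base" "$name"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# scan_mac: run both checks on the local machine. Run as root (the comment
# uses `sudo launchctl list`) so that system-wide jobs are listed.
# Returns 0 if any indicator was found, 1 if the machine looks clean.
scan_mac() {
    found=1
    launchctl list | scan_launchctl_output && found=0
    check_startup_items && found=0
    return $found
}

# Constructed sample of `launchctl list` output (not captured from a real Mac),
# used to exercise scan_launchctl_output offline.
SAMPLE_LAUNCHCTL_OUTPUT='PID Status Label
71 0 com.apple.syslogd
- 0 OSX.Iservice
212 0 OSX.Iservice.B
- 0 com.example.iservice.lookalike'
```

On a real machine, source the file and run `sudo sh -c '. ./scan.sh; scan_mac'`; a non-zero exit means neither indicator was present. Matching whole labels rather than grepping for the substring "service", as the comment does, avoids flagging unrelated jobs whose names happen to contain that word.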