iWork '09 Trojan Horse Turning Macs Into Zombies?



iWork '09 Trojan horse turning Macs into zombies?

The botnet stems from a Trojan horse embedded in a trial version of iWork '09

By Dan Moren

"April 17, 2009 (Macworld)

"Over the years, Mac users have been lucky enough that the word "zombie" only conjures up the shambling brain-craving hordes of the undead in movies like Shaun of the Dead. But Windows users have long been dealing with the menace of zombie botnets--networks of PCs corrupted by malware into vectors for malicious attacks.

Now, two researchers who claim to have discovered the first Mac zombie botnet in existence have published a paper in Virus Bulletin (subscription required).

The botnet stems from a Trojan horse embedded in an iWork '09 trial version that was making the rounds on file-sharing networks. The risk first came to light in January when security firm Intego warned of the potential threat hidden in the files.

Two researchers, Mario Ballano Barcena and Alfredo Pesoli, have now discovered two separate variants of the malware, each using distinct techniques to compromise users' machines. They also conclude that the author of the malware was not the same person using it to launch the denial-of-service (DoS) attacks on Web sites, including, according to the Washington Post's Brian Krebs, a site called "dollarcardmarketing.com." The infected package has apparently been downloaded several thousand times, though it also needs to be installed in order to do its dirty work."

Computerworld for full article: http://tinyurl.com/cokrag

The botnet stems from a Trojan horse embedded in an iWork '09 trial version that was making the rounds on file-sharing networks. The risk first came to light in January when security firm Intego warned of the potential threat hidden in the files.

If you're stupid enough to install untrusted software from a file sharing network onto your system then you deserve to get rooted. I'm sure that a boxed version of iWork '09 is just fine.


Why are people so surprised when Apple OSes get viruses? Their OS is highly insecure... the myth that they are more secure than Windows is highly inaccurate. :blink:


I think people are surprised because there are no viruses for Mac in the wild. There have been proof of concept trojans and a DNS changer. Most, like this new trojan, have to be downloaded and installed by a user with an admin password.

I believe this trojan can also be found in pirated copies of iLife 09 and Photoshop. And Hitest is correct the box version is fine.

I think people are surprised because there are no viruses for Mac in the wild. There have been proof of concept trojans and a DNS changer. Most, like this new trojan, have to be downloaded and installed by a user with an admin password.

I believe this trojan can also be found in pirated copies of iLife 09 and Photoshop. And Hitest is correct the box version is fine.

Something like 99.9999% of viruses/trojans/spyware/adware/worms/etc require user interaction...

Something like 99.9999% of viruses/trojans/spyware/adware/worms/etc require user interaction...

Viruses and worms are pretty much self-propagating by definition.

Something like 99.9999% of viruses/trojans/spyware/adware/worms/etc require user interaction...

Viruses and worms are pretty much self-propagating by definition.

Not sure what your "Self-Propagating" was referring to, the user's "self" or the virus's "self"?

Not sure what your "Self-Propagating" was referring to, the user's "self" or the virus's "self"?

The virus's.

They still require user interaction of some sort ;3


So for those in the Mac community who believe the Mac is invulnerable, there's this simple message: You're living in the past.

Researchers: Macs are less secure than Windows PCs

"For years, Apple fans have claimed that Macs are invulnerable to attack, while belittling Windows as being full of security holes. Now the tables are turned --- not only has a Trojan infected Macs and created a botnet, but several well-known researchers warn that Mac OS X is less secure than either Windows or Linux.

In the last few days, there's been a great deal of publicity about the discovery of the world's first Mac botnet. When Mac users downloaded a pirated copy of iLife, their machines were taken over by a Trojan. At that point, according to Symantec experts Andy Cianciotto and Angela Thigpen:

When the Trojanized installer is executed, it also runs the malicious program iworkservices. The Trojan, OSX.Iservice, targets the Mac OS and is compiled as a Mach-O multi-architecture binary. This allows the Trojan to run natively on both PowerPC and x86 architectures.

...

The Trojan acts as a back door and opens a port on the local host for connections. It then attempts to connect to the following remote hosts:

69.92.177.146:59201

qwfojzlk.freehostia.com:1024. "

Computerworld for full article: http://tinyurl.com/dcgdsr

>>>>>>>>>>>>>>

Mac/PC/Linux? It doesn't matter, and here's why...

Submitted by Mike91163 on April 18, 2009 - 8:41 A.M.

Y'all are missing the BIGGER point: the HUMAN factor, and it applies across the board, regardless of the OS. We "geeks" see the world through our "tech-colored" glasses, with tunnel vision, and we miss the whole picture.

Software of any kind, be it an operating system or an application, is written by HUMANS. Humans make mistakes; humans miss seeing things; that's what makes us who we are. Humans also tend to be a trusting bunch, and that's what gets us into trouble as well. Social engineering has been going on for millennia; if you don't believe me, look up the definition of "Trojan horse".

Whether OSX's latest security breach requires human interaction doesn't matter; the fact that it exists shoots a huge hole into the Mac fanboi's argument that "Macs don't get viruses." Whatever your opinion of Windows and Microsoft is, the superiority complex of the Mac brigade is annoying and getting quite old. And, the *Nix boys aren't that far off from their Mac counterparts either; sure, you are constantly hassled for a root password, but what IF an "amateur" downloads and installs a Linux Trojan (and, before you say they don't exist, it's not a question of IF, but rather WHEN), and they type that root pwd? It's GAME OVER. That's what I mean by the human factor.

Until such time as we humans become perfect (which you'll be waiting a LOOOOONG time for), these issues will crop up.

Skynet anyone????

computerworld - http://tinyurl.com/dcgdsr

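For anyone who wants to actually check a Mac against the indicators Symantec lists above rather than argue about them, here is a small triage script. It is an added example written for this thread, not code from Symantec, Intego or either article. The only facts it takes from the thread are the process name iworkservices, that the sample is a multi-architecture (fat) Mach-O, that it opens a listening port, and the two remote endpoints 69.92.177.146:59201 and qwfojzlk.freehostia.com:1024. The fat header bytes and the lsof output inside it are constructed samples; the listening port 12345, the PIDs, the user names and the private addresses are placeholders, not indicators from the page.

```python
"""Triage helpers for the OSX.Iservice indicators quoted in this thread.

Added example, not code from Macworld, Computerworld, Intego or Symantec.
Facts used from the thread: process name iworkservices, fat Mach-O format,
a listening port, and the two remote hosts below. Sample data is constructed.
"""
import re
import struct

# Indicators taken verbatim from the Symantec excerpt quoted in the thread.
IOC_PROCESS = "iworkservices"
IOC_REMOTES = {
    ("69.92.177.146", 59201),
    ("qwfojzlk.freehostia.com", 1024),
}

# --- 1. Confirm a sample is a fat (multi-architecture) Mach-O --------------
FAT_MAGIC = 0xCAFEBABE          # fat_header.magic, always stored big-endian
CPU_TYPE_NAMES = {              # cputype values from <mach/machine.h>
    0x00000007: "i386",
    0x01000007: "x86_64",       # CPU_TYPE_X86 | CPU_ARCH_ABI64
    0x00000012: "ppc",
    0x01000012: "ppc64",
}


def fat_architectures(data: bytes) -> list:
    """Return the architecture names listed in a fat Mach-O header.

    Returns [] when the bytes are not a fat binary (a thin Mach-O starts
    with 0xFEEDFACE / 0xCEFAEDFE instead). Only the header is decoded; the
    embedded slices are not validated, so treat the result as a hint.
    """
    if len(data) < 8:
        return []
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return []
    arches = []
    for i in range(nfat_arch):
        off = 8 + i * 20        # struct fat_arch is five big-endian uint32s
        if off + 20 > len(data):
            break               # truncated header: report what we have
        cputype = struct.unpack(">IIIII", data[off:off + 20])[0]
        arches.append(CPU_TYPE_NAMES.get(cputype, hex(cputype)))
    return arches


# --- 2. Scan `lsof -i -P +c 0` output for the network indicators -----------
# Fields: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)].
# The header line fails the \d+ on PID and is skipped.
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?:TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def _endpoint(hostport: str):
    host, _, port = hostport.rpartition(":")   # rpartition keeps IPv6 intact
    return host, int(port)


def find_iservice_indicators(lsof_output: str) -> list:
    """Return (command, pid, reason) for every lsof line matching an IOC.

    A connection to a known remote is flagged whatever the process is
    called, so a renamed copy is still caught; the process-name match
    catches the listener the backdoor opens on the local host.
    """
    findings = []
    for line in lsof_output.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        cmd, pid, name, state = m["cmd"], int(m["pid"]), m["name"], m["state"]
        # Without +c 0, lsof truncates COMMAND to 9 chars: accept a prefix.
        cmd_match = len(cmd) >= 9 and IOC_PROCESS.startswith(cmd)
        if "->" in name:
            host, port = _endpoint(name.split("->", 1)[1])
            if (host, port) in IOC_REMOTES:
                findings.append((cmd, pid, f"connects to C2 {host}:{port}"))
            elif cmd_match:
                findings.append((cmd, pid, f"iworkservices connection to {host}:{port}"))
        elif cmd_match:
            _, port = _endpoint(name)
            verb = "listening" if state == "LISTEN" else "bound"
            findings.append((cmd, pid, f"iworkservices {verb} on port {port}"))
    return findings


# Constructed sample data (not captured from a real infection).
SAMPLE_FAT_HEADER = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">IIIII", 0x00000012, 0, 4096, 1000, 12)   # ppc slice
    + struct.pack(">IIIII", 0x00000007, 3, 8192, 1000, 12)   # i386 slice
)

SAMPLE_LSOF = """\
COMMAND        PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd          1 root    8u  IPv4 0x0a1b2c3d4e5f6071      0t0  TCP *:22 (LISTEN)
Safari         311 alice  12u  IPv4 0x0a1b2c3d4e5f6072      0t0  TCP 192.168.1.5:49200->93.184.216.34:80 (ESTABLISHED)
iworkservices  412 root    3u  IPv4 0x0a1b2c3d4e5f6073      0t0  TCP *:12345 (LISTEN)
iworkservices  412 root    4u  IPv4 0x0a1b2c3d4e5f6074      0t0  TCP 192.168.1.5:49321->69.92.177.146:59201 (ESTABLISHED)
python         520 alice   5u  IPv4 0x0a1b2c3d4e5f6075      0t0  TCP 192.168.1.5:49400->qwfojzlk.freehostia.com:1024 (SYN_SENT)
"""

if __name__ == "__main__":
    print("fat slices:", fat_architectures(SAMPLE_FAT_HEADER))
    for cmd, pid, reason in find_iservice_indicators(SAMPLE_LSOF):
        print(f"{cmd} (pid {pid}): {reason}")
```

On a real machine, run `lsof -i -P +c 0` as root (so other users' sockets are visible; `+c 0` stops lsof truncating the command name) and pass that text to find_iservice_indicators, and pass the first few dozen bytes of a suspect file to fat_architectures. The network match is deliberately independent of the process name: the sample lsof output includes a process called "python" talking to one of the listed hosts, and it is flagged all the same.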
When Mac users downloaded a pirated copy of iLife, their machines were taken over by a Trojan. At that point, according to Symantec experts Andy Cianciotto and Angela Thigpen:

I'm not saying that there are no Mac viruses out there. You still need to install this virus to get it to activate on a Mac. My initial point still stands. If you are a complete moron who is willing to install a pirated version of software that you've downloaded from a file sharing site you deserve to get owned. To activate this Mac virus you need to give the installer root access to your system. So you are installing the virus. That isn't exactly on par with the drive-by shootings that occur with Windows.

It is a good practice to only install software from a trusted source.

When Mac users downloaded a pirated copy of iLife, their machines were taken over by a Trojan. At that point, according to Symantec experts Andy Cianciotto and Angela Thigpen:

I'm not saying that there are no Mac viruses out there. You still need to install this virus to get it to activate on a Mac. My initial point still stands. If you are a complete moron who is willing to install a pirated version of software that you've downloaded from a file sharing site you deserve to get owned. To activate this Mac virus you need to give the installer root access to your system. So you are installing the virus. That isn't exactly on par with the drive-by shootings that occur with Windows.

It is a good practice to only install software from a trusted source.

That point isn't really valid, considering you'd have to be a novice to get any type of virus/worm/trojan etc. Generally when I get such things I know the risk involved before I click the link, or initiate the file.

A virus is without question something that requires a user to initiate, like most any other maliciously intended program. But I suggest you read the Month of Apple Bugs website before making claims that the Apple OS is secure.

We all know it has very few viruses, but this isn't due to good programming by Apple; this is due to it not being an appropriate target for hackers. Speaking from my personal views on Apple, Apple products are overpriced and suck...

But I suggest you read the month of the apple bugs website before making claims that the Apple OS is secure.

I don't think I claimed that Apple OS is secure. No operating system is perfectly secure. Some hardened versions of BSD like OpenBSD are quite secure. I do like the way that OS X functions. I enjoy administering my daughter's macbook.

But I suggest you read the month of the apple bugs website before making claims that the Apple OS is secure.

No operating system is perfectly secure. Some hardened versions of BSD like OpenBSD are quite secure.

Let's say we reversed the popularity of Windows and OSX; something tells me OSX would have far more viruses than Windows XP does in reality today.

But who knows, you also have to calculate the difference in income; of course more money = more staff. So maybe, maybe not. But as it stands, there is no possible way that OSX is more secure than Windows XP.

and I do love Windows XP ( nlited of course ;3 ) :thumbsup:


In theory, if you're running Windows Vista with all its updates and have good spyware and antivirus running, you would be just as safe as using OS X (with updates) out of the box. Unless on either machine you download something bad and install it. Same with Linux.

In the next week or so OS X 10.5.7 will be out with a lot of bug fixes, and this summer 10.6 will be available. 10.6 is a new OS written just for Intel Macs, which should mean old security bugs fixed and new ones to find.

If anyone has the OS X botnet trojan (estimated at fewer than 1000 machines) you can get a free removal tool at SecureMac.

But I suggest you read the month of the apple bugs website before making claims that the Apple OS is secure.

No operating system is perfectly secure. Some hardened versions of BSD like OpenBSD are quite secure.

Let's say we reversed the popularity of Windows and OSX; something tells me OSX would have far more viruses than Windows XP does in reality today.

But who knows, you also have to calculate the difference in income; of course more money = more staff. So maybe, maybe not. But as it stands, there is no possible way that OSX is more secure than Windows XP.

and I do love Windows XP ( nlited of course ;3 ) :thumbsup:

hmm,

I love ignorance..

first, name how OSX is not secure and what features it is missing (I can, by the way)

also name the ways to hack a Vista machine (hint: they are the same in most ways)

name the 2 things that will put XP on an even start?

I will start

OSX is missing the no-execute bit and OS memory randomisation (the next release fixes both of these)

Vista and XP still give their first user full system privileges..

On an OSX machine the user uses sudo (through a nice GUI) to gain privileges

what does this little difference mean?

you are surfing the web and a pop-up that is correctly written to install software on Mac OSX comes up. This is easy to do in both Mozilla and Safari. The user is then confronted with the system asking for the admin password.. Most users, but not all, would click cancel on the password part because it is not normal for things on the web to ask for your admin account password.

on Vista and XP, same situation: the user is presented a prompt (pop-up written in ActiveX), at which time the user selects cancel on the pop-up (but it's coded the same as OK), and on XP the program is installed since the user is admin on 99% of all Windows systems shipped out. On Vista an OK prompt comes up, but most users have been found to just hit OK because they are used to Windows Vista asking for an OK prompt for a lot of things that don't make sense to them.

now to make XP and/or Vista even close to this on security features, make all users limited user accounts.. problem: 88% of software will not run in this mode..

and yes, with Internet Explorer just going to a website and running a JavaScript can install a virus with no user interaction, as again, to make it simple, most users have Internet security set to minimum, so the user did nothing but click a link on a web page.. and if for some reason you do not believe it, please pick up a few books. We do it all the time to government sites as this is what I do for a living: I get paid to secure and show security issues to our customers.

on OSX a user just going to a site could not install software, but you can attack it using a buffer overrun (the guy who hacked Safari in 5 min worked on that exploit for over a year)

so what can fix both of these issues? Firefox with NoScript running.. but again, how many normal people know about this..

so while OSX is missing two major security options that Windows has, the entire user structure of Windows makes its features moot.

also, since you need to get root access, a virus on Mac would have issues spreading

now for this case, some people downloaded a piece of software and installed it, and when asked gave the software their password.. This would work on any system.. any. In Windows Vista, even if you are a limited user and you install a piece of software, there is a bug that gives the installation program system privileges.. so even a limited user on Vista can do this..

how do you stop this kind of attack?

use roles and sandboxing.. but as of yet only Solaris and SELinux support this. While Windows has roles in a Windows domain, the policy is tricky to get right (not impossible), but sandboxing is implemented by applications, not the OS, in Windows (they call it siloing).

so the point: anytime anyone says this OS is more secure than that OS, ask why and show me.. if they can't, they are giving opinion, not fact.

also popularity is a joke answer and an excuse.. OSX is based on UNIX (BSD as a matter of fact) and UNIX systems make up more than 55% of the installed market (just not desktop). UNIX and Linux systems run more publicly accessed systems than any other. A virus written to attack UNIX or Linux would most likely be able to affect all of them, so they are a bigger target and can affect more people. If Google was taken down or infected it would cause a lot more trouble than infecting the Windows desktops.. so hackers do try and are trying to hack Unix systems just as much or more. But I guess it sounds good, until you think about it for more than 5 min.

In theory, if you're running Windows Vista with all its updates and have good spyware and antivirus running, you would be just as safe as using OS X (with updates) out of the box. Unless on either machine you download something bad and install it. Same with Linux.

In the next week or so OS X 10.5.7 will be out with a lot of bug fixes, and this summer 10.6 will be available. 10.6 is a new OS written just for Intel Macs, which should mean old security bugs fixed and new ones to find.

If anyone has the OS X botnet trojan (estimated at fewer than 1000 machines) you can get a free removal tool at SecureMac.

this version will include memory randomization and the no-execute bit (as those are Intel-specific programmings..)

which means OSX will not be susceptible to the hack that won Charlie Miller $10,000 this year.

Also they are talking about adding application sandboxing, which would give you what Solaris can do with zones or Linux/BSD with jails.


Cool, didn't know they were adding the sandboxing. I think most people think Apple OS engineers only work on pretty interfaces.

Does anyone know if Apple has decided to use ZFS on all the Mac lineup or just the servers?

Hey, Apple just now distributed their one billionth app on the App Store.


ZFS is going to stay server-only by default..

ZFS would be awesome, as its features are well worth the fact that it is not 100% yet.

I use it on my Solaris systems and my Linux systems.

When LVM gets the ability to do snap backups.. well, it will be the only other filesystem that comes close to the usefulness of ZFS.

this version will include memory randomization and the no-execute bit (as those are Intel-specific programmings..)

which means OSX will not be susceptible to the hack that won Charlie Miller $10,000 this year.

Also they are talking about adding application sandboxing, which would give you what Solaris can do with zones or Linux/BSD with jails.

That is very cool. :matrix:

But I suggest you read the month of the apple bugs website before making claims that the Apple OS is secure.

No operating system is perfectly secure. Some hardened versions of BSD like OpenBSD are quite secure.

Let's say we reversed the popularity of Windows and OSX; something tells me OSX would have far more viruses than Windows XP does in reality today.

But who knows, you also have to calculate the difference in income; of course more money = more staff. So maybe, maybe not. But as it stands, there is no possible way that OSX is more secure than Windows XP.

and I do love Windows XP ( nlited of course ;3 ) :thumbsup:

hmm,

I love ignorance..

I love how a staff member of BT is calling me ignorant which is disrespectful and I do not appreciate it.

Then asking me to prove something I never even stated beforehand. I was speaking entirely about Apple OS security; I did not even mention a lot of the things you typed about, whether it be about performance or otherwise.

I like windows XP, who cares? That makes me ignorant? I hate apple products, who cares? That makes me ignorant?

Edit: And just because it's Unix, doesn't mean that the people building from it are not interfering with the stability of Unix. Do I need to direct anyone to Apple's previous OS's?

And just because it's Unix, doesn't mean that the people building from it are not interfering with the stability of Unix. Do I need to direct anyone to Apple's previous OS's?

First of all, welcome to besttechie.net, mewi. I am pleased that you are posting here! iccaros is an expert in many operating systems; I have known him for many years. I trust his advice, as do the members of our forum. To be frank, some of your comments are a bit confusing.

also popularity is a joke answer and an excuse.. OSX is based on UNIX (BSD as a matter of fact) and UNIX systems make up more than 55% of the installed market (just not desktop).

No way. Unix has maybe 15% of the PC market. The server market's something like 1/25th the size of the PC market, so that's at most another few percent.

A virus written to attack UNIX or Linux would most likely be able to affect all of them, so they are a bigger target and can affect more people.

The near-complete lack of binary compatibility presents a bit of a problem. Source compatibility, too, for that matter; I don't think autoconf is an option for a virus.

And just because it's Unix, doesn't mean that the people building from it are not interfering with the stability of Unix. Do I need to direct anyone to Apple's previous OS's?

First of all, welcome to besttechie.net, mewl. I am pleased that you are posting here! iccaros is an expert in many operating systems, I have known him for many years. I trust his advice as do the members of our forum. To be frank some of your comments are a bit confusing.

I apologize for any confusion I may have caused, if you have a question you wish to ask me, about my previous posts, please do so and I will try to make my post(s) less confusing =3
