RealTime IT News

Symantec Warns: Mac Botnet Could Strike Again

Symantec, the company that discovered the first Macintosh worm in 1998, announced the discovery of the first Macintosh botnet.

If you have not pirated software, you're likely fine, the company said. That's because the bot spreads through a software package that purports to be a pirated version of Apple's iWork application, a productivity software collection similar to Microsoft Office. The product, which retails on the Apple Store Web site for $79, even touts compatibility with Microsoft Office as a key feature.

But if you decide to try to avoid paying $79 for it and instead decide to download a "free" version from a file sharing network, you may get infected, said Andy Cianciotto, senior security response manager of Symantec's Security Response team in a blog post in January.

The bad version of the software looks like the real thing but delivers a Trojan called iWorkServices.pkg, which can easily go unnoticed, as it is only 492KB in size in a 450MB ZIP file. The Trojan downloads malware, opens a back door to the computer and seeks to connect to remote hosts.

"Symantec recommends that users who wish to try the trial version of iWork '09 should download it directly from Apple at http://www.apple.com/iwork/," wrote Cianciotto.

The issue received new attention this month with a writeup by Symantec in Virus Bulletin magazine, with the provocative headline The new iBotnet.

"We wanted to educate people," said Gerry Egan, director of product marketing for Symantec Security Response. "We wanted to tell people that although you're more secure on a Macintosh, you're not invincible."

In fact, the Trojan uses social engineering, he noted. It does not exploit a flaw in Apple's operating system. "It's the old style con or hustle," Egan said. "For someone who's just downloaded free software, they want to use the software now. They'll let it run."

Instead, he advised people to be more cautious, especially if they're venturing into the Internet's side streets and back alleys. "Our recommendation is: be careful where you surf," he said.

He noted that malware authors are releasing many worms at once. Symantec has already identified a second version that masquerades as Adobe Photoshop CS4 11.0 Extended version, with a 1.011 GB file, that the company calls OSX.Iservice.B. Egan said that malware authors can easily manipulate code to release many versions of their work, each targeted at a different category of victim, a strategy he called a "shotgun approach."

Finally, he warned that the software is flexible and adaptable, and that more versions may be on the way. The exploit is well-written, he said, and can be controlled both through direct call home and through P2P pathways, making it a malware platform whose use could be sold in the underground economy. "Whoever did this invested a lot of up front work in it," he said. "Who knows? Maybe they'll try again."