Symantec Researchers Find ‘First Real Attempt to Create a Mac Botnet’


The latest edition of Symantec's subscription-only Virus Bulletin features a piece from researchers Mario Ballano Barcena and Alfredo Pesoli, who say they have uncovered "the first real attempt to create a Mac botnet," a network of "zombie" Macs that could do a remote user's bidding. Botnets have long been a problem in the Windows world, but this is the first time the Mac community has faced one.

The malware -- known as OSX.Iservice and OSX.Iservice.B -- was found in pirated copies of Apple's iWork 09 software and Adobe's Photoshop CS4, cracked versions of which have been shared on peer-to-peer file-sharing networks. Mac owners who downloaded and installed the infected software could number in the thousands, ZDNet estimates.

ZDNet obtained a copy of the Virus Bulletin article and said it "goes into detail on the botnet's peer-to-peer engine, startup and encryption capabilities and configuration file structure and concludes that the person who wrote the malware is not the same as the person who actually 'used' it."

ZDNet quoted the researchers as saying: "The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future."



Sounds like a good reason not to pirate software.  It still doesn’t make me want to buy virus software.


Key words:

Downloaded and installed.

Still requires bad behavior on the part of the user, it’s not an automatic infiltration of bot by itself.


Still requires bad behavior on the part of the user, it’s not an automatic infiltration of bot by itself.

Very true.
But how many users just click through the install warning as a reflex without thinking.

Also at the moment it is embedded in pirated software, but it just as easily could be stuck to a printer driver, or shareware game and uploaded to the net. This is a significant concern for the future. OTOH I’m not running out to get security software just yet, but it’s in the back of my mind….


Just reinforces the mantra

“Only install programs downloaded from sources you trust!”

File trading networks are NOT to be trusted.  If you’ve installed the Trojan on your system, then you deserve what you get.  Doesn’t mean we should ignore it, just that Karma’s a B!tch.

Also, this is not the first time the Mac community has had to deal with botnets.  We all get the Spam in our mailboxes.  It’s just the first time that Macs have been PART of the botnet.  A subtle distinction, but important.


But how many users just click through the install warning as a reflex without thinking.

Reflex, yes. That legitimately applies only for those who’ve acquired the software legally, either through purchase or the free 30-day trial.

Maybe someone like my sweet old Aunt Mary Ellen might Google “iWork” and unknowingly go to a pirate download without knowing the difference. But I’d bet that 95% of downloaders knew exactly what they were doing.



My sweet old Aunt Mary Ellen wouldn’t know how to configure Vuze even if her life would depend on it.

Nah, Mary Ellen’s not that savvy. Remember, she WOULD go unknowingly to the temple of e-doom. And some of the genes back a couple of generations that went to her also found their way to me, because I thought Vuze were what you get when you open your eyes.

(seriously, though, I have no clue. Or Cluz.)

Right, it’ll continue to evolve. It’s a never-ending digital arms race. Ten years from now threats will be disguised even more vividly and imaginatively, when my new 800 TB iHolograph will show my smarmy Cousin Eddie literally hiding Trojans in—well, it’s a holograph, you figure it out.

