MAC BOTNET uses REDDIT comments for directions

A zombie network that feasts on the computer brains of infected Macs has press-ganged 17,000 compromised machines into its ranks, Russian anti-virus firm Dr Web warns. The iWorm creates a backdoor on machines running OS X. Miscreants are using messages posted on Reddit as a navigational aid which points infected machines …

  1. Vociferous

    Good old reddit.

    Pretending that the only option is to ban the account posting the control server list.

    I guess searching for and blocking access to the server list is beyond their capabilities.

    1. Remy Redert

      Re: Good old reddit.

      Merely searching for and blocking access to the server list wouldn't help disinfect the computers though. Better to mod edit the existing list to point at a machine controlled by white hats. Then take the CnC servers down. Now all the bots go looking for a new CnC server and connect to the white hat one, rendering them harmless and identifiable.

  2. Frankee Llonnygog

    I just set up a botnet on the control servers

    I'm using them as Minecraft servers.

  3. Crazy Operations Guy

    Taking down gateways is the stupidest method of trying to solve a problem, much like curing a disease by just treating the symptoms.

    For something like this, they should have just kept the service running and allowed the machines to communicate with the CnC server while the police investigated and observed until they gathered enough information to capture everyone involved at once and dismantle the bot-net in one fell swoop. Taking down these posts only encourages the controllers to move things deeper and deeper until it becomes impossible to track and trace.

    1. Observer1959

      I felt like I was reading a scene out of Batman.

  4. Matt Bryant Silver badge
    Facepalm

    Sorry, has to be said.....

    "You don't have to worry about security because Macs don't get viruses." Heard only yesterday from a fanboi.

    1. Frankee Llonnygog

      Re: Sorry, has to be said.....

      Fact - Windows and Linux have absolutely no clueless users. That's why you never hear any horror stories about those platforms.

    2. blodwyn

      Re: Sorry, has to be said.....

      Two minutes checking the source reveals that this software installs into the /Library/LaunchDaemons folder. This is a system-protected folder that cannot be written to without the user entering an admin password when prompted. OS X is no different than any other platform in this respect. If a user authenticates a piece of software to go ahead and install itself, then all bets are off. There are idiot users on all platforms.
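As an added, defender-side example that is not from this thread, the article, or Dr Web's analysis: a small Python audit of a launchd daemons directory of the kind blodwyn mentions. It parses each plist with the standard `plistlib` module and flags jobs whose program lives outside expected system paths, that are set to run at load and be kept alive, or whose plist was modified recently. The trusted-path prefixes, the seven-day "recent" window, and every label, file name and path in the constructed sample directory are assumptions made for illustration, not indicators from the page.

```python
"""Audit a directory of launchd property lists for suspicious persistence entries.

Added example (not from the thread or the article): given a directory of
launchd plists, parse each with plistlib and flag entries that a defender
would want to look at more closely.
"""
import os
import plistlib
import tempfile
import time

# Locations a system daemon's program is normally expected under (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_path(plist):
    """Return the executable a launchd job runs, from Program or ProgramArguments."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launch_daemons(directory, recent_seconds=7 * 24 * 3600, now=None):
    """Return a list of (label, program, reasons) for plists that look suspicious."""
    now = time.time() if now is None else now
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(directory, name)
        try:
            with open(full, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist that does not parse is itself worth a look
            findings.append((name, None, [f"unparseable plist: {exc}"]))
            continue
        reasons = []
        prog = program_path(plist)
        if prog is None:
            reasons.append("no Program/ProgramArguments")
        elif not prog.startswith(TRUSTED_PREFIXES):
            reasons.append(f"program outside trusted paths: {prog}")
        if plist.get("RunAtLoad") and plist.get("KeepAlive"):
            reasons.append("RunAtLoad + KeepAlive (persistent, auto-restarting)")
        if now - os.path.getmtime(full) < recent_seconds:
            reasons.append("plist modified recently")
        if reasons:
            findings.append((plist.get("Label", name), prog, reasons))
    return findings


def build_sample_dir():
    """Create a temporary directory holding two constructed plists for demonstration."""
    d = tempfile.mkdtemp(prefix="launchdaemons-sample-")
    now = time.time()
    benign = {
        "Label": "com.example.system.helper",  # constructed benign-looking entry
        "ProgramArguments": ["/usr/libexec/example-helper"],
        "RunAtLoad": True,
    }
    suspicious = {
        "Label": "com.example.updater",  # constructed suspicious entry
        "ProgramArguments": ["/Users/Shared/.hidden-updater", "--daemon"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    # Give the benign entry an old mtime and the suspicious one a fresh mtime.
    for fname, data, age in (("com.example.system.helper.plist", benign, 30 * 86400),
                             ("com.example.updater.plist", suspicious, 3600)):
        path = os.path.join(d, fname)
        with open(path, "wb") as fh:
            plistlib.dump(data, fh)
        os.utime(path, (now - age, now - age))
    return d


def demo():
    """Run the audit over the constructed sample directory and return its findings."""
    return audit_launch_daemons(build_sample_dir())


if __name__ == "__main__":
    for label, prog, reasons in demo():
        print(f"{label}: {prog}\n  - " + "\n  - ".join(reasons))
```

Pointing `audit_launch_daemons` at a real `/Library/LaunchDaemons` only requires read access to the plists; the heuristics are deliberately simple, so treat a hit as a prompt to inspect the program on disk (its signature, its origin) rather than as a verdict.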

      1. Anonymous Coward

        Re: Sorry, has to be said.....

        And how often do users (of any OS) click on something, see a 'looking for permission' and click 'OK' without thinking?

        Geeks may well think about it and get suspicious, as well as partners of geeks, but the average user doesn't. They see an annoying box and click on the OK button to get it out of the way.

        It's not OS specific (as much as fanboys of each OS would like it to be), and it isn't about teaching users either (that just isn't going to happen). It's about making sure that the OS has enough security built in from the ground up to see when something wrong is happening (ie built in anti-virus / anti-spyware). I say built in as most anti-virus / anti-spyware is just so bloated that it makes even the best machines crawl when installed.

        1. PC1512

          Re: Sorry, has to be said.....

          It may seem a fine detail but on Mac OS X there's no convenient "ok" button to press in these circumstances - you have to actually enter an admin username and password. If the user has any sense at all, this might just give them pause enough to find it.

          1. Arthur Dent

            Re: Sorry, has to be said.....

            OK, so Mac OS X is exactly like all recent Windows releases. You have to type a password and then hit the OK (or YES or whatever it is) button. Username+Password is merely splitting the password into two fields - no increased security compared to a password with the combined length. And if users had any sense at all they wouldn't do that unless they were very sure it was safe. I reckon the proportion of Mac users with any sense at all is probably a bit smaller than the proportion of Windows users: the Windows users must have more sense because they don't pay Apple prices and because way back when Apple was using built-in-decay-to-ugliness instead of rampant overpricing to acquire lots of shekels the fanbois got nice white PCs which turned into ugly yellow PCs in less than two years but stuck with Apple, while the Windows Nuts didn't get anything quite that horrid.

    3. Mike Bell

      Re: Sorry, has to be said.....

      @Matt,

      That fanboi was almost certainly correct. Strictly speaking, no virus has ever been found running on a Mac.

      As for other types of malware like trojans and worms, OS X can never be immune to these. Potentially, any piece of software that a user installs – or allows to be installed – could be malware.

      If you allow unsolicited malware to be installed by entering an admin password when prompted, you are in trouble. Historically, flaws in Adobe Flash and Java have been exploited to fool users into doing this, one reason I don't install Flash or Java on my Macs.

      As for this particular strain, the precise attack vector is still unknown. I read somewhere that it prompts for an admin password but can still do limited damage regardless – the truth of that would be very interesting to establish.

      1. PC1512

        Re: Sorry, has to be said.....

        You can never fully protect against user error and any machine can become infected by malware that the user is determined to install.

        Recent macs (and those updated to the latest free versions of OS X which is most of them) do come equipped with Gatekeeper by default which prevents the user from installing anything from an untrusted developer - again it can be circumvented by choice but it's another layer of protection for the unwise.

      2. Matt Bryant Silver badge
        Facepalm

        Re: Mike Bell Re: Sorry, has to be said.....

        "......That fanboi was almost certainly correct....." That fanboi, like many others, is under the delusion that virii are the only security threat. They are only as correct as a fat man that stands next to a pride of hungry lions and says "I'm too fat to starve."

      3. ElReg!comments!Pierre

        @ Mike Bell Re: Sorry, has to be said.....

        > That fanboi was almost certainly correct. Strictly speaking, no virus has ever been found running on a Mac.

        Since you're going for the pedant angle I thought I'd mention that there have indeed been viruses developed for the Mac; including the first virus ever to be described as such, actually. So, strictly speaking as you would say, viruses were born on a Mac.

        Now please by all means do carry on flaming each other over how such or such OS is totally foolproof, I don't really care about OS wars.

  5. Stevie

    Bah!

    My sympathies, Mac users. It was bound to happen eventually. 8o(

    1. Observer1959

      Re: Bah!

      Like taxes and death.

    2. Stevie

      Re: Bah!

      Wow, I got roundly down-thumbed for showing sympathy for mac users. No wonder no-one likes 'em.

  6. PC1512

    Yeah okay - they've no idea (or don't want to say) how this spreads or how any of these machines have become infected, but let's call it a "worm" and crank up the macs-need-antivirus-too mantra once again. Oh noes loser fanboys etc ad infinitum.

    Tell me how this can happen and I might believe I need AV to stop it. If you don't know, shush, because the simplest answer (user error) is probably correct.

    1. Matt Bryant Silver badge
      FAIL

      Re: PC1512

      ".....Tell me how this can happen and I might believe I need AV to stop it....." Which is the actual problem - far too many Mac users think viruses are the only security threat, and, since they are told (repeatedly by fanbois) that viruses only happen to Windows users, they assume their Mac magically is immune to all threats.

      1. PC1512

        Re: PC1512

        No, that's not the actual problem because there is no actual problem - this is all complete FUD. This is a Trojan, just like many other Trojans. ANY machine can fall foul to a Trojan if the user is determined to install it. That is not a weakness in the system or an argument for AV, it is simply what computers do, they run the software that their users ask them to run, end of story.

        I use a Mac. It does not have this or any other malware. I don't have a problem and I don't need antivirus or any other crapware hogging my resources to tell me that. Sorry if this disappoints you.

  7. This post has been deleted by its author

  8. Anonymous Coward

    I found a YouTube downloading website yesterday that was delivering downloads to Macs as an executable file looking for permission to install itself.

    The risk with a Mac is definitely lower unless the user's stupid enough to authenticate with their system password and install malware which is totally possible.

    1. Looper

      The risk with a Mac is definitely lower...

      "...unless the user's stupid enough to authenticate with their system password and install malware which is totally possible."

      Lower than what? A similarly set up Windows PC? More nonsense iKerrap. If you use Windows correctly, and know what you are doing, you will be in very little danger.

      If you are either an iFool or M$fool or Fool-ux, then you can do damage and be damaged.

      The Bell-end fallacy that there has never been a VIRUS on the Mac platform is completely untrue. Less malware definitely, but that is also due to proportion of each OS users, and damage potential of each OS in terms of number and type of users.

      Watch this space as mobile malware lifts off. iOS will be right up there with Android.

  9. Anonymous Coward

    Blocking REDDIT means the C&C server list cannot be obtained.

    I just added REDDIT to my botnet filter so I can see if there are any hits. This way if a family member did allow the program to be installed, it won't be going out. The botnet filter would block C&C access once the servers are located and added to the botnet filter automatically anyway.

  10. Mike Bell

    Looking like this happened by users installing pirated software. Silly, silly people.

    Apple have now updated their malware definitions to protect users from themselves.

    1. PC1512

      Re:

      Yes, as suspected, just another Trojan. Which begs the question why "Dr Web" saw fit to dub this an "iworm" and send all the tech blogs into paroxysms of glee at the thought of an OS X security flaw. Unless of course - and this surely couldn't be so - they just wanted a bit of attention.

  11. JeffyPoooh
    Pint

    Dialog boxes as "Security" (theatre?)

    What if the baddies spell 'Install' as "Cancel", and spell 'Cancel' as "Install"?

    No matter what the OS tries to do, there's got to be a thousand ways to make even the most informed user click the 'wrong' button. Overlays, offset pointers, transparent buttons, zillions more...

    Personally, I typically close the entire window or app. And I pray (not really) that the baddies didn't spell 'Install' as "X".

    1. blodwyn

      Re: Dialog boxes as "Security" (theatre?)

      Except that the box that pops up is generated by the system, not the app that's trying to be installed, so there's no capability for the app to tinker with the dialog box contents to spoof the user. As previously stated here, in order for this malware to be installed the user needs to open System Preferences and disable "Gatekeeper" and then enter their admin password when prompted by the system dialog box. It's hard to see what else OS X can do without completely banning users from installing any apps that are unsigned or unrecognized, which would certainly cause a shitstorm of protest.
