Symantec, maker of popular antivirus and security software products, recently announced that two of its researchers discovered the first botnet running on Mac OS X systems. The Mac BotNet, a network of infected Mac computers that can be controlled by a remote attacker, was spawned by a Trojan that had infected the computers. The Trojan was originally identified in January of 2009, when it was found hidden in pirated copies of Apple Computer’s iWork ’09 and Adobe Photoshop CS4 software posted on some BitTorrent and peer-to-peer networks and downloaded by unsuspecting users.
The infected versions of the software look like the real product but deliver a Trojan to the computer on which the downloaded software is installed. The Trojan can easily go unnoticed because it is relatively small, but once installed and active it downloads other malware, opens a back door to the infected computer, and connects to remote hosts for further instructions and potentially additional malicious software.
In an article in the latest edition of “Virus Bulletin”, the Symantec researchers dubbed the network of computers “iBotnet” and stated it was used to launch a denial-of-service attack against a Web site in January. According to the Symantec researchers, “The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it and therefore we would not be surprised to see a new, modified variant in the near future.”
Scope of the Mac BotNet
The number of infected Mac computers is hard to gauge, and estimates seem to vary widely, with most sources estimating an infection rate in the thousands. Intego, a leading security and privacy software developer for the Mac platform, said in January that more than 20,000 Mac users were infected with the malicious installers.
The rise of the Mac botnet drew a high level of attention because historically malware has not been a significant problem on the Mac. Opinions vary on whether this is due to smaller market share – market research firm Gartner estimates Apple controlled about 7.4 percent of the market in the first quarter of 2009 – or better default security, as many Mac users believe.
iBotNet and Mac Security
In response to questions about the security of the Mac platform, Symantec stated that, “Users of Macintosh computers continue to have little to fear from viruses, Trojans and worms so long as they take reasonable precautions. However, users who download files from third party sites and from P2P networks such as BitTorrent are at risk. More generally, anyone who surfs the internet should be aware of the threat of fake web sites, called phishing sites, that steal passwords, identity information and credit card numbers.”
In explaining the basic functioning of the Trojans that first infect the systems, Symantec stated, “The two versions of the Trojan, called OSX.Iservice and OSX.Iservice.B both create a network of computers (a “botnet”) that can be used by cyber criminals to attack web sites, send junk email, steal passwords (SPAM) and other malicious activities. This network has been called by some, ‘iBotnet’.”
Longer Term Mac iBotNet Security Effects
Most security experts indicate that the actual immediate damage caused by the iBotNet will be relatively small. The larger concern is that this Mac BotNet will be used as a model by other malicious software developers in exploiting the Mac platform in the future.