Author Topic: Evidence suggests first zombie Mac botnet is active

Offline sandbox

  • TS Addict
  • *****
  • Posts: 7825
Evidence suggests first zombie Mac botnet is active
« on: July 10, 2009, 09:39:23 AM »
QUOTE
If you let yourself get tempted into installing the pirated versions of iWork or Photoshop CS4 that circulated on Bit Torrent earlier this year, you may have unwittingly turned your Mac into a zombie. Security researchers for Symantec have turned up evidence that these zombie machines are being used to create a Mac-based botnet. Botnets are used to perform DDoS attacks on systems, gather sensitive personal information, and send out a majority of the spam that clogs up the 'Net. While commonly made out of infected Windows computers, this is the first known attempt to create one from Macs.
http://arstechnica.com/apple/news/2009/04/...t-is-active.ars
QUOTE
When Macs Attack
A story I wrote this week about "Shadowserver" -- a group of security volunteers who hunt down botnet operators online -- got picked up by "news-for-nerds" blog Slashdot, and since then a few readers and bloggers have been asking for more details on a botnet I mentioned that was made up entirely of computers powered by Linux and Apple Mac OS X operating systems.
The subject came up in the following paragraph of the story, which addressed how botnet hunting is such a time-consuming and often small-reward effort that some people find it easy to get burnt out doing it after a short time:
"David Taylor, a senior information security specialist at the University of Pennsylvania, knows all too well what botnet-hunting burnout feels like. ... A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems. Working a week straight, Taylor located nearly all of the infected machines and had some success notifying the owners of those systems, but the Taiwanese ISP the hackers used to host their control center repeatedly ignored his requests to shutter the site."
http://voices.washingtonpost.com/securityf...acs_attack.html

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
Evidence suggests first zombie Mac botnet is active
« Reply #1 on: July 10, 2009, 03:26:02 PM »
Could I suggest that the following quote from that last article is of slightly more importance?
QUOTE
Taylor said he's surprised that so many Mac users discount the security threats from third-party applications.

"Why does everyone get all hot and bothered when someone mentions Mac OS X being in a botnet?" Taylor asked. "Maybe I should have said I was tracking several PHP-enabled computer systems. I think it is time to quit focusing on just the ... operating system and think about the applications that are installed on it and how the security of the system can be compromised by [them]."

Indeed, the attacks documented above fit a trend security experts have seen for some time now. As Microsoft moves to tighten security on its operating system, and as more users adopt firewalls, anti-virus software and other defenses, attackers have shifted their focus to attacking flaws in applications that run on top of the operating system.

That was, in part, the premise for the creation of this whole blog: that Internet users can no longer simply install a couple of pieces of security software and call themselves protected. Security is a process, and for better or for worse it requires vigilance, some common sense, and staying on top of the latest threats, regardless of the operating system you are using.
This is, in no way, a fault of OS X any more than it is a fault of Vista/Windows/Linux/Amiga/etc. It is a PHP/Perl script that is installed by third-party, contaminated apps. Therefore, the use of "first zombie Mac botnet" is somewhat misleading, not to mention less-than-current info. However, I totally agree that it is important security information and something every Mac user should be aware of.
« Last Edit: July 11, 2009, 07:17:36 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline sandbox

  • TS Addict
  • *****
  • Posts: 7825
Evidence suggests first zombie Mac botnet is active
« Reply #2 on: July 11, 2009, 02:06:16 AM »
The botnet is news, and Macs can be carriers of the bots. Old or new news, the same bots that are visiting the White House could be sent by a Mac that has downloaded pirate software or some other software. It may be masked, but so are 99% of the bots that infect other computers. They may not feel the effects, but it's a carrier just the same. If it can be in pirate software undetected, why couldn't it be in any number of items that are downloaded to Macs every day? Pirates don't have a corner on the bot market, and bots don't need to be harmful.

If bots can be carried by a Mac, and Mac users do not use security software because they are convinced that they are secure, then a Mac can be more harmful than a PC. At least the PC folks will have anti-virus software that will detect the bot once identified; a Mac will never identify the bot because it has no detection software.
http://www.sophos.com/blogs/gc/g/2009/05/0...il-worm-mac-os/

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
Evidence suggests first zombie Mac botnet is active
« Reply #3 on: July 11, 2009, 03:29:15 PM »
Macs have been capable of passing on more than bots for a very long time, so that's not news. The fact that this was brought to everyone's attention when the new iWork was released back at the first of the year verifies where the bots came from, but that's not recent news, either, and the gentleman stated that in his response to the blog editor. Of more concern to me is the statement that "bots," themselves, are still not listed in several anti-virus protection software, for any OS. As stated in this quote from the blog:
QUOTE
Taylor shared with me a copy of the code he saw being installed on the systems in the botnet -- a simple Perl script. He discovered the code last fall, and while it is clear from examining text strings within it that the program installs attack tools, the script itself still is not detected as malicious by any of the two dozen anti-virus programs in use by VirusTotal, a free online virus-scanning service.


The main reason I don't think this is just a Mac problem comes from another quote:
QUOTE
The botnet Taylor had tracked was created using a known security hole not in Linux or OS X, but in something that runs on top of the operating system. This is PHP, a development programming language built specifically for Web sites. By leveraging this PHP flaw, the attackers were able to seed the Mac systems with several tools designed to turn them into drones...
But this creates even more of a problem for individual computer users: PHP runs on a server, not on 'client' machines. Only a minute number of Mac users run a server on their machines, at least one connected to the interweb. So, about the only thing any individual computer user can do is to scan for the code that will then be inserted into the PHP on some server.

Seems the real problem is with the PHP and server community, not the 'messengers.'

But none of that negates the fact that this is an important topic and threat to all computers. The problem with Macs is that there are too many users still living in the cocoon of the "Macs are invulnerable" myth. So, I still say, "Thanks for pointing out the comments from some experts!"
« Last Edit: July 11, 2009, 03:33:49 PM by Xairbusdriver »

Offline sandbox

  • TS Addict
  • *****
  • Posts: 7825
Evidence suggests first zombie Mac botnet is active
« Reply #4 on: July 11, 2009, 06:43:27 PM »
Nothing here suggests that bots or the botnet are exclusive to an OS; it does, however, expose the fact that trojans can and do operate on the web, embedded in the fabric of delivery code that all computers using HTML, P2P, and so on can be exposed to. The bots aren't OS specific; they crawl through ports that everyone uses. They can come through email or through a download manager or other port entries. My point in making this post was not to claim that Macs are just as bad, or approaching the level of, or anything to do with the platform wars... who's on first... what's on second... If you have the H1N1 virus, does it really matter that you caught it wearing Nikes?

My point is that, like the young and bulletproof, there is a segment of the computer world that believes they live in a virus-free world, and as time passes by that idea is becoming less likely. Having antivirus software on a Mac may seem ridiculous because it hasn't happened, but logic tells us it's coming, so why be a part of the problem when it does?

I've had Sophos software ever since a client made it conditional, and like so many at that time I thought that the idea was a waste of time. I used ClamXav, I told him and myself, but he was right, and he worked for Cisco, who required a level of security from him. I have a network of computers, but only 2 are online and only one is wifi'd. I have a Linux box wifi'd but not networked. There are people at ASO that use Macs; that's how I started with them to begin with, because Tim Dorr was a Mac guy, so who's to say that the computer that infected the servers was not a Mac? It can't be said that it is impossible that a Mac cannot harbor and then upload a trojan bot; that has already been proven. A guy could spend a lifetime following this stuff, looking over his shoulder for the next shoe to fall or not.

Offline tacit

  • TS Addict
  • *****
  • Posts: 1628
    • http://www.xeromag.com/
Evidence suggests first zombie Mac botnet is active
« Reply #5 on: July 11, 2009, 06:50:37 PM »
QUOTE(Xairbusdriver @ Jul 11 2009, 08:29 PM)
Of more concern to me, is the statement that "bots," themselves, are still not listed in several anti-virus protection software, for any OS.


A "bot" is a virus-infected computer. You don't have an antivirus program detect "bots"; antivirus programs detect viruses.

QUOTE(Xairbusdriver @ Jul 11 2009, 08:29 PM)
The main reason I don't think this is just a Mac problem comes from another quote:
QUOTE
The botnet Taylor had tracked was created using a known security hole not in Linux or OS X, but in something that runs on top of the operating system. This is PHP, a development programming language built specifically for Web sites. By leveraging this PHP flaw, the attackers were able to seed the Mac systems with several tools designed to turn them into drones...
But this creates even more of a problem for individual computer users: PHP runs on a server, not on 'client' machines. Only a minute number of Mac users run a server on their machines, at least one connected to the interweb. So, about the only thing any individual computer user can do is to scan for the code that will then be inserted into the PHP on some server.


All Mac OS X computers are running PHP servers. It comes with your computer. You are running a PHP server, I am running a PHP server; most Mac users simply have no idea that that's the case, that's all.

Your PHP server software that comes with Mac OS X is turned off when you get your computer. This virus turns it on, and bam, you're a server.

QUOTE(Xairbusdriver @ Jul 11 2009, 08:29 PM)
Seems the real problem is with the PHP and server community, not the 'messengers.'



I think you may have some misunderstanding about what is happening here.

This is not about Macs 'passing on' a virus or malware. This is about home Mac machines becoming INFECTED with malware. The malware infects your Mac, turns on your PHP server software, and turns control of your home Mac over to the hackers. Once your Mac is infected, your Mac becomes a bot, a slave to the hackers and part of a botnet.
A whole lot about me: www.xeromag.com/franklin.html

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
Evidence suggests first zombie Mac botnet is active
« Reply #6 on: July 11, 2009, 07:23:45 PM »
I am fully aware that all OSX Macs have PHP installed (as well as Apache). However, I beg to differ with your statement that "all Macs are running a PHP server." You, yourself, say as much by explaining that the 'bot is what enables that software on our Macs. So, unless one enables PHP/Apache intentionally or one's Mac gets 'selected' by the bot, the vast majority of Mac users are not running/using PHP. But you have cleared up what the 'bots' are doing. My point remains that the 'security flaw' is, as stated, in PHP, not in any OS. If that is correct, and it can enable all PHP systems in new Macs, it is even more serious that these flaws be corrected. The only thing I see that is related to any OS involvement in this is that it should be made more difficult to get PHP running on any specific OS without user knowledge. OTOH, how many users simply click the "OK" button or enter their user password when asked for it? Too many, of course.

And I'll be glad to rephrase my "passing on" terminology to indicate, more clearly, that Macs have been used long before this episode to further the growth of malware. Of course, it has usually been a completely passive action, unlike what you are describing. While I may be far from understanding the majority of these reports, I would like some clarification as to who is actually at risk and how one's Mac becomes a 'bot.' Does the 'infection' require the use of the pirated software or not?

BTW, to show my incompetence, I gave up trying to get MySQL installed on my Mac, even though Apache and PHP were relatively simple.
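tacit's point above is that Apache and PHP ship with Mac OS X but are switched off, and that the malware simply switches them on; Xairbusdriver's follow-up asks how a user would know that had happened. The check a defender would actually run is to look for a web server listening on every interface. The following script is an added example for this thread, not code from any of the posters or from the articles quoted: it filters the output of `lsof -nP -iTCP -sTCP:LISTEN` (a real lsof invocation) and flags listeners bound to all interfaces on common web ports. The sample lsof lines, the process names in them, and the port list are constructed assumptions; a flagged `httpd` is not by itself proof of infection (Web Sharing may have been turned on deliberately), it is a prompt to confirm that the server is expected.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes listening for web
# connections on every interface, which is what an unexpectedly enabled
# Apache/PHP stack on a Mac would look like. Reads the output of
#   lsof -nP -iTCP -sTCP:LISTEN
# on stdin. The port list and the sample lines below are assumptions.

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not real system data).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd     412 root    4u  IPv6 0xabc      0t0  TCP *:80 (LISTEN)
httpd     412 root    5u  IPv6 0xabd      0t0  TCP *:443 (LISTEN)
mysqld    520 _mysql 10u  IPv4 0xabe      0t0  TCP 127.0.0.1:3306 (LISTEN)
perl      777 user    3u  IPv4 0xabf      0t0  TCP *:8080 (LISTEN)
Music     900 user   20u  IPv4 0xac0      0t0  TCP 127.0.0.1:4381 (LISTEN)'

# Ports a web server would normally bind (assumed list; extend as needed).
WEB_PORTS="80 443 8080 8443"

# flag_web_listeners: print "PID COMMAND ADDRESS:PORT" for each LISTEN entry
# bound to all interfaces (*, 0.0.0.0 or [::]) on one of $WEB_PORTS.
# Loopback-only listeners (127.0.0.1, ::1) are ignored: they are not reachable
# from the network, so they are not what a remote operator would have opened.
flag_web_listeners() {
    awk -v ports="$WEB_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) web[p[i]] = 1 }
        $NF == "(LISTEN)" {
            name = $(NF-1)                  # e.g. *:80 or 127.0.0.1:3306
            port = name; sub(/.*:/, "", port)
            addr = name; sub(/:[0-9]+$/, "", addr)
            if ((addr == "*" || addr == "0.0.0.0" || addr == "[::]") && (port in web))
                print $2, $1, name
        }'
}

# count_web_listeners: number of flagged entries in the lsof text on stdin.
count_web_listeners() {
    flag_web_listeners | wc -l | tr -d ' '
}

# Run against the constructed sample. On a real Mac you would pipe live
# output instead:  lsof -nP -iTCP -sTCP:LISTEN | flag_web_listeners
printf '%s\n' "$SAMPLE_LSOF" | flag_web_listeners
```

On the sample this reports the two `httpd` sockets on ports 80 and 443 and the `perl` process on 8080, and stays quiet about `mysqld` and the media player because both are bound to loopback only. Anything flagged that you did not enable yourself is worth investigating before assuming it is harmless.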

Offline sandbox

  • TS Addict
  • *****
  • Posts: 7825
Evidence suggests first zombie Mac botnet is active
« Reply #7 on: July 11, 2009, 08:45:53 PM »
QUOTE
OTOH, how many users simply click the "OK" button or enter their user password when asked for it? Too many, of course.


Mac sells simple, secure computers to a population that doesn't want to be bothered with the issues related to PCs. In an example tacit wrote, he points to a file (adobeflashplayer.dmg) as a virus-carrying file. I don't think that 90% of the Mac population would suspect that file contained a virus, so click away. It's not just people who are ill-informed; the hackers who are attacking are undermining the sanctity of the Mac community by using words like Adobe and Flash Player.

I recently needed to download a Flash upgrade at MySpace, and his point gave me pause. MySpace did link me to the Adobe site to acquire the file, but how did I know, really? It wasn't an HTTPS address, so it could have been elsewhere, downloading the file he mentioned, and it would have appeared authentic. I didn't load it in the traditional way; I hand-loaded it into the plug-in folder rather than going through the automated motion. I could have bypassed the point where it asked for a password and loaded an infected file. I was jolted by the thought and had to look at the file that was downloaded to make sure the name didn't match, and it didn't (install_flash_player_9.dmg was the actual name), but who would think to ask with either name?