
munkery
Original poster
An actual newsworthy Mac malware story:

http://m.krebsonsecurity.com/2011/05/weyland-yutani-crime-kit-targets-macs-for-bots/

Apparently, this malware toolkit, referred to as "Weyland-Yutani Bot" (WYB), is capable of aiding the production of malware to turn Macs into bots. But, this is not the most dangerous aspect of this toolkit. WYB also facilitates form grabbing, using a man-in-the-browser technique, to collect usernames and passwords during Firefox or Chrome browser sessions. This is basically the Mac version of the Zeus toolkit.

This is a more significant threat than MACDefender, a recent rogue AV malware, because WYB collects data from browser sessions rather than by tricking the user to give up their credit card number. Also, WYB allows more rapid development of malware variants so the amount of malware for Macs will increase at a faster pace as this toolkit and others like it that target Macs become more prevalent.

Malware derived from WYB needs to be installed with elevated privileges to be able to collect sensitive data. The malware uses social engineering to trick users into authenticating installation. As with any malware, suitable exploits could be used to facilitate installation if found.

Privilege escalation exploits are rare in Mac OS X so exploitation is unlikely to be used to completely install WYB based malware. Some degree of social engineering will be part of the installation process. This is also true for Windows malware generated from similar toolkits. But, Windows does have more privilege escalation vulnerabilities so exploitation is more likely to negate the need for social engineering to install malware even in properly configured Windows systems.

The developer of WYB is selling this toolkit for $1000 via internet forums. Let's hope the malware made using this toolkit is not profitable for those that purchase WYB so that developers of such toolkits are not able to maintain a market for their product. The only means to guarantee the lack of success of such malware that relies on social engineering is user knowledge given that AV software is never a complete solution.

For more Mac security information, check out the links found below.
 
It's still just a trojan, however. It's certainly malicious enough to be a worry, but easily prevented. Now, more than ever, though, is the time to remind Mac users not to go searching for and downloading anti-virus software because of paranoia; chances are tools like this will be used to produce lots of fake anti-virus software intent on trapping people who are paranoid about exactly this type of problem. Make sure anything you download comes from a reputable source (the Mac App Store should remain free from any of these types of apps, I'd imagine), and don't give your password unless you know what is requesting it and why.

jW
 
The malware uses social engineering to trick users into authenticating installation.
This can't be stressed too strongly. As we've said repeatedly, the malware that exists for Mac OS X can be avoided/thwarted by a user exercising common sense and having some education. The primary weakness of any computer is not the OS being used, but the user. Prudent computer users can't simply install some anti-virus app and think they're protected against any threat. Anti-virus isn't the solution. A Mac user who is aware of what kinds of malware exist and what kind of behaviors expose them to risk can operate malware-free without the need for anti-virus software.

  • Learn about malware, understanding the differences between a virus, worm, trojan, etc.
  • Learn about social engineering methods being employed and how to avoid them.
  • Keep yourself informed as new threats are discovered. Stay vigilant.
  • Don't engage in activities that are known to increase the risk of exposure to threats, such as pirating software or downloading and installing software from disreputable sites.
  • Don't blindly proceed with app installations that you didn't initiate.
  • Don't enter your admin password without understanding what is asking for it, and why.
  • Don't give personal, financial or computer information unless you are certain who you are giving it to.
  • Be cautious and even suspicious of anything you encounter online that involves a change in your computer or a transfer of any computer or personal information.
This is not a complete list, but the message is, "Be informed, be aware and be smart" when using any computer, regardless of the brand or OS involved.
 
I suspect the success of Zeus and other botnets that target Windows is due to Windows XP admin accounts being used for day to day computing and possibly, on a much more limited scale, users turning off UAC in admin accounts in Windows Vista/7.

If this new Mac botnet modelled after Zeus does not become as problematic as its Windows counterparts, albeit in terms of percentage of user base infected, this will show that much of the malware problems out in the wild are due to users running with elevated privileges and that utilizing an authentication mechanism by default is effective at inhibiting malware. Basically, it will show that the average user is not as helpless as AV software vendors try to make users feel.
 