First Mac Botnet Stems From iWork, Photoshop Trojans
The Mac botnet, a network of infected computers controlled by an attacker usually for malicious purposes, gained traction after attackers launched malicious software attached to pirated versions of the Mac productivity suite iWork '09, and Adobe Photoshop CS4 for Mac. The Mac malware spread on BitTorrent trackers and other peer-to-peer sites that contain links to pirated software.
Symantec researchers Mario Ballano Barcena and Alfredo Pesoli discovered that the two separate variants of the Mac malware have now developed into a full-fledged Mac botnet, complete with information-stealing code.
While the unlicensed iWork '09 software was completely functional, the installer contained a Trojan, known as OSX.Trojan.iServices.A, which was launched when iWork '09 was installed, according to a security advisory issued in January by Mac security company Intego.
Another Mac Trojan variant, OSX.Trojan.iServices.B, was found in a crack application attached to copies of Adobe Photoshop CS4 for Mac, also spread through peer-to-peer file sharing sites.
The Trojan was embedded in the crack application that serialized the program, Intego said. When users downloaded the pirated version of Photoshop, the application extracted an executable from its data, and then installed a backdoor with root privileges in a file directory.
The application then opened a disk image hidden in its resource folder and proceeded to crack the Photoshop program, allowing it to be used as a vehicle to spread the malware and further incorporate machines into a botnet.
Both Trojan variants connect to a remote server via the Web, which alerts the attackers when a machine is infected, enabling them to remotely connect to the affected computers in order to steal or view information for identity theft and other malicious purposes.
Intego said in January that more than 20,000 users were infected with the malicious installers.
Apple released the latest '09 version of iWork in January during the Apple MacWorld Conference & Expo in San Francisco, where it showcased changes to its word processor and spreadsheet applications.
Meanwhile, security experts maintain that Mac malware will continue to rise as Apple's market share grows. Intego said in its security advisory that users should avoid downloading Mac installers from sites that promote pirated software, as well as untrusted sources or suspicious Web sites.
"The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users," Intego's advisory warned.