A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.
KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.
Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.
The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.
The CSIS blog post contains a single screen shot of this kit’s bot builder, and references a demo video but doesn’t show it. I wanted to learn more about this kit, and so contacted the seller via a Russian language forum where he was advertising his wares.
The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.” Still, he was kind enough to share a copy of a video that shows the kit’s builder and admin panel in action. Click the video link below to check that out.
ZeuS and SpyEye are popular in part because they support a variety of so-called “Web injects,” third-party plug-ins that let botmasters manipulate the content that victims see in their Web browsers. The most popular Web injects are designed to slightly alter the composition of various online banking Web sites in a bid to trick the victim customer into supplying additional identifying information that can be used later on to more fully compromise or hijack the account. According to the author, Web injects developed for ZeuS and SpyEye also are interchangeable with this Mac crimekit. “They need to be formatted and tagged, but yes, you can use Zeus injects with this bot,” he told me in an instant message conversation.
Fans of the movie series “Alien” will recognize the name Weyland-Yutani as the fictional corporation that was sent ahead to establish habitable bases and dwellings on extrasolar planets in advance of the arrival of new human colonies. If this crimekit takes hold, or is an indicator of a broader interest in attacking Mac users, we could soon witness cyber crooks starting to colonize the Mac user community as well. The author of this Mac crimekit said he knows of several other independent coders who are working on Mac malcode projects that aren’t quite ready for prime-time, although he declined to elaborate on that claim.
Each time this subject comes up, I am struck by how fervently the Mac community denies that Mac users might ever have to deal with anywhere near the level of malware that currently besieges the Windows world. The Mac, these apologists explain, is far more secure than Windows, and that is why we have not seen malware writers attack the platform with the same vigor and interest. As one commenter on this blog reasoned, OS X simply doesn’t allow programs to be installed without user permission. My response is, assuming for the moment that the above statement about the Mac’s superior security is true, the operating system does nothing to stop the user from being tricked or cajoled into installing malware. What’s more, social engineering attacks are one of the primary ways that Windows users get infected today, so why would it be any different for Mac users?
Consider the scourge of rogue anti-virus attacks: Each day, thousands of Windows users are tricked into running and installing a bogus security “scanner” foisted on them by some hacked Web site. The attackers’ goal with these “scareware” muggings is to not only trick the user into installing malicious software, but also paying for it with their credit cards!
Earlier today, MacRumors.com carried a story about a new threat discovered by Mac security software vendor Intego that uses social engineering in a bid to install scareware known as “MACDefender.”
The nice thing about social engineering attacks is that defending against them doesn’t require buying or installing some type of security software. As I noted in a column last week, it merely requires the user to accept the notion that “security-by-obscurity is no substitute for good security practices and common sense: If you’ve installed a program, update it regularly; if you didn’t go looking for a program, add-on or download, don’t install it; if you no longer need a program, remove it.”