Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple’s Mac OS X operating system has appeared.
The kit is being compared to the Zeus kit, which has been one of the more popular and pervasive crimeware kits for several years now. A report by CSIS, a Danish security firm, said that the OS X kit uses a template that’s quite similar to the Zeus construction and has the ability to steal forms from Firefox.
“The Danish IT-security company CSIS Security Group has just yesterday
observed a new advanced Form grabber designed for the Mac OS X operating
system being advertised on several closed underground forums. In the
same way as several other DIY crimeware kits designed for PCs, this tool
consists of a builder, an admin panel and supports encryption,” Peter Kruse of CSIS said in a blog post.
“The
kit is being sold under the name Weyland-Yutani BOT and it is the first
of its kind to hit the Mac OS platform. Apparently, a dedicated iPad
and Linux release are under preparation as well. The
Weyland-Yutani BOT supports web injects and form grabbing in Firefox;
however both Chrome and Safari will soon follow. The webinjects
templates are identical to the ones used in Zeus and Spyeye.”
In an email exchange, Kruse said that the builder component of the kit runs on Windows machines and the user has the option of specifying that he wants the malware to run on OS X. The builder will then create a Mac binary.
Malware authors and professional attack crews have steered clear of the OS X platform for the most part, for a variety of reasons. One of the main things holding up the development of Mac-specific attack tools, experts say, is the small market share Apple has, particularly in the enterprise. However, that is gradually changing and the attackers are beginning to follow.
In addition to the new crimeware kit, a Mac-specific scareware attack also popped up on Monday, targeting users who searched for some popular terms on Google. The MACDefenderscareware is appearing in search results for images of Osama bin Laden as well as in other places.
“In it’s current incarnation, MACDefender shows up in the installed
applications list, so can be uninstalled. If you have accidentally
installed this, go ahead and uninstall it. I would not expect this ‘uninstall’ option to be a good long term protection strategy. I’d
suggest that OSX users disable ‘Open safe files after downloading’, and
also invest in a reasonable anti-malware suite. Installing a real
anti-malware package is also a good idea,” Rob VandenBrink of the SANS Internet Storm Center wrote in an analysis of the scareware.