Crimeware Kit Emerges for Mac OS X

Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple’s Mac OS X operating system has appeared.

The kit is being compared to the Zeus kit, which has been one of the more popular and pervasive crimeware kits for several years now. A report by CSIS, a Danish security firm, said that the OS X kit uses a template that’s quite similar to the Zeus construction and has the ability to steal forms from Firefox.

“The Danish IT-security company CSIS Security Group has just yesterday observed a new advanced Form grabber designed for the Mac OS X operating system being advertised on several closed underground forums. In the same way as several other DIY crimeware kits designed for PCs, this tool consists of a builder, an admin panel and supports encryption,” Peter Kruse of CSIS said in a blog post.

“The kit is being sold under the name Weyland-Yutani BOT and it is the first of its kind to hit the Mac OS platform. Apparently, a dedicated iPad and Linux release are under preparation as well. The Weyland-Yutani BOT supports web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow. The webinjects templates are identical to the ones used in Zeus and Spyeye.”

In an email exchange, Kruse said that the builder component of the kit runs on Windows machines and the user has the option of specifying that he wants the malware to run on OS X. The builder will then create a Mac binary.

Malware authors and professional attack crews have steered clear of the OS X platform for the most part, for a variety of reasons. One of the main things holding up the development of Mac-specific attack tools, experts say, is the small market share Apple has, particularly in the enterprise. However, that is gradually changing and the attackers are beginning to follow.

In addition to the new crimeware kit, a Mac-specific scareware attack also popped up on Monday, targeting users who searched for some popular terms on Google. The MACDefender scareware is appearing in search results for images of Osama bin Laden as well as in other places.

“In its current incarnation, MACDefender shows up in the installed applications list, so can be uninstalled. If you have accidentally installed this, go ahead and uninstall it. I would not expect this ‘uninstall’ option to be a good long term protection strategy. I’d suggest that OSX users disable ‘Open safe files after downloading’, and also invest in a reasonable anti-malware suite. Installing a real anti-malware package is also a good idea,” Rob VandenBrink of the SANS Internet Storm Center wrote in an analysis of the scareware.

Discussion

  • Anthony on

    Thought you would like to see this.

  • Nally The Lion on

    Uh-oh. Looks like people are starting to notice Apple.
  • Anonymous on

    Journalists love to keep repeating that Mac OS X hasn't seen viruses because of its "relatively low market share," but they never explain how that squares with the fact that the Classic Mac OS (7, 8, and 9), which had practically zero market share, had viruses up the wazoo. Meanwhile, Mac OS X is in its 11th year with a handful of simple trojans and no other malware in the wild, and Apple just surpassed Microsoft in revenues. Hm.

  • Anon E. Maus on

    Good point about shares A-mous.  

    It is also worth noting that this exploit uses Firefox for its entrance point, and not apparently some underlying fault of the OS.  You know, like Universal Plug and Play, etc.

  • Bob on

    Anonymous - that's because OSX is a modern multiuser OS and thus has privilege levels and other client-side security. It's not implemented very well, as shown by Apple's dire record on time taken to patch security holes / even admitting that they exist, the fact that they always fall first at pwn2own and the continued lack of good ASLR, but it is at least there. This presents an additional barrier that has dissuaded malware authors from bothering to target it in a big way ... until recently. Classic MacOS all the way up to 9 lacked even the most basic measures like protected memory(!) thus it was pretty trivial for any executed code to take over the computer.

  • Linux user on

    "One of the main things holding up the development of Mac-specific attack tools, experts say, is the small market share Apple has, particularly in the enterprise. However, that is gradually changing and the attackers are beginning to follow."

    We've been hearing this same nonsense for a decade.

    "In its current incarnation, MACDefender shows up in the installed applications list, so can be uninstalled. If you have accidentally installed this, go ahead and uninstall it."

    Um... "installed applications list"? Are we sure he's talking about Mac OS X? Because that sounds a lot more like Windows...

  • Anonymous on

    The installed application list is part of the System Profiler. Like any list on OSX you can set it by date or alphabetically. Makes things like MACDefender really easy to locate.

    Also get an anti-virus app like Sophos.

  • Chester on

    Don't presume that Apple beating Microsoft in revenue equates to OS X not having a small market share. While Apple may have surpassed Microsoft in revenues, it's not due to the Mac sales. It's their iPod, iPhone, iPad, etc that is winning it for them. To quote their own report:

    "Apple sold 3.76 million Macs during the quarter, a 28 percent unit increase over the year-ago quarter. The Company sold 18.65 million iPhones in the quarter, representing 113 percent unit growth over the year-ago quarter. Apple sold 9.02 million iPods during the quarter, representing a 17 percent unit decline from the year-ago quarter. The Company also sold 4.69 million iPads during the quarter."

    Now at the prices they are charging for Macs, I can see that making up a decent part of their revenue, but Windows 7 sales hit 240 million in the first year it was released. I'd dare say that we Microsoft enthusiasts' much beloved, but very much flawed, OS is still taking a lion's share of the market. I will note that I've seen Macs gaining ground. However, the fact is that OS X still does have a comparatively small market share itself. Apple just happens to be rocking the mobile market hard enough though to beat out Microsoft revenue wise.
