
Zombie Macs Launch DoS Attack 757

Cludge writes "ZDNet has a story (and several related articles) about how Symantec has discovered evidence of an all-Mac based botnet that is actively involved in a DoS attack. Apparently, security on the exploited Macs (call them iBots?) was compromised when unwary users bit-torrented pirated copies of iWork 09 and Photoshop CS4 that contained malware. From the article: 'They describe this as the "first real attempt to create a Mac botnet" and note that the zombie Macs are already being used for nefarious purposes.'"
  • A matter of time (Score:5, Interesting)

    by Fwipp ( 1473271 ) on Thursday April 16, 2009 @07:56PM (#27605385)
    I always wondered when those pirated copies of software would become malware vectors. Maybe the quickest way to stop software piracy is through evil copies of legitimate software.
  • by jamie ( 78724 ) * Works for Slashdot <jamie@slashdot.org> on Thursday April 16, 2009 @07:59PM (#27605431) Journal

    From what we know so far, apparently the botnet was created by a trojan and does not spread.

    I'm a Mac user who doesn't run applications downloaded from completely untrustworthy sources like pirate p2p networks and you're correct -- I don't need a virus or malware checker.

  • Re:Sigh (Score:5, Interesting)

    by Drakino ( 10965 ) on Thursday April 16, 2009 @08:38PM (#27605839) Journal

    Why only desktops? Unix servers have sat on the internet open to the world since well before Windows even had a TCP/IP stack built in. And there are still plenty of them out there sitting on very fat pipes just ripe for botnets. So why is it that Windows has had far more security hardships than any Unix based OS?

    It's not just market share that plays a factor. There have been plenty of exploits for IIS, MSSQL and Windows Server even though those products don't command a 50% market share.

  • Re:Sigh (Score:5, Interesting)

    by coryking ( 104614 ) * on Thursday April 16, 2009 @08:49PM (#27605953) Homepage Journal

    Culture. Windows grew up on the desktop and moved into the server. Unix grew up on the server and is trying to make inroads on the desktop. "Normal users" will force unix systems to compromise some of their security to make life easier. Windows has had to compromise by removing the "everybody is an admin--free love for all" that existed all the way up to XP. By default, Vista users aren't running as root and the only way to become root is either a UAC dialog or a privilege escalation exploit.

    That doesn't account for the server-end though. And why earlier versions of said products had so many holes I will attribute to culture.

    Of course, Linux grew out of a culture that detested any kind of authority. Thus you find gems like this in early Linux documentation [freebsd.org]:

    Why GNU su does not support the wheel group (by Richard Stallman)
    Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

    However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

    I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

  • by Sancho ( 17056 ) * on Thursday April 16, 2009 @09:04PM (#27606103) Homepage

    That post also included:

    If the operating system was as safe as the crazy fanboys claim, it wouldn't have been able to install malware in the first place.

    Which is disingenuous.

    Furthermore, the ActiveX part is true only if the user did, in fact, allow them. IE has had many, many vulnerabilities which allowed a malicious site to install ActiveX controls without user intervention (just like Safari has had remote execution flaws which allowed it to be compromised.)

  • by Anonymous Coward on Thursday April 16, 2009 @09:26PM (#27606283)

    Your reasoning is very flawed. The user downloaded the software and when the malware asked them for a password they gave it and boom.

    No OS can protect you from that except not to give the owner "admin" rights at all. I don't see that happening, at all.

  • Re:Sigh (Score:3, Interesting)

    by ianezz ( 31449 ) on Thursday April 16, 2009 @09:53PM (#27606511) Homepage

    Whenever a trojan hits Windows, people are talking about how poorly designed Windows security is and how the user usually always runs as "administrator". People bring up how on Ubuntu and OS X, you have to sudo or login to do administrative things. Apparently that only works to a certain extent.

    Well, I'd say there is a difference between a software package that is a trojan from the very start and one that, by running with administrative privileges all the time, can also be exploited later at runtime into installing malware on your system.

    There's a lot less software on Unix systems that needs to be run with admin privileges all the time. Call it bad practice on third-party Windows software developers (by often ignoring the principle of least privilege), but it's not that the system really encourages developers to drop privileges.

  • Re:Instant Karma... (Score:2, Interesting)

    by couchslug ( 175151 ) on Thursday April 16, 2009 @09:54PM (#27606519)

    "No, the funny part is that the users who torrented and installed pirated copies of iWork 09 and Photoshop CS4 got exactly what they deserved. Instant karma."

    So if I steal (OK, "bit-for-bit copy") a car and it steers into a pedestrian through a deliberate alteration in the vehicle that I copied, that's Instant Karma.

  • by King_TJ ( 85913 ) on Thursday April 16, 2009 @09:55PM (#27606525) Journal

    As a long-time Mac (and PC) user myself, I've been known to give someone a "simplified version" of the truth, telling them "you won't have any virus or spyware problems on a Mac".

    It's not that I'm some clueless user who doesn't know better. It's that I have a pretty good idea of what the individual does with and expects from their computer. Judging by that, and knowing they're not a very "technical" user to begin with, I know that practically speaking, they really aren't going to need to worry about infections on their Mac.

    (So far, just about all of the trojan horses and viruses people mentioned for OS X involved downloading files of unknown origins, or running something you received in an unsolicited email. When you have a user who is already scared to open any email at all from people he/she doesn't know, they're hopefully in good shape there. They're certainly not savvy enough to fire up bittorrent and start seeking out pirated software, either.)

  • Re:Sigh (Score:3, Interesting)

    by fractoid ( 1076465 ) on Thursday April 16, 2009 @10:00PM (#27606585) Homepage
    By your argument, Vista is more secure because it's such a PITA installing things on it. ;) But yeah, social engineering is generally the easiest vector of attack these days, since humans are by far the weakest link in any secure system.

    That's one reason I love the new Die Hard movie - other movies have the whiz kid "hack the network" using a subnotebook running Movie OS with a big "hack it NAOW" button. In this one he triggers the car's emergency phone and bullshits the lady who answers into remotely starting the car... a perfect example of how you WOULD do it.
  • by AnalPerfume ( 1356177 ) on Thursday April 16, 2009 @10:16PM (#27606689)
    This is very true, and the software itself is a double edged sword for Linux. Applications like Photoshop and Dreamweaver are not natively available for Linux although they do work for the most part with WINE. This does turn some off from making the switch to Linux, as they've gotten addicted to some of the features or the workflow in these applications. With the prices of these applications, most users on Windows and Macs WILL install pirated versions, so they are always taking the chance to get a clean, cracked version. Companies like Adobe know most of their user base is pirated versions, but they also know that professionals have no choice but to pay BIG on licenses or face HEAVY consequences. When you are the professional tool of choice, you become the most sought after, even if the user can't afford it.

    Linux does have very good alternatives which work great for most people, which tend to be free in both cost and freedom. If an application is free of cost it rules out the desire to risk downloading it from anywhere other than your distro's repos or the official site of the application; after all the whole point of finding and installing cracked versions is to get something which should be paid for... for free.

    Many say they want popular applications like Photoshop and Dreamweaver ported officially to Linux, I'd rather they weren't in their current (closed and expensive) form. If they are, some Linux users will be tempted by the same goodies as Windows and Mac users. I'd much rather see the FOSS alternatives mature to a state where they rival those applications fully in features, and stay open source in the process.
  • Re:Sigh (Score:3, Interesting)

    by fractoid ( 1076465 ) on Thursday April 16, 2009 @11:14PM (#27607129) Homepage

    The same could be applied to Windows users. In general, by their purchase, they've proven that they're willing to spend small amounts of cash to make themselves feel like they're different or better than Linux users.

    In my experience it tends to be the other way around; historically Linux users have spent more time to make themselves feel better or different than Mac *and* Windows users. This is changing fast, though - I run Linux at home simply because it's cheaper and easier than Windows.

    The same can be said about OS X vs Windows. Whether that functionality matters to you is a different matter -- like I said, I use Gimp -- but to pretend that Windows (or even Linux) is always just as good as OS X is just as ignorant as claiming that Gimp is always just as good as Photoshop.

    Agreed. By the same token, though, you can't claim that OS X is 'always just as good' as either Linux or Windows. Different tools for different jobs. And more to the point - most Apple users (and I use the term 'most' in the sense of 'all but one of the Apple users that I know') don't need Photoshop, or even MS Paint. They buy Macs purely because they're so desperate to differentiate themselves that they'll spend any amount (the more the better, making Macs an example of a Veblen good [wikipedia.org]).

    I suspect that's why you're at home coding, rather than at work coding.

    Communication is at least as important, even as necessary, as "actually coding", for anything beyond a one-man project.

    Actually, I'm at work trolling /., because it's more fun than the busywork I have left for this week. If real, useful communication is what actually ends up taking place at these conferences (rather than just a lot of grant-money-funded boozing, as happened at the only one I attended) then that's awesome. But unless this was literally a 'team meeting' for all the contributors, I can't see it being quite that important. And I still maintain that people who spend more on their computers as a form of conspicuous consumption are more likely to spend more on attending conferences (and again this isn't all Apple users, just the annoying ones).

    [...] Then I got into the real world.

    HTML/CSS has a few messy implementations, but it's a fine technology in its own right. Javascript is an excellent language. And communication is as important as code -- indeed, I would cite communication skills above coding skills on my resume.

    I went through a similar learning curve when I left university - it was a shock to realise that not only was my boss telling me that it doesn't MATTER how batfuck ugly the code is, if it does what the customer wants and the customer is happy, then that's fine... but that he was right. Aesthetics and clean implementation are for us, the engineers, not something that matters a jot for the end user as long as it fills their needs. The communication you're espousing is the only way to actually achieve that.

    Now, frankly, you are just a troll, and probably not worth all that effort. But I see a bit of myself in you. Maybe you'll learn something today. Maybe someone else will.

    Well, hopefully my reply justifies your effort somewhat. All my (admittedly somewhat trollish) post was aiming at was that people who buy Macs to try and make themselves feel special are the same kind of people that would go to a conference for the same reason, so their presence at a conference doesn't automatically imply tech savviness.

  • by Sir Holo ( 531007 ) on Thursday April 16, 2009 @11:53PM (#27607383)
    Symantec is just trying to drum up more sales.

    The more people fear their computers might be "infected," the more antivirus software they sell.
  • by GF678 ( 1453005 ) on Thursday April 16, 2009 @11:55PM (#27607395)

    So you know what to do? You do a search for what you're after (eg. Office) and sort by number of seeders. You then examine the first torrent that matches what you want and contains the highest number of seeders, and read the comments. You then download it, scan it via anti-virus or whatever, then install and run it. Private trackers have an even higher level of scrutiny with such things, so odds are that things which exist on private trackers are clean too.

    In MOST cases this is enough. Sure that's not 100% of the time, but once you get used to doing this enough you develop an ability to pick out the jewels from the crud. Plus of course, once you've obtained all the software you need, you don't really need to seek it out anymore, so once you know it's a good torrent, your worries are over, and you've your nice and shiny software that runs rings around Open Source in terms of presentation and functionality.

    You make it sound as though pirated software cannot be obtained securely. Whatever.

  • Re:Sigh (Score:3, Interesting)

    by bsDaemon ( 87307 ) on Friday April 17, 2009 @12:35AM (#27607593)

    You totally left out the best, most succinct part:

    This program does not support a "wheel group" that restricts who can su to super-user accounts, because that can help fascist system administrators hold unwarranted power over other users.

    ... I bet RMS loves RATM. Seriously... what the hell kind of crap is that to put into system documentation, and then wonder why the rest of the world has a /very/ hard time taking you seriously?

  • Re:Instant Karma... (Score:3, Interesting)

    by Mista2 ( 1093071 ) on Friday April 17, 2009 @01:38AM (#27607939)

    The easiest system to hack is the meatware at the desk. Want a password for a company, call their helpdesk and say you just locked yourself out. Many won't try and verify who you are. Want to steal a credit card number, ask for the number to prove you are over 18 before signing up for a "free" service or download.
    (Bye bye, Mobile Me, you're not getting me with that porn website trick 8))
    Most hacks in a company will eventually come from employees or someone who has legitimate access to the systems they are supposed to maintain.
    We have just gone through and moved all of our servers into a firewall DMZ, and the clients can only talk to the servers they need. Multiple VLANs and subnets segregate client traffic, and most of the client VLANs won't route to each other. If you have to share it, it will be on a server 8).
    I use torrents a lot, but never for anything that would require admin rights to install. If they've stolen someone's software, why do you think they won't try and steal your computer too?

  • by Lord Flipper ( 627481 ) * on Friday April 17, 2009 @06:18AM (#27609047)

    Why guys insist on downloading questionable things without some preventive measures in place, first, is beyond the scope of my tired head. But dumping Apple's default 5-minute "grace period" on sudo (or admin passwords, in other words) will kill third-party attempts to piggyback on any password that is being used by the legit user for privilege escalation.

    In a console (Terminal):

    sudo visudo

    [hit return, enter password]

    scroll to: #Defaults specification, hit the letter 'o' to get a new line, and type:

    Defaults:ALL timestamp_timeout=0

    then hit [Escape] to end the editing session, then ':w' plus [Enter] to write the file to disk, and finally ':q' plus [Enter] to quit visudo.

    Done. I get tired of vi, of course, and will usually use BBEdit to open /private/etc/sudoers and enter the admin password once to 'unlock' sudoers, then scroll down and add the new default line, and save the file. Done, quicker.

    A nefarious app or script can poll the system asking if there's escalation until kingdom come and it will never get an affirmative. End of story; end of file.
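The post above edits the sudoers timeout by hand. The script below is an added example, not from this thread or from Apple's or sudo's documentation: it reads a sudoers file and reports the effective timestamp_timeout (sudo's compiled-in default is 5 minutes; 0 re-prompts for the password on every sudo; a negative value never expires the cached credential), and it writes a drop-in using the global `Defaults timestamp_timeout=0` form, which applies to all users, syntax-checked with `visudo -cf` when visudo is present and the script runs as root (the owner and mode checks need root). The three sudoers files are constructed samples, and `sudoers_timeout`, `timeout_risk` and `make_dropin` are this example's own names. It addresses the same limit the thread itself raises: a zero timeout closes the window in which another process reuses a password the user already typed, but does nothing when the user types the password into the malware's own prompt.

```shell
#!/bin/sh
# Added example, not from the thread: audit sudo's credential-caching
# timeout in a sudoers file and prepare a validated drop-in that sets it to 0.

# Print the effective timestamp_timeout for a sudoers file.
# sudo's compiled-in default is 5 minutes, so print "5" when nothing overrides it.
# Later Defaults lines override earlier ones, so the last match wins.
sudoers_timeout() {
    file="$1"
    [ -r "$file" ] || return 1
    val=$(grep -E '^[[:space:]]*Defaults([:>@!][^[:space:]]+)?[[:space:]].*timestamp_timeout=' "$file" 2>/dev/null \
        | sed -E 's/.*timestamp_timeout=(-?[0-9.]+).*/\1/' | tail -n 1)
    if [ -z "$val" ]; then
        echo 5
    else
        echo "$val"
    fi
}

# Classify a timeout value: 0 re-prompts every time, a negative value never
# expires the cached credential, anything else caches it for that many minutes.
timeout_risk() {
    case "$1" in
        0)  echo "prompt-every-time" ;;
        -*) echo "never-expires" ;;
        *)  echo "cached-${1}min" ;;
    esac
}

# Write a candidate drop-in with the global Defaults form and, when visudo is
# available and we are root, syntax-check it before anyone installs it.
# /etc/sudoers itself is never touched here.
make_dropin() {
    out="$1"
    printf 'Defaults timestamp_timeout=0\n' > "$out" || return 1
    chmod 0440 "$out"
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        visudo -cf "$out" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Constructed sample sudoers files so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/default.sudoers" <<'EOF'
# constructed sample: no override, sudo's 5-minute default applies
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
EOF
cat > "$SAMPLE_DIR/hardened.sudoers" <<'EOF'
# constructed sample: the setting the post above adds
Defaults timestamp_timeout=0
root ALL=(ALL) ALL
EOF
cat > "$SAMPLE_DIR/weak.sudoers" <<'EOF'
# constructed sample: per-user form with a negative value, cache never expires
Defaults:ALL timestamp_timeout=-1
root ALL=(ALL) ALL
EOF

for name in default hardened weak; do
    t=$(sudoers_timeout "$SAMPLE_DIR/$name.sudoers")
    echo "$name: timestamp_timeout=$t ($(timeout_risk "$t"))"
done
make_dropin "$SAMPLE_DIR/10-timeout" && echo "drop-in written: $SAMPLE_DIR/10-timeout"
```

Run it with `sh`. To install the drop-in for real, put it under /etc/sudoers.d on systems whose sudoers includes that directory, keep mode 0440, and go through visudo rather than a plain editor: visudo's syntax check is what keeps a typo in sudoers from locking every admin out of sudo.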
