10:16 AM

Create A Mac Zombie Army, Cheap: Hacker Emptor

NetWeird malware toolkit promises to convert Macs into zombies ready to do botnet bidding. But some security experts say this is a case of criminals trying to out-scam each other.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Going once, going twice: The new NetWeird toolkit can be used to infect Apple OS X systems, converting Macs into zombies ready to do your botnet bidding, with prices starting at just $60.

That's the pitch for cross-platform malware that's been recently spotted for sale on underground forums by information security researchers at Mac antivirus software maker Intego.

All told, remote-access and data-pilfering malware "can monitor running processes, send shell commands, take screenshots, download and run files, and identify front-most window titles," according to an analysis of NetWeird (a.k.a. NetWrdRC) published by Sophos. In addition, it said, the malware can "harvest stored and encrypted usernames and passwords from Opera, Firefox, SeaMonkey, and Thunderbird browsers and mail clients." It's able to infect Apple OS X (versions 10.6 and newer), Linux, Solaris, and Windows systems.

[ For more on Apple's iOS security efforts, read Apple Security Talk Suggests iOS Limits. ]

Security researchers have yet to recover the dropper, or installer, used to get the malware onto targeted systems, but once there, the Mac version application has a miniscule footprint--just 77K. Once installed, it attempts to phone home to a command-and-control server in the Netherlands.

But while malware's price point--relative to more established players such as the Zeus financial toolkit or Crisis malware--makes it a bargain, the attack code comes with a catch: it's riddled with amateur errors, making it less a threat to targeted operating systems than your wallet.

Focusing only on the Mac version, the developer's ineptitude includes the placement of the malware application itself, titled "," which shows up in an Apple user's home folder. Next to "Downloads," "Desktop," "Music," and other essential folders, the malware sticks out like a sore thumb.

The malware also lacks any state-of-the-art obfuscation techniques, although "the website for the developers of NetWeirdRC also lists the undetected nature of this tool as a selling point," said Lysa Myers, a security researcher at Intego, in a blog post. But "security through obscurity" is an unreliable proposition, and in the case of the publicity now enjoyed by NetWeird, it's obviously no longer a valid selling point.

NetWeird also has a persistence problem, since thanks to a coding error, malware infections on Macs seem incapable of surviving a reboot. "It adds itself to your login items, presumably with the intention of loading up every time you reboot your Mac," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "But a bug means that it adds itself as a folder, not an application. All that happens when you log back in is that Finder pops up and displays your home directory."

The malware also chokes in the face of new Apple OS X security controls. On any Mac running the latest operating system, Mountain Lion (a.k.a. 10.8), set to default security settings, the malware won't be able to install itself, "because it's not from the App Store and isn't digitally signed by an Apple-endorsed developer," said Ducklin.

"It seems that the crooks really are getting into the habit of churning out new Mac malware, not to show how clever they are, but merely to see if they can repeat the trick that's worked on Windows for years: making money out of next to nothing," he said.

NetWeird also highlights how not every bent developer can double as a botnet-designing whiz kid. "It's interesting to compare and contrast Crisis and NetWeirdRC, as they are both commercially available products. While Crisis is an advanced threat which hides itself reasonably well, NetWeirdRC has a number of glaring issues," said Intego's Myers. "Perhaps the price tag tells us all we need to know: Crisis sells for $250,000, and NetWeirdRC starts at $60."

In another light, NetWeird simply represents criminals trying to out-scam each other. Just as scammers use scareware to socially engineer consumers into paying for products that pretend to rid their PCs of viruses they don't have, some malware developers are now selling bargain-rate, busted Mac botnet toolkits to unsuspecting buyers.

"It would seem that you get what you pay for, even in the malware world," said Myers.

One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
8/25/2012 | 2:19:22 AM
re: Create A Mac Zombie Army, Cheap: Hacker Emptor
Wow with a price tag of $250,000 I hope that there are some major differences between Crisis and NetWeirdRC. It is interesting to know that it is only effecting older versions of os X. maybe if you were one of the tech savvy kids the author refers to you could tweak the code and make NetWeirdRC more potentially dangerous than the $60 version that is sold. Has anyone used this product and what were the results on the hosts side of things?

Paul Sprague
InformationWeek Contributor
User Rank: Apprentice
8/27/2012 | 3:58:28 PM
re: Create A Mac Zombie Army, Cheap: Hacker Emptor
Why do the legal authorities allow this type of transaction to take place? This is a product that is being sold to harvest and destroy computers? or to test I.T. infrustructers? Unless I am completely mistaken, that is an Illegal activity, and these people should be thrown in jail. If this is legitamate software for testing I.T. environments, then Extremely tight regulation should be made so the bad guys do not get ahold of it. There should be tight monitoring with software I.D.s, encrypted licenses, locked down code, that identify the owner so the attacker can be found if actually used for Malice.
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Cracking 2FA: How It's Done and How to Stay Safe
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2018
What Israel's Elite Defense Force Unit 8200 Can Teach Security about Diversity
Lital Asher-Dotan, Senior Director, Security Research and Content, Cybereason,  5/21/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-05-24
A vulnerability in DB Manager version and previous and PerformA version and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corrup...
PUBLISHED: 2018-05-24
A vulnerability in ReadA version and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in loss or corruption of data.
PUBLISHED: 2018-05-24
Stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors/save_settings.processor.php f...
PUBLISHED: 2018-05-24
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.
PUBLISHED: 2018-05-24
Some Huawei smart phones with the versions before Berlin-L21HNC185B381; the versions before Prague-AL00AC00B223; the versions before Prague-AL00BC00B223; the versions before Prague-AL00CC00B223; the versions before Prague-L31C432B208; the versions before Prague-TL00AC01B223; the versions before Prag...