10:16 AM

Create A Mac Zombie Army, Cheap: Hacker Emptor

NetWeird malware toolkit promises to convert Macs into zombies ready to do botnet bidding. But some security experts say this is a case of criminals trying to out-scam each other.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Going once, going twice: The new NetWeird toolkit can be used to infect Apple OS X systems, converting Macs into zombies ready to do your botnet bidding, with prices starting at just $60.

That's the pitch for cross-platform malware that's been recently spotted for sale on underground forums by information security researchers at Mac antivirus software maker Intego.

All told, remote-access and data-pilfering malware "can monitor running processes, send shell commands, take screenshots, download and run files, and identify front-most window titles," according to an analysis of NetWeird (a.k.a. NetWrdRC) published by Sophos. In addition, it said, the malware can "harvest stored and encrypted usernames and passwords from Opera, Firefox, SeaMonkey, and Thunderbird browsers and mail clients." It's able to infect Apple OS X (versions 10.6 and newer), Linux, Solaris, and Windows systems.

[ For more on Apple's iOS security efforts, read Apple Security Talk Suggests iOS Limits. ]

Security researchers have yet to recover the dropper, or installer, used to get the malware onto targeted systems, but once there, the Mac version application has a miniscule footprint--just 77K. Once installed, it attempts to phone home to a command-and-control server in the Netherlands.

But while malware's price point--relative to more established players such as the Zeus financial toolkit or Crisis malware--makes it a bargain, the attack code comes with a catch: it's riddled with amateur errors, making it less a threat to targeted operating systems than your wallet.

Focusing only on the Mac version, the developer's ineptitude includes the placement of the malware application itself, titled "," which shows up in an Apple user's home folder. Next to "Downloads," "Desktop," "Music," and other essential folders, the malware sticks out like a sore thumb.

The malware also lacks any state-of-the-art obfuscation techniques, although "the website for the developers of NetWeirdRC also lists the undetected nature of this tool as a selling point," said Lysa Myers, a security researcher at Intego, in a blog post. But "security through obscurity" is an unreliable proposition, and in the case of the publicity now enjoyed by NetWeird, it's obviously no longer a valid selling point.

NetWeird also has a persistence problem, since thanks to a coding error, malware infections on Macs seem incapable of surviving a reboot. "It adds itself to your login items, presumably with the intention of loading up every time you reboot your Mac," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "But a bug means that it adds itself as a folder, not an application. All that happens when you log back in is that Finder pops up and displays your home directory."

The malware also chokes in the face of new Apple OS X security controls. On any Mac running the latest operating system, Mountain Lion (a.k.a. 10.8), set to default security settings, the malware won't be able to install itself, "because it's not from the App Store and isn't digitally signed by an Apple-endorsed developer," said Ducklin.

"It seems that the crooks really are getting into the habit of churning out new Mac malware, not to show how clever they are, but merely to see if they can repeat the trick that's worked on Windows for years: making money out of next to nothing," he said.

NetWeird also highlights how not every bent developer can double as a botnet-designing whiz kid. "It's interesting to compare and contrast Crisis and NetWeirdRC, as they are both commercially available products. While Crisis is an advanced threat which hides itself reasonably well, NetWeirdRC has a number of glaring issues," said Intego's Myers. "Perhaps the price tag tells us all we need to know: Crisis sells for $250,000, and NetWeirdRC starts at $60."

In another light, NetWeird simply represents criminals trying to out-scam each other. Just as scammers use scareware to socially engineer consumers into paying for products that pretend to rid their PCs of viruses they don't have, some malware developers are now selling bargain-rate, busted Mac botnet toolkits to unsuspecting buyers.

"It would seem that you get what you pay for, even in the malware world," said Myers.

One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
8/25/2012 | 2:19:22 AM
re: Create A Mac Zombie Army, Cheap: Hacker Emptor
Wow with a price tag of $250,000 I hope that there are some major differences between Crisis and NetWeirdRC. It is interesting to know that it is only effecting older versions of os X. maybe if you were one of the tech savvy kids the author refers to you could tweak the code and make NetWeirdRC more potentially dangerous than the $60 version that is sold. Has anyone used this product and what were the results on the hosts side of things?

Paul Sprague
InformationWeek Contributor
User Rank: Apprentice
8/27/2012 | 3:58:28 PM
re: Create A Mac Zombie Army, Cheap: Hacker Emptor
Why do the legal authorities allow this type of transaction to take place? This is a product that is being sold to harvest and destroy computers? or to test I.T. infrustructers? Unless I am completely mistaken, that is an Illegal activity, and these people should be thrown in jail. If this is legitamate software for testing I.T. environments, then Extremely tight regulation should be made so the bad guys do not get ahold of it. There should be tight monitoring with software I.D.s, encrypted licenses, locked down code, that identify the owner so the attacker can be found if actually used for Malice.
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.