Attacks/Breaches
8/24/2012
10:16 AM
50%
50%

Create A Mac Zombie Army, Cheap: Hacker Emptor

NetWeird malware toolkit promises to convert Macs into zombies ready to do botnet bidding. But some security experts say this is a case of criminals trying to out-scam each other.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Going once, going twice: The new NetWeird toolkit can be used to infect Apple OS X systems, converting Macs into zombies ready to do your botnet bidding, with prices starting at just $60.

That's the pitch for cross-platform malware that's been recently spotted for sale on underground forums by information security researchers at Mac antivirus software maker Intego.

All told, remote-access and data-pilfering malware "can monitor running processes, send shell commands, take screenshots, download and run files, and identify front-most window titles," according to an analysis of NetWeird (a.k.a. NetWrdRC) published by Sophos. In addition, it said, the malware can "harvest stored and encrypted usernames and passwords from Opera, Firefox, SeaMonkey, and Thunderbird browsers and mail clients." It's able to infect Apple OS X (versions 10.6 and newer), Linux, Solaris, and Windows systems.

[ For more on Apple's iOS security efforts, read Apple Security Talk Suggests iOS Limits. ]

Security researchers have yet to recover the dropper, or installer, used to get the malware onto targeted systems, but once there, the Mac version application has a miniscule footprint--just 77K. Once installed, it attempts to phone home to a command-and-control server in the Netherlands.

But while malware's price point--relative to more established players such as the Zeus financial toolkit or Crisis malware--makes it a bargain, the attack code comes with a catch: it's riddled with amateur errors, making it less a threat to targeted operating systems than your wallet.

Focusing only on the Mac version, the developer's ineptitude includes the placement of the malware application itself, titled "WIFIADAPT.app.app," which shows up in an Apple user's home folder. Next to "Downloads," "Desktop," "Music," and other essential folders, the malware sticks out like a sore thumb.

The malware also lacks any state-of-the-art obfuscation techniques, although "the website for the developers of NetWeirdRC also lists the undetected nature of this tool as a selling point," said Lysa Myers, a security researcher at Intego, in a blog post. But "security through obscurity" is an unreliable proposition, and in the case of the publicity now enjoyed by NetWeird, it's obviously no longer a valid selling point.

NetWeird also has a persistence problem, since thanks to a coding error, malware infections on Macs seem incapable of surviving a reboot. "It adds itself to your login items, presumably with the intention of loading up every time you reboot your Mac," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "But a bug means that it adds itself as a folder, not an application. All that happens when you log back in is that Finder pops up and displays your home directory."

The malware also chokes in the face of new Apple OS X security controls. On any Mac running the latest operating system, Mountain Lion (a.k.a. 10.8), set to default security settings, the malware won't be able to install itself, "because it's not from the App Store and isn't digitally signed by an Apple-endorsed developer," said Ducklin.

"It seems that the crooks really are getting into the habit of churning out new Mac malware, not to show how clever they are, but merely to see if they can repeat the trick that's worked on Windows for years: making money out of next to nothing," he said.

NetWeird also highlights how not every bent developer can double as a botnet-designing whiz kid. "It's interesting to compare and contrast Crisis and NetWeirdRC, as they are both commercially available products. While Crisis is an advanced threat which hides itself reasonably well, NetWeirdRC has a number of glaring issues," said Intego's Myers. "Perhaps the price tag tells us all we need to know: Crisis sells for $250,000, and NetWeirdRC starts at $60."

In another light, NetWeird simply represents criminals trying to out-scam each other. Just as scammers use scareware to socially engineer consumers into paying for products that pretend to rid their PCs of viruses they don't have, some malware developers are now selling bargain-rate, busted Mac botnet toolkits to unsuspecting buyers.

"It would seem that you get what you pay for, even in the malware world," said Myers.

One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
PJS880
50%
50%
PJS880,
User Rank: Ninja
8/25/2012 | 2:19:22 AM
re: Create A Mac Zombie Army, Cheap: Hacker Emptor
Wow with a price tag of $250,000 I hope that there are some major differences between Crisis and NetWeirdRC. It is interesting to know that it is only effecting older versions of os X. maybe if you were one of the tech savvy kids the author refers to you could tweak the code and make NetWeirdRC more potentially dangerous than the $60 version that is sold. Has anyone used this product and what were the results on the hosts side of things?

Paul Sprague
InformationWeek Contributor
proberts551
50%
50%
proberts551,
User Rank: Apprentice
8/27/2012 | 3:58:28 PM
re: Create A Mac Zombie Army, Cheap: Hacker Emptor
Why do the legal authorities allow this type of transaction to take place? This is a product that is being sold to harvest and destroy computers? or to test I.T. infrustructers? Unless I am completely mistaken, that is an Illegal activity, and these people should be thrown in jail. If this is legitamate software for testing I.T. environments, then Extremely tight regulation should be made so the bad guys do not get ahold of it. There should be tight monitoring with software I.D.s, encrypted licenses, locked down code, that identify the owner so the attacker can be found if actually used for Malice.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report