Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Create A Mac Zombie Army, Cheap: Hacker Emptor

NetWeird malware toolkit promises to convert Macs into zombies ready to do botnet bidding. But some security experts say this is a case of criminals trying to out-scam each other.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Going once, going twice: The new NetWeird toolkit can be used to infect Apple OS X systems, converting Macs into zombies ready to do your botnet bidding, with prices starting at just $60.

That's the pitch for cross-platform malware that's been recently spotted for sale on underground forums by information security researchers at Mac antivirus software maker Intego.

All told, remote-access and data-pilfering malware "can monitor running processes, send shell commands, take screenshots, download and run files, and identify front-most window titles," according to an analysis of NetWeird (a.k.a. NetWrdRC) published by Sophos. In addition, it said, the malware can "harvest stored and encrypted usernames and passwords from Opera, Firefox, SeaMonkey, and Thunderbird browsers and mail clients." It's able to infect Apple OS X (versions 10.6 and newer), Linux, Solaris, and Windows systems.

[ For more on Apple's iOS security efforts, read Apple Security Talk Suggests iOS Limits. ]

Security researchers have yet to recover the dropper, or installer, used to get the malware onto targeted systems, but once there, the Mac version application has a miniscule footprint--just 77K. Once installed, it attempts to phone home to a command-and-control server in the Netherlands.

But while malware's price point--relative to more established players such as the Zeus financial toolkit or Crisis malware--makes it a bargain, the attack code comes with a catch: it's riddled with amateur errors, making it less a threat to targeted operating systems than your wallet.

Focusing only on the Mac version, the developer's ineptitude includes the placement of the malware application itself, titled "WIFIADAPT.app.app," which shows up in an Apple user's home folder. Next to "Downloads," "Desktop," "Music," and other essential folders, the malware sticks out like a sore thumb.

The malware also lacks any state-of-the-art obfuscation techniques, although "the website for the developers of NetWeirdRC also lists the undetected nature of this tool as a selling point," said Lysa Myers, a security researcher at Intego, in a blog post. But "security through obscurity" is an unreliable proposition, and in the case of the publicity now enjoyed by NetWeird, it's obviously no longer a valid selling point.

NetWeird also has a persistence problem, since thanks to a coding error, malware infections on Macs seem incapable of surviving a reboot. "It adds itself to your login items, presumably with the intention of loading up every time you reboot your Mac," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "But a bug means that it adds itself as a folder, not an application. All that happens when you log back in is that Finder pops up and displays your home directory."

The malware also chokes in the face of new Apple OS X security controls. On any Mac running the latest operating system, Mountain Lion (a.k.a. 10.8), set to default security settings, the malware won't be able to install itself, "because it's not from the App Store and isn't digitally signed by an Apple-endorsed developer," said Ducklin.

"It seems that the crooks really are getting into the habit of churning out new Mac malware, not to show how clever they are, but merely to see if they can repeat the trick that's worked on Windows for years: making money out of next to nothing," he said.

NetWeird also highlights how not every bent developer can double as a botnet-designing whiz kid. "It's interesting to compare and contrast Crisis and NetWeirdRC, as they are both commercially available products. While Crisis is an advanced threat which hides itself reasonably well, NetWeirdRC has a number of glaring issues," said Intego's Myers. "Perhaps the price tag tells us all we need to know: Crisis sells for $250,000, and NetWeirdRC starts at $60."

In another light, NetWeird simply represents criminals trying to out-scam each other. Just as scammers use scareware to socially engineer consumers into paying for products that pretend to rid their PCs of viruses they don't have, some malware developers are now selling bargain-rate, busted Mac botnet toolkits to unsuspecting buyers.

"It would seem that you get what you pay for, even in the malware world," said Myers.

One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/27/2012 | 3:58:28 PM
re: Create A Mac Zombie Army, Cheap: Hacker Emptor
Why do the legal authorities allow this type of transaction to take place? This is a product that is being sold to harvest and destroy computers? or to test I.T. infrustructers? Unless I am completely mistaken, that is an Illegal activity, and these people should be thrown in jail. If this is legitamate software for testing I.T. environments, then Extremely tight regulation should be made so the bad guys do not get ahold of it. There should be tight monitoring with software I.D.s, encrypted licenses, locked down code, that identify the owner so the attacker can be found if actually used for Malice.
User Rank: Ninja
8/25/2012 | 2:19:22 AM
re: Create A Mac Zombie Army, Cheap: Hacker Emptor
Wow with a price tag of $250,000 I hope that there are some major differences between Crisis and NetWeirdRC. It is interesting to know that it is only effecting older versions of os X. maybe if you were one of the tech savvy kids the author refers to you could tweak the code and make NetWeirdRC more potentially dangerous than the $60 version that is sold. Has anyone used this product and what were the results on the hosts side of things?

Paul Sprague
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.