The first botnet created with Mac computers running OS X software has been activated, according to reports filtering out across the Internet.
Botnets are groups of computers, unwittingly linked together via the internet, that can be remotely controlled to perform tasks. Typically they send out spam e-mail, perform DDoS attacks, and gather personal information.
Botnets are typically created through virus infection, or by installing malicious software (known as malware) on your machine. Malware can take many forms, but the version attacking Mac OS X is typically referred to as a 'trojan'. Named after the legendary Trojan horse, it is a piece of malicious code that hides inside another piece of software (in this instance, illegally downloaded copies of software).
As you install the software, you also install the trojan program. Computers infected with this kind of malware are individually referred to as 'zombies'; the network they form is called the botnet.
A typical botnet created from zombies (Credit: Cisco)
Macworld reported in January that illegal copies of iWork '09 and Photoshop CS4 -- distributed via peer-to-peer networks -- were infected with a trojan called iServices. It now appears that the botnet created from this trojan has been activated, marking this the first time a Mac OS X botnet has appeared.
An Australian blogger has reported: "I found a bunch of processes chewing 100% CPU on my laptop (OS X 10.5.6). Upon examining the script for the process, it turned out to be a PHP script running a DDoS attack on a Web site."
The installer contains two files called OSX.Trojan.iServicesA and OSX.Trojan.iServicesB. These are installed alongside the full software package.
Two security researchers at Symantec, Mario Ballano Barcena and Alfredo Pesoli, wrote in Virus Bulletin (subscription required) that the malware has peer-to-peer communication, remote start-up, and encryption capabilities. They said: "The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it - and therefore we would not be surprised to see a new, modified variant in the near future." Interestingly, the two researchers also claim that the person who activated the botnet was not the same as the person who created it.
Intego reported in January that 20,000 people had downloaded the infected installer.
After the trojans were first reported in January, most anti-virus software was updated to protect against the iServices trojan. According to some reports, removing the directories /System/Library/StartupItems/DivX and/or /System/Library/StartupItems/iWorkServices should help.
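The reports above name two StartupItems directories; the following script is an added example (not code from the Macworld article, from Symantec or from SecureMac) that checks whether either directory is present and lists every StartupItem so unfamiliar entries can be reviewed. The optional ROOT argument is this script's own assumption: it lets the check be pointed at a mounted volume (for example a backup) instead of the live system.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Reports only; it removes nothing. Removal of the directories named in the
# reports is a separate, privileged step and is described in the text above.

# The two directories named in the reports quoted above.
IOC_DIRS="/System/Library/StartupItems/DivX
/System/Library/StartupItems/iWorkServices"

# Returns 0 when neither known directory exists under ROOT (clean),
# 1 when at least one of them is present.
check_iservices_startupitems() {
    root="${1:-}"   # optional mount point prefix (assumption of this script)
    found=0
    for dir in $IOC_DIRS; do
        if [ -d "${root}${dir}" ]; then
            echo "SUSPICIOUS: ${root}${dir} is present"
            found=1
        fi
    done
    return "$found"
}

# Prints every entry of the StartupItems directory under ROOT, one per line.
# Third-party StartupItems are uncommon on 10.5, where launchd is the preferred
# mechanism, so review any entry you do not recognise.
list_startupitems() {
    root="${1:-}"
    dir="${root}/System/Library/StartupItems"
    [ -d "$dir" ] || return 0
    for item in "$dir"/*; do
        [ -e "$item" ] && printf '%s\n' "$item"
    done
    return 0
}

# Usage: sh check_iservices.sh [ROOT]
ROOT="${1:-}"
echo "StartupItems under ${ROOT:-/}:"
list_startupitems "$ROOT"
if check_iservices_startupitems "$ROOT"; then
    echo "No known iServices StartupItems found."
else
    echo "Known iServices StartupItems found; see the removal advice above."
fi
```

Run it with `sudo` only if the StartupItems directory is not world-readable on your system; the check itself needs no privileges. Absence of both directories is not proof that a machine is clean, since the Symantec researchers expect modified variants, so an anti-virus scan with current signatures remains the more complete check.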
SecureMac has an iServices Trojan Removal tool that can be used to check your Mac and see if it is infected. It will then remove the files. SecureMac has made this tool available for free to all users.
While this is likely to re-ignite the discussion regarding security on Mac OS X, we would repeat that you are extremely unlikely to be infected with the iServices trojan: the only way to have become infected is to have obtained an illegal copy of iWork '09 or Photoshop CS4 (typically through a peer-to-peer Web site), downloaded it, and installed it, entering your administrator password.
Macworld's advice here is obvious: steer well clear of downloading illegal software from Web sites or torrents.
However, the wider debate surrounding this is only just beginning. There is no doubt that this is a unique event; it is the first such botnet created using Mac computers, and whether more will follow is debatable. If this type of malicious software is set to become an increasing threat to Mac users, then should Mac owners become more amenable to the idea of investing in security software?
We will continue to investigate and make our recommendations as this story develops.
This story, "First Mac OS X botnet activated", was originally published by Macworld U.K.