tech-090415-tp-cp-steve-jobs-apple-imac

Traditionally, botnets have spread through PCs running Windows, and not Macs, in part because of the low market share worldwide of computers like the iMac, shown here behind Apple CEO Steve Jobs in a 2006 photo. ((Paul Sakuma/Associated Press))

A piece of malicious software unwittingly shared over a peer-to-peer network in January was the key tool in what security researchers are saying was the first known attempt to create a botnet of Mac computers.

Researchers at Symantec say the Trojan, called OSX.Iservice, hid itself in pirated versions of the Apple application iWork '09 and the Mac version of Adobe Photoshop CS4 that were shared on a popular peer-to-peer bittorrent network.

Once downloaded, the applications themselves worked normally, but the Trojan opens a "back door" on the compromised computer that allows it to begin contacting other hosts in its peer-to-peer network for commands.

Researchers Mario Barcena and Alfredo Pesoli of Symantec Ireland, writing in the April 2009 issue of the Virus Bulletin, say the network of infected computers attempted to initiate a denial of service attack on a website in January.

"OSX.Iservice is an interesting piece of malware — not only does it make use of Mac OS internals, but it is also the first Mac botnet that we are aware of," they wrote.

A botnet, or robot network, is a group of linked computers — sometimes called zombies — that have been commandeered, in some instances by criminals, to perform a host of actions, from connecting and infecting other computers to sending out spam or launching distributed denial of service attacks to bring down websites or web servers.

But traditionally, botnets have spread through PCs running Windows, and not Macs, in part because of the low market share of Macs worldwide.

Apple had 7.2 per cent of personal computer market share in the United States in the fourth quarter of 2008, according to technology analyst IDC, but was not among the top five PC makers worldwide, as ranked by shipments.

Kevin Haley, director of Symantec Security Response, said cybercriminals who want to create a botnet of computers traditionally attack machines running Microsoft's Windows operating system because the goal is to have the biggest network possible.

"It's a numbers game," said Haley. "If you're going to go after the largest market, you have to go after the largest target."

An example of a particularly successful botnet is the one created by the Conficker worm, which by some estimates is believed to have spread to as many as 12 million machines.

By comparison, the iBotnet, as the Symantec researchers have dubbed it, spread to only a few thousand computers before it was identified. A number of security firms say removal of the Trojan is simple once it has been identified.

The method used to infiltrate the computers — tricking users to install a Trojan hiding in a free version of software — is also a fairly basic way to access a computer, said Haley, and is not a technique exclusive to Macs or any particular vulnerability inherent in the computer's operating system.

Haley said downloading any file from an unknown source is a potentially dangerous practice, no matter what computer a person uses.

The malicious software, or malware, is unique, however in that it only clearly targeted Mac users and also included a variation — found in the corrupted Adobe Photoshop CS4 file — that used some of the functions on the Mac OS that relate to its own authorization services interface, according to the Symantec Ireland authors.

"With malware authors showing an increasing interest in the Mac platform, we believe that more advanced [user interface] spoofing tricks may be seen in the future," they wrote.

Ryan Naraine, the security evangelist at Kaspersky Lab, said that while a Mac botnet may not be practical for criminals, the discovery of the Trojan is proof that no operating system is inherently safe.