May 7th, 2009

New Mac OS X email worm discovered

Posted by Dancho Danchev @ 1:14 pm

Categories: Anti Virus, Apple, Botnets, Browsers, Hackers, Malware, Passwords, Viruses and Worms

Tags: Security, Mac OS X, Apple, Tored, Email Worm, Dancho Danchev

A newly discovered email worm dubbed OSX/Tored-A once again puts the spotlight on how wormable Apple's OS X is in practice, and on the tactics used to spread malware that targets it.

The worm propagates by mailing itself to addresses harvested from infected hosts, and carries backdoor functionality: once a remote connection to its operator is successfully established, it attempts to enlist the host in a botnet, logs keystrokes, and can take part in DDoS attacks and send spam.
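A mass-mailing worm with its own SMTP engine, such as the one described above, shows up on the network as a single workstation fanning out direct TCP/25 connections to many distinct hosts in a short window, whereas a normal client only ever talks to the organisation's mail relay. The following detector is an added example, not code from the original post or from any vendor's analysis: it runs over a constructed connection log in a made-up "key=value" firewall format (the field layout, addresses and the relay address 10.0.0.2 are all assumptions), and flags any source that reaches at least `threshold` distinct non-relay hosts on port 25 within a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log in a made-up "key=value" firewall format; these
# are not real captures and the layout is an assumption for this example.
# 10.0.0.55 mails a few hosts spread over 20 minutes, 10.0.0.40 only talks to
# the relay, and 10.0.0.23 fans out to twelve hosts inside one minute.
SAMPLE_LOG = """\
2009-05-07T13:00:00 src=10.0.0.55 dst=192.0.2.10 dport=25 proto=tcp
2009-05-07T13:07:00 src=10.0.0.55 dst=192.0.2.11 dport=25 proto=tcp
2009-05-07T13:14:00 src=10.0.0.55 dst=192.0.2.12 dport=25 proto=tcp
2009-05-07T13:21:00 src=10.0.0.55 dst=192.0.2.13 dport=25 proto=tcp
2009-05-07T13:14:01 src=10.0.0.40 dst=10.0.0.2 dport=25 proto=tcp
2009-05-07T13:14:03 src=10.0.0.40 dst=10.0.0.2 dport=25 proto=tcp
2009-05-07T13:14:04 src=10.0.0.23 dst=10.0.0.2 dport=25 proto=tcp
2009-05-07T13:14:04 src=10.0.0.23 dst=203.0.113.99 dport=443 proto=tcp
2009-05-07T13:14:05 src=10.0.0.23 dst=203.0.113.5 dport=25 proto=tcp
2009-05-07T13:14:10 src=10.0.0.23 dst=203.0.113.6 dport=25 proto=tcp
2009-05-07T13:14:15 src=10.0.0.23 dst=203.0.113.7 dport=25 proto=tcp
2009-05-07T13:14:20 src=10.0.0.23 dst=203.0.113.8 dport=25 proto=tcp
2009-05-07T13:14:25 src=10.0.0.23 dst=203.0.113.9 dport=25 proto=tcp
2009-05-07T13:14:30 src=10.0.0.23 dst=203.0.113.10 dport=25 proto=tcp
2009-05-07T13:14:35 src=10.0.0.23 dst=203.0.113.11 dport=25 proto=tcp
2009-05-07T13:14:40 src=10.0.0.23 dst=203.0.113.12 dport=25 proto=tcp
2009-05-07T13:14:45 src=10.0.0.23 dst=203.0.113.13 dport=25 proto=tcp
2009-05-07T13:14:50 src=10.0.0.23 dst=203.0.113.14 dport=25 proto=tcp
2009-05-07T13:14:55 src=10.0.0.23 dst=203.0.113.15 dport=25 proto=tcp
2009-05-07T13:15:00 src=10.0.0.23 dst=203.0.113.16 dport=25 proto=tcp
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def detect_smtp_fanout(log_text, threshold=10, window=timedelta(minutes=5),
                       allowed_relays=frozenset()):
    """Return {src: sorted distinct SMTP destinations} for every source that
    contacted at least `threshold` distinct non-relay hosts on TCP/25 within
    any `window`-long span. Connections to the sanctioned relays are ignored
    because every legitimate client is expected to make them."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 25 or rec["proto"] != "tcp":
            continue
        if rec["dst"] in allowed_relays:
            continue
        per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()  # chronological, so each window starts at events[i]
        for i, (t0, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(seen) >= threshold:
                flagged[src] = sorted(seen)
                break  # one hit per source is enough to raise an alert
    return flagged


if __name__ == "__main__":
    hits = detect_smtp_fanout(SAMPLE_LOG, allowed_relays=frozenset({"10.0.0.2"}))
    for src, dsts in hits.items():
        print(f"{src}: {len(dsts)} distinct SMTP destinations -> {dsts}")
```

On the constructed log only 10.0.0.23 is reported; 10.0.0.55's four slow connections never share a five-minute window, and 10.0.0.40 is invisible because the relay is allow-listed. The same logic blocks worm propagation outright if the firewall simply denies outbound TCP/25 from workstations to anything but the relay, which is the cheaper control where it is feasible.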

Despite the overlap between its features and those of OSX.Trojan.iServices.A (the iBotnet OS X malware), Tored is not currently spreading in the wild; in fact, some vendors are calling it lame and state that it will never spread successfully, due to bugs in its code and the spelling mistakes in the messages it uses to spread by email:

“OSX/Tored is different, however, because it is an email-aware worm which attempts to scoop up email addresses from your infected Mac computer and forward it to others. Its intended purpose, and presumed origin, is revealed in the opening comments of its RealBasic source code:

/ First Mac OS X Botnet
/Backdoor.OSX.Raedbot.C ,Reconnaissance worm/bot
/(c) Ag_Raed , Tunisia

Bugs in the worm’s code, however, mean it is unlikely that you will ever encounter it, even if the author had taken the time to correct the many spelling mistakes in the emails it tries to send. So don’t lose too much sleep.”

Setting aside notable OS X malware such as last year's ARDAgent-based trojan, which exploited a local root privilege escalation vulnerability in Mac OS X 10.4 and 10.5, the rest of the newly discovered OS X malware continues to rely on social engineering (fake codecs such as CodecUpdate.v1.18.dmg, License.v.3.411.dmg, etc.) in order to spread.

For instance, OSX.RSPlug.D, OSX.RSPlug.E and OSX.Trojan.PokerStealer all pose as harmless applications, and OSX.TrojanKit.Malez requires that the attacker already have access to the host in order to backdoor it.
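The ARDAgent escalation mentioned above worked because the ARDAgent binary shipped setuid root and could be driven from an unprivileged account, and the workaround circulated at the time was to clear the setuid bit on it. The audit below is an added example (not code from the original post or from Apple): it walks a directory tree, classifies every regular file by whether it is setuid and root-owned, and checks the well-known ARDAgent path. The path constant is the one used by Mac OS X 10.4/10.5 at the time; treat it as an assumption on other versions.

```python
import os
import stat
import sys

# Binary at the centre of the 2008 local root escalation: the vulnerable
# configuration was this file being installed setuid root. The path is the
# Mac OS X 10.4/10.5 location and is an assumption on any other system.
ARDAGENT = ("/System/Library/CoreServices/RemoteManagement/"
            "ARDAgent.app/Contents/MacOS/ARDAgent")


def classify_setuid(path):
    """Return 'setuid-root', 'setuid-other' or 'not-setuid' for one path.

    lstat is used deliberately: a symlink is reported on its own mode, so a
    link pointing at a setuid binary is never counted as one. Raises OSError
    if the path cannot be stat'ed, so callers decide how to treat unreadable
    entries."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
        return "not-setuid"
    return "setuid-root" if st.st_uid == 0 else "setuid-other"


def find_setuid_root(root_dir):
    """Recursively list regular files under root_dir that are setuid root.

    Entries that disappear or cannot be read mid-walk are skipped rather
    than aborting the audit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if classify_setuid(path) == "setuid-root":
                    hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def ardagent_is_setuid_root():
    """True only if the ARDAgent binary exists and is still setuid root."""
    try:
        return classify_setuid(ARDAGENT) == "setuid-root"
    except OSError:
        return False  # not present on this system


if __name__ == "__main__":
    # Usage: python3 setuid_audit.py /System /usr
    for root in sys.argv[1:] or ["/System/Library/CoreServices"]:
        for hit in find_setuid_root(root):
            print("setuid root:", hit)
    print("ARDAgent setuid root:", ardagent_is_setuid_root())
```

Running the audit as root gives the complete picture, since directories unreadable to a normal user are silently skipped. Every setuid-root binary the walk prints deserves a one-line justification; the ARDAgent case shows why an entry that can be scripted by any local user is a root escalation waiting to happen, not just an oddity.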

Recently, Jon Oltsik speculated that within the next 18 months, Apple will begin recommending that Macintosh users install Internet security software on all systems.

What do you think? Talkback.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

