
When Macs Attack

A story I wrote this week about "Shadowserver" -- a group of security volunteers who hunt down botnet operators online -- got picked up by "news-for-nerds" blog Slashdot, and since then a few readers and bloggers have been asking for more details on a botnet I mentioned that was made up entirely of computers powered by Linux and Apple Mac OS X operating systems.

The subject came up in the following paragraph of the story, which addressed how botnet hunting is such a time-consuming and often small-reward effort that some people find it easy to get burnt out doing it after a short time:

"David Taylor, a senior information security specialist at the University of Pennsylvania, knows all too well what botnet-hunting burnout feels like. ... A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems. Working a week straight, Taylor located nearly all of the infected machines and had some success notifying the owners of those systems, but the Taiwanese ISP the hackers used to host their control center repeatedly ignored his requests to shutter the site."

Several readers wrote in to say they were officially calling "baloney" (my euphemism), saying they could find no mention of OS X botnets on Shadowserver's news archives and demanding proof. I followed up with Taylor, who said the botnet in question wasn't being followed by Shadowserver at the time.

The botnet Taylor had tracked was created using a known security hole not in Linux or OS X, but in something that runs on top of the operating system: PHP, a scripting language built specifically for Web sites. By leveraging this PHP flaw, the attackers were able to seed the Mac systems with several tools designed to turn them into drones for use in waging destructive "distributed denial of service" attacks, wherein attackers use the combined power of hundreds or sometimes thousands of hacked machines to overwhelm a Web site with so much bogus Web traffic that it can no longer accommodate legitimate visitors.

A side note is in order here: Taylor shared with me a copy of the code he saw being installed on the systems in the botnet -- a simple Perl script. He discovered the code last fall, and while it is clear from examining the text strings within it that the program installs attack tools, the script itself is still not detected as malicious by any of the two dozen anti-virus programs used by VirusTotal, a free online virus-scanning service.

The script Taylor discovered would hardly be remarkable if it were an isolated incident. But the fact is that there are dozens of pieces of malicious code circulating online that will happily infect OS X systems if their users are running vulnerable third-party applications. In some cases, the impact on the user may be little more than public embarrassment. A large number of Web sites running vulnerable PHP applications on OS X systems are regularly defaced by hacker groups who replace the sites' home pages with hacker screeds or even some political statements.

In some situations -- depending on how the Web site operator has set up his system -- flaws in those third-party applications can be leveraged to install malicious code on the victim's system that could allow bad guys to access files or run programs. Take the "Lupper" worm, which spreads to Web servers through known PHP flaws and opens a "back door" on the affected system that hackers can use to install malware later.

Shadowserver founder Nicholas Albright said he and his crew have found at least 20 variants of the same Perl script that can be used to open back doors on OS X systems running vulnerable Web applications. He also pointed to research on the apparent success of "Kaiten," an old worm with new tricks that takes advantage of PHP security flaws present in a variety of blogging software and Web applications -- including PostNuke, Drupal, b2Evolution, Xoops, WordPress, PHPGroupWare and TikiWiki.

Taylor said he's surprised that so many Mac users discount the security threats from third-party applications.

"Why does everyone get all hot and bothered when someone mentions Mac OS X being in a botnet?" Taylor asked. "Maybe I should have said I was tracking several PHP-enabled computer systems. I think it is time to quit focusing on just the ... operating system and think about the applications that are installed on it and how the security of the system can be compromised by [them]."

Indeed, the attacks documented above fit a trend security experts have seen for some time now. As Microsoft moves to tighten security on its operating system, and as more users adopt firewalls, anti-virus software and other defenses, attackers have shifted their focus to attacking flaws in applications that run on top of the operating system.

That was, in part, the premise for the creation of this whole blog: that Internet users can no longer simply install a couple of pieces of security software and call themselves protected. Security is a process, and for better or for worse it requires vigilance, some common sense, and staying on top of the latest threats, regardless of the operating system you are using.

By Brian Krebs  |  March 24, 2006; 9:22 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  


I couldn't agree more with your last paragraph. Unfortunately, too many users still look to one or two pieces of software as a security panacea.

Posted by: tabdelgawad | March 24, 2006 10:48 AM

I just want to say that I find this stuff fascinating, and I really appreciate the commitment from the Post, a general-interest publication, to discussions at this sophisticated a level of detail.

Posted by: Jay | March 24, 2006 11:34 AM

Thanks for the interesting follow-up piece. When I read the original article, I also tried and failed to find any reference to such a botnet. With all the crowing by Mac users about the airtight security provided by OS X, hacking Macs will be a more appealing challenge. I'm sure the commercial botnets will stick to picking off stragglers from the Windows herd. Some hunters will want to bag the big game.

Posted by: Paul L | March 24, 2006 12:09 PM

What is a hacker screed?

Posted by: wantaknow | March 24, 2006 12:19 PM


1. A long monotonous speech or piece of writing.

2. harangue, rant, ranting - a loud bombastic declamation expressed with strong emotion

Posted by: meh | March 24, 2006 12:24 PM

Ditto. This is a great informative and balanced resource. Thanks Brian!

Posted by: Bobby | March 24, 2006 12:28 PM

Is there a way to have the ability to email these articles to other interested parties?

Thank you

Eric Sigman

Posted by: Email Articles | March 24, 2006 12:29 PM


Thanks for reading and for the question: We're working on that. It's a feature that should be rolled out to the blogs in a short time. I believe it's the top priority at this point, in addition to a "print this" link for each entry.

Posted by: Bk | March 24, 2006 12:33 PM

I do believe that Taylor should have stated that the bots were on PHP enabled systems. I have a Mac OS X and PHP can only be accessed if I have activated Web Sharing or if someone has shell access to my computer. I also run PHP on Windows 2000, Solaris and a PowerPC Box with Linux leaving all of these

"A large number of Web sites running vulnerable PHP applications on OS X systems are regularly defaced by hacker groups"
and a larger number of users running IIS on Windows NT without removing the default site which has major flaws in it.

Use that link and total the Windows defacements (remember to add up the Win 2000 and Windows 2000 entries)

I think that if you are going to run any application which can be accessed from remote you should keep it up to date. PHP on my Mac and PowerPC are out-of-date but they are never used or activated. My Windows and Solaris version are up to date.

Posted by: John | March 24, 2006 1:54 PM

Mr. Krebs,

I am a long time Mac user and I had, up until the past month or so, felt quite confident in my computer's invulnerability to hackers. Because of this I have no idea how to protect myself. Can you please comment or write a more lengthy piece detailing what programs do a good job at protecting Macs? My computer's native firewall is turned on, I almost never use Internet Explorer (preferring Safari), and I've disabled some (but not all) cookies, but I don't know what else to do. Antivirus software is not a subject that I or, presumably, most Mac users, know much about, so an informative post would be very helpful. Thanks.

Posted by: Max, | March 24, 2006 1:56 PM

John, you're missing the point of the article. It's not PHP or web services alone that make you vulnerable. How about an email attachment called taylor_lying_about_mac_security.pbf

Now, you click on it mistaking the pbf for pdf. The file is actually just a shell script that downloads two files to your system, and executes both of them. A nicely crafted pdf file and a nicely crafted trojan. You see what you expected to see, and you're now invited to join a drone network. Thinking the article was amazing, you forward that email to other mac users, who do the same thing.

The OS isn't what's broken, it's the keyboard-to-user interface.

Posted by: Anonymous | March 24, 2006 2:22 PM

Re Taylor's Q "Why does everyone get all hot and bothered when someone mentions Mac OS X being in a botnet?" Taylor asked. "Maybe I should have said I was tracking several PHP-enabled computer systems."

Well, duh... The initial report got a response because it was incomplete, giving the impression there were OS X botnets. Turns out, false alarm. If anything, these would be PHP botnets, which have the "feature" to be cross-platform...

Good thing he provides the answer to his Q in his next sentence ...

Posted by: cbum | March 24, 2006 3:46 PM

Thanks for the update Brian, it's valuable information. While I believe the problem isn't nearly as widespread as it sounds at first impression, keeping informed regarding potential land mines in "mounted" third party software is always beneficial. I personally don't like .php and consequently rarely use it, but it's good to be reminded that there are potential problems with it which need to be watched.

Posted by: Robert In West Hollywood | March 24, 2006 4:41 PM

RE: cbum and false alarm

What 'impression' are we talking about? I had said I was tracking a botnet that contained *nix and Mac OS X systems. How you interpret that is up to you. This is a fact and not a false alarm. We had a Mac OS X system that WAS a botnet member. Most of the time we see Windows systems. Most of those are from 'Windows' vulnerabilities but some end up there from vulnerabilities from Dameware, Veritas, IIS, etc. We don't differentiate with Windows systems based on operating system. People need to realize that vulnerabilities exist that can give unauthorized access to ANY system no matter what the OS is. In this case it was a PHP application. I totally agree with the general consensus that Mac systems are more secure by design AND by default. But they are drawing a lot of attention and there are a lot of coders focusing on Mac right now. So, instead of simply writing Mac OS X off as totally secure, think about the ways someone can break into it and respond accordingly.

Just my thoughts. I love my Macbook Pro, btw. :)

Posted by: David Taylor | March 24, 2006 5:27 PM

What sounds fishy about the story, and still sounds fishy, is the way that the botnet was reported to ONLY consist of Unix and Mac OS X systems. PHP can reside on any number of platforms, and why would a group choose only two types of platforms when they could just as easily choose any machine that has an exploitable version of PHP running? It doesn't make sense. Now you post that "We had a Mac OS X system that WAS a botnet member." That sounds almost like the claim is now that there was only 1 Mac OS X system in the botnet. So what is it? Everybody wants to find THE security flaw within OS X that we are getting to the point that obvious - server side software running on an OS X system can be vulnerable; or the disingenuous - a botnet comprised solely of Unix and MacOS X platforms which turns out not to be the case and, by the way, the vulnerability is really with PHP and not the operating systems. Then, instead of owning up to the fact that the report was exaggerated, you and Mr. Krebs slightly backtrack and scream out like Chicken Little that "Mac OS X can be vulnerable, too." Both you and Mr. Krebs, unless I'm greatly overestimating either of your capabilities, know the difference between PHP and an inherent security problem within the operating system itself. Be honest - don't go for sensationalism.

david reese

Posted by: David Reese | March 24, 2006 5:59 PM

Will this never die? Why is it so hard for everyone to believe that Mac doesn't run with GOD MODE protections?

The attack vector is what Mac users are so worried about? Let's all say it: "Security by obscurity is for the simple minded"

> "inherent security problem within the operating system itself."

Now, if you go back and actually READ what was pasted above, you'll see NOWHERE did David or Brian attack the "inherent security of the operating system." Instead they correctly pointed out that the OPERATING SYSTEM can't make up for proper security procedures.

The fact of the matter is Macs can and have been used as drones. It's not impossible, it's not stupid, or crazy. Attack vectors could include mail links, malicious downloads, social engineering, and many more that you simply have not thought of, because you're worried about the attacks on the kernel.

HOW the malware ended up on the system should not affect David's TRUTHFUL, NON-HYPED statement that he was watching a botnet which contained MAC AND LINUX systems.

Don't believe it? Go download Kaiten and compile it for yourself.

Posted by: Anonymous | March 24, 2006 6:42 PM

Thanks for the article. Like one of the other commenters, I would appreciate a little more depth on what steps can be taken to protect against this particular attack.

Posted by: Viacondotti | March 24, 2006 9:02 PM

RedRod and Viacondotti -- I can understand why you would be concerned after reading this article, but I'm afraid you may have missed the whole point of the blog post. It was not to point out new/unknown security flaws in the OS X operating system, but rather to say that if you are running third party, web-facing applications like Web servers and the like, you had better make sure those apps are patched just like everything else, otherwise your machine can get owned by the bad guys.

The last graph of the story is the most important: the security we are talking about goes beyond just installing some application to protect you. Those things are nice and useful and often necessary, but being secure online requires considering the other avenues of exposure you may have (i.e. Web servers, etc.).

Posted by: Bk | March 24, 2006 11:40 PM

I'm concerned. Just purchased a Mac about a month ago. Love it. Always wanted one (since I was a little girl). I live and breathe this thing. Always thought that Macs were protected from the "bad guys". Now you tell me they are not? Please explain how I can guarantee that my Mac is safe from the "bad guys". Is it just alternate non-Mac servers that these "botnets" attack? Concerned. D. P.S. Thanks for the "heads up". I would have never in a thousand years suspected that this could happen to my Mac.

Posted by: Dess | March 25, 2006 12:37 AM

Is anyone working on fixing these "known PHP flaws" to make whatever systems less vulnerable?

Posted by: Tom Beck | March 25, 2006 3:28 AM

Dess -- this hack depends on 2 things:

-- You have Personal Web Sharing enabled in system preferences. Most users don't ever need to turn this on.

-- You have PHP installed and running in the internal web server (again, 99% of users don't have this).

So don't worry about this one unless you're administering your own website hosted on your mac.

Otherwise, just the usual things -- be careful about attachments that look suspicious, don't use IE, don't give out personal info to any old website. If something comes to your inbox and it looks suspicious, it probably is! Delete it and move on.

Posted by: hjh | March 25, 2006 10:13 AM

So is one lesson to take away here that as long as I don't activate sharing on my Mac I really don't have to worry about php botnets?

As long as I don't download unfamiliar documents I'm safe on any system from installing malware?

I understand that security is a process, and it's increasingly a part of computing life, but even if Macs had just as many vulnerabilities as Windows, I'd still prefer a Mac - the operating system, ease of use, usability, and applications are so much better than what you get from Microsoft.

Posted by: MCarroll | March 25, 2006 10:59 AM

Oh great, soon we will be able to email these columns ...

(Sorry BK, couldn't resist)

Posted by: GTexas | March 25, 2006 1:05 PM

HTTP is a matter of GET first, ask questions later, which is why I personally never was too fond of either PHP or ASP -- although they have their uses for database interfaces. The point is, though, that you can always validate a markup language transfer first.

If you need binary files, learn to use FTP.

Posted by: GTexas | March 25, 2006 1:25 PM

This entire story originated to mainly focus on those that spend their free, uncompensated time chasing down botnets in hopes of helping to protect those victims that may end up being harmed by them. When it was mentioned that a Mac OS X system was involved in a botnet it caused a ruckus, to say the least. This was not intentional. The Mac systems that ended up in the botnet were running vulnerable versions of PHPAdsNew which had a serious vulnerability rated "Extremely Critical" by Secunia. This software runs on POSIX systems, so from what I understand this means *nix (linux or unix) as well as Mac OS X.

I just wanted to clear this up for folks. An average Mac OS X user would not have had this application installed and would not have been vulnerable.

No matter what operating system you use, please make sure that you are also updating third-party applications.

Posted by: David Taylor | March 25, 2006 2:21 PM

Late to this discussion, but for the vast majority of Mac users this is a non-issue, since php is NOT ENABLED by default, even if you do have web sharing enabled.

By default the Apache httpd.conf file comments out the php module declarations.

This is a hazard for many geekish Mac users playing with the Unix side of things, but your average Mom&Pop are never going to be affected by this.

Posted by: Bruce Johnson | March 29, 2006 7:12 PM
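The post and several of the comments above (hjh's two conditions, Bruce Johnson's note that the stock httpd.conf comments out the PHP module declarations) come down to one question a defender can answer mechanically: is PHP actually loaded into the Web server on this machine? The script below is an added example, not code from the post or from any commenter. Both httpd.conf excerpts are constructed for the example, modelled on the Apache 1.3 LoadModule/AddModule pairs of the era; the module names on your own system may differ, so it matches any active module whose name contains "php".

```python
import re
import sys

# Constructed httpd.conf excerpts (not copied from any real system) standing in
# for the two states discussed in the comments: PHP commented out (the
# shipping default) versus PHP switched on by hand.
CONF_PHP_OFF = """\
# Personal Web Sharing default (constructed example)
LoadModule rewrite_module     libexec/httpd/mod_rewrite.so
#LoadModule php4_module        libexec/httpd/libphp4.so
AddModule mod_rewrite.c
#AddModule mod_php4.c
"""

CONF_PHP_ON = """\
# Same file after someone enabled PHP (constructed example)
LoadModule rewrite_module     libexec/httpd/mod_rewrite.so
LoadModule php4_module        libexec/httpd/libphp4.so
AddModule mod_rewrite.c
AddModule mod_php4.c
"""

# Apache 1.3 used LoadModule + AddModule pairs; Apache 2 uses LoadModule alone.
# Either way, an active declaration starts with the directive, not with '#'.
MODULE_LINE = re.compile(r"^\s*(LoadModule|AddModule)\s+(\S+)", re.IGNORECASE)


def active_modules(conf_text):
    """Return module names from declarations that are NOT commented out."""
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # Apache ignores commented lines, so the audit does too
        match = MODULE_LINE.match(line)
        if match:
            found.append(match.group(2))
    return found


def php_enabled(conf_text):
    """True if any active module declaration mentions PHP."""
    return any("php" in name.lower() for name in active_modules(conf_text))


def audit(conf_text):
    """One-line verdict: is a PHP web application reachable through Apache?"""
    if php_enabled(conf_text):
        return ("PHP module ACTIVE: every PHP application under the DocumentRoot "
                "is reachable from the network and must be kept patched")
    return "PHP module not loaded: PHP applications cannot be reached through Apache"


if __name__ == "__main__":
    # Usage: python php_exposure_audit.py [/path/to/httpd.conf]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(audit(fh.read()))
    else:
        for label, conf in (("default", CONF_PHP_OFF), ("php enabled", CONF_PHP_ON)):
            print(f"{label}: {audit(conf)}")
```

The check deliberately looks only at what Apache would load; whether the server is listening at all (Web Sharing on or off) is a separate question. Its value is that it turns the thread's argument into a yes/no answer per machine: if the module is active, the fix is keeping the PHP applications themselves patched, which neither the operating system nor the PHP interpreter does for you.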

Just a little FYI, there was a rather major set of attacks on systems running awstats. I know some people hit by it a while ago.

The important thing to remember is that "security experts" are just as likely to have personal bias as anyone. I mention this because AWstats, which you link to twice in your statement 'Take the "Lupper" worm, which spreads to Web servers through known PHP flaws and opens a "back door" on the affected system that hackers can use to install malware later.', is written in PERL! :)

So "PHP security flaws" is a complete misnomer. This is security flaws in applications written in PHP, as well as other languages. In fact, the 'New worm with old tricks' hits many vulnerable scripts not written in PHP.

Posted by: Reverend B. Squeeze | March 29, 2006 7:51 PM

Thanks, Rev, for some clear information.

I do have a web server running (for testing purposes), and I happened to have PHP active to try it out. It eased my mind greatly to know which application within PHP was the problem.

My comment is only that of course Macs aren't invulnerable. Cross-platform apps == cross-platform problems. And it really wouldn't be hard to compile and conceal an existing rootkit in a Trojan. (Thanks to Anon for his 'pbf' example.) It's even been done before. (Macintouch had a thread on someone who thought his 500k Word download from a P2P site was a 'demo'. Ok... He got owned.)

Social engineering can't really be stopped; activating a web server, enabling PHP, opening a firewall then installing AWStats is much different, though, than say looking at a jpeg on a web site.

As far as anyone 'crowing', I'd suggest not paying too much attention to the newbies. Some of us remember floppy-based Mac viruses, and we don't believe in any magical immunity.

Posted by: Dead Nancy | March 29, 2006 9:23 PM

Technically, Kaiten isn't a worm - it's merely an old bot. There *is* a worm which is installing Kaiten on servers it compromises - the controllers appear to be mainly Romanian, and typically hang out on certain large irc networks (though they've been spotted on small networks, and even on single - probably compromised - servers, too).

Posted by: PinkFreud | March 29, 2006 10:39 PM

One statement: Security in my mind is a Social Responsibility for our own protection!!!

Posted by: linuxuser | March 30, 2006 8:28 AM

Some simple truths:

1. *ANY* computer connected to the Internet is vulnerable should someone with enough knowledge and skill want to compromise your computer.

2. The vulnerability of your system is based on the services (OS specific or third-party) whose TCP or UDP ports are open to the Internet and not firewalled off.

3. There is NOTHING you can do to stop someone that really wants something on or out of your Internet attached systems short of unplugging it from the Internet or filtering out IPs in a router given the parameters of #1 above.

Bottom line, no one is safe, but there are ways (processes) to protect yourself:

1. Keep your OS patched with latest security and related patches/updates (check weekly or daily depending on criticality of system operation)

2. Keep your third-party Internet services patched/updated (check weekly or daily depending on criticality of system operation)

3. Use secure, yet memorable passwords. Weak passwords are often the main reason a machine gets compromised. Start using numbers and special characters like, "$, #, @, !, etc." in your passwords. It's not hard to make up a secure password like, 'C0nf3$$10n!'. It's a word, 'confession', with some characters substituted and mixed with upper and lower case letters.

4. Don't live in a box with blinders on thinking 'they can't get me.' They can, and will if they want.

I am an IT professional and have been for more than 15 years. I work in an environment (university campus of 26,000 students and about 50,000 computers) where a computer is probed for vulnerabilities on average every 6 seconds. I administer Windows, Linux, IRIX, Solaris, and Mac OS X desktop and server systems and have only been compromised twice in my career [knock on wood]. Why? Because, I plug the holes that are vulnerable within days of their discovery and give hackers as few openings as possible.

There is no such thing as a secure system as long as you are connected to the public Internet. Look on any DI's desk at the CIA, NSA, or other security agency and you'll find two computers (and two phones). One is connected to the outside world, and nothing classified is ever on those systems. The other computer is on a separate, secure network that never touches the Internet. That's the only way to secure sensitive data. Period.

Doesn't matter what OS you're running, what anti-virus software you have, nor how you connect to the Internet your machine is vulnerable. Live with it.

As for the article, it would have been nice if the writer included some more details like the specific version of PHP that is vulnerable, whether or not a patch was available, etc. It would also have been nice to balance the article a little better by explaining some of the things I mentioned above that could be used to thwart such vulnerabilities rather than writing a rather lopsided article focusing only on the negative. I think having done that, there would have been less of a brouhaha over this article's content.



Posted by: Jason Lockhart | March 30, 2006 11:58 AM

So essentially if you're dumb enough to download and execute malicious code, your Mac will get sick. Would that be a correct interpretation? It sounds like the problem lies with PHP and inept users, not Mac OS X. Rule number one of network and computer security, if you’re not using it, turn it off. I don’t use PHP on my Mac and have likewise changed the permissions so that it cannot be executed. I will admit that OS X can be compromised if an idiot lets bad code on to the system, ANY OS is vulnerable in that regard. This report is about like saying if you let robbers into your house you could get robbed.

Posted by: Terry | March 30, 2006 12:10 PM

While the general idea of this story is true, it's completely blown out of proportion in the way it's described. It's NOT a Mac OS X flaw... it's a flaw in a third party module included with the system that isn't even turned on by default. If it affects PHP then that means that ANY system _that_runs_a_PHP_web_server_application_ is affected whether it's Debian, Mac, Windows, Solaris, or FreeBSD. Those running PHP webapps are likely not even 0.1% of the total Mac OS X users out in the population. Even if 10% of the existing mac users flipped on the "Personal Web Sharing" button on their computer, I bet only a handful of them are actually running PHP web apps. If you want to cast any blame, point your finger at the PHP guys and make sure they have a fix and then blame Apple if they don't release an updated PHP binary in the next security patch.

Until then, this is probably a non-issue for about 99.9% of the Mac users on planet Earth.

Posted by: Glenn | March 30, 2006 1:02 PM


Just a short note... the password example that you gave is not much more secure than the word it's based on, as there are dictionaries available that contain words in every language, including variations using symbols instead of characters. I'm sure you realize this, but a better policy would be to make up passwords that are pronounceable, but not actually words, such as R3sF4L1&t (pronounce it res-fal-and-t). Just a thought :)

Posted by: Anonymous Coward | March 30, 2006 2:18 PM
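The disagreement between Jason Lockhart's 'C0nf3$$10n!' and the reply above can be settled mechanically: cracking wordlists and their rule sets already undo symbol-for-letter substitutions and strip trailing digits or punctuation, so a password checker that does the same and then looks the result up in a dictionary shows whether a candidate is really a disguised word. The script below is an added example and is not from either commenter; its wordlist is a constructed handful of words standing in for a real cracking dictionary, and the substitution table is an assumption covering the common swaps.

```python
from itertools import product

# Constructed stand-in for a real cracking wordlist (assumption: a real list
# has millions of entries, which only makes a lookup MORE likely to hit).
WORDLIST = {"confession", "password", "welcome", "dragon", "letmein", "secret"}

# Symbol/digit-for-letter swaps that cracking rule sets routinely reverse.
# A character that could stand for more than one letter lists all of them.
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "!": "i", "|": "l",
}

# Trailing digits and punctuation are the usual "complexity" suffix; crackers
# try the bare word plus such endings, so strip them before the lookup.
SUFFIX_CHARS = "0123456789!@#$%^&*.?"


def candidate_words(password):
    """Every plain word the password could be a disguised form of."""
    core = password.rstrip(SUFFIX_CHARS).lower()
    if not core:
        return set()
    options = [LEET.get(ch, ch) for ch in core]
    return {"".join(letters) for letters in product(*options)}


def dictionary_derived(password, wordlist=WORDLIST):
    """True when undoing the substitutions yields a dictionary word."""
    return any(word in wordlist for word in candidate_words(password))


def assess(password):
    """One-line verdict in the spirit of the two comments above."""
    if dictionary_derived(password):
        return "weak: a dictionary word with substitutions, which a rule set undoes"
    if len(password) < 8:
        return "weak: too short to resist brute force"
    return "ok: not a disguised dictionary word"


if __name__ == "__main__":
    for pw in ("C0nf3$$10n!", "R3sF4L1&t", "P@ssw0rd123"):
        print(f"{pw:14} -> {assess(pw)}")
```

Run as written, 'C0nf3$$10n!' normalises to "confession" and is flagged, while 'R3sF4L1&t' survives because nothing in the wordlist matches once the substitutions are reversed. The same normalisation is what a password policy should apply at set time, rather than counting symbols and digits as "complexity".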

"While the general idea of this story is true, it's completely blown out of proportion in the way it's described. It's NOT a Mac OS X flaw..."

and the article never described it as an OS X flaw... nor was the article about OS security - if you had RTFA you may have gleaned that.
The only thing overblown is your Mac fanboy pride.

"Security through Obscurity (and poor market share)" - it's the Mac way!

Posted by: WhirlyDude | March 30, 2006 4:56 PM

Thanks for the original article and the followup. As a sysadmin for hire to small companies, one of my challenges is security. I have Win, Mac and Linux systems in use. All can be set up with adequate security as far as the system goes. However, there is no replacement for user awareness. The only time I have problems is when a user clicks on something that, had they taken the time to look at it, they would not have clicked. I'm in the process of redoing a system right now which was root-kited because an unauthorized employee offspring user, with admin access on a company workstation, went looking for trouble using an unauthorized application because he believed he had the knowledge to thwart any intrusions. Not. How do you defend against security vulnerabilities which have nothing to do with the OS? In fact, nothing to do with the computer at all?

Posted by: Nets2u | March 30, 2006 5:38 PM

Hello, I'm from HL, I would like to get to know all of you. Thank you

Posted by: phuong | April 5, 2006 11:49 PM

Very good site, congratulations! horse art

Posted by: art | April 20, 2006 9:43 PM


© 2010 The Washington Post Company