Network News

X My Profile
View More Activity

World's First Mac Botnet? Not Quite.

This morning, as I scrolled down the list of security Web sites I normally check via my RSS reader, I noticed several items referencing news about the "world's first Mac botnet." As I read on, it became clear this was neither news nor a first.

Ryan Naraine from writes about a paper released via Virus Bulletin (subscription required) by a pair of Symantec researchers who found what was described as "the first Mac OS X botnet launching denial-of-service attacks."

The story goes on to describe how the researchers traced the botnet back to Mac users who had installed pirated copies of Apple's iWork 2009 software. Back in January, many tech outlets wrote about a Trojan that was being distributed with copies of iWork 2009, that was available on Bittorrent and other file-sharing services.

In my own coverage of that Trojan, I interviewed Pete Yandell, a software developer from Australia and curator of, whose Mac was infected with this malware. Yandell informed me that as a result of his installing this modified iWork software, his Mac was ensnared in a botnet that was attacking a Web site called

In that story, I also interviewed the owner of dollarcardmarketing, who said his site was hit with a distributed denial of service (DDoS) attack that generated more than 600Gb worth of Web traffic more than the usual monthly amount, suggesting that whatever botnet hit his site was fairly sizable.

As Yandell posted on his site back in January, this Mac botnet was described as being orchestrated by a PHP script, running as root on the infected system. Turns out, in a March 2006 post titled When Macs Attack, I reported on the existence of a DDoS botnet that included Mac OS X systems. The botnet was being controlled by a script that took advantage of insecure installations of PHP running on Mac OS X systems as root.

By Brian Krebs  |  April 17, 2009; 7:55 AM ET
Categories:  From the Bunker  | Tags: mac botnet  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Creating a Public Nuisance with Insecure Web Sites
Next: Cyber Spies Breach Pentagon's Fighter Jet Project



Could you please share with us the "list of security Web sites I normally check via my RSS reader"?


Posted by: PSolus | April 17, 2009 9:54 AM | Report abuse

Yes, please do share. I'm subscribed to 16 security websites and I didn't not see that headline. Not even the Mac related security websites mentioned this.

Posted by: StillLoveWebkit | April 17, 2009 11:23 AM | Report abuse

well, there's zdnet, already mentioned in the article. also, picked this up today, as did ars technica

Posted by: BTKrebs | April 17, 2009 11:32 AM | Report abuse

You're right, Ars did report on this. I never saw it in my feeds because I was NOT subscribed to the RSS feed that shows all articles but subscribed to the one the shows less articles. Bummer.

Posted by: StillLoveWebkit | April 17, 2009 1:44 PM | Report abuse

Yes, in spite of MAC users thinking they are immune to malware the number of threats is bound to increase as MACs become more popular and, therefore, a more attractive target for hackers, virus writers and so on.

Brian is right about the first one being in 2006 and it makes sense for MAC users to protect their data and personal privacy now by getting some security software. There are links to a couple of good programs (with free trials) on

Posted by: datadefender | April 18, 2009 6:03 AM | Report abuse

What people don't know about the machines in their homes is what makes those machines zombies. I am a Mac user, and a Win 7 test machine is in the house (and I run a couple of linux nodes, have a couple of VMS machines, and just keep going with that). Problems like this are more complicated than they appear, and solving them will take more than a free software trial.

Buy insurance if you want peace of mind, not software!

Posted by: vax_wiz | April 18, 2009 7:45 AM | Report abuse

May we assume that Apple put out patches via Software Update?

Posted by: Garak | April 18, 2009 1:47 PM | Report abuse

There's nothing for Apple to patch, really ... this software was installed by users. (They happened to be users who were stealing software from Apple and Adobe, but it could as easily have been included with free software. Maybe the hackers thought people are less likely to report any strange behavior of their computers if they've stolen the software on them.)

The most Apple could probably do is provide something like Little Snitch which runs at the operating system level, and asks/warns any time that an application or other part of the system wants to access the network. I don't think the current Mac OS firewall restricts outgoing traffic, only incoming.

(There are certainly things Apple can do here, but this isn't a vulnerability in the operating system; trojan horses rely on social engineering -- making users install software that they shouldn't.)

Posted by: ttarrantt | April 18, 2009 11:40 PM | Report abuse

A bunch of sites had it, Ars technica etc. My personal favorite covers more topics As we all know, Macs are not immune they are simply not targeted by most "diseases".

Posted by: funkmasterflex57 | April 21, 2009 12:03 AM | Report abuse

This also brings up another source of Geek arrogance- PFW with outgoing control.

It seems that many thought outgoing control was an absurd concept and only 1d1075 would consider it important.

Posted by: davekeays | April 21, 2009 8:58 PM | Report abuse

Most vulnerabilities that effect Windows computers "...gain access with privileges of the currently logged in user..."
If Windows/home users would log in as "limited user" for browsing the internet.
Instead of the default Administrator with blank password.
Windows computers would also become less attractive to malicious automated software attacks. No computer is invulnerable to a targeted attack from a skilled attacker.
Mac is much harder to attack with an automated attack. Social engineering is the best way to gain access to a mac.

Posted by: Chainmail | April 22, 2009 10:20 AM | Report abuse

I don't believe any of this. The cool Mac guy on TV says these sorts of things only happen to PCs.

Posted by: spidey103 | April 23, 2009 10:05 AM | Report abuse

This was NOT a Mac vulnerability. Vulnerabilities are made to exploit bugs in software. In this case, people were stealing software that was embedded with malware. That's hardly a software vulnerability. That's more like a PEBKAC issue. Solution: don't install software from untrustworthy sites. Even if you do, you can manipulate the firewall to only allow trustworthy outbound traffic (like most corporations do)...that won't get rid of the malware, but it will prevent further spreading of the malware or 'call-home' attempts.

Posted by: unixfool | April 23, 2009 4:33 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company