Security researchers came across a new malware toolkit that allows criminals to develop malware specifically for Mac OS X that uses the same templates as Zeus and Spyeye.
security researchers came across a new crimeware kit for sale on several
underground forums that purports to create malware that targets the Mac OS X
The $1,000 kit
is being sold on a few "closed" underground forums under the name
"Weyland-Yutani Bot," Peter Kruse, a partner and security specialist for Danish
IT firm CSIS Security Group
wrote on the company blog May 2. The "first ever" kit for Mac malware comes
with the ability to grab data entered into a Firefox Web browser, Kruse wrote.
Chrome and Safari versions are expected soon, as are versions that will target
Apple's iPad and Linux systems.
information about this crimeware kit is not being leaked publicly, and the
authors of the kit are obviously trying to stay below the radar allowing only
vetted users of the forums to see most of the content," Kruse wrote.
developers are increasingly monetizing their malicious code by selling do-it-yourself
toolkits to other cyber-criminals. Zeus is one of the better-known Trojans
available on the black market as a toolkit, and multiple gangs operate
autonomous Zeus botnets to steal banking information.
crimeware kits allow practically anyone to set up a fairly sophisticated attack
portal and launch a malicious campaign without needing a lot of development
expertise or know-how. Criminals can also modify existing kits and turn around
and sell customized versions to others, creating even more variants.
of these fairly
is directly responsible for the rise in Web-based
attacks, according to a recent Cyber-Security Risks Report from HP DVLabs.
include Phoenix, NeoSploit, Nukesploit and Blackhole, according to a
this crimekit to be quite disturbing news since MacOS previously to some degree
has been spared from the increasing amount of malware which has haunted
Windows-based systems for years," wrote Kruse.
magical about Macs when it comes to security, nothing that makes them immune to
malware, James Lyne, director of technology strategy at Sophos, told eWEEK.
Cyber-criminals just haven't been targeting the Macs as much because it was
still lucrative to target Windows users.
But as more
users and enterprises abandon PCs for the Mac's supposed invulnerability,
malware authors are beginning to pay attention, especially since Mac users
remain willfully resistant to the idea of installing antivirus software to
protect their systems, Lyne said. It doesn't help that some reputed experts at
the Apple Store often tell customers that Macs don't get malware, according to
Mac users may
have a "false sense of security" that may make them "especially vulnerable to a
sudden and highly sophisticated attack," according to Kruse.
is about to change with Weyland-Yutani BOT. The kit supports Web injects and
form grabbing in Firefox. The templates used are identical to the ones used in
Zeus and Spyeye, according to Kruse. The forms seamlessly inject fraudulent
fields into legitimate Websites that are intended to trick users into entering
additional sensitive information. When the data is entered, it is automatically
transmitted back to the malicious owner.
current version of the crimeware kits supports only Firefox, both Chrome and
Safari are expected soon. The developer had held off form-grabbing in Safari
because there were "too many problems in that browser," security writer Brian
Krebs wrote on Krebs
malicious sites customize the payload to the user's Web browser and operating
system. With Weyland-Yutani, attackers can download a Mac executable designed
to steal information, log keystrokes or exploit unpatched vulnerabilities in OS
X or other applications.
are highly user-friendly, coming with help files and product support to help
the criminal get up and running, according to Lyne. Krebs was able to see the
Web-based administration panel for Weyland-Yutani that allows the attacker to
manage and harvest data from infected PCs. Building the malicious site took a
few clicks and a remote host was able to log keystrokes in Safari and capture
passwords for a Gmail account, according to the video available on Krebs on
Fans of the
movie series "Alien" will recognize Weyland-Yutani as the fictional corporation
that established habitable bases and dwellings on extrasolar planets in advance
of the human colonies.