Crimeware Kit Targeting Mac OS X Mimics Zeus and Spyeye Features

Security researchers came across a new malware toolkit that allows criminals to develop malware specifically for Mac OS X that uses the same templates as Zeus and Spyeye.

Danish security researchers came across a new crimeware kit for sale on several underground forums that purports to create malware that targets the Mac OS X platform.

The $1,000 kit is being sold on a few "closed" underground forums under the name "Weyland-Yutani Bot," Peter Kruse, a partner and security specialist for Danish IT firm CSIS Security Group, wrote on the company blog May 2. The "first ever" kit for Mac malware comes with the ability to grab data entered into a Firefox Web browser, Kruse wrote. Chrome and Safari versions are expected soon, as are versions that will target Apple's iPad and Linux systems.

"Detailed information about this crimeware kit is not being leaked publicly, and the authors of the kit are obviously trying to stay below the radar allowing only vetted users of the forums to see most of the content," Kruse wrote.

Malware developers are increasingly monetizing their malicious code by selling do-it-yourself toolkits to other cyber-criminals. Zeus is one of the better-known Trojans available on the black market as a toolkit, and multiple gangs operate autonomous Zeus botnets to steal banking information.

These crimeware kits allow practically anyone to set up a fairly sophisticated attack portal and launch a malicious campaign without needing a lot of development expertise or know-how. Criminals can also modify existing kits and turn around and sell customized versions to others, creating even more variants.

The prevalence of these fairly affordable toolkits is directly responsible for the rise in Web-based attacks, according to a recent Cyber-Security Risks Report from HP DVLabs. Other popular kits include Phoenix, NeoSploit, Nukesploit and Blackhole, according to a Symantec report.

"CSIS finds this crimekit to be quite disturbing news since MacOS previously to some degree has been spared from the increasing amount of malware which has haunted Windows-based systems for years," wrote Kruse.

There's nothing magical about Macs when it comes to security, nothing that makes them immune to malware, James Lyne, director of technology strategy at Sophos, told eWEEK. Cyber-criminals just haven't been targeting the Macs as much because it was still lucrative to target Windows users.

But as more users and enterprises abandon PCs for the Mac's supposed invulnerability, malware authors are beginning to pay attention, especially since Mac users remain willfully resistant to the idea of installing antivirus software to protect their systems, Lyne said. It doesn't help that some reputed experts at the Apple Store often tell customers that Macs don't get malware, according to Lyne.

Mac users may have a "false sense of security" that may make them "especially vulnerable to a sudden and highly sophisticated attack," according to Kruse.

That clearly is about to change with Weyland-Yutani BOT. The kit supports Web injects and form grabbing in Firefox. The templates used are identical to the ones used in Zeus and Spyeye, according to Kruse. The forms seamlessly inject fraudulent fields into legitimate Websites that are intended to trick users into entering additional sensitive information. When the data is entered, it is automatically transmitted back to the malicious owner.

While the current version of the crimeware kits supports only Firefox, both Chrome and Safari are expected soon. The developer had held off form-grabbing in Safari because there were "too many problems in that browser," security writer Brian Krebs wrote on Krebs on Security.

Many existing malicious sites customize the payload to the user's Web browser and operating system. With Weyland-Yutani, attackers can download a Mac executable designed to steal information, log keystrokes or exploit unpatched vulnerabilities in OS X or other applications.

Crimeware kits are highly user-friendly, coming with help files and product support to help the criminal get up and running, according to Lyne. Krebs was able to see the Web-based administration panel for Weyland-Yutani that allows the attacker to manage and harvest data from infected PCs. Building the malicious site took a few clicks and a remote host was able to log keystrokes in Safari and capture passwords for a Gmail account, according to the video available on Krebs on Security.

Fans of the movie series "Alien" will recognize Weyland-Yutani as the fictional corporation that established habitable bases and dwellings on extrasolar planets in advance of the human colonies.