Infected Mac Computers Worth 43 Cents in Cyber-underworld

In a talk about the threats posed by Russian malware affiliate networks, a Sophos security researcher reveals an operation offering people 43 cents per Apple Mac they infected. Affiliate networks can generate serious profits pushing scareware online.

New research from Sophos underscores a growing interest in the Mac among cyber-criminals.

In a presentation at Virus Bulletin's VB Conference, in Geneva, Sophos Labs researcher Dmitry Samosseiko revealed a malware affiliate network offering 43 cents per infected Mac computer. The offer was the work of a larger network of Russian spammers, malware authors and businesspeople pushing everything from phony watches to medications-an alliance he called the "Partnerka."

This goes to show that Apple Macs, which are targeted far less than Microsoft Windows PCs, are not without security threats.

"Mac users are not immune to the scareware threat," Samosseiko wrote in a paper released at the conference. "In fact, there are 'codec-partnerka' dedicated to the sale and promotion of fake Mac software. One of the recent examples is ... the site is no longer available, but just a few months ago it was offering $0.43 for each install and offered various promo materials in the form of MacOS 'video players.'"

Earlier in 2009, attackers tried to infect people using pirated versions of Mac software in an attempt to build a Mac botnet. DNS (Domain Name System)-changing Trojans targeting Macs have been reported this year as well.

Perhaps in response to the changing landscape, Apple took the additional step of adding some new malware detection capabilities to Mac OS X 10.6, aka "Snow Leopard," using known malware signatures. If malware is detected, Snow Leopard will recommend moving the file to the trash.

"Cyber-criminals are interested in money, full stop," Sophos Security Analyst Michael Argast told eWEEK. "The fact of the matter is that users of Windows or Mac machines all buy stuff online, access online banking, have confidential information-and it is that information the criminals are after."

Rogue affiliate networks like the ones outlined by Samosseiko in his paper have the potential to earn attackers serious money. One such network uncovered by Finjan earlier in 2009 reportedly made $10,800 a day pushing scareware.

At Symantec Security Response, Research and Development Manager Marc Fossi said Symantec hasn't seen any specific advertisements for Mac bots in the cyber-underground, but said attackers are keen to get their hands on whatever they can. Argast echoed the sentiment.

"What we do know is that fake codec Trojans have been increasingly prolific, and we started seeing them pop up for the Mac platform about a year ago," Argast said. "Based on the breadth of the attacks, and variety of sites and malware involved, it is quite probable that affiliate networks like this have been in place for some time, and simply added the Mac as a platform of interest."