New Mac Malware Too Buggy to Build Botnet, Sophos Says | eWeek


Written by Brian Prince
May 6, 2009

Security researchers at multiple vendors have reported finding a new piece of malware targeting Macs. The good news for Mac users – it is not quite up to snuff, according to Sophos.

Dubbed Tored, the malware is actually a worm that installs a backdoor on infected systems and attempts to steal e-mail addresses from infected Mac computers. The goal – written right into the worm’s RealBasic source code – is to create the “First Mac OS X Botnet.”

In addition to stealing e-mail addresses, the malware also records some keystrokes and attempts to copy itself to removable disks. However, according to Sophos, bugs in the worm’s code make it unlikely to spread.

According to Sophos, the worm tries to forward itself through e-mail using an SMTP server that is inactive. In addition, the command and control server it contacts to receive instructions does not exist. The worm represents a break from tradition for the limited amount of Mac malware out there, as it is “e-mail-aware,” as opposed to the Mac Trojans sometimes posted on Websites or peer-to-peer networks.

“A lot of Mac fans think that for something to be a worm then it requires no user interaction to spread,” said Graham Cluley, senior technology consultant at Sophos. “Although there are some Windows worms like that (for instance, Sasser and Code Red), many of the pieces of malware that we consider to be worms (for instance, The Love Bug, Anna Kournikova, etc.) did require user interaction and spread quite successfully.”

Perhaps the most interesting piece of the latest worm is that its author included this message to aid propagation: ‘For Mac OS X ! :(If you are not on Mac please transfer this mail to a Mac and sorry for our fault :)’

“The good news is that Tored doesn’t appear to be a very serious threat, and no-one is likely to encounter it,” Cluley told eWEEK. “A much more serious threat for Mac users are the Trojans that are being planted on Websites posing as an attractive download.”

Malware authors tried to do just that in January, when a Trojan was circulating via pirated versions of iWork ’09 and the Mac version of Adobe Photoshop CS4. Researchers at Symantec said in a paper last month that the network of infected users, which is believed to have included some 5,000 machines, constituted the first known Mac botnet.

Update: This story was updated to add information about the worm.
