Friday, January 23, 2009

iWork 2009 Trojan building a botnet

This week security researchers reported that pirated copies of iWork 2009 may contain a Trojan horse. Experts note that with Mac OS X threats, you have to be fooled into installing them. In this case, the chance to own iWork 2009 on the cheap is the potential draw. Most antivirus programs for the Mac are capable of stopping this threat.

But what hasn't been widely reported is what happens after a machine is infected.

Jose Nazario of Arbor Networks today posted an interesting blog post on the iWork Trojan. He found that it's creating a botnet (of course).

Earlier this week I speculated that the Downadup/Conficker worm might be doing the same.

Nazario says, like other botnets, it keeps trying until it connects to the command and control server. "It also grabs a list of seed P2P peers from the file itself by decrypting the running file (thwarting static analysis) and managing the known peers as you would expect. It generates a port to listen on as needed (although it’s not quite clear to me how it would handle being behind a NAT device)…. What’s more is that there is an embedded Lua interpreter, giving a very sophisticated command language some additional structure."
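The self-decrypting seed list Nazario describes is a pattern analysts run into regularly: the peer list is present in the binary only as ciphertext, so `strings` and other static inspection show nothing, and the key usually has to be recovered by watching the decryption routine execute under a debugger or by dumping process memory. Once the key and blob layout are known, extraction of the seed peers from any sample is a short script. The one below is an added example, not code from this post or from Arbor's analysis, and the blob layout it assumes (a `PEERBLOB` marker, a 2-byte little-endian length, a repeating XOR key) is invented for illustration rather than the real iServices format.

```python
"""Recover an encrypted seed-peer list embedded in a binary image.

Added example only. The marker, length field and XOR key are assumptions
chosen for illustration; the actual iWork Trojan's on-disk format and key
are not described on the page.
"""
import struct

MARKER = b"PEERBLOB"              # hypothetical marker that precedes the blob
KEY = bytes.fromhex("5a3c9e71")   # hypothetical repeating XOR key (as recovered from a debugger)


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_binary(peers):
    """Construct a fake 'binary' that carries the encrypted peer list.

    This is constructed test input standing in for a real sample: some
    filler bytes, the marker, a 2-byte length, the ciphertext, more filler.
    """
    plaintext = "\n".join(peers).encode("ascii")
    blob = xor_crypt(plaintext, KEY)
    return (b"\x00junk code\x90\x90" + MARKER + struct.pack("<H", len(blob))
            + blob + b"\xcc" * 16)


def extract_seed_peers(image: bytes):
    """Locate the blob, decrypt it and return [(host, port), ...].

    Returns [] when the marker is absent; raises ValueError on a truncated
    blob or a malformed entry so a corrupt sample is not silently accepted.
    """
    idx = image.find(MARKER)
    if idx < 0:
        return []
    off = idx + len(MARKER)
    if off + 2 > len(image):
        raise ValueError("length field missing")
    (length,) = struct.unpack_from("<H", image, off)
    blob = image[off + 2: off + 2 + length]
    if len(blob) != length:
        raise ValueError("truncated peer blob")
    text = xor_crypt(blob, KEY).decode("ascii")   # wrong key => UnicodeDecodeError or garbage
    peers = []
    for line in text.splitlines():
        host, sep, port = line.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed peer entry: {line!r}")
        port_n = int(port)
        if not 0 < port_n < 65536:
            raise ValueError(f"port out of range: {line!r}")
        peers.append((host, port_n))
    return peers


if __name__ == "__main__":
    # Constructed sample input (documentation/test addresses only).
    sample = build_sample_binary(["203.0.113.5:3344", "198.51.100.7:19827"])
    for host, port in extract_seed_peers(sample):
        print(f"seed peer {host}:{port}")
```

The same approach scales to a directory of samples once the key is known: run `extract_seed_peers` over each file and diff the resulting peer sets to see whether the seed list changes between builds, which is the kind of visibility static analysis alone would not give here.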

What has this new botnet been up to? So far, Nazario reports it has been launching distributed denial of service (DDoS) attacks.
