New malware, toolkits target Mac OS

Security researchers have discovered a rogue antivirus program and a separate, advanced malware toolkit that specifically target Mac users.

The MACDefender rogue antivirus was discovered by Intego and it is reported to be circulating on malicious sites and reportedly Google's image search.

It is downloaded as a compressed file that contains JavaScript, and once installed, generates a string of fakes virus alerts before asking users to pay up to US$90 ($82) to purchase a copy of the software to 'remove' the infections.

Rob VandenBrink, incident response handler at the US-based SANS internet storm centre, said the file will automatically execute if the option to "open safe files after downloading" is enabled in the Mac Safari web browser.

"I'd suggest that OSX users disable [the feature] and also invest in a reasonable anti-malware suite," VandenBrink said in a blog post. "Installing a real anti-malware package is also a good idea (no matter what the Apple Fans say)."

Separately, Danish research firm CSIS said overnight that it had spotted the first "advanced do-it-yourself" kit designed to create malware for Mac OS X on offer in underground forums.

The kit, dubbed Weyland-Yutani BOT, steals information from Mozilla Firefox forms in the same way as the Zeus and Spyeye trojans. Authors have promised to include web browsers Safari and Google's Chrome in future releases.

"Detailed information about this crimeware kit is not being leaked publicly and the authors of the kit are obviously trying to stay below the radar allowing only vetted users of the forums to see most of the content," CSIS spokesman Peter Kruse said.

The crime kit costs US$1,000 ($912) and will soon be updated to allow malware to be written for both the Apple iPad and Linux operating systems, according to CSIS.

It is built similar to Windows alternatives and includes a builder, an admin panel and supports encryption, Kruse said.

Perhaps the first indication that the Mac malware was being developed was when Kaspersky researcher Kurt Baumgartner last month spotted a reference to "macbook" in a co.cc subdomain that was notorious for distributing malware.

At the time, that domain was still hawking Windows-based rogue antivirus, and it wasn't enough to convince Baumgartner that malware writers had begun targeting the previously sheltered Mac platform.

MACDefender installations currently far more easily removed than equivalents on Windows machines. The malware can be uninstalled straight from the application install list.

Copyright © SC Magazine, Australia