A crimeware kit that is designed to create malware for the Mac OS platform has been discovered on underground forums.
CSIS Security Group announced the findings, saying that detailed information about the crimeware kit is not being leaked publicly. The authors of the kit are trying to stay below the radar, allowing only approved users of the forums to see most of the content.
CSIS Security Group said that the kit is being sold under the name 'Weyland-Yutani Bot' and is the first of its kind to hit the Mac OS platform. It said that Weyland-Yutani Bot supports web injects and form grabbing in Firefox. It expects updates for both Chrome and Safari soon, while dedicated iPad and Linux releases are also under preparation.
It said that the advanced form grabber is advertised on several closed underground forums. In the same style as other DIY crimeware kits designed for PCs, this tool consists of a builder, an admin panel and encryption support.
Talking to SC Magazine, Peter Kruse, partner and security specialist at CSIS Security Group, said that he believes this kit is already operational and that version one has a licence price for the complete kit equal to 1,000 WMZ/LR or US $1,000.
Asked if there have been any downloads or uses of it so far, Kruse said: “We have no idea. It's being advertised and sold on several underground forums. We assume there is a market but also we currently expect the number of licences issued to be limited. This is also due to the fact that this is version one of the crime kit.
“First of all this is advanced crimeware very much like Zeus and Zbot. It even uses almost the very same templates to conduct web injections. Very nasty stuff indeed. Also this kit is a construction set meaning that it could generate a fairly large amount of samples in a very short time.”
Asked if this could pose a larger problem for the huge numbers of personal users of Mac OS products such as the iPhone and iPad, Kruse said that for the crimeware to execute or install, the device would have to be jailbroken.
“Then the attacker has to trick the user into opening a Trojan downloader. This could manifest as a smart and free application but bundled with the malware just like we have seen with Android,” he said.
“Alternatively the attacker would have to exploit a vulnerability in the OS by luring the user to visit a drive-by site to install or force feed the device with the malicious code. The lure could come from a spam mail, chat, SMS or Facebook link; there are plenty of ways to lure a user to click a link.”