Bot nets on Mac?
#17900 10/05/11 01:19 AM
Posted by JoBoy (OP)
Do Bot net infections exist in the wild on Macs? I have a Mac Pro running 10.6.8 with all security patches installed. I'm getting repeated warnings from Comcast (my ISP) telling me that I MAY have a Bot on one or more of my computers.

I do use their "Missed Spam" service at "missed-spam@comcast.net" to forward spam messages for their attention, but I have none of the symptoms they describe on their web page at https://constantguard.comcast.net. In fact, my machine is running beautifully with no hiccups.
I wonder if they think that my faithful use of the missed spam service indicates a Bot on my machine? Their continuing persistence with email warnings and one phone message are becoming a pain in the neck.

Last edited by JoBoy; 10/05/11 01:21 AM.

Mac Pro dual Quad-Core Intel Xeons Early 2008; 16GB RAM; MacOS X 10.11.6, iOS 9.3.5
Re: Bot nets on Mac?
JoBoy #17905 10/05/11 02:54 AM
Originally Posted By: JoBoy
Do Bot net infections exist in the wild on Macs? I have a Mac Pro running 10.6.8 with all security patches installed. I'm getting repeated warnings from Comcast (my ISP) telling me that I MAY have a Bot on one or more of my computers.

I suppose botnets on Macs are theoretically possible, but there are no indications that they really exist, and so far there are no Mac spam-relay viruses. You might want to check this thread for some background info. Most current Mac malware can only affect you by masquerading as something else and thereby conning you to install it yourself. That could happen if you tend to click links willy-nilly and install pretty much anything for the sheer heck of it. If you don't qualify (smirk), my personal opinion is that you're probably OK, given the other precautions you say you've taken.

I'm not aware of free malware scanners, but in addition to anti-virus software (which largely focuses on Windows viruses because of the lack of Mac versions) I'm aware only of the anti-malware MacScan utility. If anything, all such utilities are running behind the times, but at least they can check for known items. MacScan has a free 30-day trial mode, but some online comments I recall suggest that that trial may not be fully working.


alternaut moderator
Re: Bot nets on Mac?
alternaut #17908 10/05/11 08:56 AM
My two cents' worth (if it's worth even that):

When my Virex on OS 9 went defunct in 2007, I never bothered to find another antivirus application. Even today there's nothing going there ... but, then, who writes malware and its ilk for ancient systems used by a handful of people?

A colleague of mine who has been using MacBooks since they were born and recently upgraded to the latest one running Lion, and who spends gargantuan amounts of time online, told me that he runs Sophos on it every month or so and over the years has never picked up anything suspicious or alarming. He opines that it's a waste of time.

So, my quasi-quandary is whether I should bother to install Sophos on my machine. Or just carry on regardless.

Re: Bot nets on Mac?
alternaut #17914 10/05/11 01:40 PM
My experience is the same as yours and I've had many Macs and even a Lisa before that.

I bought MacScan a few months ago and it has been very helpful in deleting known tracking cookies, but other kinds of malware, if any, haven't been detected. I think Comcast is blowing hot air re Macs. Its stuff may be good for Windows, but I don't need it.


Re: Bot nets on Mac?
JoBoy #17915 10/05/11 01:57 PM
What's your local network like? If you have wireless, make sure that there are no other unexpected people using your wireless router by making sure it's passworded. Also, make sure that any other legitimate computers on your network do not have any issues as well.


iMac 2.7 GHz Core i5, 12 GB RAM, OS X 10.9, Int SATA 1 TB, Ext Fire 2 TB / 1 TB / 1 TB / 500 GB / 300 GB
Former MacFixIt Forums member since 11/17/99
www.rhubarbproductions.com
Re: Bot nets on Mac?
JoBoy #17926 10/05/11 05:57 PM
Do the warnings specify why they think that is? Can you post the body of one of those warnings here?


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Bot nets on Mac?
alternaut #17928 10/05/11 06:12 PM
Originally Posted By: alternaut
I'm not aware of free malware scanners ...

Well, I've got to amend that: Intego's VirusBarrier Express is free, but as a sales promotion tool has fewer features compared to the VirusBarrier Plus or X6 versions.

That said, I'm not yet convinced that an anti-malware utility is required for Mac users, particularly if they use common sense and keep abreast of developments in the field that allow them to recognize hazards.


Re: Bot nets on Mac?
alternaut #17929 10/05/11 06:26 PM
Re: Bot nets on Mac?
Hal Itosis #17932 10/05/11 06:54 PM
I wasn't aware that ClamAV scanned for malware other than viruses (i.e., trojans etc), like VirusBarrier (and MacScan). Did I miss something?


Re: Bot nets on Mac?
JoBoy #17958 10/05/11 10:24 PM
Originally Posted By: JoBoy
Do Bot net infections exist in the wild on Macs?


Yes. My Mac got botted.

You have to do something really stupid to get botted, though. In my case, I created a separate user account for friends to use when they visited. It was named "Friend" with password "friend". That was dumb. (NEVER create an account whose password is empty, the same as the account name, or the account name spelled backwards. Those are the first three passwords an attacker will try.)

At the time, it was harmless. I didn't have Remote Login enabled, so there was no way for an outsider to even get to a password request.

But then I learned about ssh, and wanted a way to access my computer from outside. I configured my router to allow ssh from outside. I gave fleeting thought to passwords, but they were all strong except for the "friend" account, and that account was a non-admin account that had been carefully configured to have no access to any of my data. My thought was: "I don't care if they log in as friend."

Then one day I discovered that my "friend" account had joined a botnet. It still had no access to any of my data, but was perfectly willing to contribute processor power and internet bandwidth to the cause.

As a non-admin, it could not install anything into /Applications, but it didn't need to. It installed an application directly into ~friend. It tried to clean up its tracks by removing the source files it was compiled from, but missed a few, enough to show that it was using the Darwin version of an IRC client. That is, the attacker knew they had reached a Macintosh, and wasn't deterred.

This attacker was clumsy. They made no effort to hide the application, leaving it unhidden right at the top level of the home folder. They didn't clean up all the source files. They didn't even turn off the logs! They changed the password on the "friend" account (which was how I first spotted the intrusion). Why? I dunno. They didn't add any keys to ~/.ssh/authorized_keys, or leave any other back doors open. (Believe me, I searched, then wiped the account just to be sure.)

But this clumsy attacker still botted my Mac.

(BTW: according to the logs, I was lucky enough to detect the intrusion within hours. All they managed to do before I caught them was to log into an IRC server in Norway, and download some files from a porn site in Rumania. The attack appears to have come in from Los Angeles.)

In hindsight, opening a hole for remote login is dangerous, but the danger is manageable and the value to me of being able to login from outside is sufficient to warrant the risk. That's not the stupid thing I did.

The stupid thing I did was to have any account, even a useless throw-away account like this one, with a weak password.

For a long time after that, I monitored my security logs and internet connections intently, looking to see if I had overlooked anything. One thing I saw is that intruders probe throw-away account names, like "test", "test1", ... "test9", "ftp", "ftp1", ..., "ftp9", "web", ... "web9", "www", ... "www9", etc. along with common first names, like "Joe", "Bob", "Boris", "Dmitri", "Vladimir", "Katie", etc., presumably looking for weak passwords. (They also really hammer on "root", "admin", "admin1", ... "admin9", apparently taking the time to do full dictionary attacks on those.) The point here is that even a temporary "test" account needs a strong password. Same with the kids. Even your kindergartener needs a good password.

And the real point is: Macs can indeed be botted. We're not invulnerable, the attackers know it, and they are probing our defenses. This isn't abstract theory. The attacks are real, and when needed, Macintosh specific. I know. I've been there.


That having been said, most anti-malware software is useless on a Mac. Most attacks use social engineering, which anti-malware software is useless against. The software either looks for signatures of known viruses, or monitors for "suspicious activity". There is no known "suspicious activity" on a Mac, and the very ability to monitor the system in that level of detail would itself be an avenue for infection. (Little Snitch might be an exception to that: unplanned outgoing connections would count as suspicious activity.) And the bad guys can change their signatures too fast, which makes signature detection useless against any but the clumsiest attackers.

The best defense is vigilance.

Oh, and don't do anything stupid.

Last edited by ganbustein; 10/05/11 10:34 PM. Reason: add arguments against anti-malware.
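The log review ganbustein describes (probes against throw-away names, a burst of failed passwords, then a successful password login on the weak account) can be automated. The script below is an added example, not code from the post or from any tool named in the thread. It parses sshd syslog lines of the form a 10.6-era Mac writes, counts failed password attempts per source address, records which throw-away names were probed, and flags a password login that succeeds after a burst of failures from the same address. The host name, user names, addresses and every log line are constructed for the demo.

```python
"""Spot SSH password guessing and a login that succeeds after it.

Added example (not from the thread). Parses sshd syslog lines and
raises two kinds of finding:
  * probed_names     - throw-away / admin names tried from a source
  * suspicious_logins - an Accepted password login from a source that
                        already had >= fail_threshold failures
The sample log below is constructed; nothing in it is real.
"""
import re
from collections import defaultdict

# Constructed sample: a scan from one address that ends with a
# successful password login on the weak "friend" account, followed
# by a legitimate key-based login from elsewhere.
SAMPLE_LOG = """\
Oct  5 21:58:01 macpro sshd[4101]: Invalid user test from 198.51.100.23
Oct  5 21:58:01 macpro sshd[4101]: Failed password for invalid user test from 198.51.100.23 port 51022 ssh2
Oct  5 21:58:03 macpro sshd[4103]: Invalid user test1 from 198.51.100.23
Oct  5 21:58:03 macpro sshd[4103]: Failed password for invalid user test1 from 198.51.100.23 port 51031 ssh2
Oct  5 21:58:05 macpro sshd[4105]: Failed password for root from 198.51.100.23 port 51040 ssh2
Oct  5 21:58:06 macpro sshd[4107]: Failed password for root from 198.51.100.23 port 51041 ssh2
Oct  5 21:58:08 macpro sshd[4109]: Invalid user admin from 198.51.100.23
Oct  5 21:58:08 macpro sshd[4109]: Failed password for invalid user admin from 198.51.100.23 port 51052 ssh2
Oct  5 21:58:10 macpro sshd[4111]: Failed password for friend from 198.51.100.23 port 51060 ssh2
Oct  5 21:58:12 macpro sshd[4113]: Accepted password for friend from 198.51.100.23 port 51065 ssh2
Oct  5 22:10:40 macpro sshd[4200]: Accepted publickey for joboy from 192.0.2.7 port 40110 ssh2
"""

# "invalid user" appears when the name does not exist on the box;
# the optional group lets one pattern cover both cases.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

# Throw-away and admin names of the kind the post says get probed.
PROBE_NAMES = re.compile(r"^(?:root|admin\d?|test\d?|ftp\d?|web\d?|www\d?)$")


def analyze(log_text, fail_threshold=3):
    """Walk the log in order, keeping a running failure count per source.

    Returns {"suspicious_logins": [...], "probed_names": {src: [names]}}.
    A password login is only flagged when guessing from the same
    address preceded it; key-based logins are never flagged.
    """
    failures = defaultdict(int)   # source address -> failed attempts so far
    probed = defaultdict(set)     # source address -> probe names tried
    suspicious_logins = []

    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            if PROBE_NAMES.match(user):
                probed[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            if method == "password" and failures[src] >= fail_threshold:
                suspicious_logins.append(
                    {"user": user, "src": src, "prior_failures": failures[src]})

    return {
        "suspicious_logins": suspicious_logins,
        "probed_names": {src: sorted(names) for src, names in probed.items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for hit in report["suspicious_logins"]:
        print("password login for %(user)s from %(src)s after "
              "%(prior_failures)d failures" % hit)
    for src, names in report["probed_names"].items():
        print("%s probed: %s" % (src, ", ".join(names)))
```

Pointed at a real log (on 10.6 sshd messages typically land in /var/log/secure.log) the same function reports the burst of probe names and the one password login that succeeded after them. The detection is only a backstop; the fix the post arrives at is to have no weak password on any account, and on an Internet-exposed sshd the standard complement is `PasswordAuthentication no` plus an `AllowUsers` list in sshd_config, so that a guessable account like "friend" can't be reached by password at all.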
Re: Bot nets on Mac?
JoBoy #18025 10/06/11 09:54 PM
I have encountered only one remotely compromised Mac in all my days, and it had a whole circle of computer experts surrounding it staring in disbelief. It was spam-zombieing. But it was a high value (and somewhat embarrassing) target, a computer admin's laptop in a school with a big pipe. He had a weak password and ssh was on.


I work for the Department of Redundancy Department
