In their latest “Virus Bulletin”, Symantec employees report that apparently the first Mac OS-based botnet has appeared. They call it the iBotnet. Two trojans have been identified:
- OSX.Iservice
- OSX.Iservice.B
Technique
The trojans aim to obtain the user password or the root password – depending on the configuration you’re running. By default, the “root” account is disabled on OS X, and therefore user rights are elevated in certain situations. Once the user or root password has been obtained, the system is compromised and gets added to the botnet.
Distribution
Both of these files are currently being distributed via peer-to-peer networks like BitTorrent. The trojans are included in illegal copies of:
- iWork09 and
- Adobe Photoshop CS 4
Dissemination
It is estimated that some thousand Macs are already infected.
Behaviour
There are strong indications that the botnet has already been used for distributed denial-of-service (DDoS) attacks using a PHP script.
Conclusion
From analyzing the trojans, the Symantec guys reason that other versions might already be in the wild, since the technique seems to be pretty flexible and expandable. Our recommendation: get yourself a virus scanner for your Mac, ASAP.