Apple zombie malware 'NetWeird' rummages for browser and email passwords

Filed Under: Apple, Featured, Malware, OS X

When we write Naked Security articles about Mac malware, we often end up creating a bit of a stir. Usually that's not on account of the malware itself, but on account of us writing about it in the first place.

Here's how it goes down.

We write the article. The politically-sensitive Apple fanbuoys come out swinging, saying we only write about Apple malware because we're down on Cupertino.

The artistic fanbuoys (Apple users who are in a band, for example) chime in even more fiercely, saying Mac malware is a figment of everyone else's unimaginative delusion.

The geeky fanbuoys (the ones who know where bash is, and what it's for) come out firmly to remind us - utterly without any accuracy - that if it doesn't ask for the Admin password, it can't be malware.

And then the long-suffering but battle-hardened Windows users pop up and say, "Back in 1991, we felt the same way. It didn't end well." Those of a philosophical bent repeat, with sincerity and concern, the words of George Santayana. "Those who cannot remember the past are condemned to repeat it."

So, with a deep breath, here's some Mac malware news.

There's been a touch of fuss in the media about it, which is the first reason we thought that we ought to tell you about it; the second reason is that it has an engagingly curious name: NetWeird. (No, I don't know why, either.)

NetWeird is interesting primarily because it is uninteresting. It's not very well written; it's not very well tested; it's probably not going to catch you unawares (but watch out if you're in a band!); and so far as we can tell, it's not in the wild.

But someone has gone to the trouble of creating it and, according to our chums at French Mac anti-virus outfit Intego, is actually trying to sell it on the underground market for the ambitious price of $60.

And that makes it interesting: it seems that the crooks really are getting into the habit of churning out new Mac malware, not to show how clever they are, but merely to see if they can repeat the trick that's worked on Windows for years: making money out of next to nothing. Those who remember the past often choose to repeat it, especially if there's money to be made.

And now about the malware.

NetWeird installs itself into your home directory as an application bundle called That makes it rather obvious.

It adds itself to your login items, presumably with the intention of loading up every time you reboot your Mac. But a bug means that it adds itself as a folder, not an application. All that happens when you log back in is that Finder pops up and displays your home directory.

NetWeird also calls home to a hosted server located in The Netherlands. This makes it a bot, or zombie.

Bots use an outbound connection to listen for command-and-control signals from a cybercrook known as a botmaster. This works because a TCP connection, once established, is fully bidirectional, so the client side can behave as a server, and vice versa.

The commands that the bot can process allow it to run arbitrary programs via the shell, monitor running processes, take screenshots, exfiltrate files, and to rummage through the password files of well-known third-party browsers and email clients Opera, Firefox, SeaMonkey and Thunderbird.

You're not likely to see this thing, but if you do, Sophos Anti-Virus will mop it up for you under the name OSX/NetWrdRC-A.

If you do get infected, deleting the above-mentioned application bundle and rebooting should get it off disk and out of memory.

And if you're running Mountain Lion in its default security settings, you won't be able to run it anyway, because it's not from the App Store and isn't digitally signed by an Apple-endorsed developer.

That's about all you need to know about it.


Do you have anti-malware on your Mac?

Try our free

Sophos Anti-Virus for Mac Home Edition.

No registration, no password, no expiry.

We don't even ask for an email address.

Stirrer image courtesy of Shutterstock.

, , , , , , , , , ,

You might like

32 Responses to Apple zombie malware 'NetWeird' rummages for browser and email passwords

  1. Mostly Mac · 1141 days ago

    A refreshingly pragmatic malware write up Paul!

  2. anaglyph · 1141 days ago

    Selling it for $60? Have these guys ever tried to earn money some other way. Like delivering pizzas or something? Sheesh.

  3. Mac Defender · 1141 days ago

    I feel the need to firmly remind you -- if it doesn't ask for the Admin password, it can't be malware. I know this with utter accuracy as I have been a tech professional for 10 years -- I know where bash is, and I know what it's for.

    • Tim · 1141 days ago

      I'll have you know that Mac malware is a figment of everyones unimaginative delusion!

      • Richard · 1141 days ago

        And the only reason Sophos write about it is to "sell" their free Mac Anti-Virus product. :o)

        • Paul Ducklin · 1141 days ago

          It's bad enough when a company uses its own website to promote its products. But then neither to charge you money, nor even to take your name - what's the world coming to, eh?

          For shame. Next thing you know some Finnish chap will start writing an operating system and giving it away for free...

    • Harry pollard · 1141 days ago


  4. Sean · 1141 days ago

    “the second reason is that it has an engagingly curious name: NetWeird. (No, I don't know why, either.)”

    You can blame our analyst, Brod, for that… he was the first to add detection for NetWeird (a month ago) and he gave it that name. The app calls itself “NetWire Remote Control” but we often opt not to “promote” (for lack of a better word) the author's work. So Brod just shuffled the letters a bit.

    “NetWeird is interesting primarily because it is uninteresting.”

    The fact that Brod didn't bother to blog about it one month ago when he discovered it… yeah, it's uninteresting.

    • Paul Ducklin · 1141 days ago

      NetWire --> NetWeird. Aha, thanks!

      I'm a bit word-blind when it comes to malware names, I'm afraid. Back in the days of the Nimda virus, it took me several months to realise that it was a deliberate choice, being "Admin" backwards. (At first I thought it was merely an amusing coincidence :-)

  5. Frank Artmiami · 1141 days ago

    I remember when the guy that did the free Mac Virus for years quit updating it because of Macro based Malware spread through Office.

    I remember that stupid virus/worm from 1998--it even infected a MacAddict CD--and one of my vendors gave me back a syquest disk with it from their infrcted system (remember syquests?)

    There might not be a lot mac specific malware, but flash based affects everyone. Thank you for your efforts on Mac user's behalf.

    • John Baxter · 1141 days ago

      I evaded the MacAddict infected CD through procrastination. I was far enough behind reading magazines that I hadn't gotten to that issue before the next one arrived.

      Never put off until tomorrow what you can altogether get out of doing.

      • Andrew Ludgate · 1140 days ago

        I remember that MacAddict CD... December 1998, and contained the AutoStart worm. At that point, I had already disabled AutoStart on my Mac, as it seemed like a really insecure and annoying feature. I didn't use Office on my Mac (Claris/AppleWorks and the translators worked just fine), and Disinfectant and GateKeeper handled all the 68k Mac malware just fine, so I was happy to see that I had inadvertantly protected myself from this undetected beast too :)

        Now fourteen years later, I find myself in the same place by keeping Flash, Java and PDF plugins out of my default web browser (and running SAV instead of Disinfectant+GateKeeper).

        The MacAddict thing really drove home to me though that I had to treat all external content as untrustworthy though, and that being protected against what had been done in the past wasn't enough to protect me against attacks in the future.

  6. Ted · 1141 days ago

    It just kills me when these totally clueless Mac fanboys ( I am one, but I am not clueless on security) give the admin password scenario. Then I go, have you heard the descriptive words " authentication bypass malware"? Have you heard the words "vulnerability" install? NOW combine the two. Then add the fact that there is probably 20-30 of these unintentionally build right into OS X because the Apple coders are human. It just takes time to find them. Just hope it is a white hat.

    Some of these fanboys are so smart too. But in this case, they are smart by a half.

  7. @EvolvingMeme · 1141 days ago

    How do we get it is the most important thing - browsing the wrong sites, clicking on email attachment, having it installed as something else? If someone has to explicitly install the thing, they deserve to loose their data. If there's no distribution mechanism build in, it's a joke. Much ado about nothing, truly NetWeird here.

    • Paul Ducklin · 1141 days ago

      The notion that "if there's no distribution mechanism built in, it's a joke" is a bit of a myth, I'm afraid.

      The Flashback malware, for example, which hit some 600,000 Macs earlier this year, was injected onto infected Macs by a so-called "drive-by install" that used a Java exploit. The drive-by installer piece needn't be part of the malware that is ultimately delivered and left behind. Indeed, the installer and the malware are very often quite separate, so that the crooks can use the same exploit to deliver multiple items of malware, and can deliver the same malware via multiple exploits.

      And the notion that "if you choose to install something that turns out to be malware you deserve to suffer for it" is just holier-than-thou claptrap, if you don't mind me saying so. It's a bit like saying that people who get mugged because they wander into the wrong part of town were somehow asking for it. Sure - they could have taken better precautions. But they're victims nevertheless.

  8. Laurence Marks · 1141 days ago

    Paul Ducklin wrote: "Bots use an outbound connection to listen for command-and-control signals from a cybercrook known as a botmaster."

    Here in the US we usually write "bot herder."

    • Paul Ducklin · 1141 days ago

      I prefer "botmaster", if that's OK. I think that the meaning is pretty clear, and it's in widespread mainstream use in technical articles.

      "Bot herder" sounds a bit too respectable to me. It's evocative of the noble profession of shepherd - I end up imagining bot herders all seated on the ground, watching their flocks by night with glory shining around &c.

      "Botmaster", on the other hand, reinforces the degree of authority and control the crook enjoys over your computer. Written as one word, I imagine a quartermaster, not a shepherd. I imagine the flock not lovingly guarded out in the fields by night by outdoorsmen with biblically-proportioned beards, but penned up ready for the slaughter, intimidatingly attended by a strident Sergeant Major with well-polished boots and a precisely-waxed moustache.

      In short: a botmaster is a bot herder with a swagger stick and a Browning HiPower.

      • Scott McCain · 1141 days ago

        Paul, you really should think about writing fiction. I don't mean that in a derogatory way as this piece was well written. I was referring to your little anecdote about the quartermaster and the sheep. Ha ha! Good story!

    • Thomas J. Raef · 1061 days ago

      If it's "listening..." wouldn't that make it a bot heard-er? I guess only if it gets an answer.

  9. Graham G · 1141 days ago

    It strikes me as quite appropriate for Mr DUCKlin to float his ideas about "fanbuoys". Is he trying to insinuate those that appreciate Apple computers are just bloated and full of wind?
    Excuse me while I bounce off whistling "A life on the Ocean wave" with smug grin on face!
    p.s. ALWAYS use AV 'cos the buggers are out to get you - seriously.

  10. Gustav · 1141 days ago

    Who cares if a bunch of fanboys write in. Just write about it. I don't want to read six paragraphs of why you don't like fanboys before actual information. All I want is:

    What is it?
    What does it do?
    How do I get it?
    How do I stop my Mac from getting it?

    I certainly don't want to know your opinion of fanboys. Why are you giving them credence anyway. I certainly hope you aren't painting all Mac users (or even a majority) as fanboys.

  11. Tim · 1141 days ago

    I agree that Mac uses really need to take security far more seriously, however I don't think insulting them for a third of the post is going to help that.

  12. Nigel · 1141 days ago

    Perhaps the most interesting (and justly tragic) thing about NetWeird is that Mac fanboys who blindly deny the Mac's vulnerability are those most likely to fall prey to something that could so easily be prevented if they would only remove their heads from their nether throats.

    For the record, I'm a confirmed Macaholic (although I do use Windows occasionally), an artist (a composer, multi-instrumentalist, and producer), and I know what the Bourne-Again SHell is (although I don't use it). I'm not a coder (well, except for some rudimentary AppleScript, HTML, and CSS), and I know that I DON'T know enough to about malware to be complacent about it. I use Little Snitch, Sophos AV for Mac, NoScript with SeaMonkey, and (hopefully) a bit of common sense in the things I click on in email and online. I keep my software updated, and I read NakedSecurity. Sometimes the folks in Cupertino do things that piss me off royally. If I'm an Apple fanboy, I suspect I'm not a typical one.

    Thanks for a great article, Paul.

    • Andrew Ludgate · 1140 days ago

      You may be more typical than you think :) Of course, you don't fall into any of the categories covered by Duck's pre-emptive flame - and that's a good thing.

  13. Derek Currie · 1141 days ago

    It's anti-Apple and anti-Apple fanatic FUD, such as that found in this waste of bandwidth, that inspired me to start my Mac-Security blog back in 2007.

    [Link removed]

    Sorry, but I don't fit your trollish version of Mac fanatics at all. Neither do the vast majority of Mac fanatics I've known over the last two decades. FUD is no good to anyone, especially the foolish perpetrators. Please read my blog before lashing back with inanities. Thank you.

    • Paul Ducklin · 1140 days ago

      Don't get too cheesed off, because I'm about to offer some criticism here, but "trollish" is rather what I thought of your blog.

      For example, when you say "for the next eight (8) years, the China government-assisted Red Hacker Alliance succeeded in 'PWNing' (OWNing) or botting every single US government Windows-based computer exposed to the Internet," my inclination was to think that this might be a slight overstatement.

      Where you comment on the Flame malware, asserting that "it could infect and PWN any Windows-based computer by a mere drive-by Internet infection," I thought you might be disparaging the more security-savvy Windows user just a little.

      Where you used - and capitalised - the word LUSER to describe the person at the keyboard, I felt that you might have picked a less insulting word.

      And when you recommended that the aforemention LUSERS ought to "ONLY download software from trusted sites like [..] CNET," I found myself wishing you'd balanced that advice with mention of "the nmap incident", where CNET did something very naughty:

      I trust you will take these remarks in the spirit they are intended: critical, to be sure, but not inane.

  14. Derek Currie · 1140 days ago

    Dear Paul,

    Insulting and incorrect descriptions of Mac fanatics is going to lose Sophos customers. You've certainly lost Sophos my endorsement. You censoring of my previous comment didn't help either. I was hoping for professional behavior from Sophos.

    • Paul Ducklin · 1140 days ago

      Hi, Derek. Your previous comment - which is now posted above - arrived at 3am my time. I wasn't feeling censorious, but I _was_ fast asleep. _That's_ why there was a 4-hour delay in it turning up.

      • Derek Currie · 1140 days ago

        Thank you Paul. I'd rather work with you folks than against you.

  15. Ted · 1140 days ago

    Derek, is the classic fanboy, but he has a soapbox blog that disallows posting comments of rebuttal on his blog so his "purple sky" view of security and his love for the word "" FUD"" can be used to excess. Back a bit on his blog he was the "sorry macs don't get infected because WE/OS X have the admin password that pops up to warn use of the install. Well........... 2012 coming onto 2013, look what we have seen.

    I have had many posting back and fourths with him on that the Mac has not seen "the pros" attack the Mac. Then 3 months later up to 900,000 Mac get pwnd. Almost equal to Conficker infection rates on the PC. Well.....

    Nothing, even the truth about the vulnerabilities/exploits and lack of truly pro hackers hitting OS X or organizations like China's Red Dawn or The Russian Business Network that have not put their sites on OS X yet will ever change his mind. Derek is a true zealot.

    Derek, open up your blog, or is the fear of another opinion other then yours scaring you? You have let a few comments in,but ONLY when they "back up" your very narrow view on Mac security.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog