Apple zombie malware ‘NetWeird’ rummages for browser and email passwords

When we write Naked Security articles about Mac malware, we often end up creating a bit of a stir. Usually that’s not on account of the malware itself, but on account of us writing about it in the first place.

Here’s how it goes down.

We write the article. The politically-sensitive Apple fanbuoys come out swinging, saying we only write about Apple malware because we’re down on Cupertino.

The artistic fanbuoys (Apple users who are in a band, for example) chime in even more fiercely, saying Mac malware is a figment of everyone else’s unimaginative delusion.

The geeky fanbuoys (the ones who know where bash is, and what it’s for) come out firmly to remind us – utterly without any accuracy – that if it doesn’t ask for the Admin password, it can’t be malware.

And then the long-suffering but battle-hardened Windows users pop up and say, “Back in 1991, we felt the same way. It didn’t end well.” Those of a philosophical bent repeat, with sincerity and concern, the words of George Santayana. “Those who cannot remember the past are condemned to repeat it.”

So, with a deep breath, here’s some Mac malware news.

There’s been a touch of fuss in the media about it, which is the first reason we thought that we ought to tell you about it; the second reason is that it has an engagingly curious name: NetWeird. (No, I don’t know why, either.)

NetWeird is interesting primarily because it is uninteresting. It’s not very well written; it’s not very well tested; it’s probably not going to catch you unawares (but watch out if you’re in a band!); and so far as we can tell, it’s not in the wild.

But someone has gone to the trouble of creating it and, according to our chums at French Mac anti-virus outfit Intego, is actually trying to sell it on the underground market for the ambitious price of $60.

And that makes it interesting: it seems that the crooks really are getting into the habit of churning out new Mac malware, not to show how clever they are, but merely to see if they can repeat the trick that’s worked on Windows for years: making money out of next to nothing. Those who remember the past often choose to repeat it, especially if there’s money to be made.

And now about the malware.

NetWeird installs itself into your home directory as an application bundle called That makes it rather obvious.

It adds itself to your login items, presumably with the intention of loading up every time you reboot your Mac. But a bug means that it adds itself as a folder, not an application. All that happens when you log back in is that Finder pops up and displays your home directory.

NetWeird also calls home to a hosted server located in The Netherlands. This makes it a bot, or zombie.

Bots make an outbound connection to a command-and-control server run by a cybercrook known as a botmaster, and then simply wait on that connection for instructions. Outbound is the direction that NAT and a typical firewall's default rules let through, and a TCP connection, once established, is fully bidirectional, so the side that did the connecting can behave like a server and take orders from the side that did the listening.
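To make the "outbound connection that behaves like a server" point concrete, here is an added example of our own: a toy controller and bot talking over loopback. It is not NetWeird's code, nor anything Sophos or Intego published, and the command verbs (PING, WHOAMI, LIST, QUIT) are made up and deliberately harmless; NetWeird's real wire protocol is not described on this page.

```python
"""Toy reverse-connect command channel: the 'bot' dials OUT, then takes orders.

Added example, not code from the malware or from Sophos. The command set is
constructed for the demo and restricted to harmless verbs (no shell access).
"""
import socket
import threading

# Constructed controller script; stands in for "what the botmaster types".
CONTROLLER_SCRIPT = ["PING", "WHOAMI", "LIST", "QUIT"]


def bot_dispatch(cmd: str) -> str:
    """Bot-side handler. Fixed, benign verbs only, so the remote party never
    gets arbitrary execution in this demo."""
    handlers = {
        "PING": lambda: "PONG",
        "WHOAMI": lambda: "demo-bot",
        "LIST": lambda: ",".join(sorted(handlers)),
    }
    handler = handlers.get(cmd)
    return handler() if handler else "ERR unknown command"


def controller(listener: socket.socket, script, transcript: list) -> None:
    """Botmaster side: waits for the bot to connect IN, then pushes commands
    OUT over that same connection and records each reply."""
    conn, _ = listener.accept()
    with conn, conn.makefile("r", encoding="utf-8") as rd:
        for cmd in script:
            conn.sendall((cmd + "\n").encode("utf-8"))
            if cmd == "QUIT":
                break
            reply = rd.readline().rstrip("\n")
            transcript.append((cmd, reply))


def bot(host: str, port: int) -> int:
    """Infected-host side: one ordinary outbound TCP connection (the direction
    NAT and default firewall rules permit), then a read loop that executes
    whatever arrives. Returns the number of commands executed."""
    executed = 0
    with socket.create_connection((host, port)) as sock, \
            sock.makefile("r", encoding="utf-8") as rd:
        for line in rd:                      # blocks until the controller speaks
            cmd = line.rstrip("\n")
            if cmd == "QUIT":
                break
            sock.sendall((bot_dispatch(cmd) + "\n").encode("utf-8"))
            executed += 1
    return executed


def run_demo(script=CONTROLLER_SCRIPT):
    """Run controller and bot on loopback; return (transcript, commands_executed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    host, port = listener.getsockname()
    transcript: list = []
    t = threading.Thread(target=controller,
                         args=(listener, script, transcript), daemon=True)
    t.start()
    executed = bot(host, port)
    t.join(timeout=5)
    listener.close()
    return transcript, executed


if __name__ == "__main__":
    for cmd, reply in run_demo()[0]:
        print(f"{cmd:>7} -> {reply}")
```

Note the asymmetry that matters for defenders: nothing on the infected host is listening, so a port scan of the Mac finds nothing, and the connection looks like any other client session leaving the network. Spotting this sort of thing is an egress-monitoring job, not an inbound-firewall one.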

The commands that the bot can process allow it to run arbitrary programs via the shell, monitor running processes, take screenshots, exfiltrate files, and rummage through the password files of well-known third-party browsers and email clients: Opera, Firefox, SeaMonkey and Thunderbird. (If you use one of the Mozilla-based apps and have never set a master password, the saved passwords are, in effect, readable by anything running under your account. None of this needs the Admin password, which is rather the point.)

You’re not likely to see this thing, but if you do, Sophos Anti-Virus will mop it up for you under the name OSX/NetWrdRC-A.

If you do get infected, deleting the above-mentioned application bundle and rebooting should get it off disk and out of memory. Remove the stray login item too (System Preferences > Users & Groups > Login Items), or Finder will keep opening your home directory at every login.

And if you’re running Mountain Lion in its default security settings, Gatekeeper won’t let you run it in the first place, because it’s not from the App Store and isn’t digitally signed by an Apple-endorsed developer. Two caveats: Gatekeeper only checks apps that carry the quarantine attribute your browser or mail client sets on downloads, and you can override its warning by Control-clicking the app and choosing Open. In other words, it stops you from double-clicking your way into trouble, not from insisting on it.

That’s about all you need to know about it.

Do you have anti-malware on your Mac?

Try our free Sophos Anti-Virus for Mac Home Edition. No registration, no password, no expiry. We don’t even ask for an email address.

Stirrer image courtesy of Shutterstock.