Intego has discovered a new malware called DevilRobber.A. This malware, which has been found in several applications distributed via BitTorrent trackers, steals data and Bitcoin virtual money, and uses CPU and GPU time on infected Macs to perform “Bitcoin mining.”
This malware is complex, and performs many operations. It is a combination of several types of malware: it is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers.
DevilRobber has been found in a small number of Mac applications that are distributed via BitTorrent trackers, including a popular graphic program.

When the doctored application is launched, a preflight script looks for Little Snitch, a network traffic blocker; if Little Snitch is found, the program terminates. If not, the malware adds a LaunchAgent file in the user’s ~/Library/LaunchAgents folder, to ensure that the malware launches on each reboot or login. The malware then searches for specific types of files with Spotlight, and writes data in a text file. It saves the user’s bash history file (this is a history of commands run in the Terminal application), saves the user’s Safari history file, takes a screenshot and saves that, and, if the user has a Bitcoin wallet, saves that as well. Another variant Intego has discovered also saves the user’s keychain files.
DevilRobber then launches a proxy on port 34522, and waits for a user to enter their user name and password; if this happens, it records these credentials, and sends them to a remote server. The malware continues performing other operations, such as posting data to a remote server, looking for the infected Mac’s external IP address, scanning the local network the Mac is on, searching for child pornography, and more.
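The persistence step described above (a LaunchAgent dropped into ~/Library/LaunchAgents so the payload restarts on every login) is also the easiest place to check for this kind of infection by hand. The following audit script is an added example, not Intego's code and not taken from the malware: it parses every launchd plist in a directory with the standard Label, Program and ProgramArguments keys, and reports jobs whose executable lives outside an allow-list of install locations (TRUSTED_PREFIXES is an assumption for the example; tune it to the Macs you manage). The two sample agents it writes to a temporary folder are constructed for the demonstration.

```python
"""Audit ~/Library/LaunchAgents for unexpected login items (added example, not Intego's code).

Assumes the standard launchd plist keys (Label, Program, ProgramArguments) and an
allow-list of directories (TRUSTED_PREFIXES, an assumption to tune per fleet) from
which a legitimately installed agent is expected to run.
"""
import os
import plistlib
import tempfile

TRUSTED_PREFIXES = (
    "/Applications/",
    "/System/",
    "/usr/bin/",
    "/usr/sbin/",
    "/Library/Application Support/",
)


def program_path(agent):
    """Executable a launchd job would start (Program wins over ProgramArguments)."""
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def is_suspicious(agent):
    """True when the job starts something outside the trusted locations, or nothing at all."""
    return not program_path(agent).startswith(TRUSTED_PREFIXES)


def audit_launch_agents(directory):
    """Return (filename, label, program) for every suspicious or unparseable .plist in `directory`."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                agent = plistlib.load(fh)
        except Exception:
            findings.append((name, "<unparseable>", ""))  # report it rather than silently skip
            continue
        if is_suspicious(agent):
            findings.append((name, str(agent.get("Label", "")), program_path(agent)))
    return findings


def build_demo_directory():
    """Constructed sample: one benign agent and one that runs from a hidden folder in the home directory."""
    directory = tempfile.mkdtemp()
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
              "RunAtLoad": True}
    dropped = {"Label": "com.example.helper",
               "ProgramArguments": ["/Users/demo/Library/.hidden/helper", "-d"],
               "RunAtLoad": True}
    for fname, data in (("com.example.updater.plist", benign), ("com.example.helper.plist", dropped)):
        with open(os.path.join(directory, fname), "wb") as fh:
            plistlib.dump(data, fh)
    return directory


if __name__ == "__main__":
    # Audit the real per-user folder when it exists, otherwise the constructed sample.
    target = os.path.expanduser("~/Library/LaunchAgents")
    if not os.path.isdir(target):
        target = build_demo_directory()
    for finding in audit_launch_agents(target):
        print(finding)
```

Anything the script reports is a starting point, not a verdict: a legitimate helper installed by hand into the home folder will show up too, so compare the program path against what you actually installed. Malformed plists are reported on purpose, since a job file that launchd cannot parse is itself worth a look.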
One of the main tasks of this malware is to perform “Bitcoin mining.” This procedure is a way of defrauding the Bitcoin virtual money service by making calculations and generating Bitcoins. (Bitcoin mining is explained here.)
While this malware is fairly sophisticated in its actions, it is not very widespread. For now, Intego has only seen DevilRobber in a handful of Mac applications distributed via BitTorrent trackers. Mac users should avoid downloading software from untrusted sites, notably those that distribute software illegally, such as BitTorrent trackers. If possible, always download software from the publishers’ web sites, or from trusted download sites.
Intego’s threat filters for VirusBarrier X6 dated October 28, 2011 or later will spot and block this malware as OSX/DevilRobber.A.
As the scariest weekend of the year approaches, it’s a good time to give your Mac a treat and protect it from the dangers of the Internet. Intego is offering 15% off its acclaimed Internet Security Barrier X6, which provides comprehensive protection against malware, network threats, spyware, phishing, zombies and more.
Internet Security Barrier is a bundle containing the following Intego programs:
Save 15% on Internet Security Barrier by entering the code HALLOWEEN when you place an order on Intego’s online store. This promotion is valid worldwide, only in Intego’s on-line store, and does not apply to software sold elsewhere.
Google is continuing with its frequent updates, and version number changes, for its Chrome web browser. The latest update fixes 28 security flaws, none of them considered to be critical, and adds another candle to the program’s version number, moving it up to 15.
Since Chrome auto-updates, you don’t need to do anything. In fact, looking on our Mac, we saw that the version of the application is 15.0.874.106, and not 15.0.874.102 as Google mentions in their blog post presenting the release. So there must have already been a minor update since the announcement of the new version 15.
A new backdoor and hacker tool, Tsunami, has been discovered. This hacker tool seems to be a port of a Linux malware, which has been around for some time, and provides remote access to hackers by listening in on an IRC (Internet relay chat) channel for instructions.
Tools like this are often used for distributed denial of service (DDoS) attacks (more on that below). These attacks flood computers with standard network requests, with a goal of overloading them. If a server receives more requests than it can handle, it can slow down, or even crash.
The Tsunami backdoor accepts a number of commands, and can change servers, download files, such as updates, and send packets to a specified IP address.
* TSUNAMI <target> <secs> = A PUSH+ACK flooder *
* PAN <target> <port> <secs> = A SYN flooder *
* UDP <target> <port> <secs> = An UDP flooder *
* UNKNOWN <target> <secs> = Another non-spoof udp flooder *
* NICK <nick> = Changes the nick of the client *
* SERVER <server> = Changes servers *
* GETSPOOFS = Gets the current spoofing *
* SPOOFS <subnet> = Changes spoofing to a subnet *
* DISABLE = Disables all packeting from this bot *
* ENABLE = Enables all packeting from this bot *
* KILL = Kills the knight *
* GET <http address> <save as> = Downloads a file off the web *
* VERSION = Requests version of knight *
* KILLALL = Kills all current packeting *
* HELP = Displays this *
* IRC <command> = Sends this command to the server *
* SH <command> = Executes a command *
Source code for this backdoor has been publicly available since at least September 2009, and it is trivial to compile this code with Apple’s Xcode and create a Mac executable.
This tool requires installation, and may actually be installed manually by people who choose to participate in DDoS attacks, such as those in the Anonymous group.
Individual users generally have little to fear from these tools. However, servers connected to the Internet can be vulnerable to remote installation. Hackers can take advantage of weaknesses in server software, especially PHP vulnerabilities, to gain access to a server and install a tool like this. In addition, once such a tool has been installed, the remote hacker can install other software onto the infected Mac.
A denial of service attack, or a distributed denial of service attack (DDoS), occurs when one or many computers “gang up” on a web site or server by sending a flood of traffic to that server. Most web servers can handle standard traffic of a certain number of connection attempts per second. Large web sites, such as the biggest online retailers, can handle thousands of connections a second or more. But when thousands of computers get together and send requests all at the same time, sending “floods” of requests, servers have trouble remaining operable. When this type of attack happens, most firewalls will act and block the sending address, but in sophisticated attacks, these addresses are forged, and may change with each new packet.
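The two failure modes described above (one host hammering a server, and a flood whose forged source addresses change with each packet so that per-address blocking never triggers) call for two different checks. The script below is an added example, not Intego's code: it reads a connection log in a constructed format of one "<unix_seconds> <source_ip>" line per accepted connection, buckets connections per second, and flags both individual sources over a per-source limit and seconds whose total arrival rate is over a global limit. Both thresholds are assumed values; set them from your own server's normal traffic.

```python
"""Flag connection floods in a server's connection log (added example, not Intego's code).

Assumed input format (constructed for this example): one line per accepted
connection, "<unix_seconds> <source_ip>". Two checks run per one-second bucket:
a per-source check that catches a single noisy client, and a total-rate check
that still fires when the source addresses are forged and change with each
packet, so that per-source blocking (what a firewall would do) never triggers.
Both thresholds are assumed values; size them from your own baseline traffic.
"""
from collections import Counter, defaultdict

PER_SOURCE_LIMIT = 20    # max connections from one address in one second
TOTAL_LIMIT = 200        # max connections from everyone in one second


def parse_log(lines):
    """Group connections by second: {second: Counter(source -> count)}. Malformed lines are skipped."""
    buckets = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        buckets[int(parts[0])][parts[1]] += 1
    return buckets


def find_floods(lines, per_source_limit=PER_SOURCE_LIMIT, total_limit=TOTAL_LIMIT):
    """Return (noisy_sources, hot_seconds).

    noisy_sources: [(second, source_ip, count)] for addresses over per_source_limit
    hot_seconds:   [(second, total, distinct_sources)] for seconds over total_limit
    """
    buckets = parse_log(lines)
    noisy, hot = [], []
    for second in sorted(buckets):
        counts = buckets[second]
        for source, n in sorted(counts.items()):
            if n > per_source_limit:
                noisy.append((second, source, n))
        total = sum(counts.values())
        if total > total_limit:
            hot.append((second, total, len(counts)))
    return noisy, hot


def build_sample_log():
    """Constructed log: quiet background traffic, then one loud client, then a spoofed flood."""
    lines = []
    for second in range(1000, 1005):                 # 10 ordinary clients, one connection each
        lines.extend(f"{second} 192.0.2.{i + 1}" for i in range(10))
    lines.extend("1005 198.51.100.7" for _ in range(50))                 # one source, 50 connections
    lines.extend(f"1006 203.0.113.{i % 254 + 1}" for i in range(300))    # 300 connections over 254 addresses
    lines.append("garbage line")                     # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    noisy_sources, hot_seconds = find_floods(build_sample_log())
    for second, source, n in noisy_sources:
        print(f"t={second}: {source} opened {n} connections (per-source limit {PER_SOURCE_LIMIT})")
    for second, total, distinct in hot_seconds:
        print(f"t={second}: {total} connections from {distinct} addresses (total limit {TOTAL_LIMIT})")
```

On the sample data the per-source check catches the single loud client at second 1005 but says nothing about second 1006, where no address exceeds two connections; only the total-rate check sees that second, which is exactly the case where a firewall blocking individual senders is of no help.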
Denial of service attacks are illegal; they are done for malicious purposes, such as to prevent a web site from functioning, or to block network traffic to and from a specific server. In some cases, such as Operation Payback, denial of service attacks were launched by a company paid by some Bollywood movie studios to attack websites that would not take down copyrighted material. After this, a retaliatory attack was made against a number of copyright organizations, law firms and others. Another attack was made on financial organizations that refused to process donations to Wikileaks.
Some users may install the Tsunami backdoor intentionally, to be part of such attacks. It is also possible that this tool is installed remotely on servers to increase the number of computers participating in such attacks, and, therefore, their effectiveness.
Tsunami is one of the many dozens of hacker tools that Intego VirusBarrier X6 protects against. These are tools that are used to attack a machine other than the one on which they are installed, and include tools for executing DDoS attacks, scanning ports, sniffing network traffic, searching for known vulnerabilities and much more.
Most hacker tools are in limited circulation, and are not used for direct attacks; they need to be manually installed on computers, after which they are operated remotely. As such, their threat level is generally very low. Nevertheless, VirusBarrier X6 protects against all such tools, notably to protect servers where they may be installed via exploits that take advantage of vulnerabilities in third-party code, such as PHP.
In any case, Intego has updated the threat filters for VirusBarrier X6 to protect against this backdoor; threat filters dated October 25, 2011 or later will spot and block this malware as OSX/Tsunami.A.
Security researcher Feross Aboukhadijeh discovered a flaw in Adobe Flash that could allow malicious users to “turn on your webcam and microphone without your knowledge or consent to spy on you.” You may not realize this, but one of the “features” in Flash is the ability for Flash objects to utilize your webcam (or iSight camera) and microphone. Ostensibly, this is so you can interact via Flash with other users, but we’ve never seen this in actual use.
It turns out that a sophisticated clickjacking technique could allow malicious users to set up a web page using CSS opacity to hide the Adobe Flash Settings Manager (a Flash object, naturally, that adjusts settings on your computer), and overlay it with buttons. When you click a button that seems to do something you want to do, the hidden Settings Manager setting gets turned on. Aboukhadijeh has set up a demo page where you can see how this works.
Adobe has fixed their Settings Manager so this problem can no longer occur. Nevertheless, you might want to go to the Settings Manager page and, on the Global Privacy Settings tab, check Always Deny for the Camera and Microphone settings. Unless you have actually used a webcam and microphone with Flash, or plan to do so, there’s no reason for these settings to be active.
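The attack above only works because the Settings Manager page could be loaded, invisibly, inside another site's page. The user-side fix is the Always Deny setting described in the post; on the site-owner side, the corresponding control is to refuse cross-origin framing with the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive. The checker below is an added example, not Intego's or Adobe's code: given a response's headers it reports whether an unrelated origin could still frame the page, honouring the rule that frame-ancestors takes precedence over X-Frame-Options when both are present. The sample responses are constructed for the example and do not describe any real site.

```python
"""Check whether an HTTP response lets a third-party page frame it (added example, not Intego's code).

Reads the two headers a site owner controls: X-Frame-Options and the
Content-Security-Policy frame-ancestors directive. The sample responses are
constructed for the example.
"""


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framable_by_third_party(headers):
    """True if an unrelated origin could load this response inside an iframe."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            # Browsers honour frame-ancestors over X-Frame-Options when both are present;
            # an empty source list is equivalent to 'none'.
            return any(a in ("*", "http:", "https:") for a in ancestors)
    xfo = lower.get("x-frame-options", "").strip().lower()
    # Only DENY and SAMEORIGIN are treated as protection: ALLOW-FROM was never
    # supported by every browser, and a browser that ignores the header frames the page.
    return xfo not in ("deny", "sameorigin")


SAMPLE_RESPONSES = {  # constructed header sets, not real sites
    "no-protection": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin-lowercase-name": {"x-frame-options": "sameorigin"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-self-only": {"Content-Security-Policy": "frame-ancestors 'self'"},
    "csp-overrides-xfo": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "csp-without-frame-ancestors": {"Content-Security-Policy": "default-src 'self'"},
}


def audit(responses=SAMPLE_RESPONSES):
    """Map each response name to whether it can be framed cross-origin."""
    return {name: framable_by_third_party(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, framable in audit().items():
        print(f"{name:32s} framable by third party: {framable}")
```

The "csp-without-frame-ancestors" case is the one people most often get wrong: a CSP that never mentions frame-ancestors says nothing about framing, so the page is still open to this technique unless X-Frame-Options is set as well.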
A security firm has published some information on a new variant of the Flashback Trojan horse, which Intego discovered in September. This new variant, which they are calling Flashback.C, is the variant that Intego spotted a week ago, Flashback.D. (It’s not uncommon for different security companies to name variants differently; we may have more variants than other companies.)
Some of the information published about this variant is interesting, notably the fact that it can disable Apple’s XProtect malware detection system. When disabling XProtect, the Trojan horse overwrites certain files (notably the info.plist file for the XProtectUpdater daemon, which prevents Mac OS X from receiving updates to XProtect), which means that VirusBarrier X6 cannot repair the damage. (In order to repair it, VirusBarrier X6 would need to re-install a new version of the file; the program cannot simply undo the changes, since the file is overwritten entirely.)
Some companies have published instructions for manually removing this malware, but it is important to note that such instructions only discuss removing code added to the Safari or Firefox web browsers; given the damage done to the XProtect system, manual repair is impossible. (It is technically possible to recover the XProtect file from a backup, if a user has cloned their startup volume, such as with Intego Personal Backup, which is part of Internet Security Barrier, or made a full system backup with Apple’s Time Machine; this entails restoring the /usr/libexec/XProtectUpdater daemon. Users should be very careful if they do this manually, as opposed to using the restoration function of Personal Backup or Time Machine, as permissions on the file could cause the daemon to not function correctly.)
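Because the damage described above is to the XProtectUpdater job rather than to the browser, a removal that only cleans Safari or Firefox leaves a Mac that silently stops receiving XProtect updates. The check below is an added example, not Intego's code: it verifies that the /usr/libexec/XProtectUpdater binary named in the post exists and is executable, and that its launchd job file still parses and still points at that binary. The job file path given as the default is an assumption for Mac OS X 10.6 and 10.7 and may differ on your system; the three fixtures it builds in a temporary folder (intact, redirected, overwritten with junk) are constructed for the example.

```python
"""Integrity check for the XProtectUpdater launchd job (added example, not Intego's code).

Assumptions: the daemon binary lives at /usr/libexec/XProtectUpdater (named in the
post) and its launchd job file is a standard launchd plist whose ProgramArguments[0]
is that binary. LAUNCHD_PLIST is an assumed default location and may differ.
"""
import os
import plistlib
import tempfile

BINARY = "/usr/libexec/XProtectUpdater"
LAUNCHD_PLIST = "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"  # assumed location


def check_xprotect_updater(plist_path=LAUNCHD_PLIST, binary=BINARY):
    """Return a list of human-readable problems; an empty list means the job looks intact."""
    problems = []
    if not os.path.isfile(binary):
        problems.append(f"daemon binary missing: {binary}")
    elif not os.access(binary, os.X_OK):
        problems.append(f"daemon binary not executable: {binary}")
    if not os.path.isfile(plist_path):
        problems.append(f"launchd job file missing: {plist_path}")
        return problems
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # overwritten or truncated job file
        problems.append(f"launchd job file unreadable ({exc.__class__.__name__}): {plist_path}")
        return problems
    args = job.get("ProgramArguments") or []
    if not args:
        problems.append("launchd job has no ProgramArguments (job would never start)")
    elif args[0] != binary:
        problems.append(f"launchd job points at {args[0]!r} instead of {binary}")
    if job.get("Disabled") is True:
        problems.append("launchd job is marked Disabled")
    return problems


def build_scenario(kind):
    """Constructed fixtures: (plist_path, binary_path) for 'intact', 'redirected' or 'overwritten'."""
    root = tempfile.mkdtemp()
    binary = os.path.join(root, "XProtectUpdater")
    with open(binary, "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")       # stand-in for the real daemon
    os.chmod(binary, 0o755)
    plist = os.path.join(root, "com.apple.xprotectupdater.plist")
    if kind == "overwritten":
        with open(plist, "wb") as fh:
            fh.write(b"\x00" * 64)              # job file replaced with junk, as the post describes
    else:
        target = binary if kind == "intact" else os.path.join(root, "somewhere_else")
        with open(plist, "wb") as fh:
            plistlib.dump({"Label": "com.apple.xprotectupdater",
                           "ProgramArguments": [target],
                           "StartInterval": 86400}, fh)
    return plist, binary


if __name__ == "__main__":
    # Check the real system paths when they exist, otherwise walk the constructed fixtures.
    if os.path.isfile(LAUNCHD_PLIST) or os.path.isfile(BINARY):
        print(check_xprotect_updater() or ["XProtectUpdater job looks intact"])
    else:
        for kind in ("intact", "redirected", "overwritten"):
            print(kind, check_xprotect_updater(*build_scenario(kind)))
```

A non-empty result is the signal to restore from the backup the post recommends rather than to edit by hand; as the post notes, a restored file with the wrong permissions leaves the daemon just as broken as a missing one, which is why the check tests for the execute bit and not only for the file's presence.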
This is the first malware affecting Mac OS X that we have seen that intentionally damages system files. Because of this, repairing damage can be very time-consuming. Even with the appropriate, up-to-date backups, it still takes time to restore the operating system. In the Windows world, the most common method for dealing with this type of file corruption is to re-install the entire operating system. We hope Mac malware doesn’t use similar techniques in the future that would require a full installation of Mac OS X to repair damage. Of course, it is wise to protect one’s Mac with antivirus software to ensure that such damage doesn’t occur in the first place.
Since Intego discovered this variant of the Flashback Trojan horse, the command and control servers that the malware contacts have been inoperable. However, now that this Trojan horse is in the news again, these servers have awakened, and Intego has seen activity today, sending updates to installed malware.
Intego VirusBarrier X6, with malware definitions dated October 13, 2011, or later, detects and blocks this malware.