
Year in Mac Security 2011


New Malware DevilRobber Grabs Files and Bitcoins, Performs Bitcoin Mining, and More

Intego has discovered a new malware called DevilRobber.A. This malware, which has been found in several applications distributed via BitTorrent trackers, steals data and Bitcoin virtual money, and uses CPU and GPU time on infected Macs to perform “Bitcoin mining.” This malware is complex, and performs many operations. It is a combination of several types of malware: it is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is spyware, as it sends personal data to remote servers.

DevilRobber has been found in a small number of Mac applications that are distributed via BitTorrent trackers, including a popular graphic program.

New Variant of DevilRobber Trojan Found in Three Mac Apps

Intego’s malware researchers have found a new variant of the DevilRobber Trojan horse, which they first discovered in October.

The latest variant – DevilRobber.D (there have been two others in between) – has been spotted in three Mac applications distributed via BitTorrent trackers. The applications in question are Writer’s Café, EvoCam and Twitterrific. It is important to note that the original applications, obtained from the developers’ web sites, are not infected, but that malicious users distribute infected versions via BitTorrent trackers. If you use these applications, and have purchased them from the developers, you have nothing to worry about.

Tsunami Backdoor Can Be Used for Denial of Service Attacks

A new backdoor and hacker tool, Tsunami, has been discovered.

This hacker tool seems to be a port of Linux malware that has been around for some time, and provides remote access to hackers by listening in on an IRC (Internet Relay Chat) channel for instructions. Tools like this are often used for distributed denial of service (DDoS) attacks (more on that below). These attacks flood computers with standard network requests, with a goal of overloading them. If a server receives more requests than it can handle, it can slow down, or even crash.

OSX/Tsunami Variant Found Dropped by Java 0-Day

A variant of OSX/Tsunami has been found that is rumored to be dropped as a drive-by-download by the new Java 0-day exploit, CVE-2012-4681.

This method of infection has not yet been confirmed, but as this OSX malware connects out to the same IP address as the Windows backdoors known to be dropped by CVE-2012-4681, it seems they are at least related incidents. At the time of writing, the JAR file that was purported to be dropping this Trojan has been replaced with a bit of threatening text. It seems like maybe someone knows they’ve been discovered?

SECURITY MEMO: Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package

More About the Flashback Trojan Horse

Intego’s security researchers have been examining the code of this new Trojan horse, which we announced yesterday.

They have found some interesting elements in the code. First, the code itself is quite sophisticated. The Trojan horse installs a backdoor, at ~/Library/Preferences/Preferences.dylib, which communicates with a remote server, sending and receiving data using RC4 encryption. The backdoor uses the infected Mac’s hardware UUID (a unique identifier) as a user agent, and to identify specific computers. The encryption key used is an MD5 hash of the infected Mac’s UUID.

Flashback Trojan Spreading; Mac Users Should Be Wary of Flash Installers

Following our recent security memo about the Mac Flashback Trojan horse, Intego has seen an increase in the number of Mac users infected by this malware. After publicizing this threat, many users have posted, both in the comments on this blog and on other blogs and forums, about having either seen this malware download or actually installed it. If you end up on a site that is serving this malware, you will see something similar to this: the first things you see are the crashed plugin graphic and the purported error messages. After this, the fake Adobe Flash installer screen pops up, and then the Flashback Trojan horse installation package downloads. This is effective social engineering. For these reasons, Intego is raising the risk level of this malware to medium.

New Variant of Flashback Trojan Horse Gets Sneakier

We’ve seen several variants of the Flashback Trojan horse since Intego first discovered this malware on September 26.

The latest version, Flashback.D, has gotten a bit sneakier. First, it checks to see if the user is running Mac OS X in VMware Fusion. If so, it does not execute. It does this because many malware researchers test malware in virtual machines, rather than infect full installations, as it is easier to delete them and start over with clean copies.

Flashback Trojan Horse: New Variants with New Features

The Flashback Trojan Horse Is Not Taking Time Off for the Holidays

Microsoft “Discovers” Mac Backdoor Olyx; Intego Found it Last Month

Security Memo – MAC Defender Fake Antivirus Program Targets Mac Users

Malware: OSX/MacDefender.A
Risk: Low; in the wild, but not very widespread for now
Description: Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results).

MAC Defender Rogue Anti-Malware Program Attacks Macs via SEO Poisoning

UPDATE: See Intego’s full security memo with detailed information about the MAC Defender fake antivirus.

Intego has discovered a rogue anti-malware program called MACDefender, which attacks Macs via SEO poisoning attacks. When a user clicks on a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file. In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open “safe” files after downloading in Safari, for example), will open. The file is decompressed, and the installer it contains launches, presenting the user with an installer screen. If the user continues through the installation process, and enters an administrator’s password, the software will be installed. It is important that users not continue with any unexpected installation of this type.

How SEO Poisoning Works and Why You Should Care

In this week’s report of the MacDefender fake antivirus program, we mentioned how this fake antivirus is delivered to users by way of SEO poisoning techniques.

In an article on Krebs on Security, journalist Brian Krebs gives some detailed information on how SEO poisoning works, and why it works so well. One of the main targets of SEO poisoning is Google Image search. In part this is because it is harder to trick out a full web page and get it to appear high in Google’s search results than it is to get images high in the list. Once a user clicks on a thumbnail in the Google Image search results, this sets off the malicious code that can lead to malware being delivered (or, potentially, other types of attacks).

Who’s Behind the Fake Antiviruses Targeting Mac Users?

With yet another version of the Mac Defender fake antivirus discovered, one may wonder who is behind this rash of attacks targeting Mac users.

Microsoft published an analysis of the malware and the URLs it uses, and suggests it is created by the “Winwebsec” gang. They noted the similarity between the web pages used to collect credit card numbers. And, they also said, “In addition to using similar UIs, we noticed that they even share the same payment gateway (this is the site where users are duped into giving the criminals their credit card information).”

AppleCare Overwhelmed by Calls About Fake Antivirus

With the MacDefender, MacSecurity and MacProtector fake antivirus spreading through poisoned Google Images searches, more and more Mac users are getting stung by this scam.

Ed Bott on ZDNet spoke to an AppleCare representative who explained just how widespread this is. He says, “Our call volume here at AppleCare is 4-5x higher than normal and [the overwhelming majority] of our calls are about this Mac Defender and its aliases.” Our information at Intego is similar.

Tens of Thousands of Mac Users Scammed by Fake Antivirus

Apple Offers Instructions for Removal for Mac Defender Fake Antivirus

Apple has published a technical note regarding the MacDefender (and MacProtector and MacSecurity) fake antivirus, called How to avoid or remove Mac Defender malware. This document explains how to find and remove the fake antivirus, and Apple states that “In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.” Apple is to be commended for publishing this document, but we have two comments to make.

Comment Moderator for Popular Blog Shilling for Malware Creators?

Apple Issues MacDefender Security Update

New MacDefender Variant Evades Apple’s Malware Detection System

Apple Updates XProtect Malware Definitions for Latest MacDefender Variant

Discovers New Variants of Mac Defender Fake Antivirus

MacDefender / MacSecurity Malware Gets a Bit More Sophisticated

The people behind the MacDefender/Mac Security fake antivirus that we reported here and here have gotten a bit more sophisticated.

In our security memo of May 2, 2011, we reported that while the application served was sophisticated, the web page used to deliver it showed a bogus Windows environment. Well, this fake antivirus is now served to Mac users from a page that resembles the Mac OS X Finder. Not exactly, of course – as you can see in the screenshot below, the fonts in the list aren’t correct, and the alert window isn’t a real Mac alert, but the sidebar is a copy of the Mac OS X Finder; there’s even a Dropbox folder. Also, the entries in the list are real Mac malware names. Mac users will no longer be put off by seeing the fake Windows screen, and this may incite more of them to install the fake antivirus.

MacDefender, MacSecurity, now MacProtector: Latest Version of Fake Antivirus Targeting Mac Users

SECURITY MEMO – New Mac Defender Variant, MacGuard, Doesn’t Require Password for Installation

MacDefender Changes Name Again: Now MacShield

BlackHole RAT is Really No Big Deal

Discovers New, Improved BlackHole RAT Variant

BlackHole RAT Evolves Again: New Variant Found

Intego has discovered a new variant of the BlackHole RAT, which we discussed in February. While the main principles of the tool – a remote administration tool – remain the same, it includes a backdoor, called Server.app, and a keylogger, called KeyLogger.app. It also adds these two latter elements to a user’s Login Items.
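Two of the entries above give concrete host-based indicators a defender can check for: the BlackHole RAT variant adds Login Items named Server.app and KeyLogger.app, and the Flashback backdoor lives at ~/Library/Preferences/Preferences.dylib. The following Python script is an added example written for this page, not Intego's code or any tool from the posts; it audits a login items plist and a home-directory listing for those indicators. The plist layout it parses (SessionItems -> CustomListItems -> Name) and the file location ~/Library/Preferences/com.apple.loginitems.plist are assumptions about the per-user login items format of Mac OS X of that era (10.7 and earlier), and the sample plist and file listing are constructed for the example.

```python
"""Audit a Mac user profile for the indicators named in the entries above.

Added example, not Intego's code. Indicators come from the page:
  - Login Items named Server.app or KeyLogger.app (BlackHole RAT variant)
  - ~/Library/Preferences/Preferences.dylib (Flashback backdoor)
The loginitems plist layout and path are assumptions (pre-10.8 format);
the sample data below is constructed for this example.
"""
import os
import plistlib
from typing import Dict, List

# Login Item names the page associates with the BlackHole RAT variant.
SUSPECT_LOGIN_ITEMS = {"Server.app", "KeyLogger.app"}

# Backdoor path the page gives for Flashback, relative to the home directory.
FLASHBACK_BACKDOOR = "Library/Preferences/Preferences.dylib"

# Assumed location of the per-user login items list on 10.7 and earlier.
LOGINITEMS_PLIST = "Library/Preferences/com.apple.loginitems.plist"

# Constructed sample plist: one benign entry plus the two RAT components.
# A real entry also carries an `Alias` blob; only `Name` is inspected here.
SAMPLE_LOGINITEMS_PLIST = plistlib.dumps({
    "SessionItems": {
        "CustomListItems": [
            {"Name": "iTunesHelper"},
            {"Name": "Server.app"},
            {"Name": "KeyLogger.app"},
        ]
    }
})

# Constructed sample: relative paths found under a user's home directory.
SAMPLE_HOME_LISTING = [
    "Library/Preferences/com.apple.finder.plist",
    "Library/Preferences/Preferences.dylib",
    "Documents/notes.txt",
]


def login_item_names(plist_bytes: bytes) -> List[str]:
    """Return the Name of every custom login item; empty input yields []."""
    if not plist_bytes:
        return []
    data = plistlib.loads(plist_bytes)
    items = data.get("SessionItems", {}).get("CustomListItems", [])
    return [item.get("Name", "") for item in items]


def suspicious_login_items(plist_bytes: bytes) -> List[str]:
    """Login item names that match the page's BlackHole RAT indicators."""
    return [n for n in login_item_names(plist_bytes) if n in SUSPECT_LOGIN_ITEMS]


def flashback_backdoor_present(home_listing: List[str]) -> bool:
    """True if the Flashback backdoor path appears in the home listing."""
    return FLASHBACK_BACKDOOR in home_listing


def audit(plist_bytes: bytes, home_listing: List[str]) -> Dict[str, object]:
    """Combine both checks into a single report dictionary."""
    return {
        "suspicious_login_items": suspicious_login_items(plist_bytes),
        "flashback_backdoor": flashback_backdoor_present(home_listing),
    }


def audit_home(home: str) -> Dict[str, object]:
    """Run the same checks against a real home directory (assumed paths)."""
    plist_path = os.path.join(home, LOGINITEMS_PLIST)
    plist_bytes = b""
    if os.path.isfile(plist_path):
        with open(plist_path, "rb") as fh:
            plist_bytes = fh.read()
    listing = []
    if os.path.isfile(os.path.join(home, FLASHBACK_BACKDOOR)):
        listing.append(FLASHBACK_BACKDOOR)
    return audit(plist_bytes, listing)


if __name__ == "__main__":
    # Run against the constructed sample; use audit_home(os.path.expanduser("~"))
    # to check a live profile instead.
    for key, value in audit(SAMPLE_LOGINITEMS_PLIST, SAMPLE_HOME_LISTING).items():
        print(f"{key}: {value}")
```

The checks are deliberately exact-match on the names and path the posts report; a match is a reason to investigate the machine, not proof of infection on its own, since a legitimate application could use the same item name.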