Posted by: David Harley | October 29, 2011

Devilrobber: Bitcoin Miner preys on Snow White

Mac malware may lack the drama that comes with multi-million-zombie botnets and worm epidemics, but it doesn’t lack variety. The malware that Intego calls Devilrobber.A and Sophos calls OSX/Miner-D is a Trojan with a number of party tricks, it seems:

  • It opens ports and listens for C&C servers
  • It steals GPU (Graphics Processing Unit) cycles to generate Bitcoins in order to defraud the Bitcoin service, and if it finds a Bitcoin wallet on the infected machine, steals that too
  • It acts as spyware, forwarding usernames and passwords to a remote server
  • It noses around looking for other stuff like the keychain file, bash history file and Safari history file, and it takes and forwards screenshots
  • It may also be looking for files that contain child abuse material

The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as PirateBay. Interestingly, the program will terminate on infection if it finds Little Snitch installed: otherwise, it will be launched at every reboot.

Hat tip to Graham Cluley and to the guys at Intego for the information.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN/Mac Virus


Responses

  1. I always wondered what those 7 little guys were mining.

    • As I recall, Snow White had bad experiences with apples, too.

