Malware Descriptions

[Updated 7th November 2011]

Added links to some further information from F-Secure about OSX/Devilrobber to the appropriate section below.

[Updated 4th November 2011]

I’ve just been reminded of a threat descriptions database I should have added to this list: PC Tools’ iAntivirus page includes a threat descriptions page here. Brief descriptions, but plenty of them.

[Updated 1st November 2011]

OSX/Devilrobber (a.k.a. OSX/Miner)

  • It opens ports and listens for connections from its C&C servers
  • It steals GPU (Graphics Processing Unit) cycles to mine Bitcoins on the attacker’s behalf, and if it finds a Bitcoin wallet on the infected machine, steals that too
  • It acts as spyware, forwarding usernames and passwords to a remote server
  • It searches for other sensitive data such as the keychain file, bash history file and Safari history file, and takes and forwards screenshots
  • It may also be looking for files that contain child abuse material

The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as PirateBay. Interestingly, the program will terminate on infection if it finds Little Snitch installed: otherwise, it will be launched at every reboot.
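
A generic check for the persistence point mentioned above (a program that is launched at every reboot). This is an added example and is not code from the original page, nor is it derived from the Devilrobber sample: it parses launchd job plists with Python’s plistlib and flags jobs whose program lives outside the usual system and application locations, in a world-writable or shared directory, or in a hidden (dot) directory. The two plists embedded below are constructed, and the trusted-prefix and suspicious-prefix lists are assumptions, not indicators for any particular malware family.

```python
"""Audit launchd jobs (LaunchAgents/LaunchDaemons) for persistence that does not look
like a normal system or application component.

Added example: the heuristics and the sample plists are constructed for illustration;
they are not indicators taken from any specific malware family.
"""
import os
import plistlib

# Assumption: legitimate jobs normally run programs from these locations.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")
# Assumption: world-writable or shared locations are unusual homes for a persistent job.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def _hidden_component(path):
    """True if any directory or file name in the path starts with a dot."""
    return any(part.startswith(".") for part in path.split("/") if part)


def audit_job(plist_bytes):
    """Parse one launchd plist and report why it looks odd (if it does)."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    reasons = []
    if not program:
        reasons.append("no Program or ProgramArguments")
    else:
        if program.startswith(SUSPICIOUS_PREFIXES):
            reasons.append("program in a temp or shared directory")
        elif not program.startswith(TRUSTED_PREFIXES):
            reasons.append("program outside the usual system/application paths")
        if _hidden_component(program):
            reasons.append("program path contains a hidden (dot) component")
    # Starting at login and being restarted if killed is what an implant wants, but it
    # is also normal for real agents, so it only adds weight to an existing finding.
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restarts if killed)")
    return {
        "label": job.get("Label", "<no Label>"),
        "program": program,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def audit_directory(directory):
    """Audit every .plist in a launchd directory and return the suspicious ones."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                result = audit_job(fh.read())
            except (plistlib.InvalidFileException, ValueError) as exc:
                # A plist that will not parse is itself worth a look.
                result = {"label": name, "program": "", "suspicious": True,
                          "reasons": [f"unparseable plist: {exc}"]}
        if result["suspicious"]:
            findings.append(result)
    return findings


# Constructed samples (not real jobs): one that looks like a vendor's update agent, and
# one that borrows an Apple-looking label but runs from a hidden shared directory.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

HIDDEN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.cache/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, HIDDEN_PLIST):
        print(audit_job(sample))
    # On a real Mac, point audit_directory at the persistence directories, e.g.
    # /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents.
```

The heuristics are deliberately coarse: a legitimate third-party agent under ~/Library/Application Support will also be flagged as “outside the usual paths”, so treat the output as a list of things to look at, not a verdict.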

OSX/Tsunami.A

A version of the elderly Linux/Tsunami malware (also known as Kaiten), recompiled as a Mach-O binary to run on OS X. Low risk, but apparently a work in progress: a second version shows some “improvements”. More info:

[Updated 28th October 2011]

Sophos Mac Malware Descriptions

You may notice that this page is nowhere near keeping up with the flood – ok, trickle – of Apple-targeting malware that we’ve seen this year. No, that doesn’t mean there wasn’t any: it means that this page is a low priority. I should, however, certainly have mentioned before Graham Cluley’s excellent article “The short history of Mac malware: 1982 – 2011” – in fact, I did mention it, but only in the main Mac Virus blog, not as a resource to check on for malware descriptions. It’s not encyclopaedic, but it’s certainly an excellent summary.

[Updated 26th February 2011]

Blackhole RAT (darkComet, MusMinim):

Updated 1st April (no, I don’t think it’s a joke)

SecureMac describes a later variant it’s labelled BlackHole RAT 2.0a, which is said to be distinctly different to the variant described by Intego.

Updated 30th March (info on later variants)

RAT (Remote Access Tool) which targets both Windows and Mac users. Described as a beta version by its author, but already includes an interesting range of functions. The user interface includes some German words/command options. The author refers to it as Blackhole (but Sophos analysis indicates that it’s a variant of the Windows malware commonly referred to as darkComet: however, the apparent author of darkComet has denied it and says he’s developing his own – oh joy…). Sophos detects it as OSX/MusMinim-A: other AV researchers have samples, so other products will detect it too (contact your vendor if in doubt).

[Updated 22nd January 2011]

Symantec blog on the high proportion of Macs recruited into the Boonana botnet.

[Updated 21st January 2011]

I can’t believe I forgot to mention that Graham had updated his blog post to include Autostart! But he did.

Meanwhile, I came across a description of the Top 5 malicious programs that affect OS X, according to malwarecity.com, which is a BitDefender initiative. It includes short but to-the-point descriptions of:

  • Jahlav
  • RSPlug
  • HellRTS
  • OpinionSpy
  • Boonana

[Updated 24th November 2010]

No, this is not the week I get on with adding some more descriptions to this page. In the New Year, maybe. In the meantime, though, I notice that Graham Cluley has put up a blog including the highlights of Apple-targeted malware to date. While it’s not particularly detailed or comprehensive (surprisingly, it doesn’t mention 1998’s AutoStart worm), it’s accurate (as I’d expect), and you may find it of some interest.

Apple Mac malware: A short history

[Updated 22nd September 2010]

Predictably, my virtual ear has just been bent by someone assuming that because there are only a couple of descriptions here, that’s all the OS X malware there is. Sorry, but it isn’t. I simply don’t have time to put into this project right now: going back over descriptions for earlier malware simply isn’t a priority, and right now I’m up to my ears in conferences and can’t find time even to detail more recent malware.

Perhaps Old Mac can find some time for this, but I wouldn’t bet on it. As I remarked in a comment below, ESET’s OS X sample collection is now well into the thousands. There’s some information on the most common malware types and families in the EICAR paper on Apple security on the resources page at http://macviruscom.wordpress.com/mac-malware-resources/papers/ though that paper is now quite a few months old.

Ryan Russell’s blog at http://ryanlrussell.blogspot.com/2006/10/os-x-malware.html is not up-to-date (he didn’t have time to update either) but includes more individual items than I’ve managed so far.

David Harley 

[Updated 14th June 2010]

This is an embryonic information resource with information (or links to information) about specific Mac threats. This may not be the biggest project in the world (Mac threats tend to be counted in hundreds, not tens of millions, as is the case with PC threats), but it will take a finite amount of time, which I’m a little short of, so in the first instance, at least, I’m likely to add descriptions as they’re asked for, rather than chronologically or in order of importance. Descriptions may also be modified as I find time to work on them, and the format is likely to become a little less rough-and-ready.

OSX/OpinionSpy

Also Known As:

Associated with software calling itself PermissionResearch or PremierOpinion

First reported

1st June 2010

Discussion on Mac Virus:

Information from Intego, including initial alert:

Discussion on the ESET blog:

Analysis by Methusela Cebrian Ferrer: http://ithreats.net/2010/06/02/premieropinion-spyware-now-in-mac-os-x/

Discussion by Paul Ducklin: http://www.sophos.com/blogs/duck/g/2010/06/02/mac-osx-monitorware/

Description by McAfee: http://vil.nai.com/vil/content/v_267638.htm

OSX/MacSweep

Also Known As

Troj/MacSwp-A, OSX_MACSWEEP, MacSweeper

First reported

January, 2008

Description

The first OSX scareware (or fake security application), or at any rate the first widely recognized as such. Published by “KiVVi Software”, who covered themselves with glory by stealing most of the text of their self-description from Symantec’s web site, changing only the company name.

Most of the descriptive material applying to OSX/iMunizator also applies to MacSweep: in fact, some sources reported an almost identical screen for both “products” saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC”. The program flags a number of perfectly legitimate applications as privacy violations, malware, bad cookies (Down, Cookie! Down, boy! Naughty Cookie!), compromising files and so on, and anyone trying to remove them is told they need to buy the MacSweep software.

Perhaps the most interesting thing about these early Mac-specific ventures into the rogue application market is that they were also early examples of rogue security software that presents itself as something other than straightforward fake anti-virus or fake anti-spyware. Presumably the authors were taking into account that most Apple-users don’t believe that there is any Apple malware.

Further information

http://www.f-secure.com/weblog/archives/00001362.html 

http://blog.intego.com/2008/01/15/scareware-tries-to-trick-mac-users-into-buying-worthless-software/ 

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmacswpa.html 

http://vil.nai.com/vil/content/v_143952.htm

http://en.wikipedia.org/wiki/MacSweeper

OSX/Imunizator

Also Known As

OSX/iMunizator, OSX/Imunisator, Troj/MacSwp-B, OSX_MACSWEEP.B, OSX/AngeloScan

First reported

Late March, 2008

Description

As the fact that some vendors call it MacSweep.B indicates, Imunizator was essentially a retread of OSX/MacSweep (MacSweeper), the first OSX scareware (or fake security application), or at any rate the first widely recognized as such.

The “call to action” in this case was a screen saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC” (that’s the capitalization offered by the product’s screen, not mine: I know the difference between a raincoat, an Apple computer, and a Media Access Control address…).

Wouldn’t it be nice if you could get an application to clean the Internet?

The program flags a number of perfectly legitimate applications as “trash”, and any victim naive enough to try to remove them is told they need to buy the Imunizator software. Amusingly (in a black sort of way), Imunizator tries to tell you that the apps it flags may compromise the victim’s credit card.

Pot, kettle….

Perhaps the most interesting thing about these early Mac-specific ventures into the rogue application market is that they were also early examples of rogue security software that presents itself as something other than straightforward fake anti-virus or fake anti-spyware. Presumably the authors were taking into account that most Apple-users don’t believe that there is any Apple malware. (Yes, I said that about MacSweep, too.)

Further information

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmacswpb.html

http://vil.nai.com/vil/content/v_144297.htm 

http://blog.trendmicro.com/scareware-software-makes-its-second-round-on-mac-os/

http://www.h-online.com/…/More-fake-anti-spyware-for-the-Mac-734693.html

http://www.intego.com/news/ism0801.asp

http://blog.intego.com/2008/03/28/new-scareware-targets-mac/

David Harley CITP FBCS CISSP
Mac Virus Administrator

Responses

  1. I took a shot a while back, which is now (predictably) out of date and abandoned.

    http://ryanlrussell.blogspot.com/2006/10/os-x-malware.html

  2. My Mac’s regular mouse-over actions EVERYWHERE on my computer are disabled; it won’t work anywhere. I have to click whatever for it to do the “animation” or whatever it would do when it rolls over, then click it again to do whatever it does when you click: in the Finder, applications, web, Preview, Dock, etc.!

    I haven’t installed anything new. Yesterday it was perfect; today I opened it and it’s like this. I restarted and it’s still like this, ran the iAntivirus scan and it found nothing. Do you think it would be a virus?

    • @twiztidmonkee, I’m afraid I can’t tell you whether you have a malware infection from that information, though it doesn’t sound particularly likely. I’m afraid that I’m not in a position to do one-to-one remote support.

  3. I am running OSX Snow Leopard on a MacBook. When I do a Google or Yahoo search, either in Firefox or Safari, and click on the search results, I am taken to a secondary search site (which seems to be random). If I click it away and re-click on the Google search, I go to the correct site. This happens for each item in the Google search and, as noted, happens with either search engine and either browser.

    Norton Mac Anti-virus has not fixed it.

  4. Follow up to the message below: It also affects my iPad, running its version of Safari.

    I am running OSX Snow Leopard on a MacBook. When I do a Google or Yahoo search, either in Firefox or Safari, and click on the search results, I am taken to a secondary search site (which seems to be random). If I click it away and re-click on the Google search, I go to the correct site. This happens for each item in the Google search and, as noted, happens with either search engine and either browser.

    Norton Mac Anti-virus has not fixed it.

  5. @Dan:

    What kind of home router do you have? Does your iPad have 3G, and if you use that, does the problem disappear? If you do an nslookup for Google or Yahoo, what is the result?

  6. Thanks Ryan. You are right – it seems to be in the router. When I use the iPad on 3G there is no problem, when I use my dark-side laptop at the office, no problem but when I use it at home I get redirected. I actually have two routers – a combo modem-router from my DSL provider and my own wireless router. I am pretty sure that our wireless is properly set up, so I suspect that the problem is in the ISP’s box. I will communicate with them in words of one syllable.

    Curiously, while Google and Yahoo are affected, Bing is not.

  7. @Dan,

    Most likely scenario is that your router (or some upstream DNS that it uses) has been compromised, and points at an attacker’s DNS. And the attacker has bothered with malicious entries for Google and Yahoo, but not Bing.

    So not necessarily a case of “properly set up” as whether or not the current config is the one you expected. Since your WAP is under your control, might as well double-check it.

    I’d be curious to see the output of dig yahoo.com from your Mac.

    Feel free to email ryan@thievco.com to continue if you like, so we don’t clutter up his blog comments further.

    • Don’t worry about cluttering my comments. It’s an interesting thread. Sorry I haven’t had a chance to comment, but Ryan’s comments sound convincing to me.
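
The checks suggested in the thread above (look at which resolvers the system is using, and compare the answers they give with a reference resolver), as an added example that is not part of the original page or the commenters’ own tools. It parses resolv.conf-style resolver lists and dig-style answer sections, flags resolvers that are neither on the LAN nor on an allow-list, and reports names for which the local answers share nothing with the reference answers. The resolv.conf text, the two dig outputs and every address in them are constructed (TEST-NET ranges), and the allow-list is an assumption.

```python
"""Spot DNS redirection of the kind discussed in the thread: unexpected resolvers, and
A-record answers that disagree with a reference resolver.

Added example: all sample text and addresses are constructed; the allow-list of
known-good public resolvers is an assumption to be replaced with your own.
"""
import ipaddress

# Assumption: a home client normally points at its router (an RFC 1918 address) or at a
# public resolver you chose deliberately. Anything else is worth explaining.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
ALLOWED_PUBLIC_RESOLVERS = {"203.0.113.53"}   # constructed placeholder, not a real resolver


def parse_resolvers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers, allowed=ALLOWED_PUBLIC_RESOLVERS):
    """Resolvers that are neither on the LAN nor in the allow-list.

    A LAN address passing here only means the router is answering; a compromised
    router changes the upstream it forwards to, so the router's own DNS settings
    still need to be checked by hand."""
    flagged = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)          # not even an address: definitely worth a look
            continue
        if s in allowed or any(addr in net for net in LAN_NETWORKS):
            continue
        flagged.append(s)
    return flagged


def parse_a_records(dig_output):
    """Collect A records from dig output as {name: set(addresses)}.

    dig prefixes its banner, comments and the question section with ';', so those
    lines are skipped; answer lines have the form 'name. ttl IN A address'."""
    records = {}
    for line in dig_output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            records.setdefault(parts[0].rstrip("."), set()).add(parts[4])
    return records


def disagreeing_names(local, reference):
    """Names whose local answers share nothing with the reference resolver's answers.

    CDNs legitimately return region-specific addresses, so a disjoint set is a lead
    (check who owns the local answer), not proof of tampering."""
    return sorted(name for name, addrs in local.items()
                  if name in reference and addrs.isdisjoint(reference[name]))


# Constructed samples: what the affected Mac might show, and what a reference resolver
# (queried directly with `dig @<resolver> yahoo.com bing.com`) might return.
RESOLV_CONF = """# constructed sample
nameserver 192.168.1.1
nameserver 198.51.100.9
"""

LOCAL_DIG = """; <<>> DiG <<>> yahoo.com bing.com   (constructed output)
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              60      IN      A       198.51.100.23
bing.com.               300     IN      A       203.0.113.40
"""

REFERENCE_DIG = """; <<>> DiG <<>> yahoo.com bing.com   (constructed output)
;; ANSWER SECTION:
yahoo.com.              300     IN      A       203.0.113.10
yahoo.com.              300     IN      A       203.0.113.11
bing.com.               300     IN      A       203.0.113.40
"""

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(parse_resolvers(RESOLV_CONF)))
    print("disagreeing names:", disagreeing_names(parse_a_records(LOCAL_DIG),
                                                  parse_a_records(REFERENCE_DIG)))
```

In the constructed data the second resolver is a public address nobody chose, and yahoo.com resolves to something the reference resolver never returns while bing.com agrees, which matches the pattern the commenter reported. On a real machine, feed the functions the output of `scutil --dns` (or /etc/resolv.conf) and of dig run once through the router and once against a resolver you trust.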

  8. A small square made up of flickering lines is attached to my Mac mouse cursor: the tip of the cursor is at the top left-hand corner of the square. It infects Word for Mac documents, imposing a patterned grey background and making it difficult to read the text. It has infected the desktop and the Dock in the same way.
    It is not detected by Intego VirusBarrier 5. My Mac is an 800 MHz titanium PowerBook G4 with 1GB SDRAM. The operating system is OS X Version 10.4.11.
    How do I remove the flickering square?
    mem

    • @mem That doesn’t sound like any malware I know, and in fact it’s unlikely to be the result of malware at all. I’m afraid you need to try somewhere or someone who’s better qualified to offer general Mac support and advice. I’m afraid it’s a long time since I worked a support desk. Sorry!

