I’ve been asked for more information on the recent threat that ESET calls OSX/HellRTS.AA. ESET hasn’t put up a description so far, but several other vendors have:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-041911-0548-99
http://vil.nai.com/vil/content/v_265239.htm
http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/
And while I’ve already pointed to descriptions by Intego and Sophos in a previous blog, they are, for completeness, at:
http://www.intego.com/news/hellrts-backdoor-can-allow-malicious-remote-users-to-control-macs.asp
http://www.sophos.com/security/analyses/viruses-and-spyware/osxpinheadb.html
If you were wondering why this one threat goes by so many variant names across vendors, it is because nowadays a variant name tends to reflect the type of detection a product uses rather than the identity of a single binary. Otherwise, we'd be seeing malware with names like W32/YetAnotherNastyTrojan.HNEDODENOXQIDSEZZUAUOP… 😉
I’ve written a couple of papers on naming issues: see http://www.eset.com/resources/white-papers/Harley-Bureau-VB2008.pdf (written with Pierre-Marc Bureau) and http://www.eset.com/resources/white-papers/cfet2009naming.pdf.
David Harley FBCS CITP CISSP
Mac Virus
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence
Also blogging at:
http://www.eset.com/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
http://amtso.wordpress.com