Posted by: David Harley | April 24, 2010

OSX/HellRTS – more info

I’ve been asked for more information on the recent threat that ESET calls OSX/HellRTS.AA. ESET hasn’t put up a description so far, but several other vendors have:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-041911-0548-99

http://vil.nai.com/vil/content/v_265239.htm

http://macscan.securemac.com/hellraiser-aka-osxhellrtsd/

And while I’ve already pointed to descriptions by Intego and Sophos in a previous blog, they are, for completeness, at:

http://www.intego.com/news/hellrts-backdoor-can-allow-malicious-remote-users-to-control-macs.asp

http://www.sophos.com/security/analyses/viruses-and-spyware/osxpinheadb.html

If you were wondering, the reason that this detection has so many variant names is that nowadays, variant naming tends to reflect the type of detection used in a product rather than the identity of a single binary: otherwise, we’d be seeing malware with names like W32/YetAnotherNastyTrojan.HNEDODENOXQIDSEZZUAUOP… 😉

I’ve written a couple of papers on naming issues: see http://www.eset.com/resources/white-papers/Harley-Bureau-VB2008.pdf (written with Pierre-Marc Bureau) and http://www.eset.com/resources/white-papers/cfet2009naming.pdf.

David Harley FBCS CITP CISSP
Mac Virus
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
http://amtso.wordpress.com
