Posted by: David Harley | February 26, 2011

MacRAT Blackhole

[Update: brief description added to the malware descriptions page at https://macviruscom.wordpress.com/apple-malware-descriptions/]

Methusela Cebrian Ferrer, who maintains an excellent Mac security resource at http://ithreats.net/, yesterday reported a new RAT (Remote Access Tool) which targets both Windows and Mac users. Slightly bizarrely, it’s described as a beta version by its author, but the client (essentially a tool for managing a compromised desktop) already includes an interesting range of functions. Or funktions, according to its author. (The user interface also includes some German words such as Ablage and Bearbeiten, though the messages are in (more or less) English.

 Chester Wisniewski (good to meet you at RSA, Chet!) has since blogged with more detail at the Naked Security blog. Though the author refers to it as Blackhole (so that’s where my income is ending up!), Sophos analysis indicates that it’s a variant of the Windows malware commonly referred to as darkComet. Sophos detects it as OSX/MusMinim-A: other AV researchers have samples, so other products will detect it too (contact your vendor if in doubt). The Sophos blog also has a slideshow of the Trojan in action, and quotes text that it displays such as:

“…I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can’t be infected, but look, you ARE Infected!…”

Not full stealth then. 😀 And not a cause for panic at the moment. But an interesting development.

David Harley CITP FBCS CISSP
Small Blue-Green World/Mac Virus

Advertisements

Responses

  1. David,

    Great blog. More regular updates would be the next best thing.

    What is a good setup of software for effective defense against malware/spyware/av? Your advice would be highly appreciated.

    On Windows, something like the Norton 360 seems to a good enough job for me. I have heard horror stories about AV software on Mac’s making them really slow, etc. Want to avoid that.

    At the moment I have ClamXav set to manual monitoring the download folder and little snitch. Live protection would be awesome.

    Thanks,

    JBell

    • Thank you, Jennifer.

      I’d love to spend more time on this blog: in fact, it could easily become a full-time job. Unfortunately, though, I need a revenue stream. 😀

      I work within the AV industry (and my primary customer is a company with a Mac security product, though it has nothing to do with this blog, and I have nothing to do with that product). So it would be a bit flaky for me to be too specific about products, but I think an all-in-one product is a good option for Mac users at this point, where specific malware isn’t too much of a problem but more generic protection is worth having. I’d say that the stories about AV slowing down Macs are generally exaggerated as part of the “Macs don’t need security” mindset, though there’s always the possibility of problems with particular models and configurations. But that’s true on other platforms, of course. On the other hand, I do think the fact that AV vendors increasingly tend to fully support only the latest OS versions may have contributed to that perception for people using older systems. (I’m not sure there’s a commercial product at all that I could use on my ancient eMac, let alone my iBook, but I have very little real use for either of those now.)

      I wouldn’t, personally, recommend ClamXav. That will probably earn me accusations of pushing the AV industry’s agenda, but my problem is not with the fact that it’s free (except in that you can’t generally expect commercial standards of detection and support from a free product, as was true even of the excellent but now extinct Disinfectant). The Clam engine isn’t particularly Mac oriented detection-wise, there have been problems with the ClamXav shell quarantining essential files, and support is minimal. In general, you get what you pay for. However, the Sophos scanner is commercial grade AV and free to home users, and while I haven’t formally evaluated it recently, has to be worth a look if you don’t want to pay or to consider a product with a wider functional range. There are several vendors in that space (see the resources links at http://wp.me/PL5CO-88).

    • @JenBell!
      Since David didn’t say it (he wants to be independent in this blog) I will 😉
      I would recommend ESET’s Eset Cyber Security for your Mac without a doubt.
      I use it myself and it’s a really great product and quite resource friendly.

      @David.
      I don’t know if you didn’t knew that Dr.Web has a product for Mac OS X or not?
      But I have been thinking for a while that I should mention it to you, and that you should add Dr.Web to the Vendor resource page.
      http://products.drweb.com/mac/?lng=en
      It wouldn’t be fair to exclude them from the vendors list :).

      Cheers!

      • Thanks, Johan. I actually try to avoid being involved with product marketing at ESET too. Not that I don’t appreciate the efforts of ESET’s marketing teams, but I figure I can make more of a difference as a researcher/educationalist if I’m not seen as having a product evangelism role. I do, of course, like ESET’s products, or I wouldn’t work with the company so closely.

        Thanks for the prod on Dr Web. How could I have forgotten them when I put the resources page together?!? (Sorry, gents!) I haven’t looked at the product myself, but I’m sure it’s up to the high standard of their Windows product, and I’ll update the resources page sometime today.

  2. Thanks David.

    Few points.

    1. Any OS connected to the Internet needs security protection, unless your running something like a EAL6+ certfied Integrity OS (studying for CISSP so learning about NSA approved OS’s for backgound info…Federal Wang’s OS is so awesome!!!). OSX is no different.
    2. Active protection is always required. Unless you are seriously in tune with the sec tech’s coming out, only way to protect ourselves is active protection.
    3. Clam…I know its not the greatest but I am seriously looking into Intego’s suite. I dont mind paying $60-ish for a product that does what it says. Norton has never been the greatest but then was never meant to be. It was meant to protect against the majority and provide real time protection as best as possible…not perfect but good enough. Wish I could get something as easy on the system as Norton. Having tried so-ooooooo many of the so called ‘better suites’ I eventually returned back to Norton at the end of 2010 and have not looked elsewhere (this is coming from a person who is happy to upgrade pretty much every month to a different software for better protection…previous bad experiences means money I wise its all well spent).
    4. Sophos. Will check them out and compare against Intego.

    Right now the OSX or Mac selection of secsu’s (security suites) are not great. I know Apple do some but like MS…they know they cannot do it all.

    (bwt…I get miffed over 2 things every single time…1. Mac’s dont crash (they do babes, luckily though something like onyx is usually enough to get sorted out in a single hit. 2. Mac’s are more secure (only while in its ur bag honey, we still love u though;-)

    Keep up the good work…but please post a few more posts…not seeing a new post is so not fun – self declared RSS junkie (I refuse to bookmarks sites anymore…rss or nothing).

    Finally…what do u think of HTML5? Fallen in love with webdev all over again…

    JBell

    • Thanks again, Jennifer. 🙂 Re your points:
      1) I agree, but I guess we’re not exactly typical Mac users. Good luck with the CISSP studies!
      2) Agree again. Passive scanning doesn’t really cut it these days, which is why we tend to grumble about testers who rely on on-demand scanning of a static sample set.
      3) Intego is worth looking at. Its researchers keep a very close eye on Mac malware development.
      4) I must admit that I’ve spent a lot less time recovering from crashes and bad boots since OS X.

      The problem is that I post a great deal on other (less Mac-oriented) blogs – in fact, blogging, papers and articles are my main source of income – and I have to sleep occasionally. 😉

      Alas, the days when I did real web development are long gone.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: