Posted by: David Harley | October 29, 2011

Devilrobber: Bitcoin Miner preys on Snow White

Mac malware may lack the drama that comes with multi-million-zombie botnets and worm epidemics, but it doesn’t lack variety. The malware that Intego calls Devilrobber.A and Sophos calls OSX/Miner-D is a Trojan with a number of party tricks, it seems:

  • It opens ports and listens for C&C servers
  • It steals GPU (Graphics Processing Unit) cycles to generate Bitcoins in order to defraud the Bitcoin service, and if it finds a Bitcoin wallet on the infected machine, steals that too
  • It acts as spyware, forwarding usernames and passwords to a remote server
  • It noses around looking for other stuff like the keychain file, bash history file, Safari history file, and takes and forwards screenshots
  • It may also be looking for files that contain child abuse material

The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as PirateBay. Interestingly, the program will terminate on infection if it finds Little Snitch installed: otherwise, it will be launched at every reboot.

Hat tip to Graham Cluley and to the guys at Intego for the information.

Small Blue-Green World/AVIEN/Mac Virus


  1. I always wondered what those 7 little guys were mining.

    • As I recall, Snow White had bad experiences with apples, too.
