Mac malware may lack the drama that comes with multi-million-zombie botnets and worm epidemics, but it doesn’t lack variety. The malware that Intego calls Devilrobber.A and Sophos calls OSX/Miner-D is a Trojan with a number of party tricks, it seems:
- It opens ports and listens for C&C servers
- It steals GPU (Graphics Processing Unit) cycles to generate Bitcoins in order to defraud the Bitcoin service, and if it finds a Bitcoin wallet on the infected machine, steals that too
- It acts as spyware, forwarding usernames and passwords to a remote server
- It noses around looking for other stuff like the keychain file, bash history file, Safari history file, and takes and forwards screenshots
- It may also be looking for files that contain child abuse material
The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as PirateBay. Interestingly, the program terminates on infection if it finds Little Snitch installed; otherwise, it is launched at every reboot.
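The post says the Trojan is relaunched at every reboot but does not say how. One routine defender check for that class of behaviour on a Mac is to audit launchd job definitions for auto-started programs living in user-writable locations. The script below is an added example, not code from the original post or from Intego or Sophos; it assumes (the page does not state this) that such persistence would take the form of a launchd agent or daemon, and the two plists embedded in it are constructed samples, not real indicators.

```python
"""Audit launchd job definitions for persistence that survives a reboot.

Added example, not code from the original post. The assumption that a
reboot-persistent Mac Trojan would register a launchd job is the author's
own; the sample plists are constructed for illustration.
"""
import plistlib
from pathlib import Path
from typing import Dict, Iterable, List

# Program locations treated as trustworthy for an auto-started job.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")

# Constructed sample job definitions: one benign system-style job and one
# that auto-starts a hidden binary from a user-writable directory.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.example.system.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.system</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example-helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/com.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/.updater/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}


def launchd_dirs() -> List[Path]:
    """Directories launchd scans for job definitions (system and current user)."""
    return [
        Path("/Library/LaunchAgents"),
        Path("/Library/LaunchDaemons"),
        Path.home() / "Library" / "LaunchAgents",
    ]


def program_path(job: dict) -> str:
    """Return the executable a launchd job runs, or "" if none is declared."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_job(name: str, blob: bytes) -> dict:
    """Parse one plist (XML or binary) and flag untrusted auto-start jobs."""
    job = plistlib.loads(blob)
    path = program_path(job)
    auto_start = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    untrusted = not path.startswith(TRUSTED_PREFIXES)
    return {
        "plist": name,
        "label": job.get("Label", ""),
        "program": path,
        "auto_start": auto_start,
        "suspicious": auto_start and untrusted,
    }


def audit_all(blobs: Dict[str, bytes]) -> List[dict]:
    """Audit a mapping of plist path -> raw plist bytes."""
    return [audit_job(name, blob) for name, blob in blobs.items()]


def load_from_disk(dirs: Iterable[Path] = None) -> Dict[str, bytes]:
    """Read every .plist in the launchd directories present on this machine."""
    blobs: Dict[str, bytes] = {}
    for d in dirs or launchd_dirs():
        if d.is_dir():
            for p in d.glob("*.plist"):
                blobs[str(p)] = p.read_bytes()
    return blobs


if __name__ == "__main__":
    # Run against the constructed samples; swap in load_from_disk() for a live host.
    for finding in audit_all(SAMPLE_PLISTS):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['label']:20} {finding['program']}")
```

The check is deliberately coarse: a job is flagged only when it both auto-starts (RunAtLoad or KeepAlive) and runs something outside the system binary trees, which is where a Trojan dropped alongside a pirated application would normally have to live. Review flagged entries by hand rather than deleting them, since legitimate third-party software also installs agents under the user's Library.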
Hat tip to Graham Cluley and to the guys at Intego for the information.
David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN/Mac Virus