Mac OS X backdoor Trojan, now in beta?

Filed Under: Apple, Malware, OS X

OSX/MusMinim-A screenshot

It appears there is a new backdoor Trojan in town and it targets users of Mac OS X. As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple's increasing market share.

SophosLabs analyzed the sample we received and determined that it is a variant of a well-known Remote Access Trojan (RAT) for Windows known as darkComet.

The author of the Trojan refers to it as the 'BlackHole RAT', as you can see from the screenshots, but Sophos calls it OSX/MusMinim-A, or 'MusMinim' for short.

Note: The author of DarkComet RAT has contacted Naked Security denying this relationship, admitting his own OS X RAT is in development.

The name 'Black Hole' is already used by a legitimate application which actually aims to increase security on your Mac by helping you get rid of potentially sensitive information such as recently-used file lists, data left in the clipboard, and more.

MusMinim is very basic and there appears to be a mix of German and English in the user interface. Its functions include:

* Placing text files on the desktop
* Sending a restart, shutdown or sleep command
* Running arbitrary shell commands
* Placing a full screen window with a message that only allows you to click reboot
* Sending URLs to the client to open a website
* Popping up a fake "Administrator Password" window to phish the target

Screenshot of fake Admin credentials dialog

Here is an excerpt from the default text that is displayed in the full screen window with the reboot button:

"I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected!
I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it.
So, Im a very new Virus, under Development, so there will be much more functions when im finished."

SophosLabs has published protection for our customers as OSX/MusMinim-A. Trojans like this are frequently distributed through pirated software downloads, torrent sites, or anywhere else you download an application that you then expect to install.

It could also be dropped by a vulnerability in your browser, plugins or other applications. Patching is an important part of protection on all platforms.

Fortunately our products can detect and remove Trojans like this, and for home use they're free! If you would like to install Sophos Anti-Virus for Mac Home Edition, click on the banner below.


Below you'll see a slideshow of the Trojan in action:


I would like to thank Mike Shannon at SophosLabs Canada for help analyzing this threat, and Meths at http://ithreats.net.

Note: Blackhole RAT is not in any way related to the Black Hole software on www.irradiated.net.



37 Responses to Mac OS X backdoor Trojan, now in beta?

  1. rattyuk · 1145 days ago

    Hmmm. Sophus trying to get their tithe from Mac users?

    • Paul Ducklin · 1145 days ago

      At $0, the free version of Sophos Anti-Virus for Mac is a pretty lightweight tithe.

      (Technically, it can't be a tithe, as a tithe is a tenth part, from the Old English word for tenth. Unless you're suggesting that Mac users are worthless, since a 10% share of zero is zero. As a Mac user myself, I hope that is _not_ what you meant :-)

      • rattyuk · 1145 days ago

        I did respond but the comment wasn't approved.

        But just to explain your comment I meant:

        "Pay or give as a tithe:
        Historical subject to a tax of one tenth of income or produce for the support of the church and clergy"

        The emphasis being on the repeated payment not on the amount.

        • Paul Ducklin · 1142 days ago

          Your cynicism is noted.

          Except that there are no repeated payments and the initial amount is $0.

          The emphasis being on the absence of repeated payments and on the amount.

          • rattyuk · 1142 days ago

            Here's the thing Paul.

            Why is Sophos talking up something which is in Beta? How do they know this? Really? Seems pretty dumb for a so-called hacker to contact Sophos.

            "Note: The author of DarkComet RAT has contacted Naked Security denying this relationship, admitting his own OS X RAT is in development."

            Why don't you just hand him over to the relevant authorities. That is what you are supposed to do to hackers, yes?

      • UKAIN99 · 1142 days ago

        This may be currently priced at $0.00 --- but not "free" at all, as anyone can tell the price from their end user license agreement, which states:

        7. Remote communication and optional data sharing
        7.1 You acknowledge and agree that we may and the Licensed Product may, directly and remotely communicate with your computer for the purposes of, without limitation, verifying your credentials, issuing reports and alerts.

        7.2 If you choose to allow sharing of supplementary data with us, you will need to implement optional functions which allow the Licensed Product to provide us with various data. While we do not intend that such data will include confidential information or information that identifies individual persons, such data may be included. Please notify us if you have any cause to believe that data may include reference to confidential information or information regarding individuals.

        11. Use of your information
        11.1 We may use information you provide to us for the following purposes:

        11.1.1 to send emails to you to provide information and goods and services to you and to let you know about other goods and services which we think may be of interest to you;

        11.1.2 to pass your information to other companies within our group of companies;

        11.1.3 to use information in accordance with our privacy policy from time to time as set out at http://www.sophos.com;

        11.2 If you do not wish us to use your information as set out in this Clause, please contact us at any time by using the contact details at the end of this End-User License Agreement.

        11.3 We confirm that we will process personal information in accordance with the provisions of the Data Protection Act 1998.

        • Paul Ducklin · 1142 days ago

          Since you haven't tried the product (and it sounds as though you aren't going to :-), note that the download process for the free Mac product _has no registration or signup process at all_.

          So we don't even ask you to provide a name and email address (not even a bogus or throwaway one).

  2. Thu Win · 1145 days ago

    Why would a malware announce themselves and tell the user that they are infected. Can't the user just uninstall it to add/remove? It looks similar to most clients used by tech folks.

    • P01s0n H4cker · 1028 days ago

      the reason that the user can't do anything about it is because once installed the Trojan takes over your computer and erases itself so to speak to where it is still on your computer but the computer's AI is numbed to not detect it.

  3. Kevin · 1145 days ago

    THE Era of Mac viruses is just Ahead !

    Good Luck Mac'cers !

    • John · 1142 days ago

      I've been hearing that "promise" for a quarter of a century...."just around the corner, here it comes, next time it will, just wait"....meanwhile my organization and I have been reaping the many TCO and ROI benefits of a Mac environment for all that time.

      Perhaps you should wait until that mythical day when Macs become widely infected like Windows has for the last 25 years, then start crowing. Until then, you'll likely be eating it instead. :-)

      • Steve · 1142 days ago

        Hackers and thieves will always follow the path of least resistance and the path that provides the most potential profit. That means they will get more results attacking lots of softer targets. Has anyone else noticed how popular apple are becoming.... Has anyone noticed how so many apple users don't think they need any protection from malware.....

        Sophos are a good AV product and invest time into research on apple malware. So if they have a free product it's hard to say no. Paying for an enterprise version may or may not be appropriate depending on how you are set for DR should the "impossible" happen and malware infect your business. Clearly there is a lot less malware for Apple than Windows but that won't help you when your Apple gets infected. It's a great idea to use Apple and reduce your vulnerabilities but don't confuse reduce with remove. Why wait until the mythical day you speak of. Simply reduce risk where you can.

      • Rowena Keefe · 1135 days ago

        Smug typical Mac-addict response - everyone knows Windows is virus-central but most choose to do so anyway because of the freedom! As a dual-user I realised pretty quickly there are benefits and detractions for both.. But I use PC predominantly due to CHOICE.

        I suppose the big deal about the increasing likelihood of Mac-attacks is that all the Mac-users who take it for granted they are secure aren't really secure. At least with my PC I expect to be attacked and am always on guard - it's worth the sacrifice for the enhanced software availabilities and cheap update of parts. I'd be pretty disappointed if I forked out for a Mac and it was caned by the very thing it touts it's invulnerable to..

        That being said, I don't get a day off system maintenance with the three PCs I've owned in the last few years, yet the Mac just keeps on running, year after year after year, without security issues. That's much better value!

  4. Old School · 1144 days ago

    Is it universal or Intel only?

    • Millhouse · 1144 days ago

      Judging from the quality of the software, it's /most/ likely Intel only, but I dare to conjecture that this is possible with PPC too. You just have to find another 13-year-old German kid with an insecure grasp of English to do it for you.

      Seriously, "Finder is requesting you Administrator Password"? Seeing as this is basically automated social engineering, the guy who made this could at least have proofread his most important bit of text.

      • Beowulf · 1015 days ago

        Don't tell him! I use a Mac and my major means of detecting threats are spelling and grammar.

  5. n00neimp0rtant · 1144 days ago

    "Finder requires you Administrator password."

    Nothing suspicious here!

  6. blu · 1144 days ago

    Are Sophos AV in Mac Store, or not yet?

    • Chester Wisniewski · 1144 days ago

      Unfortunately Apple's restrictions on not allowing kernel extensions and not being able to write programs to the file path prevents a true on-access anti-virus scanner from being on the App Store. If they were to make an exception or change their policies I imagine we would put the free version of SAV on the App Store.

      • kilibee · 1143 days ago

        I assume that this restriction does also prevent a number of malware attack vectors.

        • Chester Wisniewski · 1143 days ago

          Yes! It certainly helps, but is not nearly enough to provide comprehensive protection. You have to strike a balance between security and convenience and I do not think the scales in Cupertino are in balance at the moment.

          • JavaCaliente · 1142 days ago

            being a lack of Mac malware in the wild I'll wait to see how the scales fall as "unbalanced" as they might be.

  7. Vim Vendors · 1142 days ago

    In the 'Finder password-request' dialogue what info is shown up by expanding 'details'?

    That's always the first port of call for a user when investigating a suspicious request like this, but you haven't specified what it states ;)

    Also, if you have Little Snitch installed it should automatically block any outgoing traffic from newly-installed software by default allowing time to inspect it further.

    • Chester Wisniewski · 1142 days ago

      It is already expanded in the screenshot, so a cautious user may notice that something is a bit odd (if the grammar being wrong wasn't a tip-off).

  8. Shane · 1142 days ago

    Is this another OSX malware that needs to be first executed with admin privs?

    • Chester Wisniewski · 1142 days ago

      No, it will run in the context of the currently logged in user. This limits it to altering/copying data from that user's home directory, but if the user provides his password to the fake escalate privilege dialog it would allow the attacker to gain root access through the remote shell feature.

  9. Squishy McSquish · 1142 days ago

    Hey buddy, would you like a free TV?
    - I sure would.
    Well just give me the keys to your house, let me have your address and I'll bring it straight round, I'll even set it up for you.
    - Gee that'd be swell, here are my keys, I'll write down my address for you. I'm real looking forward to checking out my new TV when I get home! Thanks very much.
    - Yeah buddy, your new TV is gonna be real fine.

  10. PcUser · 1142 days ago

    Welcome to the club, Mac users. The Club of Justifiably Paranoid Computer Users. Maybe one of you can invent a cute new name for the club. I'm just a regular PC user, so that cannot be expected of me.

  11. Mike · 1141 days ago

    HA HA HA! This is all such a bunch of crap. One of these "viruses" comes around for the mac about once every year to year and a half, and all the PCers go jumping up and down and laugh about how the Mac users are finally going to be in the same boat as they are... and then it goes away. Anyway, no where in this does it say HOW this crap would be installed to your Mac. It certainly can't be a self executable file, because those don't work on the Mac. The user HAS to install the thing, and Apple does a very good job of figuring out what might be coming and secures the OS for it anyway. I'll be sure to copy and paste this article in a year and a half.

  12. Malware vaporware? C'mon, guys, this is not even a trojan, as it has no delivery system. Get your facts right and people might start caring.

  13. g0bez · 1141 days ago

    I haven't yet found (and would be very interested to know) how this gets onto the Mac in the first place. The video I saw shows BlackHole already listening on port 7777 which makes this "virus" completely unremarkable to me. All we see is what can be done once the hack is already in place... I just don't see how this is significant. There are tons of software options out there now that allow remote administration. How is this different from any other program that runs in the background listening for incoming traffic?

    User authentication *must* happen at some point, otherwise it wouldn't have access to any of the filesystem (unless someone chmod'd everything to 777, in which case they deserve it, imo)... and if users authenticate a hack, that is not a fault of the OS (no matter windows, linux, or mac).
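As a defender-side illustration of the point raised in comments 8 and 13 above (a process running as the logged-in user holding a listening socket), here is an added Python example that is not from the article, Sophos or the Trojan's author: it parses output in the layout of `lsof -nP -iTCP -sTCP:LISTEN` and flags listeners that are non-root and bound to all interfaces, backed by an executable under /Users, or on an unexpected port. The sample lines, the process name, the path for PID 812 and the expected-port set are all constructed assumptions.

```python
"""Added example (not from the article or Sophos): flag TCP listeners that look
like a user-context RAT, i.e. a non-root process bound to all interfaces from an
executable in a home directory. All sample data below is constructed."""
import re
from typing import Dict, List, NamedTuple

# Constructed lines in the layout printed by `lsof -nP -iTCP -sTCP:LISTEN`
LSOF_SAMPLE = """\
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd      1  root   10u  IPv6 0x1a      0t0  TCP *:22 (LISTEN)
cupsd       99  root    8u  IPv4 0x2b      0t0  TCP 127.0.0.1:631 (LISTEN)
BlackHole  812  alice   5u  IPv4 0x3c      0t0  TCP *:7777 (LISTEN)
"""
# Constructed PID -> executable path map, as `ps -axo pid=,comm=` would give;
# the path for PID 812 is an assumption, not where the real sample installs
PS_SAMPLE: Dict[int, str] = {
    1: "/sbin/launchd",
    99: "/usr/sbin/cupsd",
    812: "/Users/alice/Library/Application Support/.bh/BlackHole",
}
# Ports an unmodified Mac may legitimately expose (assumption for this demo)
EXPECTED_PORTS = {22, 631}

class Listener(NamedTuple):
    command: str
    pid: int
    user: str
    addr: str
    port: int

# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME is addr:port
_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)(?:\s+\S+){5}\s+(\S+):(\d+)\s+\(LISTEN\)")

def parse_lsof(text: str) -> List[Listener]:
    """Parse lsof listener lines, skipping the header and unparsable rows."""
    rows = []
    for line in text.splitlines()[1:]:
        m = _LINE.match(line)
        if m:
            rows.append(Listener(m[1], int(m[2]), m[3], m[4], int(m[5])))
    return rows

def reasons_for(l: Listener, exe_paths: Dict[int, str]) -> List[str]:
    """Return the checks a listener trips; an empty list means nothing odd."""
    reasons = []
    if l.user != "root" and l.addr == "*":
        reasons.append("non-root process bound to all interfaces")
    if exe_paths.get(l.pid, "").startswith("/Users/"):
        reasons.append("executable lives under a user home directory")
    if l.port not in EXPECTED_PORTS:
        reasons.append(f"port {l.port} is not in the expected set")
    return reasons

def flag_listeners(text: str, exe_paths: Dict[int, str]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every listener that trips at least one check."""
    return {l.pid: r for l in parse_lsof(text) if (r := reasons_for(l, exe_paths))}

if __name__ == "__main__":
    for pid, why in flag_listeners(LSOF_SAMPLE, PS_SAMPLE).items():
        print(pid, "; ".join(why))
```

On a real machine, feed it the live output of the two commands named in the comments; the checks only highlight candidates for a closer look, they do not identify malware by themselves.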

  14. Dave · 1139 days ago

    I'm having trouble finding info about the BlackHole RAT you're describing.

    When I google for info, all the links ultimately point back to you.

    Is this a serious issue that Mac users need to be concerned about, or are you promoting your company?

    • Strange. I just tried Googling for it, and the first result I got was this article by respected Mac threats researcher Methusela "Meths" Cebrian Ferrer.
      http://ithreats.net/2011/02/25/rat-blackhole/

      As Meths works for one of our competitors, I don't think your conspiracy theory holds much water!

      But, onto your other point - is this a serious issue? Well, chances are that you won't encounter the BlackHole RAT so I wouldn't lose a huge amount of sleep worrying over it. But there is, generally, a growing problem of Mac malware which you would be unwise to ignore.

  15. zan.felipo · 1137 days ago

    This is not any kind of threat... This not a virus, this not a malware, this is absolutely nothing since it requires to put the administrator password LOOOOOOOOOL !!

    The unix world still is clean of these threats and it will be in the future as well.

  16. Justin Time · 1131 days ago

    Geez guys. It is all about social engineering to get people to do something stupid. It happens a million times a day right now. The ugly truth is Mac OS X users are just as vulnerable and can be "engineered" just like PC users. There should be no joy in seeing others in pain except by the sociopaths who write this virus and trojan software.

  17. blueorange · 995 days ago

    My Norton anti-virus found a trojan horse ("usps invoice") on my Mac OS 10.6.8, marked the files as backdoor.trojan, and quarantined them. There was a reference to my g-mail account so I assume that is where it originated.
    At about the same time, my mail shaw.ca mail account forwarding option was set to "enabled" and mail from that account was being forwarded to a co.uk address. I noticed because I did not receive expected e-mails. My other mail accounts were unaffected.
    I don't know if the two are related but it seems like quite a coincidence.
    I did not have any messages or other evidence that the virus may have been (or is) damage to my files.

  18. TheMeaner · 706 days ago

    I can't stand the idiocy between windows and mac users.

    This is an obvious ploy by sophos.

    The biggest reason Macs aren't targeted for phishing or intrusion is because the users aren't setting up as many big-money corporate networks with them, and because the OSX frame is so restricted.

    Regardless, Mac viruses do exist, but I have serious doubts that an average Mac user would be able to tell the difference with/without a well-written trojan in the system. Malware designers hardly have a jump to the gun with scareware right now. Start fearing for your lives, because all the senior citizens are moving to Macs, which means you MAY get some more attention than you expect.

    Nonetheless, your best bet is to put a stop to all net-side tomfoolery and be a proper chap ;p

    As far as Macs [finally] getting viruses? The statement alone proves that my windows peers are a bit less intelligible about the current-standings of Macs. The problem isn't malware with a Mac, it's the lack of functionality, and the terrible distribution/compilation order. Really, both windows 7 and OSX are pretty close in quality, considering their downfalls.

    Ask a PC user running 5 years with no antivirus anything.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.