DevilRobber Mac OS X Trojan horse spies on you, uses GPU for Bitcoin mining

Filed Under: Apple, Featured, Malware

GraphicConverterYesterday, users of Sophos's security products (including our free anti-virus for Mac home users) had their protection automatically updated to protect against a new Mac OS X Trojan horse that has been distributed via torrent sites such as PirateBay.

Copies of the legitimate Mac OS X image editing app GraphicConverter version 7.4 were uploaded to file-sharing networks. However, they came with an unexpected addition.

Hidden inside the download was a copy of the OSX/Miner-D (also known as 'DevilRobber') Trojan horse.

If your Mac computer was infected by the malware, the first thing you might notice is performance becoming sluggish.

BitcoinThat's because OSX/Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time. GPUs are much better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.

Yes, this Mac malware is stealing computing time as well as data.

In addition to Bitcoin mining, OSX/Miner-D also spies on you by taking screen captures and stealing your usernames and passwords. In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history, and .bash_history.

Curiously, the Trojan also hunts for any files that match "pthc". It's unclear whether this is intended to uncover child abuse material or not (the phrase "pthc" is sometimes used on the internet to refer to pre-teen hardcore pornography).

To complete the assault - if the malware finds the user's Bitcoin wallet it will also steal that.

OSX/Miner-D

Of course, the producers of GraphicConverter have done nothing wrong themselves - they are victims of the criminals who are using their popular software as a trap to infect Mac users who download software from unofficial sources.

It's possible that other apps have also been distributed via torrent sites infected by the malware, or that the cybercriminals will use other methods to distribute their Trojan horse.

Clearly, Mac users - like their Windows cousins - should practice safe computing and only download software from official websites and legitimate download services. But, in addition to that, it's becoming clearer every week that Mac users need to take malware protection more seriously by running anti-virus software.

There may be a lot less malware for Mac OS X than there is for Windows, but many Mac users are making themselves an unnecessarily soft target by imagining that they are somehow magically protected from threats.

There are a number of anti-virus products available for Mac, including Sophos's free version for home users, so there's really no excuse.

, , , , , ,

You might like

18 Responses to DevilRobber Mac OS X Trojan horse spies on you, uses GPU for Bitcoin mining

  1. Redgrave · 1058 days ago

    Oh, thank God, finally!!! I've seen this one, another threat a few days back, it was about time!!! Those fanboys, believing they are protected by a magic circle just because they are using a Mac, will still not believe it anyway.

    • Charlie · 1057 days ago

      I used a PC for 5 years and it was good. I now have been using a Mac for the past 6 years and for the first 5 1/2 years I ran my Mac with no protection. Fortunately, I never did get any infections on my Mac. I now, for the past 2 months am running protection on my Mac because I know it is possible that a Mac can get infected although to a much lesser degree than a PC. I have been running Sophos AV for the Mac and think it is a wonderful program. I have done a few full scans of my Mac and it is clean. I feel much safer with a Mac because there is much less malware for Mac OS X. As for when I had a PC, it was good but I find the quality of Macs to be better than PC's and programs seem to run more smoothly on the Mac. So after 5 years with a PC and 6 years with a Mac, I can honestly say I prefer a Mac.

  2. Paula · 1058 days ago

    "oh my god. Finally,"? So you were waiting for to happen to Mac users. Nice thought. Now that you are happy go and re start your pc that froze again.

  3. Ex2Bot · 1057 days ago

    I'm magically protected from all this nonsense. Thank goodness.

    (Seriously, avoid Trojans by avoiding illegitimate software.)

  4. Danny · 1057 days ago

    Chances are still slim...

    I mean, I am a Windows user with no AV protection and still going strong.

  5. RilesPro · 1056 days ago

    Isn't it convenient that you both sell and promote the usage of anti virus software.

    The prior is the definition of a conflict of interest.

    Why don't you spend time focusing on the benefits of keeping you Mac up to date instead of pitching your product

    • We do put a fair bit of effort in recommending users keep their Macs (and other computers) up-to-date with security patches. Just read our many articles on what you can do for free to reduce the risk of threats on your computers.

      But yes, we both give away a free anti-virus for Mac home users and sell one to businesses. Sorry about that, but if we didn't make money somehow we'd probably not have guys in labs analysing the latest malware threats or answering questions like this on a Sunday night.

    • Alan hat · 1053 days ago

      See https://secure.wikimedia.org/wikipedia/en/wiki/So...
      - this company sells and promotes anti-virus software, I would expect it's website to do the same.
      They have been in the business since 1985, selling and promoting anti-virus software.
      At enterprise level.
      I see no 'conflict' of interest.

      As and additional and free service on this website and others they offer free advice and information (including patches). And free software.

      I appreciate this hugely.

    • I wish people like yourself would be better informed, your comment was wrong on every point and out of order.

      These guys very much promote we keep our macs up to date.

      They give out a free version of home users.

      Their software is excellent and detects threats like this.

      We need to be informed of these threats.

      Think before you speak next time?

  6. chas_m · 1055 days ago

    Dear Redgrave and the other PC fanbois:

    The Mac is still VIRUS-FREE. You just don't seem to get that, do you?

    This is MALWARE, which is quite different. Buy why let facts get in the way of your wishing harm to Apple users simply because they have the good sense to avoid all the security problems and viruses your PoS machines have?

    I appreciate that Sophos and others alert the community to Mac *MALWARE,* and despite their conflict-of-interest I believe they are a credible source of good info (particularly when confirmed by other agencies).

    Contrary to MYTH, Mac users have ALWAYS been on-guard against malware, because it's always been with us (to a far, far lesser extent than with PCs, but still). We just rely on the community and COMMON SENSE more than the PC world.

    If any of you knew the first thing about UNIX, you'd know that it's extremely unlikely that the Mac will EVER get an actual virus. But keep hoping, boys ... maybe one day your pizza-delivery job will pay enough that you can afford a real computer, a Mac, rather than a game-playing time-waster PC ... good luck ...

    • ICU · 1055 days ago

      Unless your reply is neutral, you look just as silly as the "fanbois"...

      Firstly, "Macs" are a type of computer. From the factory, they come with Apples UNIX based OS. The user can install Windows and dual boot, or wipe it completely, and put Windows on by itself. Doing this makes it no less safe than a "PC" (which through magical wizardry can also run Apples OS; it is technically in breach of the EULA, but can be done never the less)

      Contrary to what you may think, Windows users do not get 50 viruses every time they open a web browser. They (generally) happen to be more aware of what's out there, as it directly affects them. You as an individual do not define the mindset of all Mac users. There are power users and noobs on both sides, and common sense is usually much more common to power users.

      Afford a real computer? A PC can be spec'd up to be much more powerful than any Mac. It depends on what it will be used for/who will be using it; I see you're someone who thinks playing games is a waste of time. Well, that's nice to hear. Looks like you've got a computer perfectly suited to you. :)

  7. LookAtTheEvidence · 1055 days ago

    I would have a look at the definition of 'Malware' before you start trolling. It's a generic term that covers all harmful programs including trojans, worms, viruses, spyware, rootkits. Also how is it a "conflict of interest". They create security products, in your case for free, and are using this discovery to highlight potential dangers that you will not be affected by.

    What would you define the "Virus.MacOS.Code1" infection as then if it isn't a virus.

    "Virus.MacOS.Code1 is a destructive virus which infects Mac OS classic system files and applications. This virus has known payload which renames the user's infected hard drive to Trent Saburo on the 31st of October of every year."

    I'd check your facts whilst working on that magical, invincible, mystery machine of yours.

    Oh and nice use of Caps Lock.

    • henrybowman · 1048 days ago

      Wow… you have to reach over a decade back to the "Classic" system the Mac used, prior to the Unix-based OS X, to bring up an example of a Mac virus? You couldn't find a true virus more recent than that, one that actually infected OS X? Thanks for pwning your own argument for us.

  8. Logan Schlife · 1054 days ago

    Does Apple's XProtect at least provide some mitigation for Tsunami and DevilRobber? Is it able to detect these malware??

    Please respond.

  9. Logan Schlife · 1054 days ago

    I think in the future, you should also provide the MD-5 hash info when reporting on a new malware. Also PLEASE provide a note if XProtect does or does NOT flag the malware.

    This would be very helpful in the future.

    Thank you.

  10. oliver · 885 days ago

    most apple products sell because people "want it", not because they need it.
    how many of "you" bought one because they could'nt do their job without it?? if maybe 5 out of 100.

    my father was never interested in computer/technology that much, but when he saw an all-in-one mac, decided to get one: got "training" from a very good friend (apple fan) on how to use it, and needed me sitting next to him every time he wanted to use it.
    sold it after 2y and bought him a laptop with windows.
    after explaining things 4-5 times he now uses it almost every day for internet/printing (and even without me)...

    apple sells the cheapest hardware for the highest price.
    windows runs longer on most macs than OSX (on battery).
    doesnt leave much for apple users to rant about i guess, so "you" concentrate on "define virus"...

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.