It appears there is a new backdoor Trojan in town and it targets users of Mac OS X. As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple’s increasing market share.
SophosLabs analyzed the sample we received and determined that it is a variant of a well-known Remote Access Trojan (RAT) for Windows known as darkComet.
The author of the Trojan refers to it as the ‘BlackHole RAT’, as you can see from the screenshots, but Sophos calls it OSX/MusMinim-A, or ‘MusMinim’ for short.
Note: The author of DarkComet RAT has contacted Naked Security denying this relationship, admitting his own OS X RAT is in development.
The name ‘Black Hole’ is already used by a legitimate application which actually aims to increase security on your Mac by helping you get rid of potentially sensitive information such as recently-used file lists, data left in the clipboard, and more.
MusMinim is very basic and there appears to be a mix of German and English in the user interface. Its functions include:
* Placing text files on the desktop
* Sending a restart, shutdown or sleep command
* Running arbitrary shell commands
* Placing a full screen window with a message that only allows you to click reboot
* Sending URLs to the client to open a website
* Popping up a fake “Administrator Password” window to phish the target
Here is an excerpt from the default text that is displayed in the full screen window with the reboot button:
"I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected!
I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it.
So, Im a very new Virus, under Development, so there will be much more functions when im finished."
SophosLabs has published protection for our customers as OSX/MusMinim-A. Trojans like this are frequently distributed through pirated software downloads, torrent sites, or anywhere else you might download an application that you expect to have to install.
It could also be dropped by a vulnerability in your browser, plugins and other applications. Patching is an important part of protection on all platforms.
Fortunately our products can detect and remove Trojans like this, and for home use they’re free! If you would like to install Sophos Anti-Virus for Mac Home Edition, click on the banner below.
Below you’ll see a slideshow of the Trojan in action:
I would like to thank Mike Shannon at SophosLabs Canada for help analyzing this threat, and Meths at http://ithreats.net.
Note: Blackhole RAT is not in any way related to the Black Hole software on www.irradiated.net.
37 comments on “Mac OS X backdoor Trojan, now in beta?”
Hmmm. Sophos trying to get their tithe from Mac users?
At $0, the free version of Sophos Anti-Virus for Mac is a pretty lightweight tithe.
(Technically, it can't be a tithe, as a tithe is a tenth part, from the Old English word for tenth. Unless you're suggesting that Mac users are worthless, since a 10% share of zero is zero. As a Mac user myself, I hope that is _not_ what you meant 🙂
I did respond but the comment wasn't approved.
But just to explain your comment I meant:
"Pay or give as a tithe:
Historical subject to a tax of one tenth of income or produce for the support of the church and clergy"
The emphasis being on the repeated payment not on the amount.
Your cynicism is noted.
Except that there are no repeated payments and the initial amount is $0.
The emphasis being on the absence of repeated payments and on the amount.
Here's the thing Paul.
Why is Sophos talking up something which is in Beta? How do they know this? Really? Seems pretty dumb for a so-called hacker to contact Sophos.
"Note: The author of DarkComet RAT has contacted Naked Security denying this relationship, admitting his own OS X RAT is in development."
Why don't you just hand him over to the relevant authorities. That is what you are supposed to do to hackers, yes?
This may be currently priced at $0.00 — but not "free" at all, as anyone can tell the price from their end user license agreement, which states:
7. Remote communication and optional data sharing
7.1 You acknowledge and agree that we may and the Licensed Product may, directly and remotely communicate with your computer for the purposes of, without limitation, verifying your credentials, issuing reports and alerts.
7.2 If you choose to allow sharing of supplementary data with us, you will need to implement optional functions which allow the Licensed Product to provide us with various data. While we do not intend that such data will include confidential information or information that identifies individual persons, such data may be included. Please notify us if you have any cause to believe that data may include reference to confidential information or information regarding individuals.
11. Use of your information
11.1 We may use information you provide to us for the following purposes:
11.1.1 to send emails to you to provide information and goods and services to you and to let you know about other goods and services which we think may be of interest to you;
11.1.2 to pass your information to other companies within our group of companies;
11.2 If you do not wish us to use your information as set out in this Clause, please contact us at any time by using the contact details at the end of this End-User License Agreement.
11.3 We confirm that we will process personal information in accordance with the provisions of the Data Protection Act 1998.
Since you haven't tried the product (and it sounds as though you aren't going to :-), note that the download process for the free Mac product _has no registration or signup process at all_.
So we don't even ask you to provide a name and email address (not even a bogus or throwaway one).
Why would a malware announce themselves and tell the user that they are infected? Can't the user just uninstall it to add/remove? It looks similar to most clients used by tech folks.
The reason that the user can't do anything about it is because once installed the Trojan takes over your computer and erases itself, so to speak, to where it is still on your computer but the computer's AI is numbed to not detect it.
THE Era of Mac viruses is just Ahead !
Good Luck Mac’cers !
I've been hearing that "promise" for a quarter of a century…."just around the corner, here it comes, next time it will, just wait"….meanwhile my organization and I have been reaping the many TCO and ROI benefits of a Mac environment for all that time.
Perhaps you should wait until that mythical day when Macs become widely infected like Windows has for the last 25 years, then start crowing. Until then, you'll likely be eating it instead. 🙂
Hackers and thieves will always follow the path of least resistance and the path that provides the most potential profit. That means they will get more results attacking lots of softer targets. Has anyone else noticed how popular apple are becoming…. Has anyone noticed how so many apple users don't think they need any protection from malware…..
Sophos are a good AV product and invest time into research on Apple malware. So if they have a free product it's hard to say no. Paying for an enterprise version may or may not be appropriate depending on how you are set for DR should the "impossible" happen and malware infect your business. Clearly there is a lot less malware for Apple than Windows but that won't help you when your Apple gets infected. It's a great idea to use Apple and reduce your vulnerabilities but don't confuse reduce with remove. Why wait until the mythical day you speak of? Simply reduce risk where you can.
Smug typical Mac-addict response – everyone knows Windows is virus-central but most choose to do so anyway because of the freedom! As a dual-user I realised pretty quickly there are benefits and detractions for both.. But I use PC predominantly due to CHOICE.
I suppose the big deal about the increasing likelihood of Mac-attacks is that all the Mac-users who take it for granted they are secure aren't really secure. At least with my PC I expect to be attacked and am always on guard – it's worth the sacrifice for the enhanced software availabilities and cheap update of parts. I'd be pretty disappointed if I forked out for a Mac and it was caned by the very thing it touts it's invulnerable to..
That being said, I don't get a day off system maintenance with the three PCs I've owned in the last few years, yet the Mac just keeps on running, year after year after year, without security issues. That's much better value!
Is it universal or Intel only?
Judging from the quality of the software, it's /most/ likely Intel only, but I dare to conjecture that this is possible with PPC too. You just have to find another 13 year old German kid with an insecure grasp of English to do it for you.
Seriously, "Finder is requesting you Administrator Password"? Seeing as this is basically automated social engineering, the guy who made this could at least have proofread his most important bit of text.
Don't tell him! I use a Mac and my major means of detecting threats are spelling and grammar.
"Finder requires you Administrator password."
Nothing suspicious here!
Are Sophos AV in Mac Store, or not yet?
Unfortunately Apple's restrictions on not allowing kernel extensions and not being able to write programs to the file path prevent a true on-access anti-virus scanner from being on the App Store. If they were to make an exception or change their policies I imagine we would put the free version of SAV on the App Store.
I assume that this restriction does also prevent a number of malware attack vectors.
Yes! It certainly helps, but is not nearly enough to provide comprehensive protection. You have to strike a balance between security and convenience and I do not think the scales in Cupertino are in balance at the moment.
There being a lack of Mac malware in the wild, I'll wait to see how the scales fall, as "unbalanced" as they might be.
In the 'Finder password-request' dialogue what info is shown up by expanding 'details'?
That's always the first port of call for a user when investigating a suspicious request like this, but you haven't specified what it states 😉
Also, if you have Little Snitch installed it should automatically block any outgoing traffic from newly-installed software by default allowing time to inspect it further.
It is already expanded in the screenshot, so a cautious user may notice that something is a bit odd (if the grammar being wrong wasn't a tip-off).
Is this another OSX malware that needs to be first executed with admin privs?
No, it will run in the context of the currently logged in user. This limits it to altering/copying data from that user's home directory, but if the user provides his password to the fake privilege-escalation dialog it would allow the attacker to gain root access through the remote shell feature.
Hey buddy, would you like a free TV?
– I sure would.
Well just give me the keys to your house, let me have your address and I'll bring it straight round, I'll even set it up for you.
– Gee that'd be swell, here are my keys, I'll write down my address for you. I'm real looking forward to checking out my new TV when I get home! Thanks very much.
– Yeah buddy, your new TV is gonna be real fine.
Welcome to the club, Mac users. The Club of Justifiably Paranoid Computer Users. Maybe one of you can invent a cute new name for the club. I'm just a regular PC user, so that cannot be expected of me.
HA HA HA! This is all such a bunch of crap. One of these "viruses" comes around for the mac about once every year to year and a half, and all the PCers go jumping up and down and laugh about how the Mac users are finally going to be in the same boat as they are… and then it goes away. Anyway, no where in this does it say HOW this crap would be installed to your Mac. It certainly can't be a self executable file, because those don't work on the Mac. The user HAS to install the thing, and Apple does a very good job of figuring out what might be coming and secures the OS for it anyway. I'll be sure to copy and paste this article in a year and a half.
Malware vaporware? C'mon, guys, this is not even a trojan, as it has no delivery system. Get your facts right and people might start caring.
I haven’t yet found (and would be very interested to know) how this gets onto the mac in the first place. The video I saw shows BlackHole already listening on port 7777 which makes this “virus” completely unremarkable to me. All we see is what can be done once the hack is already in place… I just don’t see how this is significant. There are tons of software options out there now that allow remote administration. How is this different from any other program that runs in the background listening for incoming traffic?
User authentication *must* happen at some point, otherwise it wouldn’t have access to any of the filesystem (unless someone chmod’d everything to 777, in which case they deserve it, imo)… and if users authenticate a hack, that is not a fault of the OS (no matter windows, linux, or mac).
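The comment above makes the practical defender's point: a RAT of this kind is just a background process with an open listening socket, so the cheapest check is an audit of what is listening and who owns it. The script below is an added example, not code from the article or from Sophos; it parses output in the shape of `lsof -i -P -n` (the sample text is constructed, not captured from a real machine, and the process name, PIDs and device numbers in it are made up) and flags TCP listeners that are not in an assumed per-host allowlist, sorting non-root processes bound to all interfaces to the top since those are the least explicable.

```python
"""
Audit TCP listeners from `lsof -i -P -n` style output and flag any that
are not on a known-good allowlist.  Added example; the sample output and
the allowlist are constructed assumptions, not data from the article.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in the shape of `lsof -i -P -n` output.  The last line
# imitates an unexpected user-level process listening on port 7777, the
# port mentioned in the comment above; the name "unknownapp" is made up.
SAMPLE_LSOF = """\
COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1   root   10u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
cupsd        88   root    6u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:631 (LISTEN)
Safari      412  alice   20u  IPv4 0x5e6f      0t0  TCP 10.0.0.5:49212->93.184.216.34:443 (ESTABLISHED)
unknownapp  519  alice    3u  IPv4 0x7a8b      0t0  TCP *:7777 (LISTEN)
"""

# Assumed baseline of (command, port) pairs that are expected to listen on
# this host; a real deployment would generate this from a clean machine.
KNOWN_LISTENERS: Set[Tuple[str, int]] = {("launchd", 22), ("cupsd", 631)}

# Matches only sockets in LISTEN state; established connections are skipped.
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?"
    r"TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    address: str   # bound address; "*" means every interface
    port: int


def parse_listeners(lsof_output: str) -> List[Listener]:
    """Return every TCP socket in LISTEN state found in the lsof output."""
    found = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append(Listener(m["cmd"], int(m["pid"]), m["user"],
                                  m["addr"], int(m["port"])))
    return found


def unexpected_listeners(lsof_output: str,
                         known: Set[Tuple[str, int]] = KNOWN_LISTENERS) -> List[Listener]:
    """Listeners absent from the allowlist, most suspicious first:
    non-root processes bound to all interfaces sort before the rest."""
    flagged = [l for l in parse_listeners(lsof_output)
               if (l.command, l.port) not in known]
    return sorted(flagged, key=lambda l: (l.user == "root", l.address != "*"))


def live_lsof_output() -> str:
    """Run lsof on the current host (macOS/Linux); '' if lsof is missing."""
    try:
        return subprocess.run(["lsof", "-i", "-P", "-n"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Swap SAMPLE_LSOF for live_lsof_output() to audit the real machine.
    for l in unexpected_listeners(SAMPLE_LSOF):
        print(f"{l.command} (pid {l.pid}, user {l.user}) "
              f"listening on {l.address}:{l.port}")
```

Against the constructed sample this reports only the made-up user-level process on `*:7777`; the point is that the check is independent of any particular malware name, which matters because a listener that was installed by the user, as the comment notes, looks exactly like any other remote-administration tool until you ask whether you expected it to be there.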
I'm having trouble finding info about the BlackHole RAT you're describing.
When I google for info, all the links ultimately point back to you.
Is this a serious issue that Mac users need to be concerned about, or are you promoting your company?
Strange. I just tried Googling for it, and the first result I got was this article by respected Mac threats researcher Methusela "Meths" Cebrian Ferrer.
As Meths works for one of our competitors, I don't think your conspiracy theory holds much water!
But, onto your other point – is this a serious issue? Well, chances are that you won't encounter the BlackHole RAT so I wouldn't lose a huge amount of sleep worrying over it. But there is, generally, a growing problem of Mac malware which you would be unwise to ignore.
This is not any kind of threat… This not a virus, this not a malware, this is absolutely nothing since it requires to put the administrator password LOOOOOOOOOL !!
The unix world still is clean of these threats and it will be in the future as well.
Geez guys. It is all about social engineering to get people to do something stupid. It happens a million times a day right now. The ugly truth is Mac OS X users are just as vulnerable and can be "engineered" just like PC users. There should be no joy in seeing others in pain except by the sociopaths who write this virus and trojan software.
My Norton anti-virus found a trojan horse ("usps invoice") on my Mac OS 10.6.8, marked the files as backdoor.trojan, and quarantined them. There was a reference to my g-mail account so I assume that is where it originated.
At about the same time, my mail shaw.ca mail account forwarding option was set to "enabled" and mail from that account was being forwarded to a co.uk address. I noticed because I did not receive expected e-mails. My other mail accounts were unaffected.
I don't know if the two are related but it seems like quite a coincidence.
I did not have any messages or other evidence that the virus may have been (or is) damage to my files.
I can't stand the idiocy between windows and mac users.
This is an obvious ploy by sophos.
The biggest reason Macs aren't targeted for phishing or intrusion is because the users aren't setting up as many big-money corporate networks with them, and because the OSX frame is so restricted.
Regardless, Mac viruses do exist, but I have serious doubts that an average Mac user would be able to tell the difference with/without a well-written trojan in the system. Malware designers hardly have a jump to the gun with scareware right now. Start fearing for your lives, because all the senior citizens are moving to Macs, which means you MAY get some more attention than you expect.
Nonetheless, your best bet is to put a stop to all net-side tomfoolery and be a proper chap ;p
As far as Macs [finally] getting viruses? The statement alone proves that my windows peers are a bit less intelligible about the current-standings of Macs. The problem isn't malware with a Mac, it's the lack of functionality, and the terrible distribution/compilation order. Really, both windows 7 and OSX are pretty close in quality, considering their downfalls.
Ask a PC user running 5 years with no antivirus anything.