Risk
2/27/2011
11:32 AM
George V. Hulme
George V. Hulme
Commentary
50%
50%

New Mac OS X Backdoor Trojan Surfaces

Researchers at anti-virus firm Sophos say they've identified a new Trojan designed to infect Mac OS X users.

Researchers at anti-virus firm Sophos say they've identified a new Trojan designed to infect Mac OS X users.Perhaps it was only a matter of time, considering the success of the Apple brand and the growing marketshare of OS X, that malware created to explicitly target OS X would surface.

The Trojan has been named the Blackhole RAT (for Remote Access Trojan), and according to Sophos researchers, the backdoor is not yet completely written. However, their analysis shows that it's a revise of a common Windows RAT, known as darkComet.

According to Sophos:

The Mac OS X version is very basic and there appears to be a mix of German and English in the user interface. Its functions include: * Placing text files on the desktop * Sending a restart, shutdown or sleep command * Running arbitrary shell commands * Placing a full screen window with a message that only allows you to click reboot * Sending URLs to the client to open a website * Popping up a fake "Administrator Password" window to phish the target

The author has also included a welcome note within the Trojan:

"I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected! I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it. So, Im a very new Virus, under Development, so there will be much more functions when im finished."

While such Trojans don't spread like worms or viruses, they can easily infect users through vulnerabilities within their browser and tainted applications and files.

For my information security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

CVE-2015-1951
Published: 2015-07-01
IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX001, and 7.6.0 before 7.6.0.0 IFIX005 does not prevent caching of HTTPS responses, which allows physically proximate attackers to obtain sensitive local-cache information by leveraging an unattended workstation.

CVE-2015-1967
Published: 2015-07-01
MQ Explorer in IBM WebSphere MQ before 8.0.0.3 does not recognize the absence of the compatibility-mode option, which allows remote attackers to obtain sensitive information by sniffing the network for a session in which TLS is not used.

CVE-2014-9734
Published: 2015-06-30
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.

CVE-2014-9735
Published: 2015-06-30
The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for Wordpress does not properly restrict access to administrator AJAX functionality, which allows remote attackers to (1) upload and execute arbitrary files via an update_plugin a...

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report