
Mac OS X backdoor Trojan, now in beta? - ggordan
http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/
======
ajg1977
It never ceases to amaze me how virus/malware/phishing authors blow holes in
their efforts by failing to correctly reproduce simple sentences.

"Finder Requires You Administrator Password"

Really? You couldn't do a 30 second web search to find the correct phrase? On
a different note, Vista/Win7's way of darkening the entire desktop when asking
for an admin password, which is difficult if not impossible to emulate, is a
very clever technique.

~~~
X-Istence
Not only that, but the Details arrow is pointing down, which indicates that
there is more information available at the bottom that describes the program
that is requesting the information.

The entire window is off.

------
timtadh
Posts like this annoy me. It only gives details about the symptoms of the
virus and gives zero details of the infection vector. What does this virus
exploit? How does it take control of the computer? Is it a rootkit? Does it
have a C&C server associated with it allowing it to become a botnet?

It is especially frustrating because although I am not a Mac user I like to
keep up to date on threats against the Mac platform since exploits on the Mac
are easier to port to other *nixes. Does anyone have actual details on this
trojan?

~~~
awakeasleep
Did the article give you the distinct impression this is only a GUI to ssh
meant to amuse kids?

Everything mentioned in the article can be accomplished with ssh and the
osascript command. The only interesting part of this software would be the
rootkit used to hide it from an admin.

~~~
hackermom
What rootkit? This is OS X, not Windows. You can't hide processes here the
same way, or even to the same extent, you can under ntoskrnl.

~~~
X-Istence
Sure you can. If you have root access to Mac OS X and can thus load stuff into
the kernel you can easily disguise applications that are running by modifying
the process tables, or replacing the ps binary by one that does filtering.

Look at some of the BSD rootkits for inspiration on how to accomplish a task
like that.
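The standard defensive answer to a filtered `ps` or an edited process table is a cross-view check: enumerate processes through two independent interfaces and flag anything one view reports that the other does not. The script below is an added example, not code from the thread or from any of the commenters. The `ps -axo pid=,comm=` invocation is real, but the sample `ps` output and the "kernel view" dictionary are constructed for illustration; on macOS the second live view would come from `sysctl kern.proc.all` (not implemented here), while the Linux `/proc` reader is included so the live path can be exercised on a Linux host.

```python
"""Cross-view detection of processes hidden from ps.

Added example (not from the HN thread). A userland rootkit that swaps in a
filtering `ps`, or a kernel one that edits the table one interface reads,
produces a PID that exists in one enumeration but not the other. The two
sample views below are constructed data, not output from a real host.
"""
import os
import re
import subprocess
from typing import Dict, Set, Tuple

# Constructed sample of `ps -axo pid=,comm=` output (no header, PID then command).
SAMPLE_PS_OUTPUT = """\
    1 /sbin/launchd
   45 /usr/libexec/UserEventAgent
  120 /usr/sbin/syslogd
  301 /Applications/Safari.app/Contents/MacOS/Safari
"""

# Constructed second view, as a kernel-level enumeration would return it.
# PID 302 is present here but absent from the ps view above: that gap is
# exactly the signal a cross-view check is built to surface.
SAMPLE_KERNEL_VIEW: Dict[int, str] = {
    1: "/sbin/launchd",
    45: "/usr/libexec/UserEventAgent",
    120: "/usr/sbin/syslogd",
    301: "/Applications/Safari.app/Contents/MacOS/Safari",
    302: "/Users/example/.hidden/agent",  # constructed placeholder path
}

# One ps line: leading spaces, numeric pid, whitespace, command (may contain spaces).
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_ps(output: str) -> Dict[int, str]:
    """Parse `ps -axo pid=,comm=` text into a {pid: command} mapping."""
    procs: Dict[int, str] = {}
    for line in output.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def cross_view_diff(ps_view: Dict[int, str],
                    kernel_view: Dict[int, str]) -> Tuple[Set[int], Set[int]]:
    """Return (pids only the kernel view has, pids only ps has).

    The first set is the interesting one. The second is usually a race
    (a process that exited between the two snapshots); repeat the check
    and only trust PIDs that are missing consistently.
    """
    ps_pids, kernel_pids = set(ps_view), set(kernel_view)
    return kernel_pids - ps_pids, ps_pids - kernel_pids


def hidden_from_ps(ps_view: Dict[int, str],
                   kernel_view: Dict[int, str]) -> Dict[int, str]:
    """Processes the kernel view knows about that ps did not report."""
    missing, _ = cross_view_diff(ps_view, kernel_view)
    return {pid: kernel_view[pid] for pid in sorted(missing)}


def live_ps_view() -> Dict[int, str]:
    """First live view: whatever the installed ps binary chooses to print."""
    out = subprocess.run(["ps", "-axo", "pid=,comm="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


def live_proc_view() -> Dict[int, str]:
    """Second live view on Linux: walk /proc without going through ps.

    On macOS there is no /proc; the equivalent is sysctl kern.proc.all,
    which this example does not implement (assumption noted in the lead-in).
    """
    procs: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm", encoding="utf-8") as fh:
                procs[int(name)] = fh.read().strip()
        except OSError:
            continue  # process vanished or is unreadable; not a hiding signal
    return procs


if __name__ == "__main__":
    # Run against the constructed samples so the output is deterministic.
    for pid, cmd in hidden_from_ps(parse_ps(SAMPLE_PS_OUTPUT), SAMPLE_KERNEL_VIEW).items():
        print(f"pid {pid} ({cmd}) is in the kernel view but not in ps output")
```

On a live host, call `hidden_from_ps(live_ps_view(), live_proc_view())` (Linux) and run it more than once; a PID that is absent from `ps` on every pass, while the independent view keeps reporting it, is worth investigating, whereas a one-off difference is almost always a process that started or exited between the two snapshots.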

------
Groxx
I honestly wonder if the security companies are making crap like this in an
attempt to get OSX users into the virus-fear market. Trojans are
incomprehensibly simple things to write, but whenever one comes up for a Mac
security companies go absolutely nuts and try to sell you something to get rid
of it.

Wake me when there's a worm with rights escalation that installs itself
without my approval or notice. As long as you have to put in your password and
run their application, I'm safe, and it's hardly a virus so much as mere
malware. Everything you need for malware has been around forever, and is
already on your system: rm -rf *

edit: ran it and experimented. The only interesting thing about this is the
password pop-up window, which looks fake and has a non-functioning abort
button (!). I'm guessing it somehow resists focus while looking like it's
focused and handling input, because it always looks like it's coming from the
application you last had active. _That_ is clever and an attack vector, the
rest of this is child's play.

------
sorbus
"Fortunately our products can detect and remove Trojans like this, and for
home use they're free! If you would like to install Sophos Anti-Virus for Mac
Home Edition, click on the banner below."

Hmm.

------
DougBTX
It would make perfect sense for Sophos to develop software like this. As long
as they don't get caught.

------
uxp
I found the original source of the malware release. If anyone wants to look at
it, Googling for "Blackhole RAT" and visiting the result titled "Blackhole Rat
Problem" will return the same result I found. You'll have to change your
UserAgent string to GoogleBot or similar because it is a registered forum.

------
badwetter
But, but just ask a MacOS fanboi, they don't suffer from trojans/malware! So
this must be a mistake </sarcasm>

