Skip navigation

NEW APPLE TROJAN DISCOVERED

933 Views 4 Replies Latest reply: Nov 4, 2011 10:02 PM by MadMacs0 RSS
angus cooney Calculating status...
Currently Being Moderated
Oct 31, 2011 6:19 PM

A newly identified Mac OS X Trojan bundles a component that leverages the processing power of video cards (GPUs) to generate Bitcoins, a popular type of virtual currency.

The new Trojan was dubbed DevilRobber by antivirus vendors and is being distributed together with several software applications via BitTorrent sites.

“This malware is complex, and performs many operations,” security researchers from Mac antivirus vendor Intego warned. “It is a combination of several types of malware: It is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers,” they explained.

The Bitcoin mining program that DevilRobber installs on infected computers is called DiabloMiner and is a legitimate Java-based application used in the virtual currency’s production.

Bitcoin is a form of virtual cash that can be exchanged by users without the need for an intermediary bank or payment service. Bitcoins are actually cryptographic hashes that get generated piece by piece using specialized programs like DiabloMiner, according to a public algorithm.

One Bitcoin is currently valued at around $3.20, and it is a good source of profit for both Bitcoin miners, who legitimately use their computer resources to generate them, and cybercriminals who steal them.

The DevilRobber trojan steals processing power, which can lead to slow computer performance, as well as actual Bitcoins, which are kept in virtual wallets on the victim’s machine.

  • MadMacs0 Level 4 Level 4 (3,330 points)
    Currently Being Moderated
    Nov 3, 2011 2:29 PM (in response to angus cooney)

    Credit ProtectMac with this description:

    ***************************************************************************

    New Mac OS X Trojan distributed via BitTorrent file-sharing sites

    A new Mac OS X Trojan has been discovered on BitTorrent sites. The threat, dubbed OSX.DevilRobber or OSX.Miner, has appeared within legitimate copies of GraphicConverter v7.4, Flux v3.2.5 and CorelPainter v12, which the virus writer has modified and posted on the file-sharing websites. The Trojan is installed on your computer when the parent application’s installer is run.

    The threat appears to be quite sophisticated, adopting a multi-pronged approach to harvesting personal details from your computer, including stored information from encryption software and Safari, and sends this to a remote server. In addition, the Trojan utilizes your Graphics processor (GPU) to perform calculations required to undertake bitcoin mining, hence the name. If it discovers a bitcoin wallet it will save that, too.


    If your Mac becomes infected by this Trojan then the first thing you may notice is a sluggishness as it performs the bitcoin permutations required for ‘mining’. Check for the presence of a folder in your login user area called ~/Library/mdsa1331/ and a launch agent file in ~/Library/LaunchAgents/ that looks unfamiliar. The current version of the trojan creates a startup file, which at first glance appears to have come from Apple, com.apple.legion.plist.

    Interestingly, the Trojan script exits if it detects that LittleSnitch, a network analyzing tool, is installed on your Mac. Presumably this is because it will highlight network traffic and raise awareness of the Trojan’s presence in the wild.


    As always, we advise extreme caution when downloading software from file-sharing websites as you don’t always get what you expect. Unfortunately in this case you get a lot more than you bargained for!

    ProtectMac AntiVirus detects this new Trojan as OSX.DevilRobber.

    *****************************************************************************

    Participants in this forum discussion appear to have been infected by a different version.

  • Csound1 Level 7 Level 7 (32,385 points)
    Currently Being Moderated
    Nov 3, 2011 2:30 PM (in response to angus cooney)

    Stay away from BitTorrents then.

  • Allan Eckert Level 8 Level 8 (39,450 points)
    Currently Being Moderated
    Nov 3, 2011 2:33 PM (in response to Csound1)

    Love those simple solutions.

     

    Allan

  • MadMacs0 Level 4 Level 4 (3,330 points)
    Currently Being Moderated
    Nov 4, 2011 10:02 PM (in response to angus cooney)

    Some additional details from F-Secure about the first three versions.

     

    WebLog: Backdoor:OSX/DevilRobber.A

     

    Virus Description: Backdoor:OSX/DevilRobber.A

Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.