Posts tagged: Mac OS Trojan

Oct 28 2011

Tsunami – Backdoor Trojan for Mac OS X Discovered

OSX/Tsunami.A, an IRC controlled backdoor Trojan for Mac OS X, has been discovered that enables the infected machine to become a bot for Distributed Denial of Service (DDoS) attacks.

The analyzed sample contains a hardcoded list of IRC servers and channel that it attempts to connect to. This client then listens and interprets commands from the channel. The list of accepted commands can be seen in the following comment block from the C source code of the Linux variant.

Linux Tsunami

In addition to enabling DDoS attacks, the backdoor can enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the ability to essentially take control of the affected machine.

In terms of functionality, the Mac variant of the backdoor is similar to its older Linux brother, with only the IRC server, channel and password changed and the greatest difference being that it’s a 64-bit Mach-O binary instead of an ELF binary.

Feb 27 2011

BlackHole RAT Beta – Mac OS X Trojan Horse

BlackHole is a variant of a well-known Remote Access Trojan (RAT) for Windows known as darkComet.
BlackHole RAT Client

“Hello, Im the BlackHole Remote Administration Tool.
I am a Trojan Horse, so i have infected your Mac Computer.
I know, most people think Macs can’t be infected, but look, you ARE Infected!
I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it.
So, Im a very new Virus, under Development, so there will be much more functions when im finished.
But for now, it’s okay what I can do?”

This message, displayed in the full screen window with the reboot button blocks user’s screen.

As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple’s increasing market share.

Functions :

  • Remote execution of shell commands.
  • Opens URL using victim’s default browser.
  • Sends a message which is displayed on the victims screen.
  • Creates a text file.
  • Perform shutdown, restart and sleep operation.
  • Popping up a fake “Administrator Password” window to phish the target.

Video Demonstration :