New OS X trojan horse sends screenshots, files to remote servers

“These days when people think of malware and OS X the first name that comes to mind is likely MacDefender or one of its variants, which were rogue utilities designed to trick users into giving up personal and financial information,” Topher Kessler reports for CNET.

“Recently a new trojan horse attempt for OS X has surfaced that tries to steal users’ personal information,” Kessler reports. “The malware was first seen in late July of this year, and has been identified by security firms F-Secure and Sophos as ‘trojan dropper’ and ‘backdoor’ utilities that both work in tandem to install on the system.”

Kessler reports, “When the backdoor is installed, it will set up a launch agent on the system that is used to continually keep the malware active on the system. It will then connect to a remote server and send the system’s current username and MAC address to the server, after which the server will instruct it to either archive files and upload them, or take screenshots and upload them to the server.”

“According to F-Secure, the malware does not appear to work very well (if at all) at this time since it does not receive instructions from the remote server, but the malware may still be capable of performing its malicious activities,” Kessler reports. “Currently the server seems to be a crude Apache implementation that is likely in a testing phase, but has the potential to be active and properly interact with the malware.”

Read more, including how you you can check for the presence of this trojan horse on your Mac, in the full article here.

F-Secure reports:

Trojan-Dropper:OSX/Revir.A drops a PDF file in the /tmp folder, then opens it to distract the user from noticing any other activity occurring.

The PDF file contains Chinese-language text related to political issues, which some users may find offensive.

The PDF file will actually use the same name as the trojan-dropper’s binary file, which is usually saved to the /Users/%user%/Downloads or /User/%user%/Documents folders.

In the background, the malware will drop and execute the following downloader component (detected as Trojan-Downloader:OSX/Revir.A):

This file downloads and executes a file from the following remote location:

h t t p://[…]
The downloaded file is also saved as:

As of this writing, the downloaded file is detected as Backdoor:OSX/Imuler.A. Our Browsing Protection blocks the download server hosting the file.

More info here.

MacDailyNews Take: Here’s our usual oft-repeated reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs, should not be surprised to find their Macs are compromised.

Related articles:
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Apple malware: 6 years of crying wolf – May 6, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011
Sophos details new Mac OS X Trojan – February 28, 2011
Warning: Mac users beware of yet another trojan masquerading as video codec – June 11, 2009
CNN blows it; gets all worked up about a Mac Trojan that isn’t the first nor is it the last – April 23, 2009
Mac trojan expands to affect pirated versions of Photoshop CS4 – January 26, 2009
Intego: Mac trojan horse found in pirated Apple iWork ‘09 – January 22, 2009
New Mac OS X Trojan horse identified – June 23, 2008
Mac OS X Scareware trojan ‘MacSweep from Imunizator’ tries to scam Mac users – March 29, 2008
Mac trojan makers churn out slightly modified versions to evade anti-malware detection – November 08, 2007
Mac DNS Changer Trojan [OSX/Puper] relatively simple; works like the Windows version – November 01, 2007
New Mac OS X Trojan warning – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004


    1. This variant yes.

      It will have to become 1,000,000 times worst than this before I’ll run antivirus on my mac.

      god coming from the PC side that is one of the things I love the most right now… I don’t run any anti-anything software and OS X has never thrown up an annoying “Your computer needs to be scanned” dialog. Absolutely love it.

      1. Actually this has happened to me in the distant past. I threw the message a bone and agreed to the scan. It promptly displayed a progress bar and after about 20 seconds, the program indicated that I had in fact, not two, but three virus’. It also recommended to remove these threats to my system and kindly displayed the down load link and purchase price for the solutions. But to my dismay, I was stuck without the cure. Since it said my XP OperatIng System was comprised. Sadly I was Using Mac OS X and did not feel ike installIng XP to fix it. Bummer.

        1. LOL.

          Thats what I love with using Windows Virtualized on OS X. I haven’t had malware hit my windows install, but if it does I’m just going to roll back to a snapshot vs. trying to remove whatever garbage found its way onto the thing.

  1. MDN’s take: No OS can protect users from themselves

    Actually, Windows 8 is trying to protect itself from users. The new hardware EFI spec allows Win8 to include boot code on the motherboard to not allow any other OS to be installed. Apparetly, Win 8 is a trojan, too!

    1. Actually, in many ways, Apple’s own iOS does (at least partially) protect users from themselves. You can only install apps from the App Store. Much harder to install a Trojan – you have to hack your own system.
      Of course, it doesn’t completely protect you from phishing.

  2. Most malware these days wants to call OUT from your computer across the Internet to bad guys. The simple way to stop this behavior dead in its tracks it to use what I call a ‘Reverse Firewall’. It stops ALL applications from calling out to the Internet without your explicit approval.

    My choice for years has been the most excellent Little Snitch program. There is also a decent reverse firewall in the current version of Intego’s most excellent VirusBarrier suite.

    Of course, if you are in charge of a computer or local network with several users you know are prone to be ‘LUSERS’ (IOW they download and install anything), give them ONLY Standard user accounts and NEVER give them the administrative password under any circumstances. Require them to ask YOU if they can install ANYTHING, then YOU do it.

    It has been estimated from testing that there are currently well over 10,000 botted Macs on the Internet acting as slaves to money generating bot wranglers. All of of these Macs are infected with Trojan horses that actively call out over the Internet for instructions. Don’t be a LUSER! At the very least, scan your Mac with freeware anti-malware apps on a regular basis. I am actively involved with a group keeping ClamAV/ClamXav up-to-date with Mac malware definitions. There are also several other legitimate free/trial anti-malware apps available.

    Mac-Security Blog

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.