A new Mac OS X Trojan has been discovered on BitTorrent sites. The threat, dubbed OSX.DevilRobber or OSX.Miner, has appeared inside otherwise legitimate copies of GraphicConverter v7.4, Flux v3.2.5 and CorelPainter v12, which the malware author has modified and re-posted on file-sharing websites. The Trojan is installed on your computer when the parent application’s installer is run.
The threat is quite sophisticated, taking a multi-pronged approach to harvesting personal details from your computer, including stored information from encryption software and Safari, and sending this to a remote server. In addition, the Trojan uses your graphics processor (GPU) to perform the calculations required for Bitcoin mining, hence the OSX.Miner name. If it discovers a Bitcoin wallet it copies that, too.
If your Mac becomes infected by this Trojan, the first thing you may notice is sluggishness as it performs the hash calculations required for ‘mining’. Check for the presence of a folder in your home directory called ~/Library/mdsa1331/ and a launch agent file in ~/Library/LaunchAgents/ that looks unfamiliar. The current version of the Trojan creates a startup file, com.apple.legion.plist, which at first glance appears to have come from Apple. Apple does not install its own launch agents in a user’s ~/Library/LaunchAgents (they live in /System/Library/LaunchAgents), so any com.apple.* file there deserves a second look.
Interestingly, the Trojan’s script exits if it detects that Little Snitch, an outbound-connection monitor, is installed on your Mac. Presumably this is because Little Snitch would flag the Trojan’s network traffic and raise awareness of its presence in the wild.
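The manual check above can be scripted. The following is an added example written for this page, not ProtectMac’s code or anything distributed with the Trojan; it looks only for the two indicators the post names (the ~/Library/mdsa1331/ folder and the com.apple.legion.plist launch agent) plus one heuristic of our own, that an Apple-named plist in a user’s ~/Library/LaunchAgents is out of place. The scan directory argument is an assumption added so the function can be pointed at another user’s home or a mounted disk.

```shell
#!/bin/sh
# Added example (not ProtectMac's code): look for the OSX.DevilRobber indicators
# described above in a given home directory.
# Indicators taken from the post:
#   ~/Library/mdsa1331/  and  ~/Library/LaunchAgents/com.apple.legion.plist
# Extra heuristic (our assumption, not from the post): Apple's own launch agents live in
# /System/Library/LaunchAgents, never in a user's ~/Library/LaunchAgents, so any
# com.apple.*.plist found there is worth a look.

# check_devilrobber [HOME_DIR]
#   findings are written to stderr; the number of indicators found is printed on
#   stdout (0 = clean) so the caller can test it.
check_devilrobber() {
  home="${1:-$HOME}"
  found=0

  if [ -d "$home/Library/mdsa1331" ]; then
    echo "indicator: $home/Library/mdsa1331/ exists" >&2
    found=$((found + 1))
  fi

  if [ -f "$home/Library/LaunchAgents/com.apple.legion.plist" ]; then
    echo "indicator: launch agent com.apple.legion.plist present" >&2
    found=$((found + 1))
  fi

  for plist in "$home"/Library/LaunchAgents/com.apple.*.plist; do
    [ -e "$plist" ] || continue                                 # glob matched nothing
    case "$plist" in *com.apple.legion.plist) continue ;; esac  # already counted above
    echo "suspicious: Apple-named agent in user LaunchAgents: $plist" >&2
    found=$((found + 1))
  done

  echo "$found"
}

# Stand-alone usage: scan the current user's home (or the directory given as $1).
n=$(check_devilrobber "${1:-$HOME}")
if [ "$n" -gt 0 ]; then
  echo "$n DevilRobber indicator(s) found: unload the agent (launchctl unload), remove the files, then rescan"
else
  echo "no DevilRobber indicators found"
fi
```

Run it as the affected user; a non-zero count means the files named in the post are present and the launch agent should be unloaded before the files are deleted, otherwise it will simply be restarted at the next login.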
As always, we advise extreme caution when downloading software from file-sharing websites as you don’t always get what you expect. Unfortunately in this case you get a lot more than you bargained for!
ProtectMac AntiVirus detects this new Trojan as OSX.DevilRobber.
Numerous security fixes are included in this update to improve the stability and security of your computer, relating to core technologies, networking, file viewing and downloading and, in particular, QuickTime and the Application Firewall. Full details of the security content can be found on the Apple website: http://support.apple.com/kb/HT5002
Update 26 Oct 2011: The QuickTime fixes are also available for Windows computers.
The main products and technology affected by this update are:
- Email, calendars, contacts, Safari bookmarks and reading list are all automatically saved to iCloud and pushed to all your Apple devices
- Back to your Mac provides remote access to your Mac from any other Mac.
- Find My Mac helps locate your Mac computer and displays its location on a map, allowing the computer’s contents to be remotely locked or wiped
Further details of the new version of Mac OS X can be found on the Apple website.
XProtect was introduced in Snow Leopard, Mac OS X version 10.6.
Users who visit a compromised website are presented with a link to a fake Flash Player installer. Because of the downloaded file’s type, Safari classes the file as ‘safe’ and automatically opens it, so the malicious installer runs on your computer as soon as the download completes.
We recommend that users consider disabling the ‘Open “Safe” files after downloading’ option in Safari’s General preferences to prevent Safari automatically opening downloaded files such as this and other threats like OSX.MacDefender.
If users require Flash Player for Mac OS X then we also recommend that they download it directly from the Adobe website. Users should always be extremely careful when downloading any files from the internet and only download files from trusted sites.
ProtectMac AntiVirus detects the Flash Player Trojan as Trojan.Flashback.
Whilst the idea of disguising a threat as a PDF document has been seen before on Windows computers, this is the first time that virus writers have adopted this approach on Mac OS X. At the moment the risk that this threat poses is low; the quality of the code suggests that it is a proof-of-concept that is not yet spreading in the wild.
ProtectMac AntiVirus detects the PDF-style application as OSX.Revir-1 and the backdoor trojan as OSX.iMuler-1
ProtectMac recommends that users are always extremely careful when downloading any files from the internet and only download from trusted sites. As we've seen with this threat and with Microsoft Word files, the fact that a file appears to be a document does not make it harmless.
The update contains a fix to the Certificate Trust Policy to resolve a security vulnerability whereby an attacker might be able to intercept user credentials or other sensitive information.
Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.
The latest security update can be downloaded via Mac OS X Software Update. Note, after downloading you will be required to restart your computer for the update to take effect.
Further information on Security Update 2011-005 can be found on the Apple website http://support.apple.com/kb/HT1222
Users with the Check For Updates option enabled (the default) in the ProtectMac Updating preferences will have Version 1.2 downloaded and installed automatically the next time an update check is performed on their computer. Alternatively, they can download and install it immediately by selecting Check For Updates from the ProtectMac menu bar icon at the top right of the screen.
Version 1.2 installer can be downloaded directly from here for users who need to install afresh on OS X Lion.
Note, ProtectMac AntiVirus Version 1.2 is capable of running on Mac OS X 10.4.7 through to 10.7, OS X Lion.
A full description of all the features and capabilities of the new operation system, including how to download and install OS X Lion, can be found on the Apple website http://www.apple.com/macosx/
- Mac OS X 10.6.6 or later. It is recommended that you upgrade to the latest version of Snow Leopard, version 10.6.8, via Software Update before purchasing and installing OS X Lion
- Mac computer with an Intel Core 2 Duo, i3, i5, i7 or Xeon processor. To establish your Mac’s processor type click on the Apple icon at the top left of your computer screen and choose ‘About this Mac’ from the menu options.
- 2GB of memory
- 7GB of disk space
It is also recommended that users back up important files and data on their computer before upgrading to Mac OS X 10.6.8 and before purchasing and installing OS X Lion.
*ProtectMac AntiVirus Version 1.2 and later is fully compatible with OS X Lion
- Resolves an issue that may cause Preview to unexpectedly quit.
- Improves support for IPv6.
- Improves VPN reliability.
- Identifies and removes known variants of MacDefender malware.
- Corrects timezone data in iCal for Lisbon-Portugal.
- Adds the ability to use Kerberos authentication to a web proxy server.
- Fixes an issue when saving documents from Xcode or TextEdit when using an NFS home directory.
- Fixes an issue when importing certain media files into Final Cut Pro.
Full details of the update are described in the following Apple knowledge base article http://support.apple.com/kb/HT4561
Information on security updates within Mac OS X can be found here http://support.apple.com/kb/HT1222
Note: Mac OS X updates and the security updates can also be downloaded directly from the Apple website http://support.apple.com/downloads/
Apple recommends that you back up your system before upgrading to 10.6.8.
ProtectMac AntiVirus customers are protected against these threats OSX.MacDefender, Trojan-Downloader.OSX.Fav.A
***To prevent downloaded archives and files from being opened automatically, it is recommended that you disable the ‘Open “safe” files after downloading’ option in Safari’s General preferences.
The Trojan, which has appeared across the internet in recent weeks, poses as antivirus software, downloading itself to users’ Macs and installing the fake product in their Applications folder. The fake software then alerts the user to non-existent malware it claims to have detected on their computer and attempts to persuade them to license the software in order to remove the ‘threats’.
Mac users can opt out of the malware-definition updates by unchecking the new option “Automatically update safe downloads list” in the General tab of the Security preferences pane.
The malicious application then runs, downloads a MacDefender variant called MacGuard and installs it in the Applications folder. An item is also added to the user's Login Items in System Preferences so that MacGuard runs at every login.
Web traffic is hijacked, too, such that users are sent to pornographic and phishing websites to further encourage them to license the fake software to eliminate this additional problem.
ProtectMac AntiVirus customers are protected against these threats OSX.MacDefender, Trojan-Downloader.OSX.Fav.A
How to manually remove MacDefender and any variants
Manual removal instructions
Mac users can prevent downloaded archives and files from being opened automatically by disabling the ‘Open “safe” files after downloading’ option in Safari’s General preferences.
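The Safari setting recommended here, and earlier for the Flash Player Trojan, is stored as the boolean AutoOpenSafeDownloads in ~/Library/Preferences/com.apple.Safari.plist; when the key has never been written, Safari’s built-in default is enabled. The script below is an added example for this page, not ProtectMac’s or Apple’s code: it reads that key (converting the binary plist to XML with plutil on a Mac) and reports whether Safari will still auto-open “safe” downloads, with a separate function that turns the option off via defaults(1). The ability to pass an alternative plist path is an assumption added so the parser can be exercised on a constructed file.

```shell
#!/bin/sh
# Added example (not ProtectMac's or Apple's code): audit and disable Safari's
# "Open 'safe' files after downloading" option, stored as the boolean
# AutoOpenSafeDownloads in ~/Library/Preferences/com.apple.Safari.plist.
# A real Mac stores the file as a binary plist; plutil converts it to XML and the
# XML form is what plist_bool parses. If the key has never been written, Safari
# uses its default, which is enabled.

# plist_bool XML_PLIST KEY -> prints "true", "false" or "absent"
plist_bool() {
  awk -v key="$2" '
    index($0, "<key>" key "</key>") { want = 1; next }   # next line holds the value
    want && /<true\/>/  { print "true";  found = 1; exit }
    want && /<false\/>/ { print "false"; found = 1; exit }
    want                { want = 0 }                     # value was some other type
    END { if (!found) print "absent" }
  ' "$1"
}

# safari_auto_open_enabled [PLIST] -> exit 0 if Safari will auto-open "safe" downloads
safari_auto_open_enabled() {
  plist="${1:-$HOME/Library/Preferences/com.apple.Safari.plist}"
  [ -f "$plist" ] || return 0               # no prefs written yet: default (enabled) applies
  xml=$(mktemp)
  if command -v plutil >/dev/null 2>&1; then
    plutil -convert xml1 -o "$xml" "$plist"  # binary -> XML on macOS
  else
    cp "$plist" "$xml"                       # already XML (e.g. a constructed test file)
  fi
  value=$(plist_bool "$xml" AutoOpenSafeDownloads)
  rm -f "$xml"
  [ "$value" != "false" ]                    # "true" and "absent" both mean enabled
}

# harden_safari_auto_open -> turns the option off for the current user (macOS only)
harden_safari_auto_open() {
  if ! command -v defaults >/dev/null 2>&1; then
    echo "defaults(1) not available; run this on the Mac itself" >&2
    return 2
  fi
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
  echo "Safari: 'Open safe files after downloading' is now disabled (restart Safari)"
}

# Stand-alone usage: report the current user's setting.
if safari_auto_open_enabled; then
  echo "WARNING: Safari will auto-open 'safe' downloads such as installer packages"
else
  echo "OK: Safari will not auto-open downloads"
fi
```

Quit Safari before calling harden_safari_auto_open; Safari rewrites its preferences file on exit and can otherwise overwrite the change.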
“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.”
The latest security fix will be available for download via Apple’s Software Update mechanism.
After closing the alert, a zip file named BestMacAntiVirus2011.mpkg.zip is downloaded, which extracts to a Mac Installer meta-package called MacDefender.mpkg. Unfortunately the only thing this software is likely to remove is your credit card details!
As a general rule it is best not to respond to any prompts that you receive while browsing the internet. If you do require antivirus software, or anything else for that matter, it is best to do the research yourself and choose a well-known, legitimate company.
ProtectMac AntiVirus customers are protected against this threat OSX.MacDefender.A.
Note: There is a legitimate Mac antivirus product named MacDefender
Apple summarises the impact of the security vulnerabilities as: ‘Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution’.
The update is available for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.5 or later and Mac OS X Server v10.6.5 or later.
Further information on Security Update 2011-002 can be found on the Apple website http://support.apple.com/kb/HT1222
The latest security updates can be downloaded via the Mac OS X Software Update mechanism.
• Improve the reliability of Back to My Mac
• Fix for a file transfer problem to certain SMB servers
• Several minor Mac App Store bugs have been resolved
Full details of the update are described in the following Apple knowledge base article http://support.apple.com/kb/HT4472
The Mac OS X release also includes a number of security enhancements to several application areas. Full details of the security update can be found here http://support.apple.com/kb/HT1222
Note: the Mac OS X update and the security update can also be downloaded directly from the Apple website http://support.apple.com/downloads/
Apple recommends that you back up your system before upgrading to 10.6.7.
In its current state the threat is quite basic and even warns you, in flawed English, if you become infected. Furthermore, if the threat is running it is displayed in the list of processes as "BlackHole" and often appears on disk in a folder of the same name.
The Trojan should pose little risk to Mac users at present, but we are continuing to monitor the situation closely, as all indications are that the author is developing a more sophisticated variant.
As the threat is likely to appear as some kind of Trojan on the internet, our recommendation, as always, is to be vigilant when downloading any application from the internet and to visit only well-known, reputable sites.
- Scanning of NTFS-formatted disks has been made more reliable.
- Improved performance of the file-access scanner.
- Minor changes have been made to the application GUI.
Version 1.1.5 will be downloaded automatically by the background update scheduler. The new version can also be downloaded manually via the ‘Check For Updates’ option in the menu bar icon. Users can view the new version details in the ProtectMac AntiVirus application’s About box.