Macintosh Malware
As well as installing security software to detect malware that runs on Mac OS X, whether that is native code or a cross-platform application threat such as a Microsoft Office macro virus, it is also important to detect non-Mac threats if you dual-boot or share files with non-Mac users. Hence ProtectMac AntiVirus detects both Mac and non-Mac viruses and spyware. Below is a brief description of some of the Mac-specific malware that has appeared on Mac OS X.
Amphimix : MP3Concept
Discovered 9 April 2004
Description
This is a proof of concept Trojan horse that contains an MP3 file with an embedded application; the file will appear to be a normal MP3 file.
If you run the application it will display the following message in a dialog box, "Yep, this is an application (So what is your iTunes playing right now?)" and iTunes will launch and play the MP3 file of a man laughing wildly.
Hovdy.A : AplS.Saprilt.A
Discovered 20 June 2008
Description
Hovdy.A is a Trojan horse that exploits a vulnerability in Apple's Remote Desktop Agent that could allow software to perform commands with root access.
The Trojan attempts to install a number of files in various locations on your Mac, as well as modifying the startup and login sequence so that it always runs. It lowers security by manipulating the firewall and setting up several remote access and network features; in addition, it tries to gather local account information and forward it to the attacker.
DNSChanger : OSX.RSPlug.A
Discovered 31 October 2007
Description
This is a Trojan horse pretending to be a codec needed to view pornographic videos. The Trojan modifies the DNS settings on the compromised computer so that users are unwittingly redirected to other, potentially malicious, websites.
It also sends the Mac's CPU type, User Identifier (UID), and the hostname to the following URL:
http://85.255.121.37
Fromr.A : AS.MW2004
Discovered 14 May 2004
Description
This threat is an AppleScript Trojan posing as a Microsoft Word 2004 installer that attempts to delete the user's home folder and all of its contents. It is displayed with a custom pseudo-Microsoft installer icon.
Note: If the user is logged in as root then the entire home folder and all of its contents will be deleted. If the user is not logged in as root, a Permission Denied error will appear, but many of the files and folders will still be deleted from the home folder.
Leap.A
Description
Leap.A is a virus/worm that spreads via iChat by forwarding a file named "latestpics.gz" to everyone in your Buddy List.
Once the archive is expanded and the JPEG image file double-clicked, the virus writes itself to disk. It installs a file called apphook.bundle in either the user's InputManagers folder or /Library/InputManagers (depending on whether you are logged in as root). apphook.bundle then attempts to send latestpics.gz to everyone in your iChat Buddy List.
The virus also uses Spotlight to search for the four most recently used applications and infects them with a copy of itself. However, due to a bug in the virus the infection may corrupt the application, preventing it from ever being launched.
On Intel Macs the Trojan will infect applications but not spread via iChat.
InqTana
Description
InqTana is a proof-of-concept worm that spreads via a vulnerability in Apple's Bluetooth technology.
Users must accept a file transfer to receive the worm (three files) and become infected in the first place. The worm then exploits a Bluetooth vulnerability by traversing the directory structure and copying itself into a directory outside the normal exchange path, which allows it to become active the next time the Mac is restarted. After the restart the worm searches for Bluetooth devices to 'push' its three files to.
Note: The worm uses a demo version of a commercial Bluetooth software library, which is time limited, so it may not replicate.
The Bluetooth vulnerability was fixed in Apple Security Update 2005-006.
OSX.iWorkServices.A
Discovered 22 January 2009
Description
This is a Trojan horse that is packaged with pirated copies of Apple's iWork 09 on BitTorrent websites. The BitTorrent download is approximately 450Mb in size and contains a folder named iWork.09 holding a zip file, iWork09.zip, and a text file with a product serial number, serial.txt.
The zip file contains a valid copy of iWork 09 as well as the Trojan horse. Expanding the zip file and running the iWork 09 installer meta-package installs not only iWork 09 but also the Trojan.

The iWorkServices installer package is contained within the Contents folder and installs the Trojan in /usr/bin/iWorkServices with corresponding files in /System/Library/StartupItems/iWorkServices. The Trojan attempts to connect to a remote server over the internet during installation, allowing it to broadcast its existence and possibly download further malware. The files in StartupItems ensure that the Trojan is run each time you restart your Mac.
Figure: ProtectMac AntiVirus alert of the installer package.
Removal
If the Trojan has been installed on your Mac, it should be deleted from the /usr/bin folder and both the 'iWorkServices' and the 'iworkservices' root processes killed, or your Mac restarted. The folders /System/Library/StartupItems/iWorkServices and /Library/Receipts/iWorkServices.pkg should also be removed.
OSX.iServices.B
Discovered 26 January 2009
Description
This is a Trojan horse that is packaged with pirated copies of Adobe Photoshop CS4 on BitTorrent websites.
The zip file contains a commercial version of Adobe Photoshop CS4 as well as an application to 'crack' the software's serial number protection. Running the Crack application installs the Trojan on your Mac.

The Trojan is written to /usr/bin/DivX and also to /private/var/tmp under a random filename, such as tmp.0.ORbnHw. Associated files are written to /System/Library/StartupItems/DivX to ensure that the Trojan runs at each startup. The Trojan attempts to connect to a remote server, freehostia.com:1024, over the internet, allowing it to broadcast its existence and download further malware.
Figure: ProtectMac AntiVirus alert of the Crack application.
Removal
If the Trojan has been installed on your Mac, it should be deleted from the /usr/bin folder and the /private/var/tmp folder, and the 'DivX' root processes killed, or your Mac restarted. The folder /System/Library/StartupItems/DivX should also be removed.
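The two removal notes above (OSX.iWorkServices.A and OSX.iServices.B) both amount to the same check: are the named files present, and are the named root processes running? The script below is an added example, not ProtectMac's own tool. It takes the paths and process names straight from the descriptions above; the ROOT variable (so the check can be pointed at a mounted volume or, as in the test, a constructed directory tree) and the use of ps/sed/grep for process matching are assumptions of this example. The random /private/var/tmp filename used by iServices.B cannot be matched by path, so that folder still has to be inspected by hand.

```shell
#!/bin/sh
# Added example (not part of ProtectMac AntiVirus): report the file-system
# indicators and root processes named in the iWorkServices / iServices.B
# removal notes. ROOT defaults to / and is an assumption of this example.

# Paths taken from the descriptions above, relative to ROOT.
IWORK_INDICATORS="usr/bin/iWorkServices
System/Library/StartupItems/iWorkServices
Library/Receipts/iWorkServices.pkg"

ISERVICES_INDICATORS="usr/bin/DivX
System/Library/StartupItems/DivX"

# count_indicators ROOT LIST: report each listed path that exists (on stderr)
# and print the number found (on stdout), so the result can be tested.
count_indicators() {
    root=${1%/}
    n=0
    for rel in $2; do
        if [ -e "$root/$rel" ]; then
            echo "indicator present: $root/$rel" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# count_running NAME...: number of running processes whose executable name
# exactly matches one of NAME... . ps -A -o comm= is POSIX; macOS prints the
# full path in that column, so it is reduced to the basename before matching.
# If ps is unavailable the pipeline yields 0 rather than an error.
count_running() {
    n=0
    for name in "$@"; do
        m=$(ps -A -o comm= 2>/dev/null | sed 's|.*/||' | grep -c -x -- "$name") || true
        n=$((n + m))
    done
    echo "$n"
}

# Stand-alone run: scan the live system (ROOT=/mnt/volume ./check.sh for a
# mounted disk). A non-zero count means the removal steps above still apply.
ROOT=${ROOT:-/}
echo "iWorkServices files present: $(count_indicators "$ROOT" "$IWORK_INDICATORS")"
echo "iServices.B files present:   $(count_indicators "$ROOT" "$ISERVICES_INDICATORS")"
echo "suspect root processes:      $(count_running iWorkServices iworkservices DivX)"
```

Because the counts go to stdout and the matching paths to stderr, the script can be run from cron or a login hook and its summary line compared against zero; a clean machine prints three zeros.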
OSX.Jahlav.A : OSX.RSPlug.D
Discovered 23 November 2008
Description
This Trojan comes from the same virus-writing group that produced the RSPlug.A/DNSChanger Trojan. It can be found on pornographic websites and purports to be a fix for ActiveX errors when attempting to view online videos. Once the user sees these alerts, the only way to terminate the dialog sequence and prevent the Trojan from being downloaded is to quit the browser.
The Trojan is delivered to the user's Mac as a disk image (dmg file) and mounts an installer package on the desktop called "install.pkg". When the installer package is double-clicked an Installer titled "MacAccess" is run.
This Trojan differs from RSPlug.A in that it includes several scripts that communicate with remote servers, sending computer information such as OS version, IP address and processor type, as well as downloading malicious software (malware) to the user's Mac.
OSX.Jahlav.B : OSX.RSPlug.E
Discovered 2 December 2008
Description
This is a variant of the OSX.Jahlav.A/RSPlug.D Trojan. It can be found on pornographic websites and purports to be a fix for ActiveX errors when attempting to view online videos. Once the user sees these alerts, the only way to terminate the dialog sequence and prevent the Trojan from being downloaded is to quit the browser.
The Trojan is delivered to the user's Mac as a disk image (dmg file) and mounts an installer package on the desktop called "install.pkg". When the installer package is double-clicked an Installer titled "MacAccess" is run.
This Trojan includes several scripts that communicate with remote servers, sending computer information such as OS version, IP address and processor type, as well as downloading malicious software (malware) to the user's Mac.
OSX.Jahlav.C : OSX/Jahlav-C, OSX.RSPlug.C and OSX.RSPlug.K
Discovered 11 June 2009
Description
This Trojan is a variant of the Jahlav family of Trojans; it purports to be an installer for a missing Video ActiveX Object.
The Trojan is delivered to the user's Mac as a disk image (dmg file) and mounts an installer package on the desktop called "install.pkg". When the installer package is double-clicked an Installer titled "MacCinema" is run.
A shell script named AdobeFlash is copied to /Library/Internet Plug-Ins as part of the installation process and is configured to periodically access remote servers on the internet via a worker script, which could potentially download malicious code.
OSX.Lamzev.A : Troj/RKOSX-A : OSX.TrojanKit/Malez
Discovered 17 November 2008
Description
This is a Trojan horse that is capable of opening up a backdoor on a compromised Mac.
If the Trojan is executed it creates a file called ezmal in /Applications. A chosen host application is copied to /Application//Contents/MacOS/2 which then creates a file in /Application//Contents/MacOS/1 that installs and runs the backdoor whenever it is executed. A file named com.apple.Docksettings is copied to ~/Library/LaunchAgents so that the backdoor is launched on each system startup.
OSX.LoseGame : OSX.Loosemaque
Discovered 4 Nov 2009
Description
An arcade-style, shoot-'em-up alien game for Mac OS X.
When the game is run it will create 'aliens' based on the files it finds on your disk, and every time you kill an alien the associated file is deleted!
At the moment you need to go to the author's website and download the game to come across it, ignoring the big red warning....
KILLING ALIENS IN LOSE/LOSE WILL DELETE FILES ON YOUR HARD DRIVE PERMANENTLY
And the warning in the Introduction....
ProtectMac AntiVirus will report the game as OSX.LoseGame...
OSX.RSPlug.F : OSX.RSPlug.G
Discovered 20 March 2009
Description
This Trojan is a variant of the DNSChanger/RSPlug Trojan. It modifies your network settings, changing the DNS server configuration so that the user is redirected to malicious websites when browsing the internet.
The Trojan has been posted to various websites claiming to be an installer for Avid Express Pro, although the title in the Installer window when run refers to the MacCinema application.

When the Installer is run the Trojan is installed along with a cron job that ensures the Trojan (/Library/Internet Plug-ins/AdobeFlash) runs at regular intervals.
The modified DNS server settings will typically contain entries in the 85.255.112.x address range.
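The tell-tale of the whole RSPlug/DNSChanger family is the resolver configuration, so the quickest defensive check is to read the configured DNS servers and compare them against the ranges this page names (85.255.112.x for RSPlug.F/G above, 85.255.121.x for the original DNSChanger entry). The script below is an added example, not ProtectMac's tool; the two input formats it parses (resolv.conf "nameserver a.b.c.d" lines and the "nameserver[0] : a.b.c.d" lines printed by scutil --dns on Mac OS X) are assumptions, and the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example (not part of ProtectMac AntiVirus): flag configured DNS
# servers that fall in the address ranges this page associates with the
# RSPlug/DNSChanger family. Input formats handled (assumed, not from the page):
#   resolv.conf style:   nameserver 1.2.3.4
#   scutil --dns style:    nameserver[0] : 1.2.3.4

# Prefixes from the page: RSPlug.F/G (85.255.112.x) and DNSChanger (85.255.121.x).
SUSPECT_PREFIXES="85.255.112. 85.255.121."

# extract_nameservers FILE: print one IPv4 address per nameserver line,
# ignoring comments and lines that carry no address.
extract_nameservers() {
    sed -n 's/^[[:space:]]*nameserver\(\[[0-9]*]\)\{0,1\}[[:space:]]*:\{0,1\}[[:space:]]*\([0-9.][0-9.]*\).*/\2/p' "$1"
}

# list_suspect_nameservers FILE: print each configured server in a suspect range.
list_suspect_nameservers() {
    for ip in $(extract_nameservers "$1"); do
        for prefix in $SUSPECT_PREFIXES; do
            case "$ip" in
                "$prefix"*) echo "$ip" ;;
            esac
        done
    done
}

# count_suspect_nameservers FILE: number of suspect entries; 0 means clean.
# grep -c prints 0 and exits 1 when nothing matches, hence the || true.
count_suspect_nameservers() {
    list_suspect_nameservers "$1" | grep -c . || true
}

# Stand-alone run: check /etc/resolv.conf, or a file given as the first
# argument (e.g. the saved output of scutil --dns).
CONF=${1:-/etc/resolv.conf}
if [ -r "$CONF" ]; then
    echo "suspect DNS servers in $CONF: $(count_suspect_nameservers "$CONF")"
    list_suspect_nameservers "$CONF"
fi
```

A non-zero count is the point at which to look for the cron job and the /Library/Internet Plug-ins/AdobeFlash script described above, since reverting the DNS settings alone leaves the scheduled task free to change them back.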

OSX.Tored.A
Discovered 5 May 2009
Description
OSX.Tored.A is a proof-of-concept worm created with RealBasic that attempts to set itself up as a Botnet on infected Macs. It also tries to gather email addresses from your Address Book to propagate to other users.
Errors in the worm's code and mistakes in the email content make it very unlikely that this threat would spread even if it was 'in the wild', so this version poses a very low risk.
OSX.Tored: OSX/Tored-Fam
Discovered 10 June 2009
Description
OSX.Tored is a worm created with RealBasic that attempts to set itself up as a Botnet on infected Macs. It also tries to gather email addresses from your Address Book to propagate to other users.
Macarena
Description
Macarena is a proof-of-concept virus that infects files in the current folder when they are executed.
Renepo : Opener
Discovered 25 Oct 2004
Description
Renepo is a shell script virus that makes various changes to your system, including attempting to disable your firewall, downloading hacking tools and trying to collect data from the compromised Mac.
There are no reports of this virus ever being discovered in the wild.
Sub7
This is a Mac OS X client of the Sub7 Trojan that allows backdoor remote access.
UnderHand : Cowhand
This is a backdoor Trojan that can be used to remotely control a machine.