Macintosh Malware
As well as installing security software to detect malware that runs on Mac OS X, whether that's native code or cross-platform application threats such as Microsoft Office macro viruses, if you dual-boot or share files with non-Mac users it is also important to detect non-Mac threats. Hence, ProtectMac AntiVirus detects both Mac and non-Mac viruses, trojans, worms and spyware.
Below is a brief description of some of the Mac-specific malware that has appeared on Mac OS X.
Amphimix : MP3Concept
Discovered 9 April 2004
Description
This is a proof of concept Trojan horse that contains an MP3 file with an embedded application; the file will appear to be a normal MP3 file.
If you run the application it will display the following message in a dialog box, "Yep, this is an application (So what is your iTunes playing right now?)" and iTunes will launch and play the MP3 file of a man laughing wildly.
Hovdy.A : AplS.Saprilt.A
Discovered 20 June 2008
Description
Hovdy.A is a Trojan horse that exploits a vulnerability in Apple's Remote Desktop Agent that could allow software to perform commands with root access.
The Trojan attempts to install a number of files throughout your Mac in various locations, as well modifying the startup and login sequence so that it always runs. It lowers security by manipulating the firewall and setting up several remote access and network features, in addition, it will try to gather local account information and forward this to the attacker.
DNSChanger : OSX.RSPlug.A
Discovered 31 October 2007
Description
This is a Trojan horse pretending to be a codec that allows users to view pornographic videos. The Trojan modifies the DNS settings on the compromised computer to unwittingly redirect users to other potentially malicious websites.
It also sends the Mac's CPU type, User Identifier (UID), and the hostname to the following URL:
http://85.255.121.37
Fromr.A : AS.MW2004
Discovered 14 May 2004
Description
This threat is an Applescript Trojan posing as a Microsoft Word 2004 Installer that attempts to delete the user's home folder and all of its contents. It is displayed with a custom psuedo-Microsoft installer icon.
Note: If the user is logged in as root then the entire home folder and all of its contents will be deleted. If the user is not logged in as root then a Permission Denied error will appear but many of the files and folders will still be deleted from the home folder.
Leap.A
Description
Leap.A is a virus/worm that spreads via iChat by forwarding a file named "latestpics.gz" to everyone in your Buddy List.
Once the archive file is expanded and the JPEG image file double-clicked the virus writes itself to disk. It installs a file called apphook.bundle in either the user's InputManagers folder or /Library/InputManagers folder (depending if you're logged in as root). Apphook.bundle attempts to send latestpics.gz to everyone in your iChat's Buddy List.
The virus also uses Spotlight to search for the four most recently used applications and infects them with a copy of itself. However, due to a bug in the virus the infection may corrupt the application, preventing it from ever being launched.
On Intel Macs the Trojan will infect applications but not spread via iChat.
InqTana
Description
InqTana is a proof-of-concept worm that spreads via a vulnerability in Apple's Bluetooth technology.
Users must accept a file transfer to receive the worm (3 files) and get infected in the first place, but then the worm exploits a BlueTooth vulnerability by traversing the directory structure and copying itself in a directory outside the normal exchange path which allows the worm to become active the next time the Mac is restarted. After restart the worm searches for Bluetooth devices to 'push' its three files to.
Note: The worm is using a demo version of a commercial Bluetooth software library, which is time limited, so may not replicate.
The Bluetooth vulnerability was fixed in Apple Security Update 2005-006
OSX.Boonana : Trojan.Java.Boonana, OSX.Koobface
Discovered 1 November 2010
A version of the Koobface trojan has been discovered on social networking sites, Facebook, Twitter and Myspace, as well as on popular internet sites, which has the ability to infect Mac computers.
Adopting 'social engineering' techniques to catch out the unwary. TheTrojan tries to persuade users on social networks to click on a link to see a video of themselves. In other cases the Trojan has been discovered masquerading as 'interesting' videos on the internet.
The multi-platform Java threat is designed to run not only on Mac OS X, but Windows and Linux, too. In all cases so far on Mac a Java security alert appears requesting access to your computer and the the digital signature of the applet could not be verified.
***Selecting Deny will prevent the threat from running!
If further proof were required to raise suspicions then clicking on the Show Details button will display information of an untrusted certificate associated with the applet.
If a user is persuaded to authorize the Java applet, it has the potential allow remote access to the users's computer, setup the computer as a host server to send spam and spread the trojan, and contact a number of remote sites with the intent of downloading further malicious software.
An installer run on a computer will create a hidden folder in the user's Home folder called .jnana, and will modify the startup items of the computer to allow the threat to run automatically on each restart.
We obviously recommend that users do not click on any speculative link they come across on their social network account and be highly suspicious of any installer window they have not initiated.
Should you see unverified software requiring access to your computer, deny it!!
OSX.DevilRobber : OSX/Miner
Discovered 31 Oct 2011
Description
A Trojan distributed on BitTorrent file-sharing websites inside copies of popular Mac OS X applications, such as GraphicConverter, Flux and CorelPainter.
The Trojan harvests personal details from your Mac, usernames and passwords, as well as third-party encryption software information and Safari browsing history, and attempts to send these details to a remote server.
The Trojan also steals a user's bitcoin wallet, if present, and hijacks the Graphic Processing Unit (GPU) on their Mac to perform calculations to 'mine' bitcoins. Users, therefore, may notice a sluggishness as their computer resources are utilized in the background.
If the parent application is installed then the Trojan will create a folder in your user area ~/Library/mdsa1331/ and a plist file in ~/Library/LaunchAgents/ called com.apple.legion.plist to ensure that it runs each time on startup.
Note, the Trojan will not install itself if the network analzing tool, Little Snitch, is installed.
*Bitcoins is an alternate digital currency system that allows users to pay for (limited) goods and services online. Users can transfer bitcoins anonymously through peer-to-peer digitally signed transactions. Bitcoins can also be converted into more recognizable currencies through a small number of specialized broker sites.
OSX.Flashback : Trojan.Flashback
Discovered 27 Sept 2011
Description
A backdoor Trojan threat that pretends to be an Adobe Flash Player plugin. A new variant of this Trojan has appeared that exploits multiple vulnerabilities in Apple's shipping Java component.
Whilst visiting a compromised website users are typically prompted to install or update their installation of Flash Player so as to enable them to view a particular topical or salacious video.
If the backdoor Trojan runs on your computer it has the potential for remote hackers to control your Mac and retrieve sensitive information.
Note, reports of this trojan also being installed automatically in the background have occurred on systems where the user has not installed the latest Apple security updates. So we strongly recommend that you always enable Apple's Software Update feature in the System Preferences to Check for Updates daily and Download updates automatically.
The latest variant of this trojan takes advantage of multiple vulnerabilities within Java 1.6.0_29 available with Mac OS X 10.6 and OS X Lion 10.7.
The threat is delivered when a user visits a malicious website; a Java applet is downloaded and if the computer is not protected the backdoor trojan will be installed. Like most trojans the purpose of this threat is to gather personal and sensitive information and to allow a remote hacker control of your computer.
Users who keep their computer up to date with the latest security patches from Apple via Software Update are not at risk from this threat. The various vulnerabilities that this threat exploits were fixed by the following Apple Security Update on 3 April 2012:
Mac OS X 10.6 - Java for Mac OS X 10.6 Update 7
OS X Lion 10.7 - Java for Mac OS X 2012-001
Further information about the security update can be found in the Apple knowledgebase http://support.apple.com/kb/HT5228
Note: Clean installations of OS X Lion do not come with Java installed by default. Whenever a user first comes across a Java applet they will prompted by the operating system to install Java to allow the applet to run.
If Java functionality is installed on your Mac it can subsequently be disabled from within your web browser. Read more
OSX.Imuler-1
Description
This is a backdoor Trojan that would allow a hacker remote access to your computer should it run.
The backdoor Trojan is downloaded by a 'dropper' Trojan posing as a PDF document (OSX.Revir-1), which connects to a remote server to download this threat.
OSX.iWorkServices.A
Discovered 22 January 2009
Description
This is a Trojan Horse that is packaged with pirated copies of Apple's iWork 09 on BitTorrent websites. The BitTorrent file is approximately 450Mb in size and when downloaded contains a folder named iWork.09, with a zip file, iWork09.zip, and a text file with a product serial number, serial.txt.
The zip file contains a valid copy of iWork 09 as well as the Trojan Horse. Expanding the zip file and running the iWork 09 installer meta-package installs not only iWork 09 but also the Trojan.
The iWorksServices installer package is contained within the Contents folder and installs the Trojan in /usr/bin/iWorkServices with corresponding files in /System/Library/StartupItems/iWorkServices. The Trojan attempts to connect to a remote server over the internet during installation, allowing it to broadcast its existence and possibly download further malware. The files in StartupItems ensure that the Trojan is run each time you restart your Mac.
ProtectMac AntiVirus Alert of the installer package
Removal
If the Trojan has been installed on your Mac, it should be deleted from the /usr/bin folder and both the 'iWorkServices' and the 'iworkservices' root processes killed or your Mac restarted. The folders /System/Library/StartupItems/iWorkServices and /Library/Receipts/iWorkServices.pkg should also be removed.
OSX.iServices.B
Discovered 26 January 2009
Description
This is a Trojan Horse that is packaged with pirated copies of Adobe PhotoShop CS4 on BitTorrent websites.
The zip file contains a commercial version of Adobe PhotoShop CS4 as well as an application to 'crack' the software's serial number protection. Running the Crack application installs the Trojan on your Mac.
The Trojan is written to /usr/bin/DivX and also to /private/var/tmp but given a random filename, such as tmp.0.ORbnHw. Associated files are also written in /System/Library/StartupItems/DivX to ensure that the Trojan runs each time on Startup. The Trojan attempts to connect to a remote server, freehostia.com:1024, over the internet, allowing it to broadcast its existence and download further malware.
ProtectMac AntiVirus Alert of the Crack application
Removal
If the Trojan has been installed on your Mac, it should be deleted from the /usr/bin folder and the /private/var/tmp folder, the 'DivX' root processes killed or your Mac restarted. The folder /System/Library/StartupItems/Divx should also be removed.
OSX.Jahlav.A : OSX.RSPlug.D
Discovered 23 November 2008
Description
This Trojan comes from the same virus writing group that produced the RSPlug.A/ DNSChanger Trojan. It can be found on pornographic websites and purports to be a fix for Active X errors when attempting to view online videos. Once the user sees these alerts the only way to terminate the dialog sequence and prevent the Trojan from being downloaded is to quit the browser.
The Trojan is delivered to the user's Mac as a disk image (dmg file) and mounts an installer package on the desktop called "install.pkg". When the installer package is double-clicked an Installer titled "MacAccess" is run.
This Trojan differs from RSPlug.A in that it includes several scripts that communicate with remote servers, sending computer information such as OS version, IP address and processor type, as well as downloading malicious software (malware) to the user's Mac.
OSX.Jahlav.B : OSX.RSPlug.E
Discovered 2 December 2008
Description
This is a variant of the OSX.Jahlav.A/RSPLug.D Trojan. It can be found on pornographic websites and purports to be a fix for Active X errors when attempting to view online videos. Once the user sees these alerts the only way to terminate the dialog sequence and prevent the Trojan from being downloaded is to quit the browser.
The Trojan is delivered to the user's Mac as a disk image (dmg file) and mounts an installer package on the desktop called "install.pkg". When the installer package is double-clicked an Installer titled "MacAccess" is run.
This Trojan includes several scripts that communicate with remote servers, sending computer information such as OS version, IP address and processor type, as well as downloading malicious software (malware) to the user's Mac.
OSX.Jahlav.C : OSX/Jahlav-C, OSX.RSPlug.C and OSX.RSPlug.K
Discovered 11 June 2009
Description
This Trojan is a variant of the Jahlav family of Trojans, it purports to be an installer for a missing Video ActiveX Object.
The Trojan is delivered to the user's Mac as a disk image (dmg file) and mounts an installer package on the desktop called "install.pkg". When the installer package is double-clicked an Installer titled "MacCinema" is run.
A shell script named AdobeFlash is copied to /Library/Internet Plug-Ins as part of the installation process and is configured to periodically access remote servers on the internet via a worker script, which could potentially download malicious code.
OSX.Lamzev.A : Troj/RKOSX-A : OSX.TrojanKit/Malez
Discovered 17 November 2008
Description
This is a Trojan horse that is capable of opening up a backdoor on a compromised Mac.
If the Trojan is executed it creates a file called ezmal in /Applications. A chosen host application is copied to /Application/
OSX.LoseGame : OSX.Loosemaque
Discovered 4 Nov 2009
Description
An arcade-style, shoot'm up alien game for Mac OS X.
When the game is run it will create 'aliens' based on the files it finds on your disk, and every time you kill an alien the associated file is deleted!
At the moment you need to go the author's website and download the game to come across it, ignoring the big red warning....
KILLING ALIENS IN LOSE/LOSE WILL DELETE FILES ON YOUR HARD DRIVE PERMANANTLY
And the warning in the Introduction....
ProtectMac AntiVirus will report the game as OSX.LoseGame...
OSX.MacDefender.A : Trojan.OSX.MacDefender, MacSecurity, MacProtector, MacGuard
Discovered 3 May 2011
Description
A fake Mac antivirus product likely to be found on compromised websites when users search for key topics and images via popular internet search engines.
A compromised website contains JavaScript code that executes and displays a Windows-style scan of your computer.
After closing the alert a zip file named, BestMacAntiVirus2011.mpkg.zip is downloaded, which extracts a Mac Installer meta-package called MacDefender.mpkg. Later variants of this threat are named Mac Security, Mac Protector, Apple Web security and Mac Guard (see also Trojan-Downloader.OSX.Fav.A).
The software runs for a short while giving the appearance that it is performing a scan of your computer.
It requests that you enter your credit card details to register the product and enable the virus removal features.
Later variants portray what looks like an Apple-desktop scanning window within your web browser. A download of an Installer meta package happens automatically, downloading a file called MacSecurity.mpkg
Note: The MacGuard and MacShield variants first download and run an intermediate file (trojan downloader) that does not require admin rights.
After removing the trojan with ProtectMac AntiVirus restart your computer .
How to manually removal MacDefender and any variants
Manual removal instructions
OSX.MusMinum
In its current state the threat is quite basic and even warns you in flawed English if you become infected. Furthermore, if the threat is running then it is displayed in the list of processes as "BlackHole" and can often appear on disk in a folder of the same name.
The trojan should pose little risk to Mac users at present, but we are continuing to monitor the situation closely as all indications are that the author is developing a more sophisticated variant.
As the threat is likely to appear as some kind of trojan on the internet, our recommendations as always is to be vigilant when downloading any application from the internet and only visit well-known reputable sites.
OSX.OpinionSpy
Discovered 2 June 2010
Description
Premier Opinion is a trojan application that is included with several free screensavers and video plugins. The software gets installed as part of the host application's installation, during which time you are prompted to accept the software terms of the additional software based on the understanding that you are participating in market research by providing details of your computer usage and online habits.
There’s no opt-out choice for this component during the installation phase, so if you don't want to participate in the market survey then you cannot install the screensaver in the example below.
Currently it is quite easy to detect whether you have Premier Opinion installed on your computer, there's a menu bar icon at the top of your screen and most of the software is located in the Applications folder within a sub folder called Premier Opinion. 
There is also a root process called PremierOpinion (note, no space in the middle) running on your Mac, which is the main component collecting data on your computer and forwarding it across the internet - there’s also a plist file in /Library/LaunchDaemons to ensure that the root process is run on startup.
To remove the software firstly disconnect your computer from the internet and run the uninstaller located in the /Applications/Premier Opinion folder, uninstalling the host screensaver or codec in itself does not remove the Premier Opinion software.
OSX.Revir-1
Description
Is a malicious application that poses as a PDF file and attempts to disguise itself from the user when run by opening an embedded Chinese PDF document.
Meanwhile the threat will be connecting to a remote server and downloading a backdoor Trojan (MacOSX.iMuler-1), which will allow a hacker to gain remote access to your Apple computer.
OSX.RSPlug.F : OSX.RSPlug.G
Discovered 20 March 2009
Description
This Trojan is a variant of the DNSChanger/RSPlug Trojan that modifies your network settings, changing DNS server configuration and causing the user to be redirected to malicious websites when browsing the internet.
The Trojan has been posted to various websites claiming to be an installer for Avid Express Pro, although the title in the Installer window when run pertains to MacCinema application.
When the Installer is run the Trojan will be installed along with a cronjob to ensure that the Trojan (/Library/Internet Plug-ins/AdobeFlash) is run at regular intervals.
The modified DNS Server settings will typically have entries associated with the domain 85.255.112
OSX.Tored.A
Discovered 5 May 2009
Description
OSX.Tored.A is a proof-of-concept worm created with RealBasic that attempts to set itself up as a Botnet on infected Macs. It also tries to gather email addresses from your Address Book to propagate to other users.
Errors in the worm's code and mistakes in the email content make it very unlikely that this threat would spread even if it was 'in the wild', so this version poses a very low risk.
OSX.Tored: OSX/Tored-Fam
Discovered 10 June 2009
Description
OSX.Tored is a worm created with RealBasic that attempts to set itself up as a Botnet on infected Macs. It also tries to gather email addresses from your Address Book to propagate to other users.
OSX.Word.Malware : Tibet
Discovered 30 Mar 2012
Description
A backdoor trojan that takes advantage of a vulnerability in un-patched versions of Microsoft Word that could allow remote code execution.
The threat is run when a user opens a maliciously crafted Word doc, allowing the hacker to take complete control of an infected computer.
Mac versions of the following Microsoft products are prone to attack if they have do not have the appropriate Microsoft security updates installed: Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac and OpenXML File Format Converter for Mac.
The 'critical' vulnerability was first reported in 2009 and affects both Mac OS X and Windows computers. Further details can be found in the Microsoft Security Bulletin MS09-027 - Critical
ProtectMac AntiVirus detects this threat as OSX.Word.Malware.
OSX.Yontoo.B
Description
OSX.Yontoo.B is an Adware trojan that disguises itself as an HD video codec, required to view movies downloaded from the internet. Once installed the plugin inserts adware into every web page that is viewed in your web browser
The trojan has been designed to install plugins in Safari, FireFox and Chrome and is delivered as a zip file to your downloads folder, which gets expanded into a standard looking OS X installer. In our example these files were named, otherx.zip and Custom Installer, respectively.
Several OS X installer screens precede the installation of a couple of (Safari) extensions.
Safari Extensions page in the application's preferences
The malware is reported by ProtectMac AntiVirus as OSX.Yontoo.B
Macarena
Description
Is a proof of concept virus that infects files in the current folder when they are exceuted.
Renepo : Opener
Discovered 25 Oct 2004
Description
Renepo is shell script virus that will make various changes to your system, including attempting to disable your firewall, download hacking tools and try and collect data from a compromised Mac.
There are no reports of this virus ever being discovered in the wild.
Sub7
This is a Mac OS X client of the Sub7 Trojan that allows backdoor remote access.
Trojan-Downloader.OSX.Fav.A
Description
This is a Mac downloader application designed to download and install a variant of the MacDefender trojan called either MacGuard or MacShield.
Whilst browsing a compromised website users will see what appears to be a scan of their computer occurring within their web browser.
The JavaScript on the website first downloads a small zip file, anti-malware.zip, which unpacks an application called avRunner or mdDownloader. The malicious app then downloads a MacDefender trojan and installs it in the Applications folder.
An entry is also added the user's Login Items in System preferences so that the Trojan runs each time on startup.
See OSX.MacDefender for further information on this family of threats.
How to manually remove MacDefender and any variants
Manual removal instructions
Trojan.OSX.Generic : Tibet - Java exploit
Discovered 21 Mar 2012
Description
This trojan takes advantage of multiple vulnerabilities within Mac OS X in a similar way to later variants of the Flashback trojan.
The trojan is downloaded when a user visits a compromised website, a Java applet is downloaded and will run on an unprotected computer installing the backdoor threat.
Note: Clean installations of OS X Lion do not come with Java installed by default. Whenever a user first comes across a Java applet they will prompted by the operating system to install Java to allow the applet to run.
Java functionality, if installed, can be disabled by unchecking the 'Enable Java' option in Safari's Security preferences.
Users should keep their computer up to date with the latest security patches from Apple via Software Update. The various vulnerabilities that this threat exploits were fixed by the following Apple Security Update on 3 April 2012:
Mac OS X 10.6 - Java for Mac OS X 10.6 Update 7
OS X Lion 10.7 - Java for Mac OS X 2012-001
Further information about the security updates above can be found in the Apple knowledgebase http://support.apple.com/kb/HT5228
ProtectMac AntiVirus detects this threat as Trojan.OSX.Generic.
Trojan.OSX.Imuler
Discovered 19 March 2012
Description
A variant of the OSX.Imuler backdoor trojan that first appeared appeared 24 Sept 2011. This version pretends to be an image file but is actually an application that when double-clicked will install a backdoor trojan that could allow a remote hacker access to your computer
As file name extensions are typically hidden on Mac OS X the user believes they are opening an image file because of the file icon, however, double-clicking the file will run the application and install the backdoor trojan on the user's computer.
UnderHand : Cowhand
This is a backdoor trojan that can be used to remotely control a machine.