Saturday, February 26, 2011

BlackHole RAT: New Remote Access Trojan for Mac OS X

Via Naked Security (Shophos Blog) -

It appears there is a new backdoor Trojan in town and it targets users of Mac OS X. As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple's increasing market share.

SophosLabs analyzed the sample we received and determined that it is a variant of a well-known Remote Access Trojan (RAT) for Windows known as darkComet, although the Trojan's creator appears to be keen to call it BlackHole RAT.

The Mac OS X version is very basic and there appears to be a mix of German and English in the user interface. Its functions include:

* Placing text files on the desktop
* Sending a restart, shutdown or sleep command
* Running arbitrary shell commands
* Placing a full screen window with a message that only allows you to click reboot
* Sending URLs to the client to open a website
* Popping up a fake "Administrator Password" window to phish the target


SophosLabs has published protection for our customers as OSX/MusMinim-A. Trojans like this are frequently distributed through pirated software downloads, torrent sites, or anywhere you may download an application expecting to need to install it.


Spike in Apple Targeting
According to data from Cisco IntelliShield, while reported vulnerabilities and updates are on the rise from most major vendors, Apple shows the greatest increase.

“As with most large vendors with a broad product base and many new product and software releases, you’d expect to see a related increase in vulnerabilities,” explains Jeff Shipley, Security Research and Operations manager at Cisco. “In Apple’s case, the difference is that its products are being rapidly adopted by a growing user base, providing an attractive pool of potential targets.”

In other words, Apple reached the “tipping point” at which scammers see potential in shifting their exploits to a new venue.

No comments:

Post a Comment