New Mac malware opens secure reverse shell


Creation date

ID: IRCNE2013021765
Date: 2013-02-20

According to CNet, a new backdoor Trojan for OS X is circulating. It attempts to set up an encrypted connection through which a remote attacker can connect to the infected machine and collect private information.
The malware, dubbed "Pintsized" by Intego, is suspected of using a modified implementation of OpenSSH to open a reverse shell: the infected Mac initiates an outbound SSH connection to a remote server, so inbound firewall rules do not block it, and the attacker then issues commands back through that session.
Because the traffic is encrypted and uses the common SSH protocol, it is harder to detect and trace than a plaintext backdoor and blends in with legitimate administrative traffic. In addition, the malware attempts to hide itself by disguising its files as components of the OS X printing system (CUPS), specifically the following:

  • com.apple.cocoa.plist
  • cupsd (Mach-O binary)
  • com.apple.cupsd.plist
  • com.apple.cups.plist
  • com.apple.env.plist

Intego does not state where these files are placed in the OS, but as with prior OS X malware, persistence requires a way to launch the malware automatically whenever the system starts or a user logs in, which on OS X means the launchd agent and daemon directories. Launch agents and daemons are defined by property list (plist) files; a plist names a binary executable in its ProgramArguments key (the disguised "cupsd" above would be a natural target), and with RunAtLoad and KeepAlive set, launchd starts the binary at login or boot and restarts it if it exits, keeping it always running.
Note that the genuine CUPS daemon lives at /usr/sbin/cupsd and is launched by /System/Library/LaunchDaemons/org.cups.cupsd.plist; none of the file names listed above belong to the real printing system, so finding one is a red flag rather than a false positive. Therefore, to check for this malware, look in the following directories for the presence of any of the above files:

  • /System/Library/LaunchDaemons
  • /System/Library/LaunchAgents
  • /Library/LaunchDaemons
  • /Library/LaunchAgents
  • ~/Library/LaunchAgents

Because malware developers use these folders to keep their code running on OS X, one easy way to detect misuse of them is to set up an alert that notifies you whenever files are added to them. This can be done with tools included in OS X, for example a launchd job whose WatchPaths key lists these folders, so that a script runs each time one of them changes.
In addition to monitoring these folders, you can install an outbound application firewall such as Little Snitch, which notifies you whenever a program attempts to connect to a remote server; a reverse shell has to make exactly such an outbound connection, so the disguised "cupsd" process would show up there.
Currently it is unknown how the malware is delivered, whether through a previously documented vulnerability or one that is yet to be disclosed; the malware is not known to be widespread and is primarily being discussed on various security mailing lists. Nevertheless, by checking for the above files in the system's launch agent and launch daemon folders you should be able to determine whether your system is free of it.
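The two checks described above, as an added example that is not code from CNet, Intego or IRCNE: a POSIX shell script that scans the launchd directories for the five file names Intego associated with Pintsized, prints the ProgramArguments block of any matching plist so you can see which binary it would keep alive, and can emit a launchd agent plist that re-runs a script whenever one of those directories changes (using the WatchPaths key). The label local.launchdir-watch and the script path /usr/local/bin/check.sh are hypothetical; directory arguments are accepted so the check can be exercised against a test tree.

```shell
#!/bin/sh
# Added example, not code from the CNet, Intego or IRCNE text. Scans the launchd
# directories named in the advisory for the Pintsized file names, and can print
# a launchd agent plist that re-runs a script when those directories change.
# Directory arguments are split on whitespace, so paths with spaces are not supported.

# File names reported by Intego (see the list above).
PINTSIZED_NAMES="com.apple.cocoa.plist cupsd com.apple.cupsd.plist com.apple.cups.plist com.apple.env.plist"

# launchd directories searched by default.
DEFAULT_LAUNCH_DIRS="/System/Library/LaunchDaemons /System/Library/LaunchAgents /Library/LaunchDaemons /Library/LaunchAgents $HOME/Library/LaunchAgents"

# show_program PLIST: print the ProgramArguments block of a launchd plist so the
# reader sees which binary the job would launch (POSIX sed, no plutil needed).
show_program() {
    sed -n '/<key>ProgramArguments<\/key>/,/<\/array>/p' "$1"
}

# check_launch_dirs [DIR ...]: print each suspicious path found. Exit status is
# 0 when nothing matched and 1 when at least one file was found. With no
# arguments the default OS X launchd directories are scanned.
check_launch_dirs() {
    dirs="$*"
    [ -n "$dirs" ] || dirs="$DEFAULT_LAUNCH_DIRS"
    hits=0
    for d in $dirs; do
        [ -d "$d" ] || continue
        for n in $PINTSIZED_NAMES; do
            p="$d/$n"
            [ -e "$p" ] || continue
            hits=$((hits + 1))
            printf 'SUSPICIOUS: %s\n' "$p"
            case "$n" in *.plist) show_program "$p" ;; esac
        done
    done
    [ "$hits" -eq 0 ]
}

# watch_plist SCRIPT [DIR ...]: print a launchd agent plist (hypothetical label
# local.launchdir-watch) that runs SCRIPT whenever one of the DIRs changes, via
# launchd's WatchPaths key. Save it under ~/Library/LaunchAgents and load it with
# launchctl to get the folder alert described in the advisory.
watch_plist() {
    script="$1"; shift
    dirs="$*"
    [ -n "$dirs" ] || dirs="$DEFAULT_LAUNCH_DIRS"
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '  <key>Label</key><string>local.launchdir-watch</string>\n'
    printf '  <key>ProgramArguments</key>\n  <array>\n    <string>%s</string>\n  </array>\n' "$script"
    printf '  <key>WatchPaths</key>\n  <array>\n'
    for d in $dirs; do printf '    <string>%s</string>\n' "$d"; done
    printf '  </array>\n</dict>\n</plist>\n'
}

# Stand-alone use: "sh pintsized-check.sh --scan" scans the real directories.
if [ "${1:-}" = "--scan" ]; then
    check_launch_dirs && echo "No Pintsized file names found."
fi
```

To turn the scan into an alert, point `watch_plist` at an executable wrapper (the hypothetical /usr/local/bin/check.sh) that runs this script with `--scan` and logs or notifies on a non-zero exit, write its output to ~/Library/LaunchAgents/local.launchdir-watch.plist, and load it with `launchctl load ~/Library/LaunchAgents/local.launchdir-watch.plist`. Because the agent plist itself lands in a watched folder, expect one alert when it is installed.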
