Researchers have discovered a series of variants of the DevilRobber Mac OS X Trojan that offer a menu of different capabilities, depending upon the strain. Depending on the variant, the malware can not only mine Bitcoins using the infected machine's processing power, but also steal files, install a Web proxy and may steal the user's Safari browsing history.
The new variants of DevilRobber, which has been making the rounds recently, each appear to have a different set of capabilities, possibly because each was built for a specific job, according to an analysis of the malware by researchers at F-Secure. Some of the variants appear to look for specific pornographic files on infected Macs and steal passwords from the machine in order to access any files that may be protected. All of the variants of DevilRobber have the ability to take data from the machine and upload it to a remote server.
The new variants were discovered in Mac applications that had been Trojaned and then shared on Pirate Bay.
“The specific port used by the web proxy depends on the variant. The specific FTP server for data stealing also varies between samples. And DevilRobber’s data stealing routine is repeated on a fixed interval — every 43200, 60000, or 100000 seconds, depending on the sample,” F-Secure says in its analysis.
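The fixed-interval data-stealing routine F-Secure describes is the kind of behaviour a defender can look for in outbound connection logs: a host that contacts the same FTP server at gaps of roughly 43200, 60000 or 100000 seconds. The following is an added example written for this page, not code from the article or from F-Secure; the log line format, the sample lines, the host addresses and the jitter tolerance are all constructed assumptions.

```python
"""Flag periodic outbound FTP connections whose spacing matches the
DevilRobber exfiltration intervals quoted from F-Secure (43200, 60000 or
100000 seconds). Added example, not from the article or from F-Secure;
the log format and all sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timezone

# Fixed intervals (seconds) from the F-Secure analysis quoted in the article.
KNOWN_INTERVALS = (43200, 60000, 100000)
# Tolerance (seconds) for scheduler jitter and timestamp rounding (assumed value).
TOLERANCE = 120

# Constructed firewall log lines: "<ISO-8601 UTC> <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2011-11-03T00:00:05Z 10.0.0.12 -> 203.0.113.7:21 tcp
2011-11-03T00:00:30Z 10.0.0.12 -> 198.51.100.20:80 tcp
2011-11-03T12:00:07Z 10.0.0.12 -> 203.0.113.7:21 tcp
2011-11-03T15:21:44Z 10.0.0.12 -> 198.51.100.20:80 tcp
2011-11-04T00:00:09Z 10.0.0.12 -> 203.0.113.7:21 tcp
2011-11-04T12:00:02Z 10.0.0.12 -> 203.0.113.7:21 tcp
2011-11-04T09:15:00Z 10.0.0.30 -> 203.0.113.9:21 tcp
2011-11-04T09:20:00Z 10.0.0.30 -> 203.0.113.9:21 tcp
"""


def parse_line(line):
    """Split one constructed log line into (time, src, dst, port, proto)."""
    ts, src, _, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t, src, dst, int(port), proto


def matches_known_interval(delta_seconds):
    """True if a gap between two connections is within TOLERANCE of a known interval."""
    return any(abs(delta_seconds - k) <= TOLERANCE for k in KNOWN_INTERVALS)


def find_periodic_ftp(log_text, min_hits=2):
    """Return {(src, dst): matched_interval} for FTP (tcp/21) flows that show
    at least min_hits gaps matching one of the known intervals."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port, proto = parse_line(line)
        if port == 21 and proto == "tcp":
            flows[(src, dst)].append(t)

    findings = {}
    for key, times in flows.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        hits = [g for g in gaps if matches_known_interval(g)]
        if len(hits) >= min_hits:
            # Report the known interval closest to the first matching gap.
            findings[key] = min(KNOWN_INTERVALS, key=lambda k: abs(k - hits[0]))
    return findings


if __name__ == "__main__":
    for (src, dst), interval in find_periodic_ftp(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: FTP beacon every ~{interval}s")
```

In the constructed sample, 10.0.0.12 reaches 203.0.113.7 on port 21 every twelve hours (43200 seconds, give or take a few seconds of jitter) and is flagged, while the two connections from 10.0.0.30 five minutes apart are not. A real deployment would read the firewall or proxy export in its own format and tune TOLERANCE and min_hits to the log's timestamp resolution and retention window.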
Mac malware has been making some headlines in the last few months, as attackers have begun applying to OS X some of the tactics they’ve been using on Windows for decades. In September, a Trojan called Imuler was found packed inside malicious PDFs, a trick that attackers have been using to get their malware into the hands of users for years now. And earlier in the year the MacDefender malware made a big splash as the first Mac-specific rogue antivirus program to emerge.
Apple is beginning to take some steps to address the threats facing its users, including the announcement this week that all apps submitted to the Mac App Store will have to have a sandbox by March 2012.
This post has been edited to clarify the nature of the apps containing the malware.
drStrangep0rk
Check statement --
"The new variants were discovered in legitimate Mac applications that had been Trojaned and then shared on Pirate Bay."
"The new Trojan variants were discovered in criminalized software found on Pirate Bay. The legitimate Mac Applications are digitally signed and remain safe in the Mac App store."
The sentence is extremely misleading and may represent liability. This article is being listed as a source for other news organizations.
Correction Two
"In September, a Trojan called Imuler was found packed inside malicious PDFs, a trick that attackers have been using to get their malware into the hands of users for years now."
Imuler Trojan was never packed inside a malicious PDF, it was in fact an installer. This is completely a false statement and extremely poor analysis missing key facts. It was never in a PDF and never could you change the extension on a Mac file to get it to execute in a particular way.
Correction Notice
This post represents a request for correction in an article posted on a site run by Kaspersky. In good faith Kaspersky has been contacted to review the sentence stated above for accuracy and/or legal misrepresentations. Kaspersky, as stated in the TOS, is the sole holder of the rights to this article and as such is now the sole holder of the rights to this post and request for correction review.
Thank You