New Mac OS X Trojan distributed via BitTorrent file-sharing sites
01/11/11 12:13
A new Mac OS X Trojan has been discovered on BitTorrent sites. The threat, dubbed OSX.DevilRobber or OSX.Miner, has appeared within legitimate copies of GraphicConverter v7.4, Flux v3.2.5 and CorelPainter v12, which the virus writer has modified and posted on the file-sharing websites. The Trojan is installed on your computer when the parent application’s installer is run.
The threat appears to be quite sophisticated, adopting a multi-pronged approach to harvesting personal details from your computer, including stored information from encryption software and Safari, and sends this to a remote server. In addition, the Trojan utilizes your Graphics processor (GPU) to perform calculations required to undertake bitcoin mining, hence the name. If it discovers a bitcoin wallet it will save that, too.
If your Mac becomes infected by this Trojan then the first thing you may notice is a sluggishness as it performs the bitcoin permutations required for ‘mining’. Check for the presence of a folder in your login user area called ~/Library/mdsa1331/ and a launch agent file in ~/Library/LaunchAgents/ that looks unfamiliar. The current version of the trojan creates a startup file, which at first glance appears to have come from Apple, com.apple.legion.plist.
Interestingly, the Trojan script exits if it detects that LittleSnitch, a network analyzing tool, is installed on your Mac. Presumably this is because it will highlight network traffic and raise awareness of the Trojan’s presence in the wild.
As always, we advise extreme caution when downloading software from file-sharing websites as you don’t always get what you expect. Unfortunately in this case you get a lot more than you bargained for!
ProtectMac AntiVirus detects this new Trojan as OSX.DevilRobber.