New Mac OS X backdoor Trojan discovered

28 Feb 2011

A new backdoor Trojan affecting Mac OS X has been created, which Sophos Labs believes reflects the rising popularity of Mac computers.

Macs have gotten a reputation for not being as prone to viruses and malware as PCs. This is because most consumers own PCs, meaning there is a larger userbase for malware creators to target. But Apple’s growth in this market means more malware will be produced for Macs.

According to security firm Sophos Labs, the Trojan, which is still unfinished, is a variant of the Remote Access Trojan (RAT) for Windows called darkComet.

While the author of the malware has called it “BlackHole RAT,” Sophos Labs is referring to it as OSX/MusMinim-A or MusMinim. “Black Hole” is also the name of an unrelated legitimate application which focuses on boosting the computer’s security by removing sensitive information on the device.

The Trojan can be picked up through pirated downloads, torrent sites or anywhere else users download an application they expect to install. The Trojan could also infect the computer through vulnerabilities in a browser, plugin or other applications.

When MusMinim infects a computer, it can run arbitrary shell commands, send URLs to the client to open a website, pop up a fake administrator window to phish for passwords and send commands to restart or shut down the computer.

The Trojan’s message

The Trojan can also display a full-screen window with a message, along with a button that only allows users to restart the Mac.

“I am a Trojan Horse, so I have infected your Mac Computer,” reads the message.

“I know, most people think Macs can’t be infected, but look, you ARE infected!

“I have full controll (sic) over your Computer and I can do everything I want, and you can do nothing to prevent it.

“So, I’m a very new Virus, under Development, so there will be much more functions when I’m finished,” it said.

The Trojan can be removed by anti-virus software, such as the one Sophos Labs provides.