X

New Mac malware opens secure reverse shell

New malware for OS X is making the rounds in security circles, called "Pintsized," but has not yet been determined to be much of a threat.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Topher Kessler
2 min read

A new backdoor Trojan for OS X is making the rounds, attempting to set up a secure connection for a remote hacker to connect through and grab private information.

The malware, dubbed "Pintsized" by Intego, is suspected of using a modified implementation of OpenSSH to set up a reverse shell that creates a secure connection to a remote server.

The use of an encrypted connection makes it more difficult to detect and trace, especially since it uses the common SSH protocol. In addition, the malware attempts to hide itself by disguising its files to look like components of the OS X printing system, specifically the following:

com.apple.cocoa.plist
cupsd (Mach-O binary)
com.apple.cupsd.plist
com.apple.cups.plist
com.apple.env.plist

Intego does not state where these files are placed in the OS, but as with prior malware in OS X this requires an option to automatically launch the malware whenever the system is started or when a user logs in, which in OS X is the various launch agent directories in the system. Launch agents use a property list (plist) structure, and can be used to target a binary executable (such as the mentioned "cupsd" one above) to keep it always running on the system.

Therefore, to check for this malware, open the following directories in the system to check for the presence of any of the above files:

/System/Library/LaunchDaemons
/System/Library/LaunchAgents
/Library/LaunchDaemons
/Library/LaunchAgents
~/Library/LaunchAgents

NOTE: You can highlight each folder path above individually, right-click the selection, and choose "Open" from the Services contextual submenu to open it in the Finder.

Because malware developers use these folders as a means of running their malware in OS X, one easy way to detect any misuse of them is to set up an alert that will notify you whenever files are added to them. I outlined how to do this with tools and services that are included in OS X, and the Luxembourg CIRCL subsequently developed a standalone installer that sets up a similar monitoring routine.

In addition to monitoring these folders, you can also install a reverse firewall like Little Snitch, which will notify you whenever a program attempts to make a connection to a remote server.

Currently it is unknown how the malware initiates its attack, whether it uses a previously documented vulnerability or one that is yet to be disclosed; however, the malware is not known to be widespread and is primarily being discussed on various security mailing lists. Nevertheless, by checking for the presence of the above files in the system's Launch Agent and Launch Daemon folders you should be able to determine if your system is free of it.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.