New OS X Trojan horse sends screenshots, files to remote servers

A new Trojan horse for OS X has been identified, which attempts to send files and screenshots to remote servers.

These days when people think of malware and OS X the first name that comes to mind is likely MacDefender or one of its variants, which were rogue utilities designed to trick users into giving up personal and financial information. As the Mac gains in popularity there will undoubtedly be more attempts like this, and recently a new Trojan horse attempt for OS X has surfaced that tries to steal users' personal information.

The malware was first seen in late July of this year, and has been identified by security firms F-Secure and Sophos as "Trojan dropper" and "backdoor" utilities that both work in tandem to install on the system.

Trojan-Dropper:OSX/Revir.A

trojan-dropper.OSX.Revir.A PDF file
The Trojan downloader will display this PDF file that contains offensive political statements in Chinese (click for larger view). F-Secure

This Trojan downloader is the initial phase of the attack, and is a program that when run will install a backdoor utility called "BackDoor:OSX/Imuler.A" onto the system. The downloader will also download and continually open a Chinese PDF document (aptly named "trojan.pdf") that contains offensive political statements, which apparently is an attempt to distract the user and disguise the installation of the backdoor malware.

BackDoor:OSX/Imuler.A

When the backdoor is installed, it will set up a launch agent on the system that is used to continually keep the malware active on the system. It will then connect to a remote server and send the system's current username and MAC address to the server, after which the server will instruct it to either archive files and upload them, or take screenshots and upload them to the server.

According to F-Secure, the malware does not appear to work very well (if at all) at this time since it does not receive instructions from the remote server, but the malware may still be capable of performing its malicious activities. Currently the server seems to be a crude Apache implementation that is likely in a testing phase, but has the potential to be active and properly interact with the malware.

Both F-secure and Sophos have issued malware definition updates to address this new threat, and it is very likely that other malware scanners will soon follow suit, so be sure you keep your malware scanners up to date.

If you do not have a malware scanner, then you can check for the presence of this Trojan horse by opening Activity Monitor, ensure you are viewing all processes, and then look for a process called "checkvir" (sort the processes by name to make locating it easier). If you see this process running, then select it and click the red stop sign button to quit it using Activity Monitor, followed by removing it from the following directory on your system:

/username/Library/LaunchAgents/

If you are running OS X Lion, you can get to the user library by holding the Option key and selecting "Library" from the Finder's Go menu, but in prior versions of the OS the Library should be visible in your home directory. Inside the LaunchAgents directory, remove the files "checkvir" and "checkfir.plist" which are the malware and its launcher agent, respectively. After this the malware should be removed from your system.

Overall while this is a new threat to OS X users, the threat level is relatively minor. The program is easily detectable and removable, and does not seem to be widespread. It also currently does not seem to work properly as it does not yet receive instructions from the remote server.

Unfortunately so far there is no information on exactly how the malware is distributed, but as with other malware it may be distributed via spam e-mails and underground Web sites. If you see an unknown PDF launch automatically on your system, then that is a very good sign the malware is running. As with other malware on OS X, this will need to be explicitly run by the user in order to install, so be aware of any programs that you have downloaded, especially if they show odd behavior like opening unknown documents, are in unexpected languages, or have obviously poor grammar and spelling.

Besides the use of malware scanners, OS X itself has a few guards against these types of Trojans. The system flags every application that is downloaded, and warns you that it is the first time you've run that file, which can help you determine if you want to open the program. In addition, while it has not yet been updated Apple has its XProtect malware detection system that may acquire definitions to this new malware and detect it if, and when, it is downloaded.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    Join the discussion

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    HOT ON CNET

    Find Your Tech Type

    Take our tech personality quiz and enter for a chance to win* high-tech specs!