
New variant of the "HellRaiser" low-risk Trojan surfaces

Though not a grave security risk for Mac users, a new Trojan horse called "OSX/HellRTS.D" has been identified by Intego (developers of VirusBarrier X). The new Trojan is a variant of a backdoor server called "HellRaiser," which was developed to give a remote attacker full control of an infected computer.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.


As with many Trojan horses, this one is a modification of earlier code, made so that it can slip past current security measures and antivirus definitions.

Once installed, it duplicates itself and disguises the copies as legitimate applications that are already on the computer. It then sets up a server through which it can send e-mail, accept remote connections, and communicate with remote servers.

The program is distributed as a file that the user must install, and it is being made available through user-provided download sources such as online forums and other less-than-legitimate Web sites. The code is a universal binary, so it runs on both Intel and PowerPC Macs.

Since the Trojan needs you to install the first copy manually, the risk is relatively low, especially because it is distributed through forum postings and other unofficial download sites. The easiest way to prevent infection is therefore to download programs only from a legitimate source, such as the developer's own site or a source like VersionTracker or CNET's Download.com.

Unfortunately, on a machine with many users it is difficult to tell how the computer is being used and, at times, what is being installed (even standard users can install some applications into their own accounts). Apple provides parental controls, but users may still run across these programs and try to install them.

There are some steps you can take to ensure your system is safe:

  1. Virus Scanning

    Active virus scanning is still not considered a requirement for OS X, but at least have a good scanner installed that you can run periodically. I use Sophos antivirus, but there are several others including MacScan, VirusBarrier, and ClamXav. Ensure your virus definitions are up to date, and if you do not want to manually scan your system periodically, have the program automatically run scans at times when you are not using your system.

  2. Restrict administrative access

    It is unclear whether this Trojan requires administrative access to run (or at least run some of its features), but in general it is good practice to limit access to administrative rights, even for yourself. Set up an administrative account and then create a standard account for yourself for daily activities, and only use the administrative account to configure the system.

  3. Set up incoming and outgoing firewalls

    Apple's built-in application firewall is good at preventing inbound access to your system; however, little prevents applications from sending information back out. In addition to regularly reviewing and removing application exceptions from the OS X firewall (in the Security pane of System Preferences), install a program like Little Snitch, which notifies you of any program that tries to send information out.

  4. Avoid malware

    It is very easy to avoid malware. As previously mentioned, do not install items that you downloaded from forums, but also avoid special deals that are not directly from developers or reputable vendors. Avoid installing items obtained from "warez" and porn sites, and if your browser automatically downloads an installer file, delete it. If a Web site claims you need a plug-in for a specific function, research the plug-in and download it from the developer.
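The following audit script is an added example and is not part of the original article, nor code from Intego or Apple. It turns steps 2 and 3 above into something you can check from a Terminal: which accounts hold administrative rights, whether the application firewall is on, and which applications have been granted an incoming-connection exception. The parsing functions take command output as an argument so the script can be run anywhere against the constructed sample text embedded below; on a real Mac, feed them the live output of `dscl . -read /Groups/admin GroupMembership`, `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` and `/usr/libexec/ApplicationFirewall/socketfilterfw --listapps` as shown in the comments. The exact line layout of the samples is an assumption about those tools' output and may need adjusting for your OS X version; the account and application names in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the article): audit helpers for steps 2 and 3.
# Each function parses text passed as $1 so it can be tested offline.

# Step 2: accounts in the admin group other than root and the one admin
# account you intentionally keep ($2). Everything else deserves a look.
# Live input on OS X:  dscl . -read /Groups/admin GroupMembership
extra_admins() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' \
        | grep -v '^$' | grep -vx 'root' | grep -vx "$2"
}

# Step 3a: is the application firewall enabled at all?
# Live input on OS X:  socketfilterfw --getglobalstate
fw_enabled() {
    printf '%s\n' "$1" | grep -q 'State = 1'
}

# Step 3b: applications the firewall has been told to allow incoming
# connections for; review this list regularly and remove what you do not need.
# Live input on OS X:  socketfilterfw --listapps
# (entries are a numbered path line followed by an "( Allow ... )" or
#  "( Block ... )" line; this pairing is an assumption about the format)
fw_allowed_apps() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+ *:/ { sub(/^[0-9]+ *: */, ""); app = $0; sub(/[ \t]*$/, "", app); next }
        /Allow incoming/ && app != "" { print app; app = "" }
        /Block incoming/ { app = "" }
    '
}

# Constructed sample output standing in for the live commands.
SAMPLE_DSCL='GroupMembership: root localadmin tk'
SAMPLE_STATE='Firewall is enabled. (State = 1)'
SAMPLE_APPS='ALF: total number of apps = 2

1 :  /Applications/Skype.app
 	 ( Allow incoming connections )
2 :  /usr/bin/ssh
 	 ( Block incoming connections )'

# Stand-alone report over the samples. On a real Mac, replace the three
# SAMPLE_* variables with $(...) captures of the live commands.
audit_report() {
    echo "Admin accounts besides root and 'localadmin':"
    extra_admins "$SAMPLE_DSCL" localadmin | sed 's/^/  /'
    if fw_enabled "$SAMPLE_STATE"; then
        echo "Application firewall: enabled"
    else
        echo "Application firewall: DISABLED - turn it on in Security preferences"
    fi
    echo "Applications allowed to accept incoming connections:"
    fw_allowed_apps "$SAMPLE_APPS" | sed 's/^/  /'
}

audit_report
```

Run it with `sh audit.sh`; the report lists `tk` as an unexpected administrator, confirms the firewall is on, and names `/Applications/Skype.app` as the only allowed exception. Nothing here inspects outbound traffic, which is exactly the gap the article says a tool like Little Snitch fills.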

For more tips on increasing the security of your system, check out this article.


