
Sophos tackles new BlackHole RAT malware variant for OS X

A new variant of the relatively old "BlackHole RAT" malware for OS X has been found and definitions have been released for it.

Topher Kessler MacFixIt Editor

Back in February of this year a malware utility called BlackHole (detected as MusMinim by security company Sophos) was found for OS X. BlackHole is a RAT (Remote Access Tool): a backdoor server program that runs on an infected system and lets a remote user interact with it by sending shutdown commands, displaying messages on screen, opening URLs, and requesting usernames and passwords. In essence it is similar to a remote desktop utility, but it is not distributed for productive purposes.

Unlike more recent malware for OS X that tries to stay hidden and steal information automatically, BlackHole is not very discreet and also requires a remote user to actively interact with the system. It can therefore be classified more as a prank or "annoyware" tool than as an attempt to steal information. Nevertheless, it can be used for that purpose, and it was not developed as a legitimate piece of software, so it is considered malware.

[Image: BlackHole RAT control panel. With a connection to an infected computer, a prankster can use this panel to control aspects of the infected Mac.]

It appears that the developer of this malware is still refining it, albeit at a relatively slow pace, and today Sophos has released new definitions for a third variant.

When new malware is found, definitions for it are generally labeled alphabetically to differentiate its variants, so the initial release of the BlackHole RAT was called OSX/MusMinim-A by Sophos, followed by OSX/MusMinim-B for the second variant. The variant found today is the third detected release, and continuing the naming scheme Sophos is calling it OSX/MusMinim-C.

While this update to the malware is by no means the cat-and-mouse game we saw with the MacDefender malware and its variants (which were released on an almost daily basis), it does show that even relatively old malware may be tweaked at any time. Despite this development, however, there is nothing fundamentally new here, and as with other recent malware for OS X, this variant presents a low (almost minuscule) risk for Mac users.

Nevertheless, if you do encounter this malware you will want to remove it from your system as soon as possible, so in the coming days be sure to keep your malware scanner definitions up to date. Sophos released its new definitions today, and other security vendors will likely follow suit.

Besides using malware scanners, there are a couple of things you can do to help protect your system from backdoor attacks:

  1. Install Little Snitch
    The outgoing firewall utility Little Snitch blocks any program on the system from communicating with another computer unless you specifically authorize it. This is useful for preventing personal information from being sent to unknown locations even by legitimate software packages, but it can also be used to root out malicious activity. Keep in mind that it governs outbound connections only; a RAT like BlackHole, which waits for its operator to connect in, is a listener, and that is what the firewall settings below address.

  2. Disable automatic opening of "safe" files in Safari
    [Image: Safari "safe" files preference. Disable Safari's automatic opening of "safe" files to increase security.]
    Apple's Safari browser has an option to open "safe" files after downloading them. This may be convenient, but it poses a security risk because malware can be distributed in PDFs and other file types Safari considers safe, and such a file is opened with no further click from you. Uncheck this option in the General pane of Safari's preferences.

  3. Enable network firewalls
    Since tools like BlackHole require a connection from client software running on a remote system, an infected computer is essentially a server waiting for its operator to connect. If your Mac sits on a private network behind a router that performs NAT and has no port forwarding or UPnP-opened ports pointing at it (the default on most home routers), the client software cannot reach your system from the Internet. It can still be reached by other machines on the same local network, such as a shared Wi-Fi hotspot, so do not rely on the router alone.

    In addition to the router, be sure the OS X firewall is enabled and active (in the Security system preferences). Turn on Stealth mode, and periodically clear the list of allowed programs, especially if you see items you do not recognize; an unfamiliar entry that is allowed to accept incoming connections is exactly the kind of opening a backdoor needs.

  4. Never trust a program
    Many times people will see a prompt on their system and obey it, but if you have not done anything and the system suddenly requests your login name and password, first investigate why. Close the request window and check whether any updates are installing, or whether you are performing a task such as copying files that legitimately needs elevated privileges. Then quit all of your open programs, and if the system still requests your password, be wary of it. If you cannot figure out why the system is asking for your credentials, take a screenshot of the behavior (press Shift-Command-3) and ask in the Apple Support Communities or elsewhere whether it should be expected.


