
DevilRobber Trojan now disguised as PixelMator

The recent Trojan horse called DevilRobber has been found updated and disguised as a fake version of PixelMator.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

One of the latest Trojan horse malware threats on OS X is a Bitcoin-mining and data-stealing bot called "DevilRobber" that uses the system's processors (the GPU as well as the CPU) to run Bitcoin mining operations and rapidly generate Bitcoins (an experimental digital currency).

All malware is expected to be altered, refined, and otherwise updated, and security firm F-Secure recently reported finding another variant of the DevilRobber Trojan circulating on pirated-software networks.

The original DevilRobber was distributed in pirated versions of the popular program Graphic Converter, and the malware developers are now targeting additional graphics tools in a similar way by releasing this new version disguised as the popular image-editing program PixelMator.

Unlike the original version of the malware, which ran embedded in full copies of Graphic Converter, the new version contains none of the legitimate PixelMator code and is merely disguised as the program. When run, the fake PixelMator acts as a basic downloader: it contacts FTP servers, then downloads and installs the actual malware.

The new version has some relatively significant changes from its predecessors. While it still tries to steal the contents of a user's Bitcoin wallet and generate Bitcoins, it now performs a few other operations. First, it attempts to steal passwords from the popular password management utility 1Password. It also attempts to grab system log files as well as Terminal command history files.

This version of DevilRobber no longer attempts to take screenshots and send them to remote servers. It also no longer checks for the presence of the Little Snitch reverse (outbound) firewall daemon, which can detect its activity and prevent it from communicating with external servers. In previous versions of the malware the presence of Little Snitch caused installation to fail, but this version continues to install, perhaps in hopes that even with Little Snitch installed some people will approve a rule that allows the Trojan to communicate with external servers.

Even so, using Little Snitch or another reverse firewall such as Intego VirusBarrier should prevent the malware from communicating with the outside world, provided you deny the connection rather than approve a rule for it. So if one of these programs notifies you of an unexpected connection attempt to an FTP server, be sure to check it out before allowing it. Keep in mind that blocking the connection only stops the download; the fake application that made the attempt is still on your disk and needs to be removed.
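If you do not run a reverse firewall, you can still spot the behavior described above by looking for processes that hold outbound FTP connections. The following shell snippet is an added example and is not from the original article or from F-Secure: it parses the output of `lsof` (the `SAMPLE_LSOF` lines are constructed for illustration, and the process names, PIDs, and addresses in them are made up, not taken from a real infection) and reports every established TCP connection whose remote port is 21, skipping any process names you pass as an allowlist so that a legitimate FTP client is not reported.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP +c 0 -iTCP -sTCP:ESTABLISHED` output.
# Not captured from a real system; names, PIDs and addresses are made up.
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari      612  alice  23u  IPv4 0xa1   0t0  TCP 192.168.1.10:49210->93.184.216.34:443 (ESTABLISHED)
Pixelmator 4821  alice   7u  IPv4 0xa2   0t0  TCP 192.168.1.10:52344->203.0.113.5:21 (ESTABLISHED)
Mail        715  alice  14u  IPv4 0xa3   0t0  TCP 192.168.1.10:49333->198.51.100.7:993 (ESTABLISHED)
ftp        9012  alice   3u  IPv4 0xa4   0t0  TCP 192.168.1.10:52400->198.51.100.20:21 (ESTABLISHED)'

# Read lsof output on stdin and print "COMMAND PID REMOTE" for every
# established TCP connection whose remote port is 21 (FTP control channel).
# $1 (optional) is a space-separated allowlist of process names to ignore,
# e.g. "ftp Transmit", so that known FTP clients are not reported.
flag_ftp_connections() {
    allow="${1:-}"
    awk -v allow="$allow" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) allowed[a[i]] = 1
        }
        NR == 1 { next }                       # skip the lsof header line
        $NF == "(ESTABLISHED)" {
            # The NAME column looks like LOCAL->REMOTE, e.g.
            # 192.168.1.10:52344->203.0.113.5:21
            if (split($(NF - 1), ends, "->") != 2) next
            port = ends[2]
            sub(/.*:/, "", port)               # keep only the text after the last colon
            if (port == "21" && !($1 in allowed)) print $1, $2, ends[2]
        }'
}

# Convenience wrapper: number of suspicious FTP connections in the input.
count_ftp_connections() {
    flag_ftp_connections "$@" | wc -l | tr -d ' '
}

# Run against the constructed sample; a graphics editor talking to port 21
# is exactly the kind of connection worth investigating.
printf '%s\n' "$SAMPLE_LSOF" | flag_ftp_connections "ftp Transmit"
```

On a live machine, pipe the real listing in instead of the sample: `lsof -nP +c 0 -iTCP -sTCP:ESTABLISHED | flag_ftp_connections "ftp Transmit"`. The `+c 0` flag matters because `lsof` otherwise truncates the COMMAND column to nine characters, which would turn a name like `Pixelmator` into `Pixelmato` and defeat the allowlist. A downloader that only connects briefly can be missed by a single snapshot, so run the check a few times or while the suspect application is open.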

As with the previous version of DevilRobber, this version is distributed as pirated software, so provided you run only legitimately purchased software you should be safe from this and the other Trojans being disguised as popular programs. Be sure to run only software you have downloaded from reputable sources such as the developer's Web site, software repositories like CNET's Download.com, or the Mac App Store.


