How to find out if your Mac is infected with Backdoor.MAC.Eleanor

A new piece of malware targeting Macs was discovered this week. It's called Backdoor.MAC.Eleanor and here's everything you need to know about it and keeping your Mac safe.

Taylor Martin CNET Contributor
Taylor Martin has covered technology online for over six years. He has reviewed smartphones for Pocketnow and Android Authority and loves building stuff on his YouTube channel, MOD. He has a dangerous obsession with coffee and is afraid of free time.
Taylor Martin
3 min read
Sarah Tew / CNET
Watch this: Mac malware gives attackers full access to your computer

On Tuesday, Bitdefender announced its researchers had discovered new malware that's targeting Macs. The malware is referenced as Backdoor.MAC.Eleanor and it's capable of fully compromising your system. With the malware present, attackers can steal files, control your webcam, execute code and more.

So how does it work, how do you know if you're affected and what should you do if you are?

How the malware infects Macs

Hackers often look for exploits with the least resistance, and in many cases that's the unknowing user.

This backdoor is no different. It comes packaged inside what appears to be a legitimate file converter application, called EasyDoc Converter. However, the application doesn't actually work. Once installed, it runs a malicious script which installs a Tor hidden service, allowing attackers to remotely access and control the infected machine. This script sets up a web service which gives attackers the ability to manipulate files, execute commands and scripts, access a list of running processes and applications and send emails with attachments.

The malware also uses a tool called "wacaw," which allows an attacker to capture videos and images using the built-in webcam.

Using this software, Bitdefender warns an attacker could "lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices."

How to know if your Mac is infected

There is some good news, however. Seeing as the malware has only been found packaged in the EasyDoc Converter application, you have to download the application, install it and run it for your machine to have been affected.

Macs have an extra security step called Gatekeeper, which is located in System Preferences under Security & Privacy. By default, it stops unsigned applications from unidentified developers from running. If you download an unsigned application from outside the Mac App Store and try to run it, you will be met with a prompt stating the application cannot be opened.

If you downloaded the application, assuming you don't have Gatekeeper disabled, this prompt would have appeared when you tried running the application. To open the app, you would have to deliberately override the security settings to run the application the first time.

So if you never downloaded the application and/or didn't bypass Gatekeeper settings to run it, your Mac is not infected with the Backdoor.MAC.Eleanor malware.

On the other hand, if you did either, your Mac is may likely infected.

How to get rid of it

If you still have access to your Mac, you're in luck. Malwarebytes and Sophos have already been updated to detect Backdoor.MAC.Eleanor, and any anti-virus software that scans for malware should soon follow suit. To rid your Mac of the malware, download the Malwarebytes Anti-Malware application for Mac or Sophos Home, run a scan immediately and delete any associated files.

To avoid instances like this in the future, ensure Gatekeeper settings are set to only allow applications from the Mac App Store and identified developers. If you need to install an application from an unknown developer, be certain that it's from a trusted source.

Also, consider using an application like BlockBlock to detect the installation of any persistent software. This is not necessarily malware detection, but can help point out applications with components that shouldn't be there. Pair this with a periodic scan with Malwarebytes and more caution when downloading applications from untrustworthy sources and your Mac should remain free of malware.

If you suspect your Mac was infected with this malware, your best course of action is restoring from a Time Machine backup or reinstalling OS X.

  • Access Recovery by powering down the Mac.
  • Hold Command and R while powering the machine back on and release them when the Apple logo appears.
    • If you have a Time Machine backup, try restoring from a date prior to when you installed the EasyDoc Coverter.app.
    • If you do not have a Time Machine backup to restore, select Reinstall OS X. Be aware: You will lose any locally stored data on the hard drive, including pictures, documents and other files.
  • Wait for the system to finish the restore or reinstalling, and consider installing anti-malware software.

Editors' Note: This post was originally published on July 7 and has been updated with removal information.