The latest malware targeting Mac OS X steals user credentials and computer processing power to generate more Bitcoins, a virtual currency used online.
Security researchers have
uncovered yet another Mac Trojan in the wild, this time hiding inside pirated
versions of the Mac OS X image editing application GraphicConverter.
The pirated copy of
GraphicConverter 7.4 is being actively distributed on file-sharing networks and
torrent sites like Pirate Bay and contains the DevilRobber Trojan, Sophos
researchers reported Oct. 29. Once on the Mac OS X, DevilRobber creates a
backdoor for remote access and installs a Bitcoin miner that uses up spare
system resources and steals the content of the user's Bitcoin wallet, according
are anonymous, decentralized virtual currency commonly used online among people
interested in keeping their transactions secret. The BitCoin value is
determined on an online electronic exchange and generally hovers around $14 to $17
per unit. While often used for illegal transactions, BitCoins are used for
legitimate purposes as well, such as making donations to WikiLeaks.
"If your Mac computer
was infected by the malware, the first thing you might notice is performance
becoming sluggish," Graham Cluley, senior technology consultant at Sophos,
wrote on Naked
Security firm Intego said
the malware has been spotted in other pirated Mac applications, but declined to
identify the titles on the Mac
blog. The applications were generally being distributed by
BitTorrent, and Mac users should download only from trusted sites, Intego
If the user has Little
Snitch, a popular network traffic blocker, installed on the Mac, the Trojan
terminates, Intego said. Otherwise, it will launch on each reboot or log-in.
The application developers
are "victims," as criminals are using their popular software as a
trap to infect Mac users who download software from unofficial sources, Cluley
Some BitCoin users get in
the business of "mining," or generating more of the currency to
increase the pool of available funds. The mining is done with a specific
application that runs mathematically intensive operations that require a lot of
time and computer-processing resources. The DevilRobber Trojan
"steals" processing power from infected Macs for this purpose.
"Yes, this Mac malware
is stealing computing time as well as data," Cluley wrote, noting that
graphics processing unit (GPU) resources are much better than regular CPUs at
performing intensive mathematical calculations required for Bitcoin mining.
The malware also collects
system information such as shell and browser history, takes screen captures,
opens a proxy port and waits for the user to enter the user name and password,
performs a scan for private files on the system and on mounted encrypted volumes
using Spotlight, posting data files and looking for other infected Macs.
The Trojan also hunts for
any files that may contain adult content, but Sophos researchers were not clear
whether it was distributing the material or acting as a vigilante to uncover
objectionable material, according to Cluley.
The malware is
"complex," as it can perform tasks associated with several classes of
malware, including a Trojan horse, backdoor, data-stealer and spyware, Intego
said. Another variant uncovered by Intego saves the user's keychain files.
users-like their Windows cousins-should practice safe computing and only
download software from official Websites and legitimate download
services," Cluley said, adding that Mac users need to start practicing
safe security instead of thinking the platform
is impervious to malware
researchers uncovered a Mac Trojan that masqueraded as a Flash Player installer
and another that hijacked Mac OS X systems to launch
denial of service attacks
against other computers.