Mac OS X Variant of Windows Trojan to Pose Rising Threat

BlackHoleRAT, a Mac OS X variant of darkComet RAT for Windows, is backdoor Trojan that is still rudimentary in its capabilities, but the malware author promises there's more to come.

Security researchers have discovered a beta version of a new backdoor Trojan that targets Mac OS X.

SophosLAbs analyzed the sample and determined that the Trojan is actually a variant of darkComet, a well-known Windows Remote Access Trojan, Chester Wisniewski, senior security analyst at Sophos, wrote on the NakedSecurity blog on Feb. 26. The malware author apparently named it BlackHoleRAT, but Sophos has dubbed it MusMinim.

A number of security firms predicted the rise of Mac malware in 2011, and this Trojan is the first new Mac threat this year.

Black Hole is actually the name of a legitimate application that helps users get rid of potentially sensitive information from the computer, such as recently used file lists and data left on the clipboard, according to Wisniewski. The Trojan has nothing to do with that application, he said.

As a Trojan, MusMinim has very basic capabilities, including placing text files on the desktop; sending a restart, shutdown or sleep command to the computer; running arbitrary shell commands; and sending URLs to open a Website. The Trojan can also pop up a fake "Administrator Password" window to phish the victim's password credentials, Wisniewski said.

Once the Trojan has the password information, the remote attacker has full administrator privileges on the computer.

RAT malware generally employs a client-server program that communicates with victims through a Trojan server, according to Italy-based security researcher Methusela Cebrian Ferrer. The server application is installed on the compromised machine, and the client application is on the remote attacker's system, she said.

The malware author also provided an introductory message for victims in a full-screen window that can't be closed unless the user clicks on the Reboot button. "I am a Trojan Horse, so i have infected your Mac Computer," the message said.

"I know, most people think Macs can't be infected, but look, you ARE Infected!" the author wrote in the message. Victims are told the Trojan has "full control" over the computer to execute any number of functions.

The author also warned that it is a "very new Virus, under Development, so there will be much more functions when im finished."

The Trojan itself doesn't appear to use any Mac-specific security vulnerabilities or exploits to infect the computer. Instead, it uses a common Windows-malware tactic by piggybacking on a downloaded executable. MusMinim likely is distributed through pirated software downloads, torrent sites or anywhere users may download an application that would get installed, Wisniewski said.

It may also be able to take advantage of an unpatched vulnerability in the browser, third-party plug-ins and other applications, he said. There have been a number of security vulnerabilities discovered in the Safari Web browser recently.

It could be indicative of malware authors beginning to focus on the Mac OS X as the operating system gains market share and the target audience looks more lucrative. A number of security vendors have come out with Mac-specific security products recently, and Apple quietly invited several security researchers to preview the new Mac OS X Lion and provide security feedback.