Security Experts:

Newest Mac Malware is Snatching Passwords

The anti-Virus firm that discovered the Flashback Trojan, Dr. Web, has discovered another family of Mac-based malware that targets passwords. In addition to Mac OS X, this malware also targets Linux installations.

It isn’t clear how the malware spreads, the security company explained in a blog post, but when examined – it was clearly targeting passwords entered into a number of Internet applications on Mac OS X and Linux. 

Additional examination shows that the malware uses AES to communicate with its C&C, and will create a working copy of itself in the user’s home directory. The backdoor will act as a keylogger and targets passwords entered by the user in Opera, Firefox, Chrome, and Chromium, and passwords stored by such applications as Thunderbird, SeaMonkey, and Pidgin.

For now, the only true mitigation (aside from signatures and the likely chance that heuristics will flag the malware), is to block communication to the main control server with the IP address 212.7.208.65.

Dr. Web is still investigating the malware’s origins, but they are calling the newly discovered OS X backdoor Wirenet.

As mentioned, Dr. Web is credited with discovering the Flashback Trojan, which is responsible for the largest OS X-based botnet in history. According to the recent figures, and a report form the firm recapping the year’s malware statistics, Flashback is still a legitimate concern.

“Despite the fact that more than four months have passed since the discovery of the largest-ever Mac botnet, comprised of machines infected with Backdoor.Flashback.39, it would be premature to talk about its dissolution. At the moment, the botnet consists of 126,781 infected machines, which is 21,711 fewer hosts than at the end of July. In general, the rate of the BackDoor.Flashback.39 botnet’s reduction has declined noticeably (the malicious network was losing 76,524 machines a month until August),” the report explains. 

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.