Earlier this week, Mac security firm Intego discovered a new type of malware for Mac OS X, which will pose a bit of a problem when it comes to protection, given its use of Open SSH. Yet, while there is speculation, the methods used to propagate the malicious code remains unknown.
Intego calls their latest discovery a “Pint-sized backdoor” given its nature, but they’ve also shutdown the avenues of communication the Trojan’s operators were using at the time of its discovery. So for now, it’s a non-threat, but the way the Trojan operates is what made Intego sit-up and take notice.
“The binary component uses a modified version of existing tools (namely OpenSSH 6.0p1) for creating a secure connection to encrypt the traffic so that it is much better hidden. The tool is further hidden by placing the file in a directory that is usually used for printing, so that if anyone sees a list of processes contacting the network, it will appear as if the affected machine is simply printing from a networked printer. This version of the tool also has been modified so that it will not save a log of its command histories,” the AV firm wrote in a brief on the malware.
According to their research, the malware was using a communication address of corp-aapl.com, the name for Apple’s stock symbol. Intego says that their research thus far has led them to believe that the threat likely starts with an exploit that gets the malware past Gatekeeper, and once installed opens a reverse-shell with the secured connection. This implicates drive-by infections, or other types of socially-engineered attacks.
Yet, because the processes used for communication rely on Perl scripts, if a person knows what they’re looking for the threat is easily spotted on an infected system. Otherwise, it can run in the background with impunity.
“That is to say, rather than announcing to the controller that the machine is infected (because the machine has been targeted and they already know where it is), the controller periodically contacts the infected machine to perform commands. Initiating the contact from outside the affected machine potentially helps it get past firewalls,” Intego added.
Again, for now the main communication lines are clipped, but the code could easily be reproduced and new domains added for usage. So while they watch for new variants, Intego says that up-to-date AV signatures will detect this latest threat.