A new backdoor Trojan for OS X is making the rounds, attempting to set up a secure connection for a remote hacker to connect through and grab private information.
The malware, dubbed "Pintsized" by Intego, is suspected of using a modified implementation of OpenSSH to set up a reverse shell that creates a secure connection to a remote server.
The use of an encrypted connection makes it more difficult to detect and trace, especially since it uses the common SSH protocol. In addition, the malware attempts to hide itself by disguising its files to look like components of the OS X printing system, specifically the following:
com.apple.cocoa.plist cupsd (Mach-O binary) com.apple.cupsd.plist com.apple.cups.plist com.apple.env.plist
Intego does not state where these files are placed in the OS, but as with prior malware in OS X this requires an option to automatically launch the malware whenever the system is started or when a user logs in, which in OS X is the various launch agent directories in the system. Launch agents use a property list (plist) structure, and can be used to target a binary executable (such as the mentioned "cupsd" one above) to keep it always running on the system.
Therefore, to check for this malware, open the following directories in the system to check for the presence of any of the above file... [Read more]
No comments:
Post a Comment