Mac OS X backdoor Trojan, now in beta?

Mac OS X backdoor Trojan, now in beta? Presenter: 劉旭哲. Introduction: It targets users of Mac OS X. As even the malware itself admits, it is not yet finished. It could be indicative of more underground programmers taking note of Apple's increasing market share.

gil

Presentation Transcript


  1. Mac OS X backdoor Trojan, now in beta? Presenter: 劉旭哲

  2. Introduction
     • It targets users of Mac OS X.
     • As even the malware itself admits, it is not yet finished.
     • It could be indicative of more underground programmers taking note of Apple's increasing market share.

  3. Introduction
     • Not the first backdoor Trojan for OS X.
     • HellRaiser (OSX/HellRTS, by McAfee)
     • This Trojan was detected earlier in 2010.
     • BlackHole RAT has the classic client-server architecture.
     • The server (the Trojan itself) works only on Intel-based OS X machines, while the client also works on Microsoft Windows.

  4. How It Works
     • Infects computers (victims) through downloads over the Web or a vulnerability in your browser, plugins, and other applications.
     • The server will also open ports such as 10005, 10004, 10001, 10000, 9999, 7781, 7782, 7780, and 7779.
     • The attacker can use the client to connect to the victim's machine on port 7777 and open port 7778 to accept incoming connections.

  5. Method
     • Sophos calls it OSX/MusMinim-A, or 'MusMinim'.
     • Its functions include:
       • Placing text files on the desktop
       • Sending a restart, shutdown or sleep command
       • Running arbitrary shell commands
       • Placing a full screen window with a message that only allows you to click reboot
       • Sending URLs to the client to open a website
       • Popping up a fake "Administrator Password" window to phish the target

  6. After connecting, the attacker clicks More

  7. Pop-up on the victim's Mac: this window only allows entering the account name and password and then clicking OK

  8. Default text that is displayed in the full screen window with the reboot button: "I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected!I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it.So, Im a very new Virus, under Development, so there will be much more functions when im finished."

  9. Demo_Video

  10. Conclusion
     • The BlackHole RAT Trojan seems to be copying the behavior of DarkComet.
     • The author denies this relationship.
     • Easy to kill:
       • Check port
       • Kill process
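
The "check port" step from the conclusion, as an added example that is not part of the presentation: it filters `lsof` listener output for the ports listed on slide 4 and reports the owning PID and command. The function names and the sample `lsof` lines are constructed for illustration.

```shell
#!/bin/sh
# Ports the slides attribute to BlackHole RAT (client connection and server ports).
RAT_PORTS="7777 7778 7779 7780 7781 7782 9999 10000 10001 10004 10005"

# Read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and print
# "port pid command" for every listener bound to one of RAT_PORTS.
match_listeners() {
    awk -v ports="$RAT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $NF == "(LISTEN)" {
            # NAME looks like *:7777, 127.0.0.1:631 or [::1]:631;
            # the port is whatever follows the last colon.
            k = split($(NF - 1), part, ":")
            port = part[k]
            if (port in want) print port, $2, $1
        }'
}

# Distinct PIDs that hold at least one of the listed ports.
suspect_pids() { match_listeners | awk '{ print $2 }' | sort -u; }

# Constructed sample of lsof output (not captured from a real host).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   21u  IPv4 0x0a01      0t0  TCP *:22 (LISTEN)
cupsd      88 root    6u  IPv6 0x0a02      0t0  TCP [::1]:631 (LISTEN)
sample    412 alice   5u  IPv4 0x0a03      0t0  TCP *:7777 (LISTEN)
sample    412 alice   7u  IPv4 0x0a04      0t0  TCP *:9999 (LISTEN)
httpd     530 _www    4u  IPv4 0x0a05      0t0  TCP 127.0.0.1:8080 (LISTEN)
EOF
}

if [ "${1:-}" = "--live" ]; then
    # On the Mac being checked; run as root to see other users' sockets.
    lsof -nP -iTCP -sTCP:LISTEN | match_listeners
else
    sample_lsof | match_listeners
fi
```

A match is only a lead, since other software also listens on some of these ports; inspect the owning process (for example with `ps -p PID -o command=`) before killing it.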
