
An Analysis of the Cross-Platform Backdoor NetWeirdRC

Posted on August 22nd, 2012 by

A backdoor called OSX/NetWeirdRC has been found that affects OS X (versions 10.6 and higher), Windows, Linux and Solaris. Much like OSX/Crisis, this is a commercial remote access tool that was leaked to VirusTotal. This malware appears to be in the wild, but the risk is considered low at this time. It is not known how the malware would arrive, though presumably it would be delivered as part of a targeted attack, either by a custom dropper or by social engineering that entices the user to run a file.

In testing, it was found that this malware is not persistent: perhaps due to a bug, it does not restart after a reboot, and it lies dormant unless it is manually restarted or removed. It does add itself to the login items, but this does not succeed in restarting the malware; instead, it only opens the user's home folder at login.

The sample we received copies itself to the user's home directory, though this is configurable and may vary.

Once it is installed, it calls home to the IP address 212.7.208.65 on port 4141 and awaits instructions. VirusBarrier's firewall alerts on this connection attempt.

The backdoor offers a number of different functions to perform actions and spy on the user of the infected machine:

  • Installing new files
  • Performing commands remotely
  • Grabbing screenshots
  • Gathering system information
  • Gathering information about what programs are running
  • Stealing encrypted Firefox, Thunderbird, Opera, SeaMonkey passwords

A temporary file is created for the malware to know if it has already been installed:

  • /tmp/.lbOOjfsO
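The two host indicators above (the C2 endpoint and the install marker) can be turned into a quick triage check. This is an added example, not code from Intego or from the write-up; it assumes `netstat -an` output in the macOS (dotted port) or Linux (colon port) layout, and the sample output it runs on is constructed, not captured from a real infection.

```python
#!/usr/bin/env python3
"""Triage check for the NetWeirdRC indicators named in the write-up."""
import os
import re
import subprocess

# Indicators taken from the write-up (observed in this sample; both may vary).
C2_IP = "212.7.208.65"
C2_PORT = 4141
MARKER_FILE = "/tmp/.lbOOjfsO"

# Foreign-address column: macOS uses 212.7.208.65.4141, Linux 212.7.208.65:4141.
_ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[.:](\d{1,5})")


def find_c2_connections(netstat_lines, ip=C2_IP, port=C2_PORT):
    """Return the TCP lines whose foreign endpoint is the NetWeirdRC C2."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue  # header, UDP or malformed line
        m = _ENDPOINT.fullmatch(fields[4])  # foreign address column
        if m and m.group(1) == ip and int(m.group(2)) == port:
            hits.append(line)
    return hits


def marker_present(path=MARKER_FILE):
    """True if the install marker the backdoor drops exists on this host."""
    return os.path.exists(path)


def triage(netstat_lines=None):
    """Run both checks; collects live netstat output if no lines are given."""
    if netstat_lines is None:
        out = subprocess.run(["netstat", "-an"], capture_output=True, text=True)
        netstat_lines = out.stdout.splitlines()
    return {"marker": marker_present(),
            "c2_connections": find_c2_connections(netstat_lines)}


# Constructed sample output (not from a real host) so the check runs offline.
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)",
    "tcp4       0      0  192.168.1.20.52413     212.7.208.65.4141      ESTABLISHED",
    "tcp4       0      0  192.168.1.20.52414     17.253.144.10.443      ESTABLISHED",
    "tcp        0      0 10.0.0.5:40000          212.7.208.65:4141       SYN_SENT",
    "udp4       0      0  *.5353                 *.*",
]

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT))
```

A match on either indicator is a reason to isolate the host and pull the sample, not proof on its own, since both the C2 address and the install path are configurable in this tool.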

It's interesting to compare and contrast OSX/Crisis and OSX/NetWeirdRC, as they are both commercial products. While OSX/Crisis is an advanced threat which hides itself reasonably well, OSX/NetWeirdRC has a number of glaring issues. Perhaps the price tag tells us all we need to know: OSX/Crisis sells for €200,000, and OSX/NetWeirdRC starts at $60. The website of the developers of OSX/NetWeirdRC also lists the undetected nature of this tool as a selling point. It would seem that you get what you pay for, even in the malware world.

Intego VirusBarrier users with up to date virus definitions are protected from this threat.

  • Steven

    Well, I have some samples of it too, a friend shared, but mostly, you have a messed up version or something, the latest one I got survives reboot, if you want me to share them, just drop a message

  • Voorman

    Am I still protected if I have VirusBarrier Plus from Mac App Store?

  • LysaMyers

    Voorman – Yes, this threat is covered by the virus definitions.
    Steven – We’d be happy to get any samples, please send them to sample@virusbarrier.com
