A backdoor called OSX/NetWeirdRC has been found that affects OS X (versions 10.6 and higher), Windows, Linux and Solaris. Much like OSX/Crisis, this is a commercial remote access tool that was leaked to VirusTotal. This malware appears to be in the wild, but the risk is considered low at this time. It is not known how the malware arrives; presumably it would be used in a targeted attack, delivered either by a custom dropper or by enticing the user to run a file through social engineering.
In testing, we found that this malware is not persistent: perhaps due to a bug, it does not restart after a reboot and lies dormant until it is manually restarted or removed. It does add itself to the login items, but this does not succeed in restarting the malware; the login item only opens the user's home folder at login instead.
The sample we received copies itself to the user's home directory, though this is configurable and may vary.
Once installed, it calls home to the IP address 220.127.116.11 on port 4141 and awaits instructions. VirusBarrier's firewall alerts on this outbound connection attempt.
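The two behaviours described above (a beacon to the C2 address on TCP port 4141, and a login item that points into the user's home folder) are enough to hunt for this sample by hand. The script below is an added example, not code from the original post or from Intego; it parses `lsof -nP -iTCP` style output for connections to the C2 endpoint and screens a list of login-item paths, flagging the home folder itself or any non-bundle file sitting directly inside it. The lsof lines, the login-item paths and the process/file name `backdoor` are constructed sample data, since the post does not name the dropped file.

```python
"""Hunt for OSX/NetWeirdRC-style indicators: a C2 beacon and an odd login item.

Added example, not part of the original post. The sample data below is
constructed; on a real host you would feed in the output of
`lsof -nP -iTCP -sTCP:ESTABLISHED` and the login-item paths reported by
System Events (`osascript -e 'tell application "System Events" to get the
path of every login item'`).
"""
import re
from pathlib import PurePosixPath

# C2 endpoint named in the write-up.
C2_IP = "220.127.116.11"
C2_PORT = 4141

# Constructed sample of `lsof -nP -iTCP -sTCP:ESTABLISHED` output.
# The process name "backdoor" is a placeholder; the post does not give the real one.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari     4132 alice   23u  IPv4 0x1a2b      0t0  TCP 10.0.1.7:52211->17.172.224.47:443 (ESTABLISHED)
backdoor   4290 alice    5u  IPv4 0x3c4d      0t0  TCP 10.0.1.7:52240->220.127.116.11:4141 (ESTABLISHED)
sshd        611  root    4u  IPv6 0x5e6f      0t0  TCP [::1]:22->[::1]:55120 (ESTABLISHED)
"""

# Constructed sample of login-item paths. "/Users/alice/backdoor" is an assumed
# name for the copy the malware drops in the home directory.
SAMPLE_LOGIN_ITEMS = [
    "/Applications/Dropbox.app",
    "/Users/alice",             # what the broken NetWeirdRC login item opens
    "/Users/alice/backdoor",    # assumed dropped-file name
]

# One lsof line: COMMAND PID USER ... local->remote_ip:remote_port (STATE).
# Only IPv4 remotes are matched; IPv6 and header lines are skipped.
_LSOF_RE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?"
    r"(?P<local>\S+)->(?P<remote_ip>[0-9.]+):(?P<remote_port>\d+)\s+\((?P<state>\w+)\)$"
)


def find_c2_connections(lsof_output, c2_ip=C2_IP, c2_port=C2_PORT):
    """Return (command, pid, local_endpoint) for every TCP connection in the
    given lsof output whose remote end is the C2 address and port."""
    hits = []
    for line in lsof_output.splitlines():
        m = _LSOF_RE.match(line)
        if not m:
            continue  # header, IPv6, or not a connected IPv4 socket
        if m["remote_ip"] == c2_ip and int(m["remote_port"]) == c2_port:
            hits.append((m["command"], int(m["pid"]), m["local"]))
    return hits


def suspicious_login_items(paths, home):
    """Flag login items that are the home folder itself, or a non-.app file
    directly inside it. Legitimate login items are normally .app bundles in
    /Applications or ~/Applications; the NetWeirdRC sample copies itself into
    the home directory and its login item only opens that folder."""
    home = PurePosixPath(home)
    flagged = []
    for p in paths:
        path = PurePosixPath(p)
        if path == home or (path.parent == home and path.suffix != ".app"):
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for command, pid, local in find_c2_connections(SAMPLE_LSOF):
        print(f"C2 beacon: {command} (pid {pid}) from {local} -> {C2_IP}:{C2_PORT}")
    for item in suspicious_login_items(SAMPLE_LOGIN_ITEMS, "/Users/alice"):
        print(f"Suspicious login item: {item}")
```

Because the C2 address and port are configurable in this commercial tool, treat the `C2_IP`/`C2_PORT` constants as indicators for this one sample only; the login-item check is the more durable of the two.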
The backdoor offers a number of different functions to perform actions and spy on the user of the infected machine:
- Installing new files
- Performing commands remotely
- Grabbing screenshots
- Gathering system information
- Gathering information about what programs are running
- Stealing encrypted Firefox, Thunderbird, Opera, SeaMonkey passwords
A temporary file is created so the malware can tell whether it has already been installed.
It's interesting to compare and contrast OSX/Crisis and OSX/NetWeirdRC, as they are both commercial products. While OSX/Crisis is an advanced threat which hides itself reasonably well, OSX/NetWeirdRC has a number of glaring issues. Perhaps the price tag tells us all we need to know: OSX/Crisis sells for €200,000, and OSX/NetWeirdRC starts at $60. The website of the developers of OSX/NetWeirdRC also lists the undetected nature of this tool as a selling point. It would seem that you get what you pay for, even in the malware world.
Intego VirusBarrier users with up to date virus definitions are protected from this threat.