Intego’s security researchers have been examining the code of this new Trojan horse, which we announced yesterday. They have found some interesting elements in the code.
First, the code itself is quite sophisticated. The Trojan horse installs a backdoor, at ~/Library/Preferences/Preferences.dylib, which communicates with a remote server, sending and receiving data using RC4 encryption. The backdoor uses the infected Mac’s hardware UUID (a unique identifier) as a user agent, and to identify specific computers. It also sends information about the infected Mac, such as which version of Mac OS X, which architecture (Intel or PowerPC), and more.
The encryption key used is an MD5 hash of the infected Mac’s UUID. This means that the encryption key for each Mac is different, but also allows the backdoor to find a key easily.
The backdoor is able to download further software, but, for now, we are not seeing this activity. It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed. If the Sha1 of the software version on the server is different from that installed, this means that an update is necessary.