Intego has discovered a new malware called DevilRobber.A. This malware, which has been found in several applications distributed via BitTorrent trackers, steals data and Bitcoin virtual money, and uses CPU and GPU time on infected Macs to perform “Bitcoin mining.”
This malware is complex, and performs many operations. It is a combination of several types of malware: it is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers.
DevilRobber has been found in a small number of Mac applications that are distributed via BitTorrent trackers, including a popular graphic program.
When the doctored application is launched, a preflight script looks for Little Snitch, a network traffic blocker; if Little Snitch is found, the program terminates. If not, the malware adds a LaunchAgent file in the user’s ~/Library/LaunchAgents folder, to ensure that the malware launches on each reboot or login. The malware then searches for specific types of files with Spotlight, and writes data in a text file. It saves the user’s bash history file (this is a history of commands run in the Terminal application), saves the user’s Safari history file, takes a screenshot and saves that, and, if the user has a Bitcoin wallet, saves that as well. Another variant Intego has discovered also saves the user’s keychain files.
DevilRobber then launches a proxy on port 34522, and waits for a user to enter their user name and password; if this happens, it records these credentials, and sends them to a remote server. The malware continues performing other operations, such as posting data to a remote server, looking for the infected Mac’s external IP address, scanning the local network the Mac is on, searching for child pornography, and more.
One of the main tasks of this malware is to perform “Bitcoin mining.” This procedure is a way of defrauding the Bitcoin virtual money service by making calculations and generating Bitcoins. (Bitcoin mining is explained here.)
While this malware is fairly sophisticated in its actions, it is not very widespread. For now, Intego has only seen DevilRobber in a handful of Mac applications distributed via BitTorrent trackers. Mac users should avoid downloading software from untrusted sites, notably those that distribute software illegally, such as BitTorrent trackers. If possible, always download software from the publishers’ web sites, or from trusted download sites.
Intego’s the threat filters for VirusBarrier X6 dated October 28, 2011 or later, will spot and block this malware as OSX/DevilRobber.A.