Malware

New Malware DevilRobber Grabs Files and Bitcoins, Performs Bitcoin Mining, and More

Posted on October 28th, 2011 by

Intego has discovered a new malware called DevilRobber.A. This malware, which has been found in several applications distributed via BitTorrent trackers, steals data and Bitcoin virtual money, and uses CPU and GPU time on infected Macs to perform "Bitcoin mining."

This malware is complex, and performs many operations. It is a combination of several types of malware: it is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is spyware, as it sends personal data to remote servers.

DevilRobber has been found in a small number of Mac applications that are distributed via BitTorrent trackers, including a popular graphic program.



When the doctored application is launched, a preflight script looks for Little Snitch, a network traffic blocker; if Little Snitch is found, the program terminates. If not, the malware adds a LaunchAgent file in the user's ~/Library/LaunchAgents folder, to ensure that the malware launches on each reboot or login. The malware then uses Spotlight to search for specific types of files, and writes the results to a text file. It saves the user's bash history file (this is a history of commands run in the Terminal application), saves the user's Safari history file, takes a screenshot and saves that, and, if the user has a Bitcoin wallet, saves that as well. Another variant Intego has discovered also saves the user's keychain files.

DevilRobber then launches a proxy on port 34522, and waits for a user to enter their user name and password; if this happens, it records these credentials, and sends them to a remote server. The malware continues performing other operations, such as posting data to a remote server, looking for the infected Mac's external IP address, scanning the local network the Mac is on, searching for child pornography, and more.

One of the main tasks of this malware is to perform "Bitcoin mining." This procedure is a way of defrauding the Bitcoin virtual money service by making calculations and generating Bitcoins. (Bitcoin mining is explained here.)

While this malware is fairly sophisticated in its actions, it is not very widespread. For now, Intego has only seen DevilRobber in a handful of Mac applications distributed via BitTorrent trackers. Mac users should avoid downloading software from untrusted sites, notably those that distribute software illegally, such as BitTorrent trackers. If possible, always download software from the publishers' web sites, or from trusted download sites.

Intego's threat filters for VirusBarrier X6, dated October 28, 2011 or later, will detect and block this malware as OSX/DevilRobber.A.

  • http://www.filepile.org/openid/dominicsmith dominic

    So do us a favor and instead of reading us the Intego’s press release tell us how to look for this to make sure it's not on our machines short of signing up for VirusBarrier X6. What file does it show up in? Visible? Will Spotlight find it as Diablominer? Yes, removal steps too would service your readers.
    Me?  Little Snitch running all the time.

    • Peter

      The problem with posting instructions on how to remove certain types of malware is this: the instructions may be valid at the time the malware is first detected, but future variants may – and often do – change the names and locations of the files that they install. Posting such instructions can actually be dangerous, since you may think that you have removed something, but in reality it’s just in a different location.

      This particular malware has been found in a number of applications. Even if we listed them today, nothing proves that in one week, one day, or even one hour, other applications will be infected.

      If you want to be safe from this malware, don’t download warez.

    • Marc Opperman

      Hope you realize this is a blog *from* Intego, dominic. 

  • http://twitter.com/DrDave Dave Nathanson

    Bitcoin mining is NOT defrauding the system! Read the very link provided in the article to learn that bitcoin mining is an essential part of the system that validates the bitcoin transactions in return for a small payment.
    https://en.bitcoin.it/wiki/Category:Mining

  • Anonymous

    Good to know that Little Snitch prevented it from running because I scanned my drive (VirusBarrier Express) and found that DevilRobber was hiding in a torrent-downloaded version of AudioHijack Pro 2.10. 

    • http://www.intego.com Intego

      Technically, it’s not that Little Snitch prevented it from running, it’s just that the malware, on detecting Little Snitch, decides not to run.

  • Jay

    Can you tell us which applications it’s been found in and how to find the malware manually, or do we have to download your software to do it? Is anyone else reporting this, or just you guys? 

    If this isn’t a ploy to get people to use your software, then tell us how to find it manually.

    • http://www.intego.com Intego

      Google can help you find that other security companies are reporting this. We found it in Graphic Converter and Painter, and another user reported in the comments that they found it in WireTap Pro. But there’s no way to be sure that it’s limited to those applications.

      Of course, it is not the fault of the developers; if you download software from warez or torrent sites, you don’t know if the software is indeed what it says it is.

      • Jay

        OK. So where would the trojan be hidden? In the application package contents, in the LaunchAgents directory, or both? 

        • http://www.intego.com Intego

          It’s in certain applications, if the apps don’t use installers. In others, it’s in the installer. I’m not sure exactly where in the installers though.

          For example, with Graphic Converter, the files were here:

          ./Contents/MacOS/arch.zip
          ./Contents/MacOS/preflight

          But, hey, just don’t download software from those sources and you won’t have to worry, ok? :-)
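A read-only hunt for the indicators this page names (the LaunchAgents folder and proxy port 34522 from the article, and the Contents/MacOS/preflight and Contents/MacOS/arch.zip files from the reply above), written as an added example rather than Intego's own tooling. It assumes applications live under /Applications and ~/Applications; as the earlier reply notes, later variants may use other names and paths, so an empty result is not proof of a clean machine.

```shell
#!/bin/sh
# Added example, not Intego's code: look for the DevilRobber.A indicators
# named on this page. Variant-specific: other builds may use other paths.

# Print every .app bundle under $1 that carries both files found in the
# doctored Graphic Converter copy. Output: one "SUSPECT: <path>" line per hit.
scan_apps() {
    find "$1" -type d -name '*.app' 2>/dev/null | while read -r app; do
        if [ -f "$app/Contents/MacOS/preflight" ] && [ -f "$app/Contents/MacOS/arch.zip" ]; then
            echo "SUSPECT: $app"
        fi
    done
}

# List per-user LaunchAgents (default ~/Library/LaunchAgents), where the
# malware drops a plist to relaunch at every login. Review anything unfamiliar.
list_launch_agents() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -name '*.plist' | sort
}

# Report whether anything is listening on the proxy port the malware opens.
# Uses lsof where present, netstat otherwise. Returns 0 if nothing listens.
check_port() {
    port="${1:-34522}"
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$port" -sTCP:LISTEN 2>/dev/null | grep -q . \
            && { echo "LISTENER on $port"; return 1; }
    elif command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | grep -E "[.:]$port .*LISTEN" | grep -q . \
            && { echo "LISTENER on $port"; return 1; }
    fi
    echo "no listener on $port"
    return 0
}

# Run all three checks against the default locations (assumed app folders).
main() {
    scan_apps /Applications
    scan_apps "$HOME/Applications"
    list_launch_agents
    check_port 34522 || echo "Identify the listening process before removing anything."
}

main "$@"
```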

  • http://pulse.yahoo.com/_B7CBHDW2MSXOX23BRVFYGL36LY Eric

    Is XProtect able to detect Tsunami and DevilRobber variants??

    • http://www.intego.com Intego

      We can’t really speak for what Apple does.

  • gard bot

    Just so you know, bitcoin mining is ESSENTIAL to the operation of the bitcoin p2p network. It is the method by which transactions are verified. The bitcoins generated are the reward for doing this “work”, which has actual costs in electricity and hardware.
