New Multiplatform Backdoor Jacksbot Discovered

Posted on October 12th, 2012 by

Update - October 15, 2012

Upon further analysis, it's been determined that this trojan is the Java RAT (aka jRAT) created by the hacker/programmer redpois0n.

____

A new Java backdoor trojan called Java/Jacksbot.A has been discovered that has partial multiplatform support. It is fully functional on Windows, and partially functional on OS X and Linux. This trojan is currently considered low risk as it is not known to have infected users, and it does not run without root permissions. Jacksbot has the usual backdoor functionality, including the following capabilities:

  • gathering system information
  • taking screenshots
  • performing denial of service attacks
  • deleting files
  • stealing passwords (including specifically Minecraft passwords)
  • visiting remote URLs, likely to perform click fraud


This code is looking for Minecraft passwords.

It appears likely that this trojan is intended to be dropped by another component that has not yet been identified. The present component will exit with an error message if the Java archive is not run with root permissions. There is also no functionality to trick the user into running the file. We will post additional information about the threat as more is discovered.

Intego VirusBarrier users with up-to-date virus definitions are protected from this threat, which is detected as Java/Jacksbot.A.

  • Nicole Lee
    • Lysa Myers

      It’s good to hear you found it helpful!

  • ENRIQUE COLÓN

    It is better to know the threats than to be an overconfident ‘sitting duck’ waiting to be ‘shot at’ by hackers.

  • messager123

    The developer has posted a response on his site http://www.redpois0n.com and he does not seem too happy about this, and his public information says he is 13/14.

  • message_driver

    This article is incorrect. Mistakes:

    - Redpois0n is not a group, nor is it a hacking or programming group.

    - Redpois0n is an individual developer who goes by the handle “redpois0n”.

    - redpois0n has actually released a removal tool and a tool to extract settings from the RAT, at http://redpois0n.com/index/projects.html

    - Jacksbot is actually called jRAT.

    - jRAT has the option to be dropped by a dropper.

    - jRAT is a public tool that can be downloaded and used by anyone.

    - jRAT has the option to have a tray icon.

    - The author is not the person who infects anyone, nor does he control any infected machines.

    • LysaMyers

      Thanks to you folks that have clarified about the identity of redpois0n. The update has been changed to reflect that this is one person, not a group, and that he also refers to it as jRAT. We’ve not made any statements about who is using this, or whether this has affected anyone’s system. The sample we received, as we noted, did not include a dropper and was likely incomplete. If you would like more information about our naming conventions, you can see our blog post on the subject: http://www.intego.com/mac-security-blog/how-does-malware-naming-work/