The Mac Security Blog

Malware + Security News

Pint-Sized Backdoor for OS X Discovered

Posted on by

Updated February 19, 2013 to include more information

_____

A new backdoor which affects OS X has been announced to an AV industry mailing list. Details are fairly limited right now, and the components we have indicate a fairly small, simplistic but efficient threat. It’s believed that this was a targeted attack, perhaps dropped by an exploit. At the time of writing, all of the network components have been sinkholed so it’s unable to receive commands.

From what we’ve seen, this threat likely starts with an exploit to get it past Gatekeeper. Once on a system, it sets up a reverse shell. That is to say, rather than announcing to the controller that the machine is infected (because the machine has been targeted and they already know where it is), the controller periodically contacts the infected machine to perform commands. Initiating the contact from outside the affected machine potentially helps it get past firewalls. This part of the threat is comprised of clear text Perl scripts, which means it’s fairly easy to spot if someone knows what to look for.

So that’s where the second part of this threat comes in. The binary component uses a modified version of existing tools (namely OpenSSH 6.0p1) for creating a secure connection to encrypt the traffic so that it is much better hidden. The tool is further hidden by placing the file in a directory that is usually used for printing, so that if anyone sees a list of processes contacting the network, it will appear as if the affected machine is simply printing from a networked printer. This version of the tool also has been modified so that it will not save a log of its command histories.

The threat encrypts traffic with the command and control channel by use of an RSA key.

The filenames as they were reported are:

  • com.apple.cocoa.plist
  • cupsd (Mach-O binary)
  • com.apple.cupsd.plist
  • com.apple.cups.plist
  • com.apple.env.plist

One of the (sinkholed) network addresses that the threat contacts is “corp-aapl.com.” It’s been noted that this is a misspelling of Apple, but it is the stock symbol for Apple.

Intego VirusBarrier users with up-to-date virus definitions will detect the backdoor as OSX/Pintsized.A. At the time of writing, XProtect does not protect against this threat.