The new malware sample, dubbed ‘BlackHole RAT’ by its author, was first identified by SophosLabs late last week, according to a blog post by company researcher Chet Wisniewski. He said that although the backdoor trojan is still in the beta-testing stage, “it could be indicative of more underground programmers taking note of Apple’s increasing market share”.
Wisniewski warned that the Mac malware is unrelated to a similarly named legitimate program, known as ‘Black Hole’, that helps rid Macs of sensitive personal information. According to the firm’s analysis, BlackHole RAT can place text files on the desktop of infected users, send commands to restart, shut down or sleep the machine, run arbitrary shell commands, and display a fake pop-up that phishes the user for their administrator password.
Initial reports from Sophos said BlackHole RAT was a variant of the DarkComet trojan for Windows, with the new Mac malware using both English and German within its user interface. However, the author of the DarkComet trojan apparently contacted Wisniewski to deny involvement in creating the new Mac trojan currently under development.
“While the BlackHole RAT Trojan seems to be copying the behavior of DarkComet, the lack of functionality and the unsophisticated user interface clearly offended the author, who felt it was necessary to set the record straight”, Wisniewski wrote in a subsequent blog post. “To make a point, DarkComet's author acknowledges that he is developing his own Mac OS X Trojan, called DarkCometX, that is not yet finished.”
The Sophos researcher said the revelation of two Mac Trojans being developed – both within a week – took him by surprise. “Technically, in and of itself, writing a Trojan is not illegal”, he added. “It's all in what you do with it.”
Meanwhile, Mac security specialist Intego made its own comments on the malware find. The firm downplayed the threat posed by the new trojan:
“This tool…is something that needs to be installed on a Mac, generally via a Trojan horse, and, while it offers simple functionalities to control a Mac, merely having shell (Terminal) access is more than enough. A RAT, or remote administration tool (and not a “remote access Trojan,” as one site claims), such as this is designed to simplify the tasks of a malicious user who wants to control an infected computer, but in most cases, the people who are infecting Macs will be able to do all of this with a simple ssh connection using Terminal.
Backdoors are relatively easy to install once you get a user to install a Trojan horse. A remote administration tool is not in itself a threat; it requires that a backdoor be installed, and this in turn requires effective payload from a Trojan horse or other means of installation.”
Intego went on to say that its filters would monitor and move to block BlackHole, but that it did not consider the malware to be “a serious risk”.
Infosecurity notes that many security vendors, including Intego, have warned for some time now that the Mac would be increasingly targeted by malware as the platform continues to gain market share.