NEWS FROM THE LAB - Friday, November 4, 2011

Backdoor:OSX/DevilRobber.A Posted by Brod @ 07:13 GMT

We recently analyzed DevilRobber.A, a Mac OS X malware that has both backdoor and trojan-like capabilities. All the samples we've collected so far were from torrents uploaded by a single user account on The Pirate Bay website:

[Screenshot: the DevilRobber torrents listed under one uploader account on The Pirate Bay]

The shared files were legitimate Mac applications, repackaged to include the malware's components. The samples differ in which components they bundle, so some samples (variants) carry additional functionality.

It seems the malware author had a different purpose in mind for each of his creations. One variant steals the infected machine's Keychain and logs the number of files on the system whose names match the string "pthc", which Graham Cluley speculates may refer to "pre-teen hardcore" pornography. The author appears to be hunting for illegal child abuse material: the file count reveals which infected machine holds the most of it, and the stolen credentials then give him access to it.

Other variants install Bitcoin mining applications. These use both the CPU and the GPU of the infected machine, which speeds up the mining at the computer owner's expense. Now that is greedy!

Below is a summary of the differences between the variants we've found as of this writing:

[Table: differences between the DevilRobber variants found so far, including a Port Mapping column giving each variant's proxy port]

In addition, all the variants we've seen log the number of files matching a certain set of criteria, and all of them steal the Terminal command history and the Bitcoin wallet. All variants also:

  •  Open a port and listen on it for commands from a remote user.
  •  Install a web proxy that remote users can use as a staging point for other attacks.
  •  Steal information from the infected machine and upload it to an FTP server for later retrieval.

Even here the variants differ. The port used by the web proxy depends on the variant (see the Port Mapping column in the table above), and so does the FTP server that receives the stolen data. The data-stealing routine also repeats on a fixed interval of 43200, 60000 or 100000 seconds (roughly 12, 17 or 28 hours), depending on the sample.

Another interesting detail is that DevilRobber adds a port mapping on UPnP-capable gateway devices, so that its listening ports can be reached from outside the local network:

[Screenshot: DevilRobber adding a port mapping on the gateway via UPnP]

This is a trick we have seen before, in Conficker/Downadup.
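To make the UPnP trick concrete, here is an added example (not DevilRobber's code and not F-Secure's tooling) of the standard IGD AddPortMapping SOAP call a LAN host sends to a UPnP-enabled router to expose one of its ports, together with a parser and a few heuristics a defender can run over captured SOAP bodies. The service URN and argument names are those of the UPnP WANIPConnection:1 specification; the addresses, ports and description string are constructed for illustration and are not the ones DevilRobber uses (the screenshot's details are not reproduced here). SSDP discovery of the gateway's control URL is out of scope.

```python
"""Build and inspect UPnP IGD AddPortMapping requests.

Added example, not DevilRobber's or F-Secure's code. All addresses, ports
and the description string below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

# Identifiers from the UPnP Internet Gateway Device specification.
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"


@dataclass
class PortMapping:
    external_port: int
    internal_port: int
    internal_client: str   # LAN address that receives the forwarded traffic
    protocol: str          # "TCP" or "UDP"
    description: str
    lease_seconds: int     # 0 means the mapping never expires


def build_add_port_mapping(m: PortMapping) -> Tuple[Dict[str, str], bytes]:
    """Return the HTTP headers and SOAP body of an AddPortMapping call.

    POSTing this to the gateway's control URL is all it takes on most home
    routers: no authentication is required.
    """
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="{SOAP_ENC}">'
        f'<s:Body><u:AddPortMapping xmlns:u="{IGD_SERVICE}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{m.external_port}</NewExternalPort>'
        f'<NewProtocol>{m.protocol}</NewProtocol>'
        f'<NewInternalPort>{m.internal_port}</NewInternalPort>'
        f'<NewInternalClient>{m.internal_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{m.description}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{m.lease_seconds}</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{IGD_SERVICE}#AddPortMapping"',
    }
    return headers, body.encode("utf-8")


def parse_add_port_mapping(body: bytes) -> Optional[PortMapping]:
    """Extract the mapping from a captured SOAP body; None if it is another action."""
    root = ET.fromstring(body)
    action = root.find(f".//{{{IGD_SERVICE}}}AddPortMapping")
    if action is None:
        return None

    def arg(name: str) -> str:
        el = action.find(name)  # the arguments are unqualified child elements
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        external_port=int(arg("NewExternalPort")),
        internal_port=int(arg("NewInternalPort")),
        internal_client=arg("NewInternalClient"),
        protocol=arg("NewProtocol").upper(),
        description=arg("NewPortMappingDescription"),
        lease_seconds=int(arg("NewLeaseDuration") or "0"),
    )


def suspicious_reasons(m: PortMapping, allowed_clients: frozenset = frozenset()) -> List[str]:
    """Heuristics for mappings worth alerting on. allowed_clients lists LAN
    hosts that legitimately need inbound access (a game console, say)."""
    reasons = []
    if m.internal_client not in allowed_clients:
        reasons.append(f"maps external port {m.external_port} to unexpected host {m.internal_client}")
    if m.lease_seconds == 0:
        reasons.append("permanent lease (NewLeaseDuration=0)")
    if not m.description:
        reasons.append("empty description")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a LAN host permanently exposing a listener.
    sample = PortMapping(6668, 6668, "192.168.1.23", "TCP", "", 0)
    headers, body = build_add_port_mapping(sample)
    print(headers["SOAPAction"])
    seen = parse_add_port_mapping(body)
    for reason in suspicious_reasons(seen, frozenset({"192.168.1.10"})):
        print("ALERT:", reason)
```

On a home network the cheapest mitigation is still to disable UPnP on the gateway; where that is not an option, logging SOAP POSTs to the router's control URL and running them through a parser like the one above turns an otherwise silent hole-punch into an alert.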

More details about DevilRobber can be found in our description.