Moke Malware Hops Over From Windows And Linux To Threaten Mac OS X

Moke malware has wormed its way across from Windows and Linux and onto Mac OS X in the form of Backdoor.OSX.Mokes, threatening Apple’s operating system with malicious code.

Discovered by cyber security firm Kaspersky Labs back in January, the Moke family of malware can swipe all manner of data from an infected machine, such as keystrokes, documents, pictures and screenshots.

It also creates a backdoor into the operating system to allow hackers to execute arbitrary commands on a targeted computer.

“After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL,” explained Kaspersky security researcher Stefan Ortloff.

Threatening Mac OS X

When Backdoor.OSX.Mokes is executed for the first time, it makes copies of itself and spreads to a number of locations in a machine’s operating system library. It lurks in folders containing everyday software such as Apple’s App Store, Google Chrome, Skype and Dropbox.

From there it can tamper with the system to make a connection to a command and control server over HTTP on TCP port 80. Once a connection is established, the hacker in control of the command server can set up backdoor features that allow data to be stolen using techniques such as monitoring removable storage on the infected machine and scanning the file system for documents.

Tracking the source of a Moke attack is also particularly tricky as it uses strong AES-256-CBC encryption to effectively hide its activities and communicate with the command server.

Backdoors in Mac OS X are not as common as they are in Windows machines, but they appear to be increasingly uncovered by security researchers. Kaspersky did not detail how widespread the Moke malware is or how much of a threat it poses to Macs, but the security firm assumes it is out “in-the-wild” in the same ‘packed’ form as its Linux variant.


Roland Moore-Colyer
