New Mac OS X Trojan Hides In Graphics Software

Newly identified Mac malware is being distributed in a pirated copy of GraphicConverter

Security researchers have uncovered yet another Mac Trojan in the wild, this time hiding inside pirated versions of the Mac OS X image editing application GraphicConverter.

The pirated copy of GraphicConverter 7.4 is being actively distributed on file-sharing networks and torrent sites like Pirate Bay and contains the DevilRobber Trojan, Sophos researchers reported on 29 October. Once on a Mac OS X system, DevilRobber creates a backdoor for remote access and installs a Bitcoin miner that uses up spare system resources and steals the content of the user’s Bitcoin wallet, according to Sophos.

Bitcoin attack

Bitcoins are an anonymous, decentralised virtual currency commonly used online by people interested in keeping their transactions secret. The Bitcoin value is determined on an online electronic exchange and generally hovers around $14 (£9) to $17 per unit. While often used for illegal transactions, Bitcoins are used for legitimate purposes as well, such as making donations to WikiLeaks.

“If your Mac computer was infected by the malware, the first thing you might notice is performance becoming sluggish,” Graham Cluley, senior technology consultant at Sophos, wrote on Naked Security.

Security firm Intego said the malware has been spotted in other pirated Mac applications, but in its Mac Security blog post declined to identify the titles. The applications were generally being distributed by BitTorrent, and Mac users should download only from trusted sites, Intego warned.

If the user has Little Snitch, a popular network traffic blocker, installed on the Mac, the Trojan terminates, Intego said. Otherwise, it will launch on each reboot or log-in.
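The Intego note above describes two behaviours a defender can check for: the Trojan relaunches on every reboot or log-in, which on Mac OS X normally means a launchd property list in a LaunchAgents or LaunchDaemons folder. The following Python script is an added example, not code from the article, Sophos or Intego, and it does not contain any real DevilRobber artifact: it parses launchd plists (two constructed samples are embedded inline, with invented labels and paths) and flags auto-starting items whose program lives outside the assumed set of trusted system locations, in a hidden directory, or in a temporary directory, or that set KeepAlive so they are relaunched if killed. The trusted-prefix list is a heuristic assumption for the example, not an Apple-defined list.

```python
import plistlib
from typing import Dict, List

# Constructed sample launchd property lists keyed by the path they would sit at.
# Labels, paths and binaries are invented for this example; they are not IoCs.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchAgents/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>""",
    "/Users/demo/Library/LaunchAgents/com.hidden.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.hidden.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/Library/.cache/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>""",
}

# Assumed heuristic: binaries auto-started from these prefixes are not flagged on location alone.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def program_path(item: dict) -> str:
    """Return the executable a launchd item starts (Program, else ProgramArguments[0])."""
    if "Program" in item:
        return item["Program"]
    args = item.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_launch_items(plists: Dict[str, bytes]) -> List[dict]:
    """Parse each plist and record why (if at all) it deserves a closer look."""
    findings = []
    for plist_path, data in plists.items():
        item = plistlib.loads(data)
        prog = program_path(item)
        reasons = []
        # Persistence on reboot/log-in from a location a user (or malware) can write to.
        if item.get("RunAtLoad") and not prog.startswith(TRUSTED_PREFIXES):
            reasons.append("auto-starts from a non-system location")
        # Hidden directories (a path component beginning with '.') are a common hiding spot.
        if any(part.startswith(".") for part in prog.split("/") if part):
            reasons.append("program lives in a hidden directory")
        if prog.startswith(TEMP_PREFIXES):
            reasons.append("program lives in a temporary directory")
        # KeepAlive makes launchd restart the process if it is killed.
        if item.get("KeepAlive"):
            reasons.append("KeepAlive set: relaunched if terminated")
        findings.append({"plist": plist_path, "label": item.get("Label", ""),
                         "program": prog, "reasons": reasons})
    return findings


def suspicious(findings: List[dict]) -> List[dict]:
    """Keep only the items that triggered at least one heuristic."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(audit_launch_items(SAMPLE_PLISTS)):
        print(f"{f['plist']}\n  label={f['label']} program={f['program']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On a real machine the dictionary would be filled by reading every `*.plist` under the user's and the system's LaunchAgents and LaunchDaemons folders; a hit is a prompt for inspection, not a verdict, since legitimate third-party helpers also auto-start from user-writable paths.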

The application developers are “victims”, as criminals are using their popular software as a trap to infect Mac users who download software from unofficial sources, Cluley wrote.

Some Bitcoin users go into the business of “mining”, or generating more of the currency to increase the pool of available funds. The mining is done with a specific application that runs mathematically intensive operations requiring a lot of time and computer-processing resources. The DevilRobber Trojan “steals” processing power from infected Macs for this purpose.

Stealing computing time and data

“Yes, this Mac malware is stealing computing time as well as data,” Cluley wrote, noting that graphics processing unit (GPU) resources are much better than regular CPUs at performing intensive mathematical calculations required for Bitcoin mining.

The malware also collects system information such as shell and browser history, takes screen captures, opens a proxy port and waits for the user to enter a user name and password, and uses Spotlight to scan for private files on the system and on mounted encrypted volumes. It then posts the harvested data files to its operators and looks for other infected Macs.

The Trojan also hunts for any files that may contain adult content, but Sophos researchers were not clear whether it was distributing the material or acting as a vigilante to uncover objectionable material, according to Cluley.

The malware is “complex”, as it can perform tasks associated with several classes of malware, including a Trojan horse, backdoor, data-stealer and spyware, Intego said. Another variant uncovered by Intego saves the user’s keychain files.

“Clearly, Mac users – like their Windows cousins – should practice safe computing and only download software from official websites and legitimate download services,” Cluley said, adding that Mac users need to start practising safe computing instead of assuming the platform is impervious to malware.

Recently, security researchers uncovered a Mac Trojan that masqueraded as a Flash Player installer and another that hijacked Mac OS X systems to launch denial of service attacks against other computers.