New Mac virus skirts Gatekeeper, initiates creepy reverse-shell connection

By on February 19, 2013, 6:30 PM

A new trojan virus is targeting computers running Mac OS X and initiating an encrypted reverse-shell connection, allowing attackers potentially unfettered access to infected machines armed with basic, inbound-only firewalls. Security firm Intego appears to be the first to report on this malware and has named the backdoor virus "Pintsized".

As of 10.7 (Lion), Mac OS X employs an anti-malware feature named "Gatekeeper" which helps deflect the "installation" of malware by utilizing what is essentially a digital signature system. It appears Pintsized has the capability to defeat this security mechanism, although exactly how it does so remains unknown. Although Gatekeeper is enabled by default, it's worth noting it can also be disabled. Under normal circumstances, users who disable Gatekeeper would be afforded no protection against these types of attacks.

Once Pintsized is in, it phones home to hackers via an encrypted OpenSSH connection. Because the infected computer initiates the bi-lateral connection and not the remote server, Pintsized is able to bypass inbound-only firewalls, like the in-built Mac OS X firewall and the firewalls/NAT provided by most routers. This persistent shell access allows hackers to run remotely-issued commands on the infected system, some of which have been identified as clear-text Perl scripts. Thankfully for victims though, the malware author's use of obfuscated Perl scripting makes Pintsized conceivably simple to identify. 

Pintsized attempts to hide its components by posing as CUPS-related files -- the Unix printing system utilized by Mac OS X. The files Intego has seen the virus generate are:

  • com.apple.cocoa.plist
  • cupsd (Mach-O binary)
  • com.apple.cupsd.plist
  • com.apple.cups.plist
  • com.apple.env.plist

Presumably, infected machines would attempt to load infected files on start up. Users would likely want to check for signs of the above files in the following locations:

  • ~/Library/LaunchAgents (user launch area)
  • /Library/LaunchAgents 
  • /Library/LaunchDaemons
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons

The payload of the virus also remains unknown, but as with many attacks, there is likely a monetary incentive. An open SSH connection opens a whole world of devious possibilities though, so users will want to get rid of Pintsized as soon as they can.

Unsurprisingly, Intego says their VirusBarrier product picks up the virus. At the time of their writing though, the firm noted XProtect was unable to detect Pintsized.




User Comments: 12

Got something to say? Post a comment
ArthurZ ArthurZ said:

Thanks gains in popularity the mass-virusification of the iOS/MACs has started.

Classified1 said:

I was expecting it sooner or later lol.

Timonius Timonius said:

Uh oh...time to switch to Linux. ;p (depending on the distro - it can be very difficult for a casual user to allow things to get screwed up - ie installing crapware, bypassing admin level permission...)

Guest said:

Obviously any anti-virus developer is eager to inflate any fear of a virus on a Mac, but could anyone explain to me, how can a virus appear on my computer, if I don't install any unknown or pirated software? In the article it is unclear how the "virus" would get into a computer in the first place.

highlander84 said:

Uh oh...time to switch to Linux. ;p (depending on the distro - it can be very difficult for a casual user to allow things to get screwed up - ie installing crapware, bypassing admin level permission...)

I have yet to see a virus for Linux that can do any harm with out SU or root.... So unless your dumb enough to run as root, or allow something unknown root access...

Guest said:

Ever hear of drive-by infection?

There are many ways you can get infected without actually installing something yourself.

Guest said:

*nix is susceptible to exploits by allowing normal users to exploit out-dated or patch-less services, e.g., Sendmail.

Also, this hack was accomplished through a Java exploit, which is also exploitable on *nix.

spencer spencer said:

But macs don't get viruses

JK

Guest said:

A reverse shell is pretty bad. I'd consider that just as harmful as a virus.

SNGX1275 SNGX1275, TS Forces Special, said:

*nix is susceptible to exploits by allowing normal users to exploit out-dated or patch-less services, e.g., Sendmail.

Also, this hack was accomplished through a Java exploit, which is also exploitable on *nix.

The java exploit one is different from what am reading.

The one this article mentions has not been seen in the wild. It not being seen in the wild and being discovered by Intego can lead to some speculation on its origin. They also reported it as a targeted attack (although they didn't say who was targeted) so threat to the general public at this point is very low.

Win7Dev said:

A reverse shell is pretty bad. I'd consider that just as harmful as a virus.

You have to be already infected for the reverse shell to be accessed so...

Guest said:

Uh oh...time to switch to Linux.

I would rather stick with Mac than to switch to Linux. Why? I'm using Time Capsule, iPhone (with iTunes), and Final Cut Pro X on my Mac. Can Linux support those? No! Those three things are too important for me to give up for a security feature that is too superficial in comparison.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.