New Mac virus skirts Gatekeeper, initiates creepy reverse-shell connection

By Rick Burgess February 19, 2013, 18:30 12 comments

Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.

A new trojan virus is targeting computers running Mac OS X and initiating an encrypted reverse-shell connection, allowing attackers potentially unfettered access to infected machines armed with basic, inbound-only firewalls. Security firm Intego appears to be the first to report on this malware and has named the backdoor virus "Pintsized".

As of 10.7 (Lion), Mac OS X employs an anti-malware feature named "Gatekeeper" which helps deflect the "installation" of malware by utilizing what is essentially a digital signature system. It appears Pintsized has the capability to defeat this security mechanism, although exactly how it does so remains unknown. Although Gatekeeper is enabled by default, it's worth noting it can also be disabled. Under normal circumstances, users who disable Gatekeeper would be afforded no protection against these types of attacks.

Once Pintsized is in, it phones home to hackers via an encrypted OpenSSH connection. Because the infected computer initiates the bi-lateral connection and not the remote server, Pintsized is able to bypass inbound-only firewalls, like the in-built Mac OS X firewall and the firewalls/NAT provided by most routers. This persistent shell access allows hackers to run remotely-issued commands on the infected system, some of which have been identified as clear-text Perl scripts. Thankfully for victims though, the malware author's use of obfuscated Perl scripting makes Pintsized conceivably simple to identify.

Pintsized attempts to hide its components by posing as CUPS-related files – the Unix printing system utilized by Mac OS X. The files Intego has seen the virus generate are:

com.apple.cocoa.plist
cupsd (Mach-O binary)
com.apple.cupsd.plist
com.apple.cups.plist
com.apple.env.plist

Presumably, infected machines would attempt to load infected files on start up. Users would likely want to check for signs of the above files in the following locations:

~/Library/LaunchAgents (user launch area)
/Library/LaunchAgents
/Library/LaunchDaemons
/System/Library/LaunchAgents
/System/Library/LaunchDaemons

The payload of the virus also remains unknown, but as with many attacks, there is likely a monetary incentive. An open SSH connection opens a whole world of devious possibilities though, so users will want to get rid of Pintsized as soon as they can.

Unsurprisingly, Intego says their VirusBarrier product picks up the virus. At the time of their writing though, the firm noted XProtect was unable to detect Pintsized.

12 comments 567 likes and shares

Tech Jobs: Find the next step in your career

Related Stories

Featured on TechSpot