Bitcoin OSX

Backdoor:OSX/DevilRobber.A silently installs applications related to Bitcoin-mining; it may also harvest data from the infected machine and listen for additional commands from a remote user.

Disinfection & Removal

Manual Removal Instructions

The following instructions apply to the original version of DevilRobber:

  • Delete this folder and all its contents: ~/Library/mdsa1331
  • Delete this file: ~/Library/LaunchAgents/com.apple.legion.plist

The following instructions apply to the updated version of DevilRobber (DevilRobberV3):

  • Delete the folder and all its contents: ~/Library/Pixel_mator
  • Delete this file: ~/Library/LaunchAgents/com.apple.pixel.plist

Note: For both versions, continuing to use the bundled software after removal will reinstall the malware.
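A defender-side check for the persistence artifacts named in both sets of removal instructions above, written as an added example (it is not from the original page or its author). It assumes a POSIX shell, takes the home directory as an argument so it can also be run against a mounted volume or a test directory, and the function names are made up for this example; `launchctl unload` is the pre-10.10 launchd command for stopping a loaded agent.

```shell
#!/bin/sh
# Added example: locate and remove the DevilRobber persistence artifacts
# listed in the manual removal instructions on this page.
# Only paths named on the page are checked; the home directory is an
# argument so the scan works on a mounted image as well as a live system.

# Print each artifact present under the given home directory.
# Returns 0 when clean, 1 when at least one artifact was found.
devilrobber_scan() {
    home="$1"
    found=0
    # Original version: dropped folder and LaunchAgent.
    # DevilRobberV3: folder and LaunchAgent using the Pixelmator-themed names.
    for rel in \
        "Library/mdsa1331" \
        "Library/LaunchAgents/com.apple.legion.plist" \
        "Library/Pixel_mator" \
        "Library/LaunchAgents/com.apple.pixel.plist"
    do
        if [ -e "$home/$rel" ]; then
            printf 'found: %s\n' "$home/$rel"
            found=1
        fi
    done
    return "$found"
}

# Remove the artifacts. On a live system the LaunchAgent is unloaded first
# so the agent does not keep running in launchd until the next login;
# the unload is skipped silently where launchctl is unavailable.
devilrobber_remove() {
    home="$1"
    for plist in \
        "Library/LaunchAgents/com.apple.legion.plist" \
        "Library/LaunchAgents/com.apple.pixel.plist"
    do
        if [ -f "$home/$plist" ]; then
            if command -v launchctl >/dev/null 2>&1; then
                launchctl unload "$home/$plist" >/dev/null 2>&1 || true
            fi
            rm -f "$home/$plist"
        fi
    done
    rm -rf "$home/Library/mdsa1331" "$home/Library/Pixel_mator"
}

# Usage: sh devilrobber_check.sh /Users/<name>   (scan only; review the
# findings, then call devilrobber_remove on the same directory)
if [ -n "${1:-}" ]; then
    devilrobber_scan "$1"
fi
```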

Technical Details

The components of this malware are bundled together with (pirated) legitimate programs. At time of writing, these programs were being offered on the popular torrent-hosting website, The Pirate Bay.

An updated version of DevilRobber has been discovered, with minor changes in its distribution and operation. This version was discussed in a Labs Weblog post.

Unlike the original version, the updated one, identified as DevilRobberV3, is distributed using the file name PixelMator; in addition, the distributed file does not itself contain the backdoor component, but on installation must download the actual backdoor installer package from a remote FTP server.

On execution, DevilRobberV3 will first drop the file, d_status.cfg, in the same directory where it was executed, then download the installer from the remote server and save it as binary.zip. The contents of the package are then extracted and executed.

In addition to the changed distribution method, DevilRobberV3 has the following changes in its information harvesting script:

  • It no longer captures a screenshot
  • It no longer checks for the existence of LittleSnitch (a firewall application)
  • It uses a different launch point name
  • It harvests the shell command history
  • It harvests 1Password contents (a password manager from AgileBits)
  • It now also harvests the system log file

The malware's routine of attempting to steal Bitcoin wallet contents remains unchanged.

Execution

Upon execution of the bundled software, the malware first checks if the following file is found in the system:

  • /System/Library/Extensions/LittleSnitch.kext

Little Snitch is a Mac OS X firewall program; if this is found, the malware will skip installation and proceed to execute the clean software as is.

It's being distributed through Cnet and MacUpdate

2014-02-12 14:44:40 by H_T_D

BWAHAHAHAHAHAHAHAHAHAHAHAHHAHAHAHAHAHA
SecureMac has discovered that variants of OSX/CoinThief are being actively distributed through CNET's Download.com, and were also being distributed through MacUpdate.com, exposing hundreds of Mac users to malware.
Upon running the program for the first time, the malware installs browser extensions for Safari and the Google Chrome web browser, without alerting the user. The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that all of their web browsing traffic is now being monitored by the malicious extensions.

So what's your point?

2014-02-13 04:03:33 by H_T_D

There is Malware that must be downloaded and installed by Windows users as well.
No one said it didn't need to be downloaded.
It's funny though, because it wasn't that long ago when YOU used to spout how there was NOTHING that would EVER infect OSX, and you have been proven wrong in every case.
Are you saying that Mac users don't download and install software?
This is designed to specifically target Mac users who mine Bitcoin, which are by default users who have downloaded and installed something, are looking for a way to make a quick easy buck, and flirt with the fringe elements of the web, AND aren't all too bright.
