Intego has discovered a new proof-of-concept malware it is calling OSX/Tored.A. This malware is an application created with RealBasic, a version of the BASIC programming language available for Mac OS X, Windows and Linux. The malware in question is a self-contained application, which contains RealBasic code and a runtime needed for that code to execute. The malware attempts to copy itself to the System folder and the System/Library/StartupItems folder, renaming itself “applesystem” or “systemupdate”. It obtains e-mail addresses from Address Book, and sends e-mails to recent recipients containing a copy of the malware, but does so with an SMTP server that is currently non-existent. This malware also attempts to create a botnet, and records some keystrokes, and attempts to copy itself to other disks that are mounted.
While this malware is currently not in the wild, Intego finds the use of RealBasic, and its runtime, to be a novel approach to malware. Because of this, Intego has created a new malware class for VirusBarrier X5. The code in this malware is faulty, however, and it does not work correctly, so there is no real threat from this malware.