Malware + Security & Privacy

Reports have been circulating about a new Mac “malware” or “Trojan horse”, usually under the name “OSX.Lamzev.A”, which is claimed to open a back door on compromised Mac OS X computers. Intego discovered this hacker tool in August 2008, and determined that it was not a serious threat. Unlike true malware and Trojan horses, OSX.TrojanKit.Malez requires that a hacker already have access to a Mac in order to install the code. As of the present, no Trojan horses or other means of replication have been found in the wild using this tool. In spite of recent reports, this represents no serious threat to Macintosh computers.

This hacker tool can be used to create a “backdoor” on a Mac OS X computer. This backdoor then gives a hacker remote access to the computer. The code is added to an unsigned third-party application that is installed manually on a Mac, and, when the application is run, the backdoor is activated. It creates a file named com.apple.DockSettings in ~/Library/LaunchAgents, and the backdoor is launched at each login. The binary of the original application is placed in ApplicationName.app/Contents/MacOS/2, and the binary of the backdoor is found in ApplicationName.app/Contents/MacOS/1. The tool modifies the application’s info.plist file so it points to the latter location.

There are therefore only two modes of transmission of this hacker tool: the first is if someone sends another user an infected application, either in a .zip archive or a disk image, and the second is when a hacker obtains network access to a Mac and replaces an existing application with an infected version.

Read the full security memo.