New Malware DevilRobber Grabs Files and Bitcoins, Performs Bitcoin Mining, and More
Posted by Peter James
Intego has discovered a new malware called DevilRobber.A. This malware, which has been found in several applications distributed via BitTorrent trackers, steals data and Bitcoin virtual money, and uses CPU and GPU time on infected Macs to perform “Bitcoin mining.”
This malware is complex, and performs many operations. It combines several types of malware: it is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is spyware, as it sends personal data to remote servers.
DevilRobber has been found in a small number of Mac applications that are distributed via BitTorrent trackers, including a popular graphic program.
Once running, DevilRobber launches a proxy on port 34522 and waits for a user to enter a user name and password; if this happens, it records these credentials and sends them to a remote server. The malware continues performing other operations, such as posting data to a remote server, looking up the infected Mac’s external IP address, scanning the local network the Mac is on, searching for child pornography, and more.
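The one indicator in the description above that an administrator can check directly is the proxy port. The following script is an added example, not code from Intego’s post: it looks for anything listening on TCP port 34522 using lsof, and separates the parsing from the live lookup so the parser can be exercised on a constructed lsof line. The port number is taken from the text; the sample output, process name and PID are constructed for illustration.

```shell
#!/bin/sh
# Added triage check (not from the original writeup): report any process
# listening on TCP port 34522, the proxy port attributed to DevilRobber.A.

DEVILROBBER_PORT=34522

# find_listeners TEXT
#   TEXT is lsof output produced with -nP (numeric hosts and ports).
#   Prints "PID COMMAND" for every line bound to the port in LISTEN state.
#   Returns 0 if at least one listener was found, 1 otherwise.
find_listeners() {
    printf '%s\n' "$1" | awk -v port="$DEVILROBBER_PORT" '
        # NAME field looks like "*:34522 (LISTEN)" or "127.0.0.1:34522 (LISTEN)"
        $0 ~ ":" port " \\(LISTEN\\)" { print $2, $1; found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_host
#   Runs lsof on this machine (macOS and Linux lsof accept these flags;
#   assumption: lsof is installed) and hands the output to find_listeners.
#   "|| true" keeps a no-match exit status from lsof from aborting under set -e.
check_host() {
    out=$(lsof -nP -iTCP:"$DEVILROBBER_PORT" -sTCP:LISTEN 2>/dev/null || true)
    find_listeners "$out"
}

# Constructed lsof output (not a real capture) used to demonstrate the parser
# offline; a real scan would call check_host instead.
CONSTRUCTED_LSOF='COMMAND  PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
python3  4242 alice  3u  IPv4 0x1234      0t0  TCP *:34522 (LISTEN)
python3  4242 alice  4u  IPv4 0x1235      0t0  TCP 10.0.0.5:34522->10.0.0.9:51022 (ESTABLISHED)'

if hits=$(find_listeners "$CONSTRUCTED_LSOF"); then
    echo "listener on port $DEVILROBBER_PORT (pid command): $hits"
else
    echo "nothing listening on port $DEVILROBBER_PORT"
fi
```

Run `check_host` on a suspect Mac; an empty result is not proof of a clean system, since the proxy is only one of the behaviours described, but a hit on this port from an unexpected process is worth investigating.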
One of the main tasks of this malware is to perform “Bitcoin mining,” the computation by which new Bitcoins are generated. Mining itself is not fraud against the Bitcoin network; the harm here is that the malware burns the infected Mac’s CPU and GPU time, and its owner’s electricity, to earn Bitcoins for the attacker. (Learn more about how to protect your Mac from unwanted Bitcoin mining.)
While this malware is fairly sophisticated in its actions, it is not very widespread. For now, Intego has only seen DevilRobber in a handful of Mac applications distributed via BitTorrent trackers. Mac users should avoid downloading software from untrusted sites, notably those that distribute software illegally, such as BitTorrent trackers. If possible, always download software from the publishers’ web sites, or from trusted download sites.
Intego’s threat filters for VirusBarrier dated October 28, 2011 or later detect and block this malware as OSX/DevilRobber.A.