
OSX.Macontrol Back at It Again

Created: 03 Jul 2012 22:05:01 GMT • Updated: 23 Jan 2014 18:14:19 GMT

Contributor: Joseph Bingham

If you were to compare the percentage of Mac users with the percentage of Windows users, the Windows user base still eclipses the Mac user base by a large margin. At the time of this blog post, one usage statistics aggregator reports on its website that the Windows market share is a commanding 84.13 percent of the population compared to Macintosh at 14.80 percent. However, statistics vary by research firm and this particular data was collected within the United States only.

So, what does all this have to do with malware, you ask? In essence, the theory that operating systems other than Windows are safe from being compromised by malware has already been proven incorrect. From a malware author’s perspective, a platform with a large user base offers a larger pool of potential installs. The increased popularity of the Mac platform and the potentially less mature state of Apple security practices have made it a viable target. This has led to more attacks on the Mac platform than ever before.

Let’s think about the statistic of 14.80 percent for a second. The estimated population of the United States is currently around 309 million. Assuming everyone in the U.S. owns a computer, that is around 43 million users who are potential victims.

For the first half of 2012, we have seen an increase in the number of Mac-based threats. Earlier this year, we saw a new variant of OSX.Flashback appear in April (first seen in 2011), and a newly discovered threat, OSX.Sabpab (first seen in April 2012).

Most recently, we have come across a new variant of OSX.Macontrol (first seen in March 2012). This current sample appears to spread through targeted email and has a low distribution rate. The binary [md5 - e88027e4bfc69b9d29caef6bae0238e8] is small in size (75 KB) and provides little functionality other than a back door to a remote host (61.178.77.16x). The Web server appears to be a custom HTTP command-and-control server that can collect and modify system settings. HTTP command-and-control allows the attacker to evade detection by sending commands that appear to be clean, normal Web traffic.

OSX.Macontrol has the ability to:

  • Close the connection to the remote location and end the threat
  • Collect information regarding the compromised computer and send it back to the remote server
  • Send the process list of the compromised computer to the remote server
  • End processes
  • Fork running processes
  • Retrieve the install path of the Trojan
  • Delete files
  • Run files
  • Send files to the remote server
  • Send user status and information to the remote server
  • Log out the current user
  • Put the compromised computer to sleep
  • Restart the compromised computer
  • Shut down the compromised computer

It has the ability to open a shell:
 


 

It sends an encrypted GET request to receive communication:

/h.gif?pid =113&v=130586214568 HTTP/1.
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
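
The request above gives defenders two things to match in proxy logs: the /h.gif?pid=...&v=... path and an Internet Explorer 6 on Windows XP User-Agent arriving from a Mac. The following is an added example, not Symantec's code or part of the original post; the log layout, the host inventory, and the sample lines are constructed assumptions.

```python
import re

# Request shape shown in the post: /h.gif?pid=<digits>&v=<digits>. The post prints a
# space before "=", so optional whitespace (or %20) is tolerated there.
BEACON_URI = re.compile(r"^/h\.gif\?pid(?:\s|%20)*=\d+&v=\d+$")
# User-Agent shown in the post; it omits the usual space before "(", so accept both.
BEACON_UA = re.compile(r"^Mozilla/4\.0\s*\(compatible; MSIE 6\.0; Windows NT 5\.1\)$")
# Hypothetical proxy log layout (an assumption): ts src dst "METHOD uri" "user-agent"
LOG_LINE = re.compile(
    r'^\S+ (?P<src>\S+) (?P<dst>\S+) "(?P<method>[A-Z]+) (?P<uri>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line, mac_hosts=frozenset()):
    """Return a finding dict for one log line, or None when nothing matches."""
    m = LOG_LINE.match(line.strip())
    if not m or m["method"] != "GET":
        return None
    reasons = []
    if BEACON_URI.match(m["uri"]):
        reasons.append("uri")
    if BEACON_UA.match(m["ua"]):
        reasons.append("ua")
        # An IE6 / Windows XP User-Agent from a host inventoried as a Mac is a mismatch.
        if m["src"] in mac_hosts:
            reasons.append("ua-os-mismatch")
    if not reasons:
        return None
    if "uri" in reasons and "ua" in reasons:
        severity = "high"
    elif "uri" in reasons or "ua-os-mismatch" in reasons:
        severity = "medium"
    else:
        severity = "low"  # the legacy UA alone is common and weak evidence
    return {"src": m["src"], "dst": m["dst"], "severity": severity, "reasons": reasons}

def scan(lines, mac_hosts=frozenset()):
    """Return findings for every matching line, in input order."""
    return [f for f in (classify(l, mac_hosts) for l in lines) if f]

# Constructed sample data: documentation/private address ranges, not real traffic.
MAC_HOSTS = frozenset({"10.0.0.21", "10.0.0.22"})
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE = [
    '2012-07-03T10:00:01Z 10.0.0.21 203.0.113.10 "GET /h.gif?pid=113&v=130586214568" '
    '"Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"',
    '2012-07-03T10:00:05Z 10.0.0.21 198.51.100.7 "GET /index.html" "Mozilla/5.0 (Macintosh)"',
    f'2012-07-03T10:01:00Z 10.0.0.35 198.51.100.9 "GET /logo.gif" "{IE6}"',
    f'2012-07-03T10:02:00Z 10.0.0.22 198.51.100.9 "GET /logo.gif" "{IE6}"',
    '2012-07-03T10:03:00Z 10.0.0.40 203.0.113.10 "GET /h.gif?pid=7&v=99" "curl/7.24.0"',
]
```

Calling scan(SAMPLE, MAC_HOSTS) returns four findings; only the first line, which matches both the path and the User-Agent, is rated high.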
 


 

Figure 1. Various calls used to obtain data about compromised systems
 

During the course of our research, we noticed activity from the 61.178.77.16x address, beginning around February 2012, with multiple unique versions of malware coming from this IP range. Our data confirms that this IP address is not just serving Mac malware, but Windows malware as well.

To ensure that you are protected, please make sure your antivirus definitions are always up to date. Also, please do not download or open attachments from senders that you do not recognize.

Note: We were able to connect with Apple and they stated that they updated their OS X malware definitions recently to address this version of Macontrol.