System Infected: OSX.Seadoor Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects OSX.Seadoor activity on a compromised machine.

Additional Information

Once executed, the threat does the following:

It copies itself as:
/Users/Shared/UserEvent.app

It creates the following entry so that it runs when the computer boots:
~/Library/LaunchAgents/UserEvent.System.plist

It opens the DSC00117.jpg file contained in its body.

The threat then connects to a command-and-control server to receive commands:
servicemsc.sytes.net on TCP port 7777

It may receive the following commands:

Get system information (version, memory size, machine type, disk size, serial number)
Get user name
Get process list
Terminate process
Delete file
Create tar archive
Obtain the name or path of a Login Item, including hidden Login Items
Delete Login Item
Create new hidden Login Item
Change audio volume
Download file as /User/Shared/up.zip
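
The file, persistence and network indicators listed above can be checked on a host or a mounted disk image with a short script. This is an added example, not Symantec's detection logic; the function names, the optional root argument, the assumption that home directories live under /Users, and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: looks for the OSX.Seadoor artifacts named in this write-up.
# Indicator values are copied from the page; function names are hypothetical.

# Print every on-disk indicator found under ROOT.
# ROOT="" checks the live system; a path checks a mounted image or a copy.
seadoor_file_hits() {
    root="${1:-}"
    # Dropped copy and downloaded archive, paths exactly as the page gives them.
    for p in /Users/Shared/UserEvent.app /User/Shared/up.zip; do
        if [ -e "$root$p" ]; then
            echo "file: $root$p"
        fi
    done
    # LaunchAgent persistence entry, checked for every home directory.
    # Assumption: home directories are located under /Users.
    for plist in "$root"/Users/*/Library/LaunchAgents/UserEvent.System.plist; do
        if [ -e "$plist" ]; then
            echo "launchagent: $plist"
        fi
    done
    return 0
}

# Read connection or DNS log text on stdin (for example saved output of
# `lsof -nP -iTCP`) and print the lines that name the C2 host or show a
# remote peer on TCP port 7777. The port alone is a weak indicator, so
# treat a port-only match as a lead to confirm against the file checks.
seadoor_net_hits() {
    grep -E 'servicemsc\.sytes\.net|->[^ ]+:7777( |$)' || true
}

# Constructed sample input (documentation IP ranges, not real telemetry).
SEADOOR_SAMPLE_LOG='UserEvent 412 alice 5u IPv4 0x1 0t0 TCP 192.0.2.10:49200->203.0.113.7:7777 (ESTABLISHED)
Safari 388 alice 9u IPv4 0x2 0t0 TCP 192.0.2.10:49201->198.51.100.4:443 (ESTABLISHED)
dns query: servicemsc.sytes.net A
nc 500 alice 3u IPv4 0x3 0t0 TCP *:7777 (LISTEN)'

# Usage on a live system:
#   seadoor_file_hits ""
#   lsof -nP -iTCP | seadoor_net_hits
```
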

Affected

  • Mac OS X