The Trojan is distributed through BitTorrent, bundled in a .zip archive as a "crack" alongside a copy of the Adobe Photoshop application.
The above bundle has the following file name and is 1,059,954,851 bytes (1,010 MB) in size:
Adobe Photoshop CS4 11.0 Extended (Mac OS X) Includes Crack+serial (Works 100%).zip
The bundle contains the following legitimate copy of the Adobe Photoshop application:
Adobe Photoshop CS4 11.0 Retail.dmg
It also contains the following files:
Adobe CS4 Crack(intel)
PS CS4 Serial Number *(Mac).pdf
When 'Adobe CS4 Crack(intel)' is executed, the Trojan extracts its main component to the following location:
/var/temp/[RANDOM FILE NAME]
It then prompts the user for root credentials in order to run that component with root privileges.
The Trojan then launches the real crack for the Adobe Photoshop application, so the user sees the expected result.

Note: The malicious file is a Universal Binary, built to run on both PowerPC and x86 Macs.
Next, the Trojan determines if the session is running with root privileges. If not, the threat exits.
The Trojan creates the following folder if it did not execute from the DivX file:
The Trojan copies itself as the following file:
It modifies the following files so that it runs every time the computer starts:
Next, the Trojan relaunches itself from /System/Library/StartupItems/DivX/DivX and decrypts its configuration file, which is encrypted with AES.
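The two checks a responder would want from the description above, written as an added example (this is not Symantec's code and not part of the original write-up): a parser for the Universal (fat) Mach-O header that lists the architectures a file carries, covering the Universal Binary note, and an audit of /System/Library/StartupItems that flags the DivX item and reports its executable's architectures, covering the persistence steps. It assumes Apple's StartupItem layout (a folder holding an executable of the same name plus StartupParameters.plist) and uses constructed sample bytes so it runs offline; the write-up does not give the names of the files the Trojan modifies, so the audit reports only what it finds on disk.

```python
"""Triage checks for the persistence and Universal Binary claims above.

Added example, not Symantec's code. Assumptions (not in the write-up):
Apple's StartupItem layout (a folder holding an executable of the same
name plus StartupParameters.plist), and the constructed sample bytes below.
Usage: python3 iservices_triage.py /Volumes/SuspectDisk
"""
import os
import struct
import sys

FAT_MAGIC = 0xCAFEBABE                                # fat header is always big-endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE           # 32-bit Mach-O, BE file / LE file
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE     # 64-bit Mach-O, BE file / LE file
CPU_PPC, CPU_I386 = 18, 7
CPU_TYPE_NAMES = {CPU_I386: "x86", 0x01000007: "x86_64",
                  CPU_PPC: "ppc", 0x01000012: "ppc64",
                  12: "arm", 0x0100000C: "arm64"}


def _thin_cputype(data, off):
    """cputype of the Mach-O header at `off`, read in the file's own byte order."""
    magic = struct.unpack_from(">I", data, off)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        return struct.unpack_from(">I", data, off + 4)[0]
    if magic in (MH_CIGAM, MH_CIGAM_64):
        return struct.unpack_from("<I", data, off + 4)[0]
    raise ValueError("no Mach-O header at offset 0x%x" % off)


def mach_o_archs(data):
    """Architectures carried by a thin or Universal (fat) Mach-O file, in table order.

    Each fat_arch entry is bounds-checked and compared with the cputype in the
    slice's own header, so a truncated or tampered table (or a Java class
    file, which shares the 0xCAFEBABE magic) is rejected instead of trusted.
    Fat files that wrap static archives rather than Mach-O slices are not handled.
    """
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    if struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return [CPU_TYPE_NAMES.get(_thin_cputype(data, 0), "unknown")]
    nfat = struct.unpack_from(">I", data, 4)[0]
    if nfat == 0 or 8 + 20 * nfat > len(data):
        raise ValueError("implausible nfat_arch %d" % nfat)
    archs = []
    for i in range(nfat):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        cputype, _sub, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        if size < 8 or offset + size > len(data):
            raise ValueError("slice %d lies outside the file" % i)
        if _thin_cputype(data, offset) != cputype:
            raise ValueError("slice %d header disagrees with its fat_arch entry" % i)
        archs.append(CPU_TYPE_NAMES.get(cputype, "0x%x" % cputype))
    return archs


def audit_startup_items(root="/"):
    """List StartupItems under ROOT; flag the DivX item named in the write-up.

    ROOT may be a mounted image, so a compromised disk can be checked offline.
    """
    items_dir = os.path.join(root, "System", "Library", "StartupItems")
    findings = []
    if not os.path.isdir(items_dir):
        return findings
    for name in sorted(os.listdir(items_dir)):
        item = os.path.join(items_dir, name)
        if not os.path.isdir(item):
            continue
        exe = os.path.join(item, name)      # assumption: executable named after its folder
        entry = {"name": name, "suspicious": name == "DivX",
                 "has_plist": os.path.isfile(os.path.join(item, "StartupParameters.plist")),
                 "archs": None}
        if os.path.isfile(exe):
            with open(exe, "rb") as f:
                try:
                    entry["archs"] = mach_o_archs(f.read())
                except ValueError as err:
                    entry["archs"] = "not Mach-O (%s)" % err
        findings.append(entry)
    return findings


def build_fat_sample(tamper=False):
    """Constructed bytes: a minimal ppc+x86 Universal binary like the one described.

    With tamper=True the second fat_arch entry claims ppc while its slice is x86.
    """
    buf = bytearray(0x2100)
    struct.pack_into(">II", buf, 0, FAT_MAGIC, 2)
    struct.pack_into(">IIIII", buf, 8, CPU_PPC, 0, 0x1000, 0x100, 12)
    struct.pack_into(">IIIII", buf, 28, CPU_PPC if tamper else CPU_I386, 3, 0x2000, 0x100, 12)
    struct.pack_into(">II", buf, 0x1000, MH_MAGIC, CPU_PPC)    # ppc slice: big-endian header
    struct.pack_into("<II", buf, 0x2000, MH_MAGIC, CPU_I386)   # x86 slice: little-endian header
    return bytes(buf)


def build_thin_sample():
    """Constructed bytes: the first 32 bytes of a plain i386 Mach-O (little-endian)."""
    return struct.pack("<II", MH_MAGIC, CPU_I386) + bytes(24)


if __name__ == "__main__":
    print("constructed sample:", mach_o_archs(build_fat_sample()))
    for f in audit_startup_items(sys.argv[1] if len(sys.argv) > 1 else "/"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print("%-10s %s plist=%s archs=%s" % (f["name"], flag, f["has_plist"], f["archs"]))
```

The fat header and its fat_arch table are always big-endian, while each slice's mach_header is in that slice's native order, which is why the ppc slice reads as MH_MAGIC and the x86 slice as MH_CIGAM; cross-checking the two is a cheap way to catch a hand-edited table. On a live Mac, pointing the audit at a mounted image of the suspect disk rather than "/" avoids executing anything from the compromised system.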
It then opens a back door on the compromised computer and may contact the following hosts in order to receive further commands from the remote attacker:
The remote attacker may use the following remote commands:
The network traffic is encrypted with AES.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":