"Devil Robber" Trojan Infects Macs, Leeches Their GPUs for Bitcoin Profit
November 1, 2011 10:59 AM
It just works -- except when you're infected
Apple, Inc. (AAPL) has long maligned the Windows PC as being virus-laden, while promoting its own Mac computers as being immune to such evils. But despite this "It just works" publicity campaign, recent OS X malware has forced Apple onto the defensive, silently rolling out tools to remove malicious programs from users' computers.
I. Malware Enslaves Unwitting Mac Users' GPUs
Now another piece of malware has struck unsuspecting Mac owners. The new multiplatform trojan, reported in the wild by security firms Sophos Security and Intego, is much more sophisticated than most of the past malware to hit the Mac platform.
The malicious program installs as part of infected torrent downloads from sites such as The Pirate Bay. Thus far the malware has primarily been found piggybacking on pirated copies of the image-editing app GraphicConverter version 7.4 (whose authors are not involved in the scheme and do not approve of the piracy in the first place). The onboard malware is officially known in security circles as OSX/Miner-D, and is nicknamed "DevilRobber".
Mac torrenters may find themselves the victim of a clever new trojan -- as usual Apple remains silent on the issue. [Source: iQuid]
Once installed on the victim's machine, the malware opens a back door into the OS X system, allowing remote command-and-control. It also monitors the computer, attempting to steal personal information such as credit card details.
The malware targets multiple platforms -- including the Mac. [Source: Intego]
To do this it takes screenshots. It also periodically dumps confidential information from various applications -- such as TrueCrypt data, Vidalia (TOR plugin for Firefox), the Safari browsing history, and .bash_history -- into a creatively named file. It also records usernames and passwords by routing traffic through a proxy server (on port 34522 in the most common variant, but likely to change).
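The local proxy on port 34522 is the one concrete network indicator the write-up gives, and it is cheap to check for from the host side. The script below is an added example, not code from the article or from Sophos or Intego: it parses `netstat -an` style output (the sample rows embedded in it are constructed to resemble OS X output, not captured from an infected machine) and reports any TCP socket in the LISTEN state bound to a port from a configurable watch list. The port set is kept editable because the article itself says the port is likely to change between variants.

```python
"""Flag local TCP listeners on ports associated with the DevilRobber proxy.

Added example (not from the article).  SAMPLE_NETSTAT below is constructed
to look like `netstat -an` output on OS X / BSD, where addresses are
printed as "host.port" (e.g. "127.0.0.1.34522" or "*.22").
"""
import sys

# Port named in the write-up for the most common variant.  It is a set so
# that further ports can be added as new variants are described.
SUSPECT_PORTS = {34522}

# Constructed sample, not real output from an infected host.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.34522        *.*                    LISTEN
tcp4       0      0  192.168.1.5.52113      17.172.224.47.443      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""


def parse_netstat_line(line):
    """Return (proto, local_host, local_port, state) for a socket row.

    Header lines, blank lines and rows whose local port is "*" yield None.
    The state column is absent for UDP rows, so it defaults to "".
    """
    fields = line.split()
    if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
        return None
    proto, local = fields[0], fields[3]
    # BSD netstat joins host and port with a dot; split on the last one so
    # dotted IPv4 hosts survive intact.
    host, sep, port = local.rpartition(".")
    if not sep or not port.isdigit():
        return None
    state = fields[5] if len(fields) > 5 else ""
    return proto, host, int(port), state


def find_suspect_listeners(netstat_output, ports=SUSPECT_PORTS):
    """Return [(proto, host, port)] for TCP listeners on a watched port."""
    hits = []
    for line in netstat_output.splitlines():
        parsed = parse_netstat_line(line)
        if parsed is None:
            continue
        proto, host, port, state = parsed
        if proto.startswith("tcp") and state == "LISTEN" and port in ports:
            hits.append((proto, host, port))
    return hits


if __name__ == "__main__":
    # Pipe real output in (`netstat -an | python3 check_proxy_port.py`);
    # with no stdin the constructed sample is scanned instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for proto, host, port in find_suspect_listeners(data):
        print(f"suspect listener: {proto} {host}:{port}")
```

A hit on its own is not proof of infection, since any software could bind that port; it is a prompt to look at which process owns the socket and whether a browser is being pointed at it as a proxy.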
But its biggest target is the crypto-currency "bitcoins".
The DevilRobber trojan uses screen captures to steal your password and private information. [Source: Sophos]
Bitcoins are a nation-agnostic cyber-currency, beloved by hackers, internet aficionados, and libertarians (among others). In order to seed the initial distribution of "wealth" on the market, people can use computing resources to "mine" Bitcoins via client software.
The key part of DevilRobber is a Bitcoin mining Java program which the core trojan executes. The trojan enslaves the target's GPU to harvest Bitcoins. Due to the hard-to-trace nature of the cryptocurrency, the malware's authors can successfully obfuscate their identity and safeguard their profits.
The mining program is often how the infection is first noticed, as it makes the system respond sluggishly, given the load it places on the GPU.
As a secondary tactic, the core trojan also attempts to access any unencrypted Bitcoin wallets it can find. It is unknown whether it contains code to access encrypted wallets, but it is reasonable to assume that future updates could deliver the ability to "crack" weakly encrypted wallet files. The Bitcoin balance of a compromised wallet is transferred to the attacker.
Curiously, the trojan also deletes any files whose names begin with "pthc". This acronym is associated in internet forums with the phrase "pre-teen hardcore" pornography, i.e. child pornography. It almost appears that the trojan writers have attempted to do a bit of good amid all the evil they have created.
II. Lessons Learned
The new attack illustrates some of the issues surrounding both Apple computers and Bitcoins.
[Sources: Bitcoin Forum (left); Nerd Merit Badges (right)]
For Apple, it's yet another indication that the company's public effort to feign ignorance of malware is harming customers. While tech-savvy Mac users understand their platform is just as susceptible to infection as PCs, in theory if not in practice, less tech-savvy users often believe their Mac is magically immune to infection. This belief is perpetuated by Apple's advertisements and by the company's technicians, who were revealed to be under orders to lie to customers by feigning ignorance of infections. This approach has led to at least some of Apple's customers being victimized by the hacking community.
This situation is only likely to get worse, as Apple refuses to publicly acknowledge the danger, as Microsoft has, for fear of losing its "it just works" public image. But with Apple currently in third place in computer sales by vendor, and with what some hackers say are weaker protections than Windows 7, interest in malicious Mac hacking is trending upwards.
As for Bitcoins, the cryptocurrency holds great promise, as it is formulated to prevent local government corruption, double spending, inflation, and ineffectual government monetary regulation. However, the Bitcoin market has been dealt a series of setbacks, both via the entrance of cybercriminals as large-scale miners and from account breaches. With Bitcoin's largest exchange recently hacked, the currency's proponents have raced to safeguard their brainchild. More work clearly needs to be done to exclude cybercriminal miners, or Bitcoin risks becoming intimately associated with illegality.
RE: Same old crap
11/1/2011 11:16:10 PM
Here, let me fix that for ya, Tony...
Same old crap.
A security firm 'discovers' a new malware threat to Macs, usually a trojan. The Tony Swash goes ape shit, a minority of aware Apple defenders piss their pants with fright. Relevant and factual data is released about actual infections and the new threat is reported in the media as it is a major problem in the real world that does affect Mac users. Time passes. Not a lot of time, a week or two. The story fades, as the majority of Mac fans delude themselves into thinking this has no effect on their machine. A few weeks later Tony Swash writes a wall of text about how it turned out that no Mac users are aware of a real world Mac malware event, mistakenly assuming the usual Mac fan ignorance automatically means there is no problem. Later still the original story, the one about the Trojan that infected Mac machines but did not get reported because most Mac users do not understand what is going on, gets used in a forum comment by some switched on tech savvy user (or Windows fan - they do tend to be) to prove that 'Macs are just as insecure as Windows - worse even!!'
Insanity: doing the same thing over and over again and expecting different results.
- Albert Einstein
No need to thank me, Tony.