SecureMac.com
About SecureMac Advertise Security Consulting Mac Security Store Send Feedback

Site Information
Site Background
Who runs the site
Advertising
Security Consulting
Employment/Jobs
Feedback Form

SecureMac Software
PrivacyScan

 

Mac OS X Security
sudo buffer overflow exploit + fix
Disable Single User Boot Mode
Malevolence - Dumping Passwords
nidump security
Startup Security - Open Firmware Password Protection

Mac OS X Network Security
SAINT
Secure FTP Wrapper
Ettercap - sniffer interceptor logger
Snort - Network Intrusion Detection System
SSH Admin
SSH Helper
xnu - enable MAC Address spoofing


Mac OS X Virus

Mac OS X Firewalls
Firewalk Firewall Utility
NetBarrier X

Mac OS X App Sec.

Mac OS X Encryption
LittleSecrets
GPGMail - PGP Functionality

Mac OS X DoS

SecureMac Library
Mac Cable Modem Security
Mac Security Auditing
Mac OS X Security Understanding
Mac OS X Security Second Lessons
Mac OS X Security Third Lesson
Mac OS X Single User Mode Root Access
Mac OS X Shareware Firewalls
Mac OS X Secure Installation
Cable & DSL Connections - Security Measures
Better Safe than Sorry
Apple.com Security Resources
Marketing Macintosh Security Programs

OSX/CoinThief Manual Identification and Removal Instructions

Updated: February 12, 2014

OSX/CoinThief has been distributed under four different names so far: BitVanity, StealthBit, Bitcoin Ticker TTM, and Litecoin Ticker.

BitVanity and StealthBit were distributed on Github, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. Both app names appear to have been taken from legitimate apps in the Mac App Store. The malicious payload was not found in Mac App Store copies of these apps.

When run, the malware installs a browser extension in Chrome, Safari, and Firefox, which will appear in those apps as "Pop-Up Blocker 1.0.0" with the description "Blocks pop-up windows and other annoyances." There are some indications that this name and description were also taken from a legitimate browser extension. The browser extensions watch your web traffic, looking for specific headers for bitcoin-related websites. They communicate with the background process, which will periodically connect to a remote server (currently offline) to exfiltrate login credentials.

The background process is set to be constantly running via a launchd task. Additionally, the background process will check for the presence of Bitcoin-Qt, and appears to be modifying components of Bitcoin-Qt, possibly with the intent of leaking private keys.

To check for the presence of the malware on your system:

  1. Take a screenshot of these instructions or print them out, and disconnect your system from the internet until you've verified that your system is clean.
  2. Open Activity Monitor (located in your Utilities folder), and look for a process called "com.google.softwareUpdateAgent."

    Note that this is a specific name that is currently known to be used by the malware.
  3. Open Chrome, Safari, and Firefox (if installed on your system), and check for the presence of the "Pop-Up Blocker" extension.
  4. If you see either the "com.google.softwareUpdateAgent" process or the browser extensions, continue on to the removal instructions.

To manually remove the malware from your system:

Manual removal is going to require entering a few terminal commands. The commands must be entered exactly as they are listed below, so copy and paste them in if need be.

Before entering the terminal commands, delete the apps from your system (BitVanity, StealthBit, Bitcoin Ticker TTM, or Litecoin Ticker) by dragging them to the Trash and emptying the Trash. Make sure to quit the apps before attempting to delete them.

  1. Open the Terminal (located in your Utilities folder), and type the following command:
    • launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist
    • Press the return key after entering the command. This command will unload the launchd task, and stop the malware from constantly running in the background If you see a message stating "No such file or directory, nothing found to unload," the launchd task was not loaded on your system.
  2. Next, you're going to enter a command to unhide the malware file itself, and move it to your Desktop. From there, you will manually drag it to the Trash. This will serve to avoid accidentally removing the wrong file. Type the following command, again pressing the return key after entering the command:
    • mv ~/Library/Application Support/.com.google.softwareUpdateAgent ~/Desktop/com.google.softwareUpdateAgent

      In the above command, pay close attention – there is a period before the first instance of com.google.softwareUpdateAgent.
  3. Next, you're going to do the same for the file that starts the launchd task, and move it to the Desktop. Type the following command, again pressing the return key after entering the command:
    • mv ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist ~/Desktop/com.google.softwareUpdateAgent.plist
  4. Drag the com.google.softwareUpdateAgent and com.google.softwareUpdateAgent.plist files that should now be present on your Desktop to the Trash, and empty the Trash.
  5. Open your web browsers, and delete the "Pop-Up Blocker" extensions.
  6. Backup your wallet and reinstall Bitcoin-Qt.
  7. Change your password information for accounts you have on any bitcoin-related websites either from a system that you know is clean, or after you have ensured removal of the malware.

About SecureMac - SecureMac has been at the forefront of Apple system security offering news, advisories and reviews for all security relating to Apple and Macintosh systems since 1999. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience secure and trouble free. SecureMac is also the creators of award winning security and privacy software MacScan and PrivacyScan protecting Mac OS X users against threats.



Security + OS
DiskLock
PowerBook Security Control Panel
Empower Pro
FileGuard
FreeGuard
FoolProof
Deus Lock Master
OnGuard
Keys Off
LockOut
MacOS Algorithm
Modem Security
Password Key
PGPuam
PPF
Shift Key Suite
Stealth Signal
SuperLock Lite
SuperLock Pro
Web-Confidential


Macintosh Viruses
Disinfectant
Sophos Anti-Virus
Norton AntiVirus
Nav 7 Nav 6 Nav X
Virex - Oct
VirusBarrier - Netupdate
vScan - Discontinued.

Mac Physical Security


Macintosh Firewalls
DoorStop Firewall
Firewall Q & A
IPNetSentry
NetBarrier
Norton Personal Firewall

Mac Spyware & Privacy
Monitorer
NetShred - Delete Files Safely

Network Security
MacAnalysis
Oyabun Tools
WDTech RAE
ToolDaemon

Application Security Issues
AIM - AOL Instant Messenger
Back Orifice
Eudora E-Mail Client
Internet Configure
IE 5.1, OE 5.1, Powerpoint, Excel Vulnerability
MS Personal webServer
NetBus
Outlook Express 4.5 Password Flaw
SubSeven
Sub7ME Server

Resource Info
AppleShare Server Info

Mac OS Encryption
EnScript
FGP
FileTwister
ForgotIt?
GenPass
MacLockSmith
My-Privacy
My Secret
PGPi
PGPhone
PGP Personal
PGP Freeware
PowerCrypt-dev
Private File
Quick Encrypt
SubRosa Utilities
Tresor

Deleting Files
Eraser Pro
ShredIt

Backups

Apple Hardware

MacOS DoS
Mac Attack


All material (c) 2014 SecureMac.com and respected owners