BlackHole RAT

 SecureMac Security Bulletin

Posted: February 25th, 2010
Updated: March 31st, 2011

Security Risk: Low

Update: A new version of BlackHole RAT 2.0 has been discovered.

A new trojan horse is targeting Mac OS X, and SecureMac has identified multiple variants of the threat. The trojan horse, created by a hacker calling himself Das_Virus, appears to originate from Germany.

As first discovered and described by Methusela “Meths” Cebrian Ferrer on her Macintosh security and threat research blog at http://ithreats.net/2011/02/25/rat-blackhole/, there is a new trojan horse targeting Mac OS X. This trojan appears to be in the early stages of development, but seems to be in an active development cycle, with multiple updates to the trojan added by the author as documented on a popular hacker site.

The current mode of infection is for the attacker to trick the victim into downloading the server component of the software and running it on their Mac. The server component can be disguised as a different program to hide the malicious intent. SecureMac has found websites currently distributing the trojan disguised as Safari, Apple’s popular web browser software for OS X, as well as disguised as an updater for Java, a cross-platform software development environment from Sun Microsystems.

Java was recently in the news for Mac OS X security as the underlying language for the cross-platform Boonana trojan horse, discovered by SecureMac in October 2010, which affected Mac OS X, Microsoft Windows, and Linux.

The creator of the new trojan posted on a hacker bulletin board as far back as early October asking other hackers for information and help in creating malware to attack Mac OS X, but did not release the malware for a number of months. Through the following months, the hacker appeared to be programming a new trojan to target both Mac OS X and Microsoft Windows by using the REALbasic programming language. The author of the trojan horse also posted videos on YouTube documenting his progress and new features while developing the malware.

The hacker released an alpha version of the malware on February 13th, 2011, listing the following features:

•    Trojan is added to startup items
•     Trojan requests the administrator password and stores it to file
•     Ability to execute shell scripts
•     Ability to “erase Activity Window”
•     Ability to “change permission of activity window”
•     Flood the infected hard drive with random data
•     Shut down the infected computer
•     Disable the display on the infected computer
•     Take a snapshot with the iSight camera on an infected computer

Not all of the features appear to be active in the current release, but the author seems to be actively developing these features.

The latest variant of this trojan was created earlier this month, so it is likely that more variants will be released in the coming weeks targeting Mac users.

MacScan has been updated to detect this new threat, which is detected as BlackHole RAT 1.0a, BlackHole Rat 1.0b, and BlackHole Rat 1.0c, for the three new variants discovered by SecureMac. As proven by our discovery and analysis of the cross-platform Boonana threat in October 2010, SecureMac will remain vigilant in protecting users against threats to Mac OS X.

About MacScan

MacScan quickly detects, isolates and removes malware from Macintosh computers using both real-time spyware definition updating and unique detection methods. The software also manages internet-related clutter on your computer. It is designed for Mac OS X version 10.2.4 and later.

Since 1999, SecureMac has been at the forefront of Macintosh system security. The site not only features complete Macintosh Anti-Spyware and Antivirus solutions, but also operates as a clearinghouse for news, reviews and discussion of Apple computer security issues. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience trouble free.