Intego Security Memo: OSX.TrojanKit.Malez Hacker Tool Can Create Trojan Horses
November 2008 by Intego Security Alert
Exploit: OSX.TrojanKit.Malez Hacker Tool
Discovered: August 27, 2008
Risk: Very low
Description: Reports have been circulating about a new Mac “malware” or “Trojan horse”, usually under the name “OSX.Lamzev.A”, which is claimed to open a back door on compromised Mac OS X computers. Intego discovered this hacker tool in August 2008 and determined that it was not a serious threat. Unlike true malware and Trojan horses, OSX.TrojanKit.Malez requires that a hacker already have access to a Mac in order to install the code. To date, no Trojan horses or other means of replication using this tool have been found in the wild. In spite of recent reports, it represents no serious threat to Macintosh computers.

This hacker tool can be used to create a “backdoor” on a Mac OS X computer, which then gives a hacker remote access to that computer. The code is added to an unsigned third-party application that is installed manually on a Mac; when the application is run, the backdoor is activated. It creates a file named com.apple.DockSettings in /Library/LaunchAgents, so that the backdoor is launched at each login. The binary of the original application is placed in ApplicationName.app/Contents/MacOS/2, and the binary of the backdoor is placed in ApplicationName.app/Contents/MacOS/1. The tool modifies the application’s Info.plist file so that it points to the latter location.

There are therefore only two modes of transmission for this hacker tool: the first is when someone sends another user an infected application, either in a .zip archive or on a disk image; the second is when a hacker obtains network access to a Mac and replaces an existing application with an infected version.
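As an added defender-side check (example code, not Intego's or the tool's own), the following Python script inspects .app bundles for the layout described above (binaries at Contents/MacOS/1 and Contents/MacOS/2, an Info.plist redirected to the former) and reports the /Library/LaunchAgents/com.apple.DockSettings persistence file. It assumes the redirection is done through the standard CFBundleExecutable key, and the sample bundle it builds is harmless, constructed test data.

```python
import os
import plistlib
import tempfile

LAUNCH_AGENT = "/Library/LaunchAgents/com.apple.DockSettings"  # persistence file named in the advisory
BACKDOOR_BIN = "1"  # backdoor binary placed at Contents/MacOS/1
ORIGINAL_BIN = "2"  # original application binary moved to Contents/MacOS/2

def inspect_bundle(app_path):
    """Return a list of findings for one .app bundle (empty list means clean)."""
    findings = []
    macos_dir = os.path.join(app_path, "Contents", "MacOS")
    if all(os.path.isfile(os.path.join(macos_dir, n)) for n in (BACKDOOR_BIN, ORIGINAL_BIN)):
        findings.append("MacOS/1 and MacOS/2 both present")
    info_plist = os.path.join(app_path, "Contents", "Info.plist")
    if os.path.isfile(info_plist):
        try:
            with open(info_plist, "rb") as fh:
                exe = plistlib.load(fh).get("CFBundleExecutable")  # assumed redirect key
        except Exception:  # unreadable or malformed plist: treat as no match
            exe = None
        if exe == BACKDOOR_BIN:
            findings.append("Info.plist CFBundleExecutable points to MacOS/1")
    return findings

def scan_tree(root, launch_agent=LAUNCH_AGENT):
    """Walk root for .app bundles; also report the LaunchAgent persistence file."""
    report = {}
    if os.path.exists(launch_agent):
        report[launch_agent] = ["persistence LaunchAgent present"]
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                dirnames.remove(name)  # do not descend into the bundle itself
                hits = inspect_bundle(os.path.join(dirpath, name))
                if hits:
                    report[os.path.join(dirpath, name)] = hits
    return report

def build_constructed_sample():
    """Create a harmless dummy bundle with the advisory's layout in a temp dir (constructed data)."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "Example.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    for name in (BACKDOOR_BIN, ORIGINAL_BIN):
        with open(os.path.join(app, "Contents", "MacOS", name), "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")  # placeholder stand-in, not a real binary
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": BACKDOOR_BIN}, fh)
    return root, app
```

Run `scan_tree("/Applications")` on a live system to check installed bundles; the test data from `build_constructed_sample()` exercises both indicators without touching real applications.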
Means of protection: The best way to protect against this exploit is to run Intego VirusBarrier X5; the program’s virus definitions dated September 3, 2008 or later detect this hacker tool. Intego VirusBarrier X5 eradicates the malicious code and prevents the Trojan horse from being installed. Intego recommends that users never download and install software from untrusted sources or questionable web sites.