16 comments

[ 2.3 ms ] story [ 104 ms ] thread
Posts like this annoy me. It only gives details about the symptoms of the virus and gives zero details of the infection vector. What does this virus exploit? How does it take control of the computer? Is it a root kit? Does it have a C&C server associated with it allowing it to become a botnet?

It is especially frustrating because although I am not a Mac user I like to keep up to date on threats against the Mac platform since exploits on the Mac are easier to port to other *nixs. Does anyone have actual details on this trojan?

I couldn't agree more. I'm guessing they assume the reader is familiar with the Windows trojan.[1]

I posted because I still thought HN would find it interesting.

[1] http://www.darkcomet-rat.com/

Did the article give you the distinct impression this is only a GUI to ssh meant to amuse kids?

Everything mentioned in the article can be accomplished with ssh and the osascript command. The only interesting part of this software would be the rootkit used to hide it from an admin.

What rootkit? This is OS X, not Windows. You can't hide processes here the same way, or even to the same extent, you can under ntoskrnl.
Sure you can. If you have root access to Mac OS X and can thus load stuff into the kernel you can easily disguise applications that are running by modifying the process tables, or replacing the ps binary by one that does filtering.

Look at some of the BSD rootkits for inspiration on how to accomplish a task like that.

Apparently, it's not a virus, it's a trojan. Vector is human: article says "Trojans like this are frequently distributed through pirated software". Same player shoot again.
My impression is that it's an application you have to agree to install. Which means the only thing noteworthy here is that it mimics a Windows trojan. There is no security exploit which allows it to be installed with the user unaware. Nothing special here it seems...
It would make perfect sense for Sophos to develop software like this. As long as they don't get caught.
It never ceases to amaze me how virus/malware/phishing authors blow holes in their efforts by failing to correctly reproduce simple sentences.

"Finder Requires You Administrator Password"

Really? You couldn't do a 30 second web search to find the correct phrase? On a different note, Vista/Win7's way of darkening the entire desktop when asking for an admin password, which is difficult if not impossible to emulate, is a very clever technique.

Don't forget the "Abort" button.
Not only that, but the Details arrow is pointing down, which indicates that there is more information available at the bottom that describes the program that is requesting the information.

The entire window is off.

The creator of the RAT, if it is the same creator as DarkComet isn't English and is very bad at it. This is very good news for the Black-hat community. I'm gonna try and talk to him and probably him with the project.
I found the original source of the malware release. If anyone wants to look at it, Googling for "Blackhole RAT" and visiting the result titled "Blackhole Rat Problem" will return the same result I found. You'll have to change your UserAgent string to GoogleBot or similar because it is a registered forum.
"Fortunately our products can detect and remove Trojans like this, and for home use they're free! If you would like to install Sophos Anti-Virus for Mac Home Edition, click on the banner below."

Hmm.

I honestly wonder if the security companies are making crap like this in an attempt to get OSX users into the virus-fear market. Trojans are incomprehensibly simple things to write, but whenever one comes up for a Mac security companies go absolutely nuts and try to sell you something to get rid of it.

Wake me when there's a worm with rights escalation that installs itself without my approval or notice. As long as you have to put in your password and run their application, I'm safe, and it's hardly a virus so much as mere malware. Everything you need for malware has been around forever, and is already on your system: rm -rf *

edit: ran it and experimented. The only interesting thing about this is the password pop-up window, which looks fake and has a non-functioning abort button (!). I'm guessing it somehow resists focus while looking like it's focused and handling input, because it always looks like it's coming from the application you last had active. That is clever and an attack vector, the rest of this is child's play.

But, but just ask a MacOS fanboi, they don't suffer from trojans/malware! So this must be a mistake </sarcasm>