McAfee Labs

BlackHole RAT Eats Into Mac OS X

By on Mar 01, 2011

BlackHole RAT is a backdoor Trojan targeting Mac OS X. It’s written in REALbasic, and it was discovered in December 21, 2010. But it was only recent days that it has gained the attention of security experts and the media.

This is not the first backdoor Trojan for OS X. Perhaps you remember HellRaiser (OSX/HellRTS), which is also written in REALbasic and has several options for performing actions on the victim’s computer. This Trojan was detected earlier in 2010.

BlackHole RAT has the classic client-server architecture. The server (the Trojan itself) works only on Intel-based OS X machines, while the client works also on Microsoft Windows.

How Does It Work?

Getting the Trojan on the victim’s machine usually requires social engineering. The author of BlackHole RAT has created an installation manual, which suggests changing the server application icon (to the Finder icon, for example). Once the server is installed, the attacker can use the client to connect to the victim’s machine on port 7777 and perform various actions (see below). The server will also open ports such as 10005, 10004, 10001, 10000, 9999, 7781, 7782, 7780, and 7779. However, once the victim has restarted the computer, the attacker will lose control. In the author’s words, “You have to add the Server manually to startup items via System Preferences (you don’t need admin privileges).” This is not a complicated task and can be easily automated using AppleScript.

Let’s take a look at the Mac client. The client for Windows has the same look and feel and the same options. When the attacker runs the executable file, it will prompt for a password.

The client opens port 7778 to accept incoming connections. Further analysis might reveal that the client is also a Trojan.

Once the attacker enters the correct password, a new window with a disclaimer appears: “Note, this is a Remote Administration Tool. You can do much things with it. I am not responsible for any damage or illegal things you do with this Programm. Do NOT use it for illegal purpose. You are warned.”

The attacker clicks on the “I Accept” button, and the main window appears.

Now the attacker can connect to the victim’s computer. Note that “Your IP” is sent to the Trojan server, which will reconnect to the client to send the data.

Once the attacker connects to the Trojan server, he or she can perform several actions:

  • Use a shell (with the current logged-in user’s privileges)
  • Open a web page with the default browser
  • Send a message that will be displayed on the victim’s screen
  • Create a text file on the victim’s desktop
  • Shut down, restart, and sleep
  • Request an admin login. (This will display a faked request for admin privileges and will send the name and password entered to the attacker.)

One of the most interesting actions that the attacker can perform is to request the administrator’s credentials, using a fake Finder’s prompt.

Mac users are accustomed to requests like this one. A victim might not pay attention and input credentials, thus compromising the system. But a careful reader will note some clues: The “Details” option doesn’t work, “you Administrator…” is misspelled, and we see an “Abort,” rather than a “Cancel,” button.

When the victim enters a name and password, they are sent to the client.

What’s Next?

The author of BlackHole has now created a new Trojan, this time with versions for Mac OS X for Intel and for PowerPC machines. The alpha release includes an application the author calls Virus Configurator, which can take a snapshot of the victim’s screen, shut down the computer, display a message, ask for administrator username and password, execute commands, etc. There are configurators for Windows and OS X (on Intel). Here’s a screenshot of the configurator application for Windows:

This new Trojan could be more dangerous because the Mac client includes a hard-disk erase feature. It also might be able to upload a file to the victim’s machine, flood the disk with random files, etc. Here’s a screenshot of the possible new version of the client:

How Do I Keep This Trojan Off My Mac?

If you think you have been infected by this Trojan, launch a Terminal and issue the “ps aux” command to look for suspicious processes and kill them. Run “netstat -p tcp -an” and look for ports such as those I mentioned earlier. You can also run “sudo lsof -I” and search for ports 7780, 10004, 10005, etc. In the first column you will see the name of the application using those ports; look it up in the processes table (for example, ps aux | grep BlackHole). Kill the application, and delete it from the hard disk.

Also check startup items (system preferences, accounts, login items) for any suspicious entry. Take note of its location (secondary click, Reveal in Finder) and remove it. Using the Finder’s window you’ve just launched, delete it from the hard disk too. Finally, restart your machine.

As always, of course, I advise you to be careful with files in your inbox and when installing applications from unknown places. Stay away from pirated software and from malicious websites.

Make sure that your security software is up to date. (McAfee Internet Security for Mac receives the latest definitions automatically, but you can also do an update on demand by going to the McAfee Console and selecting “Update” from the menu on the left.) McAfee detections are OSX/BlackRAT and BlackRAT (for Windows).

This Trojan hasn’t yet been seen in the wild, although it might be distributed with pirated software. The application itself is not finished. It’s very rudimentary and the author doesn’t seem to be experienced in the malware business. However, it can still damage Mac OS X users’ systems, steal sensitive information, and become the entry point for other types of malware.

McAfee Labs has already predicted growth in malware for the Mac, so we expect to see more applications like this one.