New Mac OS X Backdoor Trojan (BlackHole RAT) in Development [Updated]

A ‘trojan’ targeting Mac OS X users, dubbed BlackHole RAT, appears to be in development. It’s a variant of a well-known series of malware called Remote Access Tools (RAT) that primarily targeted Windows. It should be noted that on its own, the trojan does not exploit OSX, instead relying on the user to unknowingly ‘install’ it. This is often done under the guise of pirated software, video plugins on porn sites, or from other non-reputable software sources. Although the details are not entirely clear, it appears like your computer needs to be directly accessible from the internet.

This ‘trojan’ (note the intended air quotes) has been blown out of proportion and does not pose a significant level of risk. Macs are not ‘less secure’ because of this tool, as it’s something that could be coded by any 14-year old with a relatively basic knowledge of programming. It’s essentially a normal application whose purpose is to accept connections from its owner, and allow them to perform actions on your computer, etc.

Hit the jump for the full details, a video and download link.

[Updated 28/02/2011] I’ve discovered that this trojan is written in REALbasic, a well known cross-platform software development environment. The trojan (server) is Mac OS X-only, with clients (controller) for Mac OS X and Windows. Sophos are currently the only vendor that detect BlackHole RAT. I have to say that this ‘trojan’ is really more of a Remote Administration Tool, albeit quite suspicious. From the ‘trojan’ perspective it is really primitive and poses a very low threat. Just don’t run suspicious software, and keep your Mac behind a router/firewall. My guess is the creator of BlackHole RAT is a German kid learning to hack/code.

Note: some sites have alluded that this is a Mac port of the DarkComet trojan. I don’t know where they got this info, but BlackHole RAT is nothing like DarkComet. It’s been programmed in REALbasic, and does not make use of any original DarkComet code.

Both the client and server for the trojan are available here (BEWARE when handling malware. Do not download it if you don’t know what you’re doing), and the password to activate the tool is “PassAufWasDuMachst!”. Check the bottom of this post for a video demo of the current development version of BlackHole RAT 2.

Sophos, who have dubbed this trojan OSX/MusMinim-A, have determined that its functionality is fairly limited, and can perform the following actions:

• Placing text files on the desktop
• Sending a restart, shutdown or sleep command
• Running arbitrary shell commands
• Placing a full screen window with a message that only allows you to click reboot
• Sending URLs to the client to open a website
• Popping up a fake “Administrator Password” window to phish the target

As more and more users adopt Mac OS X, we’re going to start seeing increasing amounts of malware like this. As usual, users should beware of the software they install, and not execute unknown programs that are sent to them. Antivirus vendors admit that their products don’t yet protect from that many viruses on OSX, but if you’re concerned, there are some decent free antivirus from Sophos and ClamXav (although ClamXav doesn’t detect this trojan yet).