another OS X trojan in wild
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche

Black Hole RAT (RAT stands for remote access trojan) has been around since the middle of Feb, but is now in the wild - mainly through infected software on popular download sites. It is similar to a Windows trojan, called darkComet, but the author of Black Hole RAT (or MusMinim as Sophos calls it) denies any relationship to the Windows trojan. The trojan can:
- create files on the desktop
- send the contents of the clipboard home
- shut down, restart or sleep the Mac
- run shell commands
- display a full screen message, which can only be dismissed by clicking the reboot button
- send URLs to the web browser to open pages
- display a fake Administrator password dialog, to trick users into divulging their passwords
Sophos clicky
Heise.de clicky (German)
Edit: heise security clicky (English)
The author calls it a "beta", with limited functionality, but the program is being updated with more features... Interestingly, the trojan is written in REALbasic for OS X. The current copy of Heise's "c't" magazine carries a more detailed piece on the trojan, but that content is not available on their website until the next issue is published.
_________________ "Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari
Executive Producer No Agenda Show 246
Thu Apr 14, 2011 11:54 am |
HeatherKay
Moderator
Joined: Thu Apr 23, 2009 6:13 pm Posts: 7262 Location: Here, but not all there.
Interesting.
If it made it here, my first action would be to unplug from the internet...
What I'd do then, I'm not certain. Thankfully, I tend not to download from sites I don't already trust, though that's not a guarantee of immunity. I guess the time is approaching when the Mac OS will require some kind of AV. Still, a decade without it so far is worthy of note.
_________________My Flickr | Snaptophobic BloggageHeather Kay: modelling details that matter. "Let my windows be open to receive new ideas but let me also be strong enough not to be blown away by them." - Mahatma Gandhi.
Thu Apr 14, 2011 12:19 pm |
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
I’ve been running ClamXav on mine for a while. Nothing flagged to date. Giving Sophos Home Edition a spin - it’s scanning everything.
Thu Apr 14, 2011 12:21 pm |
MrStevenRogers
Spends far too much time on here
Joined: Fri Apr 24, 2009 9:44 pm Posts: 4860
I have run ClamXav for some time and have it looking at the download folder; any infected downloads are auto deleted. I also scan the home folder the first Sunday of every month.
As of yet no threats have been found on the home folder, but I have had a couple of downloads deleted ...
_________________ Hope this helps . . . Steve ...
Nothing known travels faster than light, except bad news ... HP Pavilion 24" AiO. Ryzen7u. 32GB/1TB M2. Windows 11 Home ...
Thu Apr 14, 2011 9:11 pm |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche

How many times a day do ClamAV release new definitions? They used to be pretty bad, only offering a couple of updates a week, but I couldn't find anything about their definition update policy on their website; looking at the virus db, it looks like daily updates.
It is funny, a couple of years ago companies were panned because they didn't offer daily updates; now AV software is considered useless unless it gets updates at least every 2 hours.
The last test in the German Chip magazine gave its detection performance as 4.6, "Mangelhaft" (inadequate or dysfunctional).
@ Heather, a reputable site is no guarantee. The New York Times was caught distributing a keylogger last year, as were several other high profile web sites, through specially crafted adverts slipped into their advertising networks.
Likewise, the massive SQL injection vulnerabilities last month (hundreds of thousands of sites affected) would allow attackers to put malicious code and links on a site, including downloading malware through a perfectly legitimate site. You, unfortunately, can't be too careful these days.
Fri Apr 15, 2011 4:19 am |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
Might be worth checking if the security update Apple issued last night blocked this nasty.
Jon
Fri Apr 15, 2011 7:04 am |
HeatherKay
Moderator
Joined: Thu Apr 23, 2009 6:13 pm Posts: 7262 Location: Here, but not all there.

Apple wrote:
Security Update 2011-002
Certificate Trust Policy
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.7, Mac OS X Server v10.6.7
Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information
Description: Several fraudulent SSL certificates were issued by a Comodo affiliate registration authority. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue is addressed by blacklisting the fraudulent certificates.
Note: For iOS, this issue is addressed with iOS 4.3.2 and iOS 4.2.7. For Windows systems, Safari relies on the certificate store of the host operating system to determine if an SSL server certificate is trustworthy. Applying the update described in Microsoft Knowledge Base Article 2524375 will cause Safari to regard these certificates as untrusted. The article is available at http://support.microsoft.com/kb/2524375
http://support.apple.com/kb/HT4608
Fri Apr 15, 2011 7:27 am |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
As Heather's post shows, this is a fix for a 3-month-old, actively exploited man-in-the-middle attack.
The update doesn't do anything to protect against the trojan. Patching the OS to recognise an exploit also isn't a long term solution; as exploits for OS X gain in popularity, Apple would have to release a couple of hundred patches a day to stay on top of the situation.
Edit: Sorry, that is a fix for some fraudulent certificates. The general SSL man-in-the-middle vulnerability hasn't been addressed.
Fri Apr 15, 2011 7:29 am |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
I'm afraid I find your post a little self-contradictory. You seem to be saying that OS patching to block exploits is a futile activity, then are complaining that a particular exploit hasn't been patched yet. The idea that an OS would need 'hundreds of patches a day' is patently false - that would only be the case if hundreds of different exploits a day were being found. It may possibly be that there could be hundreds of pieces of malware, but that doesn't mean each one would require an individual OS patch, if that's the approach you decided to take. Many malwares exploit the same security hole, or at least fall back through several known security holes. Removing one or two vulnerabilities might render hundreds of pieces of malware inert. In any case, the best barrier for trojans is always an educated, careful user. Jon
Fri Apr 15, 2011 9:19 am |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
Blocking malware and patching for exploits are 2 totally different things. The Comodo update protects the system against a security breach.
The trojan, on the other hand, doesn't use any exploits. It just needs to be mistakenly downloaded and run, probably by a user who thought they were downloading a legitimate app from a legitimate site. These sorts of malware appear by the thousand every week. OS X users have been lucky so far, with the number of malware programs in the wild still in double digits.
If Apple patched the OS to recognise such malware, they would need to release a new patch every time a new piece of malware appeared. That is why good AV software uses heuristics and doesn't rely solely on its signature database.
Fri Apr 15, 2011 11:41 am |
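The two points made in this thread, MrStevenRogers' download-folder scan with auto-delete and big_D's remark that a signature database alone cannot keep up with repacked samples, can be shown together in a small scanner. This is an added example, not code from the thread, from ClamXav or from any AV vendor: the "definition database" is a set of hypothetical SHA-256 hashes, the heuristic (a Mach-O executable embedding an AppleScript `display dialog ... with hidden answer` password prompt) is an illustrative rule and not an indicator tied to Black Hole RAT, and the sample files are constructed in a temporary directory so the script runs offline.

```python
"""Added example: a download-folder scanner that combines a hash signature
list with a content heuristic. Demonstrates why a hash-only scanner needs
constant definition updates: a rebuilt sample with a single byte changed
gets a new hash but keeps the same suspicious behaviour.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal
# header. 0xcafebabe is also the Java class-file magic, so a real scanner
# would parse the header rather than trust the first four bytes alone.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
)

# Hypothetical heuristic: an executable that carries an AppleScript
# password prompt. Illustrative only; not a known indicator for any sample.
PASSWORD_PROMPT = re.compile(rb"display dialog.{0,200}?with hidden answer", re.S)


def scan_file(path: Path, known_bad: set[str]) -> str:
    """Return 'signature', 'heuristic' or 'clean' for one file."""
    data = path.read_bytes()
    if hashlib.sha256(data).hexdigest() in known_bad:
        return "signature"          # exact match in the definition database
    if data[:4] in MACHO_MAGICS and PASSWORD_PROMPT.search(data):
        return "heuristic"          # unknown hash, but behaviour looks wrong
    return "clean"


def scan_folder(folder: Path, known_bad: set[str], quarantine: Path) -> dict[str, str]:
    """Scan every regular file in `folder`; move detections to `quarantine`.

    Quarantining rather than deleting keeps a copy for later analysis and
    for recovering from a false positive raised by the heuristic.
    """
    results = {}
    for item in sorted(folder.iterdir()):
        if not item.is_file():
            continue
        verdict = scan_file(item, known_bad)
        results[item.name] = verdict
        if verdict != "clean":
            quarantine.mkdir(exist_ok=True)
            shutil.move(str(item), str(quarantine / item.name))
    return results


def demo() -> tuple[dict[str, str], list[str]]:
    """Build constructed samples in a temp dir, scan them, and report."""
    work = Path(tempfile.mkdtemp())
    downloads = work / "Downloads"
    downloads.mkdir()
    quarantine = work / "Quarantine"

    # Constructed sample: 64-bit Mach-O magic followed by a password prompt.
    original = (b"\xcf\xfa\xed\xfe" + b"\x00" * 12
                + b"osascript -e 'display dialog \"Enter admin password\" with hidden answer'"
                + b"\x00" * 16)
    # "Repacked" build: one word changed, so the hash no longer matches.
    variant = original.replace(b"admin", b"your")
    # Constructed benign executable and a plain text file with the same words.
    benign = b"\xcf\xfa\xed\xfe" + b"\x00" * 12 + b"Hello, world\n"
    notes = b"display dialog with hidden answer"   # not an executable

    (downloads / "installer.bin").write_bytes(original)
    (downloads / "installer_v2.bin").write_bytes(variant)
    (downloads / "tool.bin").write_bytes(benign)
    (downloads / "notes.txt").write_bytes(notes)

    # Hypothetical definition database containing only the original build.
    known_bad = {hashlib.sha256(original).hexdigest()}

    results = scan_folder(downloads, known_bad, quarantine)
    remaining = sorted(p.name for p in downloads.iterdir())
    shutil.rmtree(work)
    return results, remaining


if __name__ == "__main__":
    verdicts, left = demo()
    for name, verdict in verdicts.items():
        print(f"{name:18} {verdict}")
    print("still in Downloads:", left)
```

The original build is caught by its hash, the repacked build only by the heuristic, and the text file containing the same words is left alone because the rule requires an executable. A scanner with only the hash list would have let `installer_v2.bin` through until the next definition update.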
MrStevenRogers
Spends far too much time on here
Joined: Fri Apr 24, 2009 9:44 pm Posts: 4860
I thought it was just me, some time ago, banging on about AV for OS X ...
Fri Apr 15, 2011 12:16 pm |