Microsoft Discovered Backdoor for Mac OS X 'Backdoor:MacOS_X/Olyx.A'


The Microsoft Malware Protection Center (MMPC) has revealed that it discovered a backdoor for Mac OS X, detected as "Backdoor:MacOS_X/Olyx.A", inside a package named "PortalCurrent events-2009 July 5.rar" that was anonymously submitted to VirusTotal (SHA1 1c100e7f3bda579bb4394460ef530f0c6f63205c).

"The package suggests that the content was extracted from Wikipedia community portal current events 2009 July 5 page; although, the revision history shows that the last edited version was a year ago. However, if this is true, the update to the package could be an attempt to slip in a backdoor. The content folder includes photos from events on June 15th 2011. Alongside are two malicious binary executable files (with SHA1s 90EBC867D3E69F10FC45E28DC87789B1C7092C5F and 0B0CA1263DF13E124A8DB0B744F8A6462E41FE44):

  • Video-Current events 2009 July 5.exe (205,480 bytes) PE EXE
  • Current events 2009 July 5 (50,956 bytes) Mach-O I386"

The MMPC says that the "Mach-O binary file targets Mac OS X users. It installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named "google" in the /Library/Application Support directory, where the backdoor installs as "startp". It also keeps a copy in the temporary folder as "google.tmp". It creates "www.google.com.tstart.plist" in the /Library/LaunchAgents, to ensure that it launches the backdoor only once when the user logs in - this applies to all accounts on the system."

"The backdoor initiates a remote connection request to IP address 121.254.173.57, where it continues to make attempts until established. Once connected, the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download and navigate through files and directories," the MMPC says.
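A host check for the persistence artifacts and the C2 address described in the two paragraphs above, added here as an example; it is not code from the MMPC write-up. It takes an optional root prefix so it can be run against a mounted disk image or a test tree, and with no prefix it scans the live system, including a network check. The install paths, plist name, C2 address and SHA1s are the ones quoted above; two things are my assumptions and not stated on the page: that "the temporary folder" means /tmp, and that a renamed LaunchAgent plist would still contain the path of the startp binary.

```shell
#!/bin/sh
# Added example, not code from the MMPC write-up: scan a Mac (or a
# mounted image / test tree under ROOT) for the Olyx.A artifacts quoted
# above. The exit status of olyx_scan is the number of indicators found.

# SHA1s of the two malicious binaries named in the write-up.
OLYX_SHA1_1=90ebc867d3e69f10fc45e28dc87789b1c7092c5f
OLYX_SHA1_2=0b0ca1263df13e124a8db0b744f8a6462e41fe44
# C2 address the backdoor keeps reconnecting to.
OLYX_C2=121.254.173.57

# SHA1 of a file, portable across macOS (shasum) and Linux (sha1sum).
olyx_sha1() {
  if command -v shasum >/dev/null 2>&1; then shasum -a 1 "$1"
  elif command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"
  else echo "sha1-unavailable"
  fi | cut -d' ' -f1
}

# olyx_scan [ROOT]: print one line per indicator, return the hit count.
# Empty ROOT = live host (also runs the network check).
olyx_scan() {
  olyx_root=${1:-}
  olyx_hits=0

  # 1. Persistence paths from the write-up. /tmp for google.tmp is an
  #    assumption; the write-up only says "the temporary folder".
  for p in \
    "$olyx_root/Library/Application Support/google/startp" \
    "$olyx_root/Library/LaunchAgents/www.google.com.tstart.plist" \
    "$olyx_root/tmp/google.tmp"
  do
    [ -e "$p" ] || continue
    echo "FOUND path: $p"
    olyx_hits=$((olyx_hits + 1))
    # 2. Hash the dropped file against the two known samples.
    if [ -f "$p" ]; then
      h=$(olyx_sha1 "$p")
      if [ "$h" = "$OLYX_SHA1_1" ] || [ "$h" = "$OLYX_SHA1_2" ]; then
        echo "  SHA1 $h matches a known Olyx.A sample"
        olyx_hits=$((olyx_hits + 1))
      fi
    fi
  done

  # 3. Assumption, not from the write-up: a renamed agent plist that still
  #    points at the startp binary (XML plists only; a binary plist would
  #    need `plutil -convert xml1` first).
  for f in "$olyx_root/Library/LaunchAgents"/*.plist; do
    [ -f "$f" ] || continue
    case "$f" in *www.google.com.tstart.plist) continue ;; esac
    if grep -q 'Application Support/google/startp' "$f" 2>/dev/null; then
      echo "FOUND agent referencing startp: $f"
      olyx_hits=$((olyx_hits + 1))
    fi
  done

  # 4. Live host only: any socket to the C2 address, established or
  #    still in SYN_SENT (the backdoor retries until it connects).
  if [ -z "$olyx_root" ] && command -v netstat >/dev/null 2>&1; then
    if netstat -an 2>/dev/null | grep -qF "$OLYX_C2"; then
      echo "FOUND network: socket to $OLYX_C2"
      olyx_hits=$((olyx_hits + 1))
    fi
  fi

  return "$olyx_hits"
}

# Stand-alone use: sh olyx_scan.sh ROOT (use / for the running system).
if [ $# -gt 0 ]; then
  olyx_scan "$1"
  exit $?
fi
```

Run it as `sh olyx_scan.sh /` on the Mac in question, or with the mount point of an image; a non-zero exit status is the number of hits. Every indicator is checked independently because they do not stand or fall together: the two hashes cover only the submitted samples, so a startp binary at the expected path with a different hash still deserves analysis, and a user who deleted the LaunchAgent plist may well have left the binary and google.tmp behind.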

Furthermore, "another interesting observation here is that the feature set and the code found in this backdoor appear to be similar to that of Gh0st RAT 3.6, also known as "Ghostnet". We detect the Ghostnet backdoor as Backdoor:Win32/Remosh.A," added MMPC.

For more detail, have a look at the Backdoor:MacOS_X/Olyx.A description in the Microsoft encyclopedia.

[Source: MMPC]