Intego Security Memo: HellRTS Backdoor Can Allow Malicious Remote Users to Control Macs
April 2010 by Intego Security Alert
Malware: OSX/HellRTS.D
Discovered: April 14, 2010
Risk: Low
Description: Intego has discovered a new variant of a malware for Mac, called
HellRTS, which, when installed on computers running Mac OS X, opens a backdoor
that allows remote users to take control of infected Macs and perform actions on them.
Intego identifies this backdoor as OSX/HellRTS.D, a variant of an early Mac OS X
malware first spotted in 2004.
HellRTS, built in RealBasic, and a Universal Binary able to run on both PowerPC- and
Intel-Based Macs, is able to perform a number of operations if installed on a Mac. It
sets up its own server and configures a server port and password. It duplicates itself,
using the names of different applications, adding the new version to a user’s login
items, to ensure that it starts up at login. (These different names can make it hard to
detect, not only in login items, but also in Activity Monitor.) It can send e-mail with its
own mail server, contact a remote server, and provide direct access to an infected Mac.
It can also perform a number of operations such as providing remote screen-sharing
access, shutting down or restarting a Mac, accessing an infected Mac’s clipboard, and
much more.
This backdoor requires installation on a Mac, which could be carried out via a Trojan
horse, or by exploiting a vulnerability in a program that accesses the Internet (such as a
web browser). While Intego has not found any instances of Macs being infected by this
in the wild, the fact that this malware is being distributed on a number of forums shows
that it will be accessible to a large number of malicious users who may attempt to use it
to attack Macs.
Means of protection: Intego VirusBarrier X6 detects and eradicates this malware,
which it identifies it as OSX/HellRTS.D, with its threat filters dated April 15, 2010 or
later.