Panda Security: New backdoor for MacOS
June 2008 by Panda Security
PandaLabs has detected a new backdoor, OSX/AsTHT.A, designed to affect Apple operating systems such as MacOS, Leopard or Tiger.
When run, the backdoor exploits an Apple Remote Desktop Agent vulnerability to escalate privileges and obtain administrator permissions. It then copies itself onto the system and sends an email to its creator reporting the infection. It also registers the victim's IP address with a Dynamic DNS service so that the attacker keeps access to the infected computer even if its address changes.
OSX/AsTHT.A gives remote access to the computer through a VNC server (Vine Server) bundled with it, and through SSH. It also enables a web server that hosts the remote control tool.
This malicious code drops a keylogger on the system and can also capture images through the integrated iSight camera (Apple's built-in webcam). In this way it steals email passwords, banking passwords, etc.
Additionally, if more than one user account is registered on the computer, it tries to guess their credentials with a brute-force program. It is also designed to disable the firewall and to disable, delete and modify several system log files so as to leave no traces and impede detection.