{"id":1144,"date":"2013-02-21T12:28:54","date_gmt":"2013-02-21T17:28:54","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=1144"},"modified":"2013-02-21T12:28:54","modified_gmt":"2013-02-21T17:28:54","slug":"new-mac-virus-skirts-gatekeeper-initiates-creepy-reverse-shell-connection","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/02\/21\/new-mac-virus-skirts-gatekeeper-initiates-creepy-reverse-shell-connection\/","title":{"rendered":"New Mac virus skirts Gatekeeper, initiates creepy reverse-shell connection"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.techspot.com\/news\/51689-new-mac-virus-skirts-gatekeeper-initiates-creepy-reverse-shell-connection.html\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/02\/virus-1.jpg\" \/><\/a><\/p>\n<p>A new trojan virus is targeting computers running Mac OS X and initiating an encrypted reverse-shell connection, allowing attackers potentially unfettered access to infected machines armed with basic, inbound-only firewalls. Security firm Intego appears to be the first to report on this malware and has named the backdoor virus &#8220;Pintsized&#8221;.<br \/>\nAs of 10.7 (Lion), Mac OS X employs an anti-malware feature named &#8220;Gatekeeper&#8221; which helps deflect the &#8220;installation&#8221; of malware by utilizing what is essentially a digital signature system. It appears Pintsized has the capability to defeat this security mechanism, although exactly how it does so remains unknown. Although Gatekeeper is enabled by default, it&#8217;s worth noting it can also be disabled. Under normal circumstances, users who disable Gatekeeper would be afforded no protection against these types of attacks.<br \/>\nOnce Pintsized is in, it phones home to hackers via an encrypted OpenSSH connection. 
Because the infected computer initiates the bi-lateral connection and not the remote server, Pintsized is able to bypass inbound-only firewalls, like the in-built Mac OS X firewall and the firewalls\/NAT provided by most routers. This persistent shell access allows hackers to run remotely-issued commands on the infected system, some of which have been identified as clear-text Perl scripts. Thankfully for victims though, the malware author&#8217;s use of obfuscated Perl scripting makes Pintsized conceivably simple to identify.<br \/>\nPintsized attempts to hide its components by posing as CUPS-related files &#8212; the Unix printing system utilized by Mac OS X. The files Intego has seen the virus generate are:<br \/>\ncom.apple.cocoa.plist<br \/>\ncupsd (Mach-O binary)<br \/>\ncom.apple.cupsd.plist<br \/>\ncom.apple.cups.plist<br \/>\ncom.apple.env.plist<br \/>\nPresumably, infected machines would attempt to load infected files on start up. Users would likely want to check for signs of the above files in the following locations:<br \/>\n~\/Library\/LaunchAgents (user launch area)<br \/>\n\/Library\/LaunchAgents<br \/>\n\/Library\/LaunchDaemons<br \/>\n\/System\/Library\/LaunchAgents<br \/>\n\/System\/Library\/LaunchDaemons<br \/>\nThe payload of the virus also remains unknown, but as with many attacks, there is likely a monetary incentive. An open SSH connection opens a whole world of devious possibilities though, so users will want to get rid of Pintsized as soon as they can.<br \/>\nUnsurprisingly, Intego says their VirusBarrier product picks up the virus. 
At the time of their writing though, the firm noted XProtect was unable to detect Pintsized.<br \/>\nvia <a href=\"http:\/\/www.techspot.com\/news\/51689-new-mac-virus-skirts-gatekeeper-initiates-creepy-reverse-shell-connection.html\" target=\"_blank\">New Mac virus skirts Gatekeeper, initiates creepy reverse-shell connection &#8211; TechSpot<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new trojan virus is targeting computers running Mac OS X and initiating an encrypted reverse-shell connection, allowing attackers potentially [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[2,7,9],"tags":[455,638,655,785,1167],"class_list":["post-1144","post","type-post","status-publish","format-standard","hentry","category-apple","category-security","category-software","tag-hacking","tag-mac","tag-malware","tag-os-x","tag-virus"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-is","jetpack-related-posts":[{"id":8157,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/04\/29\/researcher-claims-that-attackers-can-easily-bypass-current-osx-security-tools\/","url_meta":{"origin":1144,"position":0},"title":"Researcher claims that attackers can easily bypass current OSX security tools","author":"NCCT","date":"April 29, 2015","format":false,"excerpt":"Most Mac users feel as though they are impenetrable to viruses and malicious software, but according to one researcher that is not the case. While Apple has its fair share of security measures in place, recent data has surfaced suggesting those tools are \u201ctrivial\u201d for any attacker to bypass. 
For\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6142,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/06\/department-of-homeland-security-warns-retailers-of-backoff-pos-malware-techspot\/","url_meta":{"origin":1144,"position":1},"title":"Department of Homeland Security warns retailers of &#8216;Backoff&#8217; POS malware &#8211; TechSpot","author":"NCCT","date":"August 6, 2014","format":false,"excerpt":"The Department of Homeland Security yesterday issued an alert about a point-of-sale malware that was used in a string of recent attacks by cyber criminals. Dubbed Backoff, the malware has been witnessed on at least three separate forensic investigations since late 2013 and continues to operate today. According to US-CERT,\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3156,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/09\/hand-of-thief-banking-trojan-doesnt-do-windows-but-it-does-linux\/","url_meta":{"origin":1144,"position":2},"title":"\u201cHand of Thief\u201d banking trojan doesn\u2019t do Windows\u2014but it does Linux","author":"NCCT","date":"August 9, 2013","format":false,"excerpt":"Signaling criminals' growing interest in attacking non-Windows computers, researchers have discovered banking fraud malware that targets people using the open-source Linux operating system. 
Hand of Thief, which was recently discovered by researchers from security firm RSA, sells for about $2,000 in underground Internet forums and boasts its own support and\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/nccomputertech.com\/techtalk\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":9655,"url":"https:\/\/nccomputertech.com\/techtalk\/2021\/03\/09\/fuquay-varina-and-holly-springs-computer-repair\/","url_meta":{"origin":1144,"position":3},"title":"Fuquay Varina and Holly Springs Computer Repair","author":"NCCT","date":"March 9, 2021","format":false,"excerpt":"Welcome to our blog. NC Computer Tech services Fuquay Varina, Holly Springs, and surrounding NC areas. We offer prompt, professional, courteous service with over twenty years of experience dealing with residential and small business clients offering them solutions and fixing their computer and network issues at reasonable rates. 
Our services\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3175,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/13\/security-team-pries-open-secrets-of-chinese-hacker-gang\/","url_meta":{"origin":1144,"position":4},"title":"Security team pries open secrets of Chinese hacker gang","author":"NCCT","date":"August 13, 2013","format":false,"excerpt":"A Chinese hacker gang whose malware targeted RSA in 2011 infiltrated more than 100 companies and organizations, and was so eager to steal data that it probed a major teleconference developer to find new ways to spy on corporations, according to researchers. The remote-access Trojan, or RAT, tagged as \"Comfoo\"\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":8210,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/05\/05\/this-terrifying-malware-destroys-your-pc-if-detected\/","url_meta":{"origin":1144,"position":5},"title":"This terrifying malware destroys your PC if detected","author":"NCCT","date":"May 5, 2015","format":false,"excerpt":"A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims. 
The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=1144"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1144\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=1144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=1144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=1144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}