{"id":1144,"date":"2013-02-21T12:28:54","date_gmt":"2013-02-21T17:28:54","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=1144"},"modified":"2013-02-21T12:28:54","modified_gmt":"2013-02-21T17:28:54","slug":"new-mac-virus-skirts-gatekeeper-initiates-creepy-reverse-shell-connection","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/02\/21\/new-mac-virus-skirts-gatekeeper-initiates-creepy-reverse-shell-connection\/","title":{"rendered":"New Mac virus skirts Gatekeeper, initiates creepy reverse-shell connection"},"content":{"rendered":"

\"\"<\/a><\/p>\n

A new trojan virus is targeting computers running Mac OS X and initiating an encrypted reverse-shell connection, allowing attackers potentially unfettered access to infected machines armed with basic, inbound-only firewalls. Security firm Intego appears to be the first to report on this malware and has named the backdoor virus “Pintsized”.
\nAs of 10.7 (Lion), Mac OS X employs an anti-malware feature named “Gatekeeper” which helps deflect the “installation” of malware by utilizing what is essentially a digital signature system. It appears Pintsized has the capability to defeat this security mechanism, although exactly how it does so remains unknown. Although Gatekeeper is enabled by default, it’s worth noting it can also be disabled. Under normal circumstances, users who disable Gatekeeper would be afforded no protection against these types of attacks.
\nOnce Pintsized is in, it phones home to hackers via an encrypted OpenSSH connection. Because the infected computer initiates the bi-lateral connection and not the remote server, Pintsized is able to bypass inbound-only firewalls, like the in-built Mac OS X firewall and the firewalls\/NAT provided by most routers. This persistent shell access allows hackers to run remotely-issued commands on the infected system, some of which have been identified as clear-text Perl scripts. Thankfully for victims though, the malware author’s use of obfuscated Perl scripting makes Pintsized conceivably simple to identify.
\nPintsized attempts to hide its components by posing as CUPS-related files — the Unix printing system utilized by Mac OS X. The files Intego has seen the virus generate are:
\ncom.apple.cocoa.plist
\ncupsd (Mach-O binary)
\ncom.apple.cupsd.plist
\ncom.apple.cups.plist
\ncom.apple.env.plist
\nPresumably, infected machines would attempt to load infected files on start up. Users would likely want to check for signs of the above files in the following locations:
\n~\/Library\/LaunchAgents (user launch area)
\n\/Library\/LaunchAgents
\n\/Library\/LaunchDaemons
\n\/System\/Library\/LaunchAgents
\n\/System\/Library\/LaunchDaemons
\nThe payload of the virus also remains unknown, but as with many attacks, there is likely a monetary incentive. An open SSH connection opens a whole world of devious possibilities though, so users will want to get rid of Pintsized as soon as they can.
\nUnsurprisingly, Intego says their VirusBarrier product picks up the virus. At the time of their writing though, the firm noted XProtect was unable to detect Pintsized.
\nvia New Mac virus skirts Gatekeeper, initiates creepy reverse-shell connection – TechSpot<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

A new trojan virus is targeting computers running Mac OS X and initiating an encrypted reverse-shell connection, allowing attackers potentially […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[2,7,9],"tags":[455,638,655,785,1167],"class_list":["post-1144","post","type-post","status-publish","format-standard","hentry","category-apple","category-security","category-software","tag-hacking","tag-mac","tag-malware","tag-os-x","tag-virus"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-is","jetpack-related-posts":[{"id":9655,"url":"https:\/\/nccomputertech.com\/techtalk\/2021\/03\/09\/fuquay-varina-and-holly-springs-computer-repair\/","url_meta":{"origin":1144,"position":0},"title":"Fuquay Varina and Holly Springs Computer Repair","author":"NCCT","date":"March 9, 2021","format":false,"excerpt":"Welcome to our blog. NC Computer Tech services Fuquay Varina, Holly Springs, and surrounding NC areas. We offer prompt, professional, courteous service with over twenty years of experience dealing with residential and small business clients offering them solutions and fixing their computer and network issues at reasonable rates. Our services\u2026","rel":"","context":"In "Technology"","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":9930,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/05\/16\/fbi-says-toss-your-old-router\/","url_meta":{"origin":1144,"position":1},"title":"FBI Says Toss Your Old Router","author":"NCCT","date":"May 16, 2025","format":false,"excerpt":"https:\/\/youtu.be\/scR199zRjvA On Security Now, Steve talks about the FBI's suggestion that we should be tossing out our old routers.","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/scR199zRjvA\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9940,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/05\/16\/the-blue-and-the-gray-m4-macbook-air-m4-max-mac-studio-apple-intelligence\/","url_meta":{"origin":1144,"position":2},"title":"The Blue and the Gray – M4 MacBook Air, M4 Max Mac Studio, Apple Intelligence","author":"NCCT","date":"May 16, 2025","format":false,"excerpt":"https:\/\/youtu.be\/e_K-4_7i08k Is Apple's 'Sky Blue' really blue? Apple is delaying its 'more personalized Siri' Apple Intelligence features. Is anyone excited about RollerCoaster Tycoon coming to Apple Arcade? And Dropbox now supports Live Photos! ... after ten years. \u2022 Sky (blue)\u2019s the limit: M4 MacBook Air offers lower price, improved camera,\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/e_K-4_7i08k\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9320,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/04\/08\/this-week-in-tech-661-the-ant-man-canon\/","url_meta":{"origin":1144,"position":3},"title":"This Week in Tech 661: The Ant Man Canon","author":"NCCT","date":"April 8, 2018","format":false,"excerpt":"https:\/\/youtu.be\/BOkNYwQ_k1Y Facebook issues the latest in a long string of apologies.YouTube shooter and the lure of fame. Apple plans its own chips for 2020, Mac Pro for 2019. Is Amazon spending too much on video? Terry Myerson out at Microsoft - the end of the Windows era. FBI seizes Backpage.com.","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/BOkNYwQ_k1Y\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9430,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/05\/the-prosecco-experience-this-week-in-tech-691\/","url_meta":{"origin":1144,"position":4},"title":"The Prosecco Experience – This Week in Tech 691","author":"NCCT","date":"November 5, 2018","format":false,"excerpt":"https:\/\/youtu.be\/9Pm9vDm1-sg Apple\u2019s new Macs and iPads, CIA\u2019s not-so-secret websites, Twitter voter suppression, and more. -- Apple announces new MacBook Air and Mac Mini, then blows them both away with its new iPad Pro. -- Apple will no longer tell us how many iPhones it sells. -- How to kill an\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/9Pm9vDm1-sg\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9812,"url":"https:\/\/nccomputertech.com\/techtalk\/2024\/11\/08\/slow-and-steady-m4-macbook-pro-apple-q424-pixelmator\/","url_meta":{"origin":1144,"position":5},"title":"Slow and Steady – M4 MacBook Pro, Apple Q424, Pixelmator","author":"NCCT","date":"November 8, 2024","format":false,"excerpt":"https:\/\/youtu.be\/etW5-oInyGA As expected following the end of last week's MacBreak Weekly, Apple announced the new M4, M4 Pro, and M4 Max MacBook Pros. Jason recaps the results of Apple's Q424. And Apple acquires Pixelmator. \u2022 Early Apple M4 Pro and M4 Max benchmarks hint at a massive performance boost. \u2022\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/etW5-oInyGA\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=1144"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1144\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=1144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=1144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=1144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}