OSX/MusMinim-A is a Remote Access Trojan (RAT) for the Mac OS X platform, also known as "BlackHole RAT".
OSX/MusMinim-A's main threat component is a backdoor, which acts as the server half of a client-server pair of applications:
"BlackHole RAT Client.app"
and
"BlackHole RAT Server.app"
Both the server and the client components are detected by Sophos as OSX/MusMinim-A.
OSX/MusMinim-A includes functionality to provide a remote attacker with the following capabilities:
* place a text file on the desktop
* send a restart, shutdown or sleep command
* run an arbitrary shell command
* display a full-screen window with a message whose only available action is a "reboot" button
* send a URL to be opened on the infected machine
* display a fake "Administrator Password" window to phish the administrator credentials on the infected machine
Systems infected by 'BlackHole RAT Server.app' can be directed to any arbitrary URL as commanded by an operator connected to the server via 'BlackHole RAT Client.app'.
Note: folders with a .app extension are treated specially on OS X. '.app' folders are actually 'Application bundles'. On OS X, most 'Applications' in the /Applications directory are themselves 'Application Bundle' directories. When a user double-clicks a .app directory (or `open`s it via Terminal), the loader knows to 'launch' the executable within that folder instead of showing the folder's contents.
(If you wish to see the contents of these directories, you can navigate into them by 'cd'ing into them via Terminal, or right-click -> "Show Package Contents".)
The actual file that contains the executable code lies somewhere inside that directory.
(The file that is executed is specified in 'Contents/Info.plist'. This is a special type of XML file that provides information about the 'Application bundle', including which file to execute when the bundle is launched.)
For 'BlackHole RAT Client.app' the executable is:
'BlackHole RAT Client.app/Contents/MacOS/BlackHole RAT Client'
which is a Mach-O i386 executable (developed using RealBasic).
For 'BlackHole RAT Server.app' the executable is:
'BlackHole RAT Server.app/Contents/MacOS/BlackHole RAT Server'
which again is a Mach-O i386 executable (developed using RealBasic).
(More information about application bundles can be found at:
http://en.wikipedia.org/wiki/Application_bundle
http://developer.apple.com/library/mac/#documentation/CoreFoundationConceptual/CFBundles/Introduction/Introduction.html )
When running, systems infected with the server component may have the following ports open:
tcp:7777
tcp:7779
tcp:7780
tcp:7781
tcp:7782
tcp:9999
tcp:10000
tcp:10001
tcp:10004
tcp:10005
OSX/MusMinim-A lacks even basic authentication or encryption between the client and the server. As a result, any text sent to port tcp:7782 on the server will be presented by the server in a pop-up on the infected system.
If the server is running on a NAT'd network, the corresponding client component can only connect to it from the local network.
This threat does not spread or 'install itself'. So unless an attacker has specifically added a startup script, cron job, etc., simply restarting your system will likely terminate any running instances. The server component may be listed in a process list as "BlackHole". Any unknown process either named "BlackHole" or with open file handles to files containing "BlackHole" in the path should be considered suspicious.
As this threat is still in its infancy (the samples seen so far even refer to themselves as "under development"), users are unlikely to encounter this threat in the wild, and thus the risk is exceptionally low.
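The following triage helper is an added example, not part of this description or of Sophos' tooling. It applies the indicators above (the listed tcp ports, a process named "BlackHole", and open file handles whose path contains "BlackHole") to `lsof -nP` style output; the sample rows are constructed, not a real capture, and the column layout and marker string are assumptions.

```python
# Listening ports the description above associates with the server component.
MUSMINIM_PORTS = {7777, 7779, 7780, 7781, 7782, 9999, 10000, 10001, 10004, 10005}
NAME_MARKER = "blackhole"  # matched case-insensitively against process names and paths

# Constructed sample of `lsof -nP` output (sockets and files); not a real capture.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
BlackHole   512 alice    5u  IPv4 0x1a2b      0t0  TCP *:7777 (LISTEN)
BlackHole   512 alice    6u  IPv4 0x1a2c      0t0  TCP *:7782 (LISTEN)
sshd         88 root     3u  IPv4 0x1a2d      0t0  TCP *:22 (LISTEN)
python3    2201 alice    4u  IPv4 0x1a2e      0t0  TCP 127.0.0.1:10000 (LISTEN)
Finder      301 alice    9u  REG  1,4       2048 77 /Users/alice/Downloads/BlackHole RAT Server.app/Contents/MacOS/BlackHole RAT Server
"""


def parse_lsof(text):
    """Yield (command, pid, node, name) for each data row; NAME may contain spaces."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 8)            # 9 columns, NAME kept whole
        if len(fields) < 9:
            continue
        command, pid, _user, _fd, _type, _dev, _size, node, name = fields
        yield command, int(pid), node, name


def triage(text):
    """Group indicators per PID and rate them: one listed port alone is a weak signal."""
    findings = {}
    for command, pid, node, name in parse_lsof(text):
        f = findings.setdefault(pid, {"command": command, "ports": set(),
                                      "paths": [], "reasons": set()})
        if NAME_MARKER in command.lower():
            f["reasons"].add("process name")
        if node == "TCP" and name.endswith("(LISTEN)"):
            port = int(name.split(":")[-1].split()[0])   # "*:7777 (LISTEN)" -> 7777
            if port in MUSMINIM_PORTS:
                f["ports"].add(port)
        elif name.startswith("/") and NAME_MARKER in name.lower():
            f["paths"].append(name)
            f["reasons"].add("file handle")
    for f in findings.values():
        if len(f["ports"]) >= 2:                # several ports from the list together
            f["reasons"].add("port set")
        f["severity"] = "high" if f["reasons"] else "low"
    return {pid: f for pid, f in findings.items() if f["reasons"] or f["ports"]}


if __name__ == "__main__":
    for pid, f in sorted(triage(SAMPLE_LSOF).items()):
        print(pid, f["command"], f["severity"], sorted(f["ports"]), sorted(f["reasons"]))
```

Because the server has no authentication, a "low" hit on a single listed port deserves a manual look rather than automatic dismissal.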
Examples of OSX/MusMinim-A include:
Example 1
File Information
- Size: 1.9M
- SHA-1: 19fecf7222a893fe21842b7e401c34413bd69360
- MD5: ca671ada26dd5aedb487b9b2c826672c
- CRC-32: 5ae47a27
- File type: Unspecified binary - probably data
- First seen: 2011-02-25
Example 2
File Information
- Size: 2.1M
- SHA-1: 5ab55f35d81e9c69c4f7fef1e8f9c7ab43ff25b7
- MD5: 2bd19c94feee24ebcf94e94a2f88889c
- CRC-32: 6b9b31a0
- File type: Unspecified binary - probably data
- First seen: 2011-02-25
Example 3
File Information
- Size: 2.2M
- SHA-1: 5c90b9db383d42d59794903fa45ded7d8791b9d2
- MD5: beb357e4ab23637d07d3842efd5422a6
- CRC-32: e48beb5d
- File type: Unspecified binary - probably data
- First seen: 2011-02-25
Further information
There is more information about OSX/MusMinim-A in the blog article "Mac OS X backdoor Trojan, now in beta?".