OSX/MusMinim-A

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 25 Feb 2011 19:40:03 (GMT)
Last Updated: 18 Dec 2012 14:02:46 (GMT)


OSX/MusMinim-A is a Remote Access Trojan (RAT) for the OS X platform, also known as "BlackHole RAT".

OSX/MusMinim-A's main threat component is a backdoor, which acts as the server half of a client-server pair of applications:

* "BlackHole RAT Client.app"
* "BlackHole RAT Server.app"

Both the server and the client components are detected by Sophos as OSX/MusMinim-A.


OSX/MusMinim-A includes functionality to provide a remote attacker with the following capabilities:
* place a text file on the desktop
* send a restart, shutdown or sleep command
* run an arbitrary shell command
* display a full-screen window with a message that only allows the user to click Reboot
* send a URL to be opened on the infected machine
* display a fake "Administrator Password" window to phish the administrator credentials on the infected machine

Systems infected with 'BlackHole RAT Server.app' can be directed to any URL chosen by an operator connected to the server via 'BlackHole RAT Client.app'.

Note: folders with a .app extension are treated specially on OS X. A '.app' folder is actually an 'application bundle'. Most of the 'applications' in the /Applications directory are application bundle directories themselves. When a user double-clicks a .app directory (or `open`s it via Terminal), the system launches the executable within the bundle instead of showing the folder's contents.

(If you wish to see the contents of these directories, you can navigate into them by 'cd'ing into them via Terminal, or right-click -> "Show Package Contents".)

The actual file that contains the executable code lies somewhere inside that directory.

(The file that is executed is specified in 'Contents/Info.plist'. This is an XML property list that provides information about the application bundle, including, in its CFBundleExecutable key, the name of the file under Contents/MacOS to execute when the bundle is launched.)


For 'BlackHole RAT Client.app' the executable is:
'BlackHole RAT Client.app/Contents/MacOS/BlackHole RAT Client'
which is a Mach-O i386 executable (developed using RealBasic).


For 'BlackHole RAT Server.app' the executable is:
'BlackHole RAT Server.app/Contents/MacOS/BlackHole RAT Server'
which again is a Mach-O i386 executable (developed using RealBasic).

( More information about application bundles can be found at:
http://en.wikipedia.org/wiki/Application_bundle
http://developer.apple.com/library/mac/#documentation/CoreFoundationConceptual/CFBundles/Introduction/Introduction.html )
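The bundle layout described above, as an added example that is not part of Sophos' analysis or of the RAT's own code: the script builds a constructed .app bundle in a temporary directory (an Info.plist naming a CFBundleExecutable, plus a stand-in "executable" that is only a Mach-O header with no code), resolves the file the bundle would launch the way Launch Services does, and classifies it from its Mach-O header. The bundle name, file contents and CPU-type table are assumptions for the demonstration; the header constants are the standard ones from Apple's mach-o headers.

```python
"""Resolve a .app bundle's main executable and identify its Mach-O architecture.

Added example (not Sophos' code and not part of the RAT). It builds a
constructed bundle in a temporary directory: an Info.plist naming a
CFBundleExecutable plus a stand-in 'executable' that is only a Mach-O header
with no code. Everything else uses the Python standard library.
"""
import os
import plistlib
import struct
import tempfile

# Header constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O, same byte order as the reader
MH_CIGAM = 0xCEFAEDFE       # 32-bit Mach-O, byte-swapped
MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE
FAT_MAGIC = 0xCAFEBABE      # universal binary; always big-endian on disk
CPU_TYPES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64", 18: "ppc"}


def bundle_executable(app_dir):
    """Return the path of the file launched when the bundle at `app_dir` is opened.

    The name comes from the CFBundleExecutable key in Contents/Info.plist and
    the file lives in Contents/MacOS/. A bundle without that key is not
    launchable, so a KeyError is left to propagate.
    """
    with open(os.path.join(app_dir, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    return os.path.join(app_dir, "Contents", "MacOS", info["CFBundleExecutable"])


def macho_arch_bytes(header):
    """Classify the first 8 bytes of a file: magic (4 bytes) then cputype (4 bytes)."""
    if len(header) < 8:
        return "not Mach-O"
    le_magic, = struct.unpack("<I", header[:4])
    be_magic, = struct.unpack(">I", header[:4])
    if le_magic in (MH_MAGIC, MH_MAGIC_64):
        cputype, = struct.unpack("<I", header[4:8])   # little-endian target (i386, x86_64, arm)
        bits64 = le_magic == MH_MAGIC_64
    elif le_magic in (MH_CIGAM, MH_CIGAM_64):
        cputype, = struct.unpack(">I", header[4:8])   # big-endian target (ppc)
        bits64 = le_magic == MH_CIGAM_64
    elif be_magic == FAT_MAGIC:
        # Java class files share this magic; on a real file, read nfat_arch next to be sure.
        return "Mach-O universal (fat)"
    else:
        return "not Mach-O"
    arch = CPU_TYPES.get(cputype, "cputype 0x%x" % cputype)
    return "Mach-O %s%s" % ("64-bit " if bits64 else "", arch)


def macho_arch(path):
    """Classify the file at `path` by its header bytes."""
    with open(path, "rb") as fh:
        return macho_arch_bytes(fh.read(8))


def make_sample_bundle(root, name="BlackHole RAT Server", cputype=7):
    """Create a constructed .app bundle under `root` (demonstration only).

    The 'executable' is a 28-byte little-endian 32-bit Mach-O header and
    nothing else: not runnable, no real code.
    """
    app = os.path.join(root, name + ".app")
    macos_dir = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": name, "CFBundlePackageType": "APPL"}, fh)
    with open(os.path.join(macos_dir, name), "wb") as fh:
        # magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags
        fh.write(struct.pack("<7I", MH_MAGIC, cputype, 3, 2, 0, 0, 0))
    return app


def demo():
    """Build the sample bundle, resolve its executable and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = make_sample_bundle(tmp)
        exe = bundle_executable(app)
        return os.path.relpath(exe, tmp), macho_arch(exe)


if __name__ == "__main__":
    rel_path, arch = demo()
    print("%s -> %s" % (rel_path, arch))
```

On a real system, point `bundle_executable` and `macho_arch` at an actual .app directory; the 8-byte check is the same test `file(1)` performs first, and an application bundle whose Info.plist names an executable of an unexpected architecture, or one that is not Mach-O at all, is worth a closer look.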


When running, systems infected with the server component may have the following ports open:
tcp:7777
tcp:7779
tcp:7780
tcp:7781
tcp:7782
tcp:9999
tcp:10000
tcp:10001
tcp:10004
tcp:10005

OSX/MusMinim-A lacks even basic authentication or encryption between the client and the server. As a result, any text sent to tcp:7782 on the server, by anyone who can reach the port, is presented by the server in a pop-up on the infected system.

If the server is running on a NAT'd network, the client component can only connect from the local network, unless the ports above have been forwarded to the infected machine.

This threat does not spread or install itself. So unless an attacker has specifically added a startup script, cron job or similar persistence mechanism, simply restarting the system will likely terminate any running instances. The server component may be listed in a process list as "BlackHole". Any unknown process either named "BlackHole" or holding open file handles to files with "BlackHole" in the path should be considered suspicious.
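The indicators from the two preceding paragraphs (the listening ports, the "BlackHole" process name and open file handles on a "BlackHole" path), applied to lsof-style output as an added example that is not Sophos' code. The sample lines are constructed in the shape of `lsof -i -P -n` and `lsof -p <pid>` output and are not a real capture; the PIDs, user name and paths in them are assumptions.

```python
"""Flag BlackHole RAT indicators in lsof-style output.

Added example, not Sophos' code. The SAMPLE_LSOF lines are constructed for
this demonstration (no real capture); the port set and the "BlackHole"
process/path names are the indicators given in the text above.
"""
import re

# TCP ports the server component may have open, from the list above.
BLACKHOLE_PORTS = {7777, 7779, 7780, 7781, 7782, 9999, 10000, 10001, 10004, 10005}

# Constructed sample in the shape of `lsof -i -P -n` and `lsof -p <pid>` output.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1 root    8u  IPv6 0x0a1b2c3d4e5f6071      0t0  TCP *:22 (LISTEN)
BlackHole  4242 alice   6u  IPv4 0x0a1b2c3d4e5f6072      0t0  TCP *:7777 (LISTEN)
BlackHole  4242 alice   7u  IPv4 0x0a1b2c3d4e5f6073      0t0  TCP *:7782 (LISTEN)
BlackHole  4242 alice  txt   REG                1,4  1998848 1234 /Users/alice/Downloads/BlackHole RAT Server.app/Contents/MacOS/BlackHole RAT Server
Safari      901 alice  12u  IPv4 0x0a1b2c3d4e5f6074      0t0  TCP 192.168.1.5:52144->93.184.216.34:443 (ESTABLISHED)
Terminal    877 alice  txt   REG                1,4    65536 5678 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
"""

# NAME column of a listening TCP socket, e.g. "*:7777 (LISTEN)" or "127.0.0.1:7777 (LISTEN)".
LISTEN_RE = re.compile(r"^\S*:(\d+) \(LISTEN\)$")


def parse_lsof(text):
    """Yield one dict per data row: command, pid, fd, type, node, name.

    NAME is the last column and may itself contain spaces (bundle paths usually
    do), so each row is split into at most 9 fields and the tail kept intact.
    """
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue                              # blank or truncated row
        yield {"command": parts[0], "pid": int(parts[1]), "fd": parts[3],
               "type": parts[4], "node": parts[7], "name": parts[8]}


def find_indicators(text, ports=BLACKHOLE_PORTS):
    """Return sorted (pid, command, reason) tuples for rows matching the indicators."""
    hits = set()
    for row in parse_lsof(text):
        if row["node"] == "TCP":
            m = LISTEN_RE.match(row["name"])
            if m and int(m.group(1)) in ports:
                hits.add((row["pid"], row["command"], "listening on tcp:%s" % m.group(1)))
        if "blackhole" in row["command"].lower():
            hits.add((row["pid"], row["command"], "process name contains 'BlackHole'"))
        if row["type"] == "REG" and "blackhole" in row["name"].lower():
            hits.add((row["pid"], row["command"], "open file handle to a 'BlackHole' path"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, command, reason in find_indicators(SAMPLE_LSOF):
        print("pid %d (%s): %s" % (pid, command, reason))
```

Against a live system, feed `find_indicators` the combined output of `lsof -i -P -n` and `lsof -p <pid>` for each candidate. A listening-port match on its own is weak evidence, since other software uses ports in this range; the process-name and file-path indicators are what make a hit worth acting on, and a hit on all three for one PID is the pattern described above.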


As this threat is still in its infancy (the samples seen so far even refer to themselves as "under development"), users are unlikely to encounter it in the wild, and the risk is therefore exceptionally low.

Examples of OSX/MusMinim-A include:

Example 1

File Information
Size: 1.9M
SHA-1: 19fecf7222a893fe21842b7e401c34413bd69360
MD5: ca671ada26dd5aedb487b9b2c826672c
CRC-32: 5ae47a27
File type: Unspecified binary - probably data
First seen: 2011-02-25

Example 2

File Information
Size: 2.1M
SHA-1: 5ab55f35d81e9c69c4f7fef1e8f9c7ab43ff25b7
MD5: 2bd19c94feee24ebcf94e94a2f88889c
CRC-32: 6b9b31a0
File type: Unspecified binary - probably data
First seen: 2011-02-25

Example 3

File Information
Size: 2.2M
SHA-1: 5c90b9db383d42d59794903fa45ded7d8791b9d2
MD5: beb357e4ab23637d07d3842efd5422a6
CRC-32: e48beb5d
File type: Unspecified binary - probably data
First seen: 2011-02-25

Further information

There is more information about OSX/MusMinim-A in the blog article "Mac OS X backdoor Trojan, now in beta?".
