EasyDoc malware adds Tor backdoor to Macs for botnet control
Smugness levels cut among Apple fanbois
Security firm Bitdefender has issued an alert about a malicious app that hands over control of Macs to criminals via Tor.
The software, called EasyDoc Converter.app, is supposed to be a file converter but doesn't do its advertised functions. Instead it drops complex malware onto the system that subverts the security of the system, allowing it to be used as part of a botnet or to spy on the owner.
"This type of malware is particularly dangerous as it's hard to detect and offers the attacker full control of the compromised system," said Tiberius Axinte, Technical Leader, Bitdefender Antimalware Lab.
"For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless."
The malware, dubbed Backdoor.MAC.Eleanor, sets up a hidden Tor service and PHP-capable web server on the infected computer, generating a .onion domain that the attacker can use to connect to the Mac and control it. Once installed, the malware grants full access to the file system and can run scripts given to it by its masters.
Eleanor's controllers also use the open-source tool wacaw to take control of the infected computer's camera. That would allow them not only to spy on the victim, but also to take photographs of them, opening up the possibility of blackmail.
The addresses the malware uses to communicate with its controllers are stored on a Pastebin account. Unfortunately, these details are encrypted using RSA.
Mac malware isn't that common, although it's a good idea to use security tools – such as the freely available BlockBlock – to catch software nasties.
"[The malware] could be serious for users who ran the program, but of course the lesson (as always) is to be careful what you install on your computer," computer forensics expert Jonathan Zdziarski told The Register.
"Running BlockBlock supposedly would catch this as an attempt to install a persistent daemon, although there are other ways that backdoors could be added that BlockBlock would not catch." ®
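A defender-side triage check for the persistence mechanism the quote refers to, added here as an example (it is not Bitdefender's, BlockBlock's or The Register's code): it parses launchd job plists and flags any that auto-start a tor or php binary, the two components the article attributes to the backdoor. The launchd directories and plist keys are real macOS ones; the sample plists and the paths in them are constructed, and treating tor/php as the binaries to watch is an assumption drawn from the article's description.

```python
"""Flag launchd persistence entries that auto-start Tor or PHP (defender triage)."""
import plistlib
from pathlib import Path
from typing import List, Optional

# Assumption from the article: the backdoor's components are a Tor hidden
# service and a PHP-capable web server, so these are the binaries to watch.
SUSPECT_BINARIES = {"tor", "php"}

# Real launchd locations; scan_dirs() walks them when run on a Mac.
LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def classify_plist(data: bytes) -> Optional[dict]:
    """Return a finding if the job auto-starts a suspect binary, else None."""
    try:
        job = plistlib.loads(data)
    except Exception:  # not a parseable plist, so not a launchd job we can assess
        return None
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    if not isinstance(args, list) or not args:
        return None
    binary = Path(str(args[0])).name.lower()
    # RunAtLoad or KeepAlive (bool or dict) means launchd starts it without the user.
    autostart = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    if binary in SUSPECT_BINARIES and autostart:
        return {"label": job.get("Label", "?"), "binary": binary, "args": args}
    return None


def scan_dirs(dirs=LAUNCH_DIRS) -> List[dict]:
    """Scan launchd job directories and collect findings with their file paths."""
    findings = []
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            hit = classify_plist(p.read_bytes())
            if hit:
                findings.append(dict(hit, path=str(p)))
    return findings


# Constructed samples: a benign agent and one mimicking a hidden-service launcher.
BENIGN = plistlib.dumps({"Label": "com.example.sync",
                         "ProgramArguments": ["/usr/bin/rsync", "-a"], "RunAtLoad": True})
SUSPECT = plistlib.dumps({"Label": "com.example.updater",
                          "ProgramArguments": ["/Users/Shared/.bin/tor", "-f", "torrc"],
                          "KeepAlive": True})

if __name__ == "__main__":
    print("benign:", classify_plist(BENIGN), "\nsuspect:", classify_plist(SUSPECT))
    for finding in scan_dirs():
        print("LIVE:", finding)
```

As the quote notes, a launchd job is only one persistence route; this check says nothing about backdoors installed by other means.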