Trend Micro Advanced Threats Researcher Ivan Macalintal reports of a new malware affecting Mac OS. Detected as OSX_LAMZEV.A, this malicious file could allow hackers to take control of an infected system.
Mac users may be infected when they access remote websites hosting this backdoor. The backdoor may also be disguised as a legitimate application and may be installed and executed on systems.
When executed, OSX_LAMZEV.A prompts users to select an application and a port above 1024. These are Internet Assigned Numbers Authority (IANA) registered ports and are used by vendors for proprietary applications.
The backdoor creates the file /tmp/com.apple.DockSettings and copies this file in the location ~/Library/LaunchAgents. This file is then deleted once it has been loaded to allow this backdoor to execute everytime the system starts up. The application selected by the infected user is copied by this backdoor to a certain location too. It then creates another backdoor component that executes whenever the said Mac application is executed.
These malware routines compromise security, as remote malicious users may gain access to an affected system. OSX_LAMZEV.A also has autostart features, so turning one’s infected Mac on automatically runs the backdoor.
Interestingly in November last year, another notable Mac malware hit users. Detected by Trend Micro as OSX_DNSCHAN.A, this older Trojan dropped malicious script files and came in two versions, one for Windows and another for Mac, depending on the Web browser and operating system used to download it.
There are not many but their number keeps growing. Other Mac threats are documented in the following blog entries:
The Trend Micro Smart Protection Network already detects OSX_LAMZEV.A and provides solutions for its cleanup and removal.