
HellRaiser

A new variant of HellRaiser is out. It is being called OSX/HellRTS.D, and to get infected you would have to run its server daemon yourself (shown below).

HellRaiser is a REALbasic-based trojan horse that hands control of a Mac OS X system to an attacker. Once the server is running, the attacker can search the file system and transfer files, view the clipboard, send audio, send chats, view the screen, show pictures, view Spotlight indexes, control Mail and reboot the machine (see the tabs below).

A number of products detect the OSX/HellRTS.D trojan horse with the latest definition updates, including the following (each links to that vendor's HellRaiser entry):

HellRaiser is not widely distributed, so most users are at fairly low risk of infection. Still, be wary of files you get from untrusted sources (especially the ones called HEYI’MATROJANPLEASEDOWNLOADME on BitTorrent ;) and run some form of anti-virus on your systems. It is easy to take the HellRaiser application, customize it to your liking and distribute it (let’s just say as part of a bundle of iChat smileys or a fake iLife download).

If you do find yourself infected (again, a low risk) and don’t have any anti-virus, just kill the launchd item that is invoking it. But first do me a favor: enable ipfw, turn on ipfw logging for the port it connects over (24745 by default), and then let me know the remote address…

If you’re not sure whether you’ve been infected, look for a running application with a broken File menu (I guess it’s hard to program menus… not) and greyed-out preferences. The Quit menu item would have to be recompiled to read anything else, so you might even see Quit HellRaiser followed by the version number.
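The ipfw logging, address extraction and launchd cleanup described above, as an added shell example that is not part of the original post. It assumes a Mac OS X release that still ships ipfw (it was removed in OS X 10.10), that syslog writes the ipfw messages to /var/log/ipfw.log (10.5 and 10.6) or system.log (older releases), and that the sample is still using the 24745 default port; the log lines embedded in the script are constructed, not captured from a real infection, and the `HellRaiser` search pattern is only a default, since a repackaged copy could be renamed.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes Mac OS X with ipfw
# (removed in OS X 10.10) and the HellRaiser default port of 24745.
PORT="${HELLRAISER_PORT:-24745}"

# Turn on ipfw with rule logging and add two "allow log" rules so that every
# TCP packet to or from the port is logged (via syslog to /var/log/ipfw.log on
# 10.5/10.6, system.log on older releases). Must be run as root.
enable_ipfw_logging() {
    sysctl -w net.inet.ip.fw.enable=1
    sysctl -w net.inet.ip.fw.verbose=1
    ipfw add 100 allow log logamount 1000 tcp from any to any dst-port "$PORT"
    ipfw add 110 allow log logamount 1000 tcp from any to any src-port "$PORT"
    ipfw -a list        # show the rules together with their packet counters
}

# Read ipfw log text on stdin and print, once each, the addresses at the far
# end of every logged packet on the port. A log line looks like:
#   <date> <host> ipfw[43]: 100 Accept TCP 203.0.113.7:51622 10.0.1.5:24745 in via en0
# so find the protocol field, take the two host:port fields after it, and
# print whichever end is NOT on the port.
remote_addrs_from_log() {
    awk -v port="$PORT" '
        /ipfw/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "TCP" || $i == "UDP") { src = $(i + 1); dst = $(i + 2); break }
            }
            if (i > NF) next                       # no protocol field: not a rule log line
            if (dst ~ (":" port "$")) print src    # inbound: client connected to us
            else if (src ~ (":" port "$")) print dst  # outbound reply: print the peer
        }' | sed 's/:[0-9]*$//' | sort -u
}

# Constructed sample log (documentation addresses only): two different clients
# reach the server port, plus an unrelated HTTP connection that must be ignored.
SAMPLE_IPFW_LOG='Mar 14 21:03:11 macbook ipfw[43]: 100 Accept TCP 203.0.113.7:51622 10.0.1.5:24745 in via en0
Mar 14 21:03:11 macbook ipfw[43]: 110 Accept TCP 10.0.1.5:24745 203.0.113.7:51622 out via en0
Mar 14 21:05:40 macbook ipfw[43]: 100 Accept TCP 198.51.100.9:40312 10.0.1.5:24745 in via en0
Mar 14 21:06:02 macbook ipfw[43]: 65535 Accept TCP 10.0.1.5:49200 93.184.216.34:80 out via en0'

# List loaded launchd jobs and the plists in the usual launchd directories
# that mention the pattern (default "HellRaiser"; a repackaged copy may have
# been renamed, so pass whatever name the odd application is running under).
find_launchd_items() {
    pattern="${1:-HellRaiser}"
    launchctl list | grep -i "$pattern" || true
    grep -il "$pattern" ~/Library/LaunchAgents/*.plist \
        /Library/LaunchAgents/*.plist /Library/LaunchDaemons/*.plist 2>/dev/null || true
}

# Unload a launchd plist permanently (-w writes the Disabled key) so the job
# does not come back at next login, then the process can be killed.
unload_launchd_item() {
    launchctl unload -w "$1"
}
```

Typical order of use: `sudo sh -c '. ./hellraiser.sh; enable_ipfw_logging'`, let the machine sit until the attacker connects, then `remote_addrs_from_log < /var/log/ipfw.log` to get the address, and only then `find_launchd_items` and `unload_launchd_item` on the plist it turns up. The rules are "allow log" rather than "deny" on purpose: blocking the port would stop the connection you are trying to observe.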

Overall, this isn’t nearly as dangerous as having an SSH server or a client/server remote screen-sharing tool running on your machine without your knowledge. What is dangerous is that a GUI toolkit for this kind of thing has been floating around for Mac OS X since 2004, and that a small 0-day (they happen all the time, on every platform) could turn it into a mass infection fairly easily…