Backdoor:MacOS_X/Olyx.A


Backdoor:MacOS_X/Olyx.A is a backdoor trojan that allows remote unauthorized access and control of an affected computer. The backdoor has been distributed in a Mach-O (i386) binary format, which specifically affects Mac OS X users.



What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product.

Threat behavior

Installation

Backdoor:MacOS_X/Olyx.A does not require root or administrator privileges in order to install.

When executed, the backdoor trojan copies itself to the temporary folder as follows:

/tmp/google.tmp

It installs the backdoor component "startp" by creating a folder named "google" in the Application support directory:

/Library/Application Support/google/startp

It then executes this file, which runs in the background.

To ensure the backdoor automatically launches on the victim's computer, it installs a 'Launchd' property list file in the LaunchAgents directory as follows:

/Library/LaunchAgents/www.google.com.tstart.plist

This file specifies that the backdoor runs only once when the user logs in. This applies to all accounts on the system.

Payload

Allows backdoor access and control

Backdoor:MacOS_X/Olyx.A initiates a remote connection request to IP address 121.254.173.57, where it continues to make attempts every 5 seconds until established.

Once connected, the backdoor sends the machine name and IP address as login information for the backdoor.

Using this backdoor, a remote attacker may perform the following actions:

  • Create folder
  • Delete directory
  • Download file/s
  • Open file
  • Rename file
  • Search directory
  • Gather information such as logical drives and a list of files on the system; it may also gather file information such as file size, attributes and directory location
  • Send or upload files to a remote server
  • Open a bash shell, which allows the remote attacker to execute remote commands

Additional information

The data packet sent uses the LZO compression algorithm.

Analysis by Methusela Cebrian Ferrer


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    /Library/Application Support/google/startp
    /tmp/google.tmp
    /Library/LaunchAgents/www.google.com.tstart.plist
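The following shell script is an added host-triage example and is not part of this entry: it checks a volume root for the three files listed above, looks for any launch agent plist that references the startp program path, and on a live host looks for connections to the address named under Payload. Scanning the per-user LaunchAgents directories and the renamed-plist case are assumptions of this example, not behaviour the entry describes.

```sh
#!/bin/sh
# Triage helper for the Olyx.A artefacts listed in this entry.
# ROOT defaults to "/" for a live Mac, but may point at a mounted evidence
# image or a constructed test tree instead.

# Print each entry-listed file present under ROOT, one path per line.
olyx_list_hits() {
    root="${1:-/}"
    for rel in \
        "Library/Application Support/google/startp" \
        "tmp/google.tmp" \
        "Library/LaunchAgents/www.google.com.tstart.plist"
    do
        [ -e "$root/$rel" ] && printf '%s\n' "$root/$rel"
    done
    return 0
}

# Number of entry-listed files present under ROOT (0 when clean).
olyx_hit_count() {
    olyx_list_hits "$1" | grep -c '' || true
}

# Launch agent plists under ROOT whose contents reference the startp path.
# Assumption of this example: the persistence plist may have been renamed
# or dropped in a per-user LaunchAgents directory, so match on content
# rather than on the file name alone.
olyx_launchagent_refs() {
    root="${1:-/}"
    grep -ls 'google/startp' \
        "$root"/Library/LaunchAgents/*.plist \
        "$root"/Users/*/Library/LaunchAgents/*.plist 2>/dev/null || true
}

# Live host only: sockets to the remote address given in this entry.
# The backdoor retries every 5 seconds, so a pending SYN may also appear.
olyx_net_check() {
    netstat -an 2>/dev/null | grep -F '121.254.173.57' || true
}

# Usage on a live system:
#   . ./olyx_check.sh
#   olyx_list_hits /; olyx_launchagent_refs /; olyx_net_check
```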



Prevention


Alert level: Severe
First detected by definition: 1.107.998.0
Latest detected by definition: 1.107.998.0 and higher
First detected on: Jul 04, 2011
This entry was first published on: Jul 04, 2011
This entry was updated on: Jul 18, 2011

This threat is also detected as:
No known aliases