Backdoor:MacOS_X/Olyx.B is a backdoor trojan that allows an unauthorized user to access and control your computer. It affects computers using the Mac OS X operating system.
Installation
Backdoor:MacOS_X/Olyx.B may copy itself as the following files:
- ~/Applications/Automator.app/Contents/MacOS/DockLight
- ~/Library/Audio/Plug-Ins/AudioServer
To make sure it automatically runs, it installs a "Launchd" property list file in the "LaunchAgents" folder as follows:
- ~/Library/LaunchAgents/com.apple.DockActions.plist
This property list file has the label "com.apple.docserver", and is defined to run at least once when you log in.
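A triage check for the persistence artifacts just described, added here as an example (it is not part of the original entry and not Microsoft's own tooling): it parses every launchd plist in a LaunchAgents folder with Python's standard plistlib and reports any whose file name, Label or program path matches the indicators listed above. The plists it scans are constructed in a temporary folder for the demo; on a real Mac you would point scan_launch_agents at ~/Library/LaunchAgents.

```python
import os
import plistlib
import tempfile

# Indicators as listed in this entry: launchd label, plist name, dropped-file paths.
OLYX_LABEL = "com.apple.docserver"
OLYX_PLIST_NAME = "com.apple.DockActions.plist"
OLYX_PATH_SUFFIXES = ("Applications/Automator.app/Contents/MacOS/DockLight",
                      "Library/Audio/Plug-Ins/AudioServer")

def inspect_plist(path):
    """Return the reasons one launchd plist matches the Olyx.B indicators ([] if none)."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # malformed plist: report it instead of aborting the scan
        return [f"unparseable plist: {exc}"]
    reasons = []
    if os.path.basename(path) == OLYX_PLIST_NAME:
        reasons.append("file name matches the Olyx.B LaunchAgent")
    if str(data.get("Label", "")) == OLYX_LABEL:
        reasons.append("Label matches the Olyx.B launchd label")
    args = data.get("ProgramArguments") or []  # launchd runs Program, else ProgramArguments[0]
    prog = str(data.get("Program") or (args[0] if isinstance(args, list) and args else ""))
    if prog.endswith(OLYX_PATH_SUFFIXES):
        reasons.append(f"program path {prog!r} is a known Olyx.B drop location")
    return reasons

def scan_launch_agents(directory):
    """Scan every .plist in a LaunchAgents folder; return {path: reasons} for hits only."""
    hits = {}
    if os.path.isdir(directory):
        for name in sorted(os.listdir(directory)):
            full = os.path.join(directory, name)
            reasons = inspect_plist(full) if name.endswith(".plist") else []
            if reasons:
                hits[full] = reasons
    return hits

def demo():
    """Constructed sample folder: one benign agent and one mimicking the entry above."""
    tmp = tempfile.mkdtemp()
    jobs = {"com.example.updater.plist": {"Label": "com.example.updater",
                                          "ProgramArguments": ["/usr/bin/true"]},
            OLYX_PLIST_NAME: {"Label": OLYX_LABEL, "RunAtLoad": True, "ProgramArguments":
                              [os.path.expanduser("~/Library/Audio/Plug-Ins/AudioServer")]}}
    for name, job in jobs.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            plistlib.dump(job, fh)
    return scan_launch_agents(tmp)  # only the constructed Olyx.B-style plist is reported
```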
Distributed via...
Malicious Word documents
Backdoor:MacOS_X/Olyx.B is embedded in a specially-crafted Microsoft Word for Mac document that exploits a vulnerability. The vulnerability was resolved with the release of Microsoft Security Bulletin MS09-027. The malicious Word document is detected as Exploit:MacOS_X/MS09-027.A.
Java applets
Backdoor:MacOS_X/Olyx.B has also been observed being dropped by other malware that exploits Java vulnerabilities, such as the following:
Payload
Allows backdoor access and control
Backdoor:MacOS_X/Olyx.B connects to any of the following servers to allow an unauthorized user access to your computer:
- 2012.slyip.net
- avira.suroot.com
- dns.assyra.com
- mail.hiserviceusa.com
Once connected, Backdoor:MacOS_X/Olyx.B creates a pseudo-terminal. It checks for the name "tty" and may set an environment variable to "HILLSET=F" or "TME=R".
It also performs the following actions:
- Searches the computer's files and folders
- Gathers information about the computer and sends it to the server
- Sends or uploads files to the server
- Opens a bash shell, which allows the unauthorized user to execute commands
Additional resources
More information about this threat is available in the MMPC blog post "Backdoor Olyx - is it malware on a mission for Mac?".
Analysis by Methusela Cebrian Ferrer