Backdoor:MacOS_X/Olyx.A is a backdoor trojan that allows remote unauthorized access and control of an affected computer. The backdoor has been distributed in a Mach-O (i386) binary format, which specifically affects Mac OS X users.
Installation
Backdoor:MacOS_X/Olyx.A does not require root or administrator privileges in order to install.
When executed, the backdoor trojan copies itself to the temporary folder as follows:
/tmp/google.tmp
It installs the backdoor component "startp" by creating a folder named "google" in the Application support directory:
/Library/Application Support/google/startp
It then executes this file, which runs in the background.
To ensure the backdoor automatically launches on the victim's computer, it installs a 'Launchd' property list file in the LaunchAgents directory as follows:
/Library/LaunchAgents/www.google.com.tstart.plist
This file specifies that the backdoor runs only once when the user logs in. This applies to all accounts on the system.
Payload
Allows backdoor access and control
Backdoor:MacOS_X/Olyx.A initiates a remote connection request to IP address 121.254.173.57, retrying every 5 seconds until a connection is established.
Once connected, the backdoor sends the machine name and IP address as login information for the backdoor.
Using this backdoor, a remote attacker may perform the following actions:
- Create folder
- Delete directory
- Download file/s
- Open file
- Rename file
- Search directory
- Gather information such as logical drive and a list of files on the system. It may also gather file information such as file size, attributes and directory location
- Send or upload files to remote server
- Open a bash shell, which allows the remote attacker to execute remote commands
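The persistence paths and the beacon address above can be checked on a host or a mounted disk image with a short triage script. The following is an added example, not part of the original write-up or the analyst's tooling; the root-prefix argument is an assumption of this example (pass "" for the live system), and the artifact paths and address are the ones listed in this description.

```shell
#!/bin/sh
# Added triage helper, not code from the original write-up. It looks for the
# on-disk artifacts and the remote address described for Backdoor:MacOS_X/Olyx.A.
# The root prefix argument is an assumption of this example: pass "" to check
# the live system, or the mount point of a disk image being examined.

OLYX_C2="121.254.173.57"

# Artifact paths taken from the description above.
OLYX_PATHS='/tmp/google.tmp
/Library/Application Support/google/startp
/Library/LaunchAgents/www.google.com.tstart.plist'

# Print each Olyx artifact path that exists under the root prefix $1.
# Always returns 0; callers test whether any output was produced.
olyx_find_artifacts() {
    root="$1"
    printf '%s\n' "$OLYX_PATHS" | while IFS= read -r p; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Filter a connection listing (e.g. the output of `netstat -an`) read from
# stdin, printing lines that reference the beacon address. Exit status is
# grep's: 0 when at least one line matched, 1 when none did.
olyx_find_c2() {
    grep -F "$OLYX_C2"
}

# Combined on-disk check: return 0 when any artifact exists under root
# prefix $1, otherwise 1. Usage: olyx_triage "" && echo "Olyx artifacts present"
olyx_triage() {
    [ -n "$(olyx_find_artifacts "$1")" ]
}
```

Pipe `netstat -an` into olyx_find_c2 to check for an active or pending beacon; the LaunchAgent plist should also be removed, not just the startp binary, or the loader will be re-run at the next login.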
Additional information
The data packet sent uses the LZO compression algorithm.
Analysis by Methusela Cebrian Ferrer