
An Introduction to DevilRobber Trojan

Date post: 24-Feb-2016
Upload: sybil
Description:
An Introduction to DevilRobber Trojan. Ruomu Guo, CPSC 620 Presentation. What is DevilRobber Trojan. 1: Transmission: BitTorrent seed. 2: Function: access the user's computer, steal the user's private information, generate Bitcoin virtual currency. - PowerPoint PPT Presentation
Transcript


An Introduction to DevilRobber Trojan
Ruomu Guo
CPSC 620 Presentation

What is DevilRobber Trojan
1: Transmission: BitTorrent seed
2: Function: access the user's computer; steal the user's private information; generate Bitcoin virtual currency

The Principle of Trojan
A Trojan application consists of two parts:
1: Server Part (Server)
2: Controller Part (Client)

Interaction
Opens the client's ports to send data back to the specified server.
Hackers could take advantage of such ports to enter OS X.

The Principle of Trojan
Operation: Trojan horse programs cannot operate automatically. They are embedded in documents or files that users may be interested in.
Trigger: The user must open the infected file or run the infected application.

Categories
Universal vs. Transitive

Analysis of DevilRobber Trojan
Operating System Platform: Mac OS X (based on UNIX); Mac OS X applications such as the GraphicConverter software
Function: steal the user's sensitive information and private data; control the GPU to generate Bitcoin virtual currency automatically; monitor the computer's activities

Analysis of DevilRobber Trojan
Copy TrueCrypt and its relevant data
Copy Safari browsing history
Copy the user's Bash_history to dump.txt
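
A defender can turn the collection behaviour listed on this slide into a detection rule. The following is an added example, not part of the original presentation: it scans file-access events and flags any single process that reads several of the data stores named above, or reads one and writes a dump.txt. The event format, the sample events and the concrete path patterns are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Read targets named on the slide; the concrete path patterns are assumptions.
SENSITIVE_READS = {
    "shell_history": re.compile(r"/\.bash_history$"),
    "safari_history": re.compile(r"/Library/Safari/History"),
    "truecrypt": re.compile(r"truecrypt", re.IGNORECASE),
}
STAGING_WRITE = re.compile(r"/dump\.txt$")  # output file named on the slide

# Constructed events, one per line: "<pid> <process> <op> <path>".
SAMPLE_EVENTS = """\
411 Safari read /Users/alice/Library/Safari/History.plist
802 helper read /Users/alice/.bash_history
802 helper write /Users/alice/Library/example/dump.txt
802 helper read /Users/alice/Library/Safari/History.plist
802 helper read /Users/alice/Library/Application Support/TrueCrypt/Configuration.xml
915 bash write /Users/alice/.bash_history
"""

def find_collectors(events_text, min_categories=2):
    """Return {pid: summary} for processes that behave like a data collector."""
    seen = defaultdict(lambda: {"process": None, "categories": set(), "staged": False})
    for line in events_text.splitlines():
        parts = line.split(maxsplit=3)  # the path may contain spaces
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        pid, process, op, path = int(parts[0]), parts[1], parts[2], parts[3]
        entry = seen[pid]
        entry["process"] = process
        if op == "read":
            for name, pattern in SENSITIVE_READS.items():
                if pattern.search(path):
                    entry["categories"].add(name)
        elif op == "write" and STAGING_WRITE.search(path):
            entry["staged"] = True
    flagged = {}
    for pid, entry in seen.items():
        cats = sorted(entry["categories"])
        # One kind of sensitive read is normal (Safari reads its own history);
        # several kinds in one process, or one kind plus a dump.txt write, is not.
        if len(cats) >= min_categories or (cats and entry["staged"]):
            flagged[pid] = {"process": entry["process"], "categories": cats,
                            "staged": entry["staged"]}
    return flagged

if __name__ == "__main__":
    for pid, info in find_collectors(SAMPLE_EVENTS).items():
        print(pid, info)
```

Correlating per process keeps Safari reading its own history and the shell writing its own history file out of the results.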

Analysis of DevilRobber Trojan
Unusual Features
Takes advantage of the GPU to automatically generate Bitcoins.
Bitcoins can also be exchanged for real currency.
One Bitcoin is equivalent to about $3.00.

New Version of DevilRobber Trojan
Dispersal
Old Version: disguised as a popular image editing program such as Pixelmator
New Version: disguised as download tools, and contacts some FTP server

New Version of DevilRobber Trojan
Circumvention
Does not try to capture a screenshot to send back to the remote server
No longer checks for the Little Snitch firewall

Confuse User
Little Snitch users can authorize the Trojan to communicate with an external server without their knowledge.

How to Avoid DevilRobber Infection
Check the source of downloaded files
Trust in the source of the download

Various Types of DevilRobber Trojan
Disguised as a PDF file
Disguised as an Adobe Flash update installation

Vulnerability Fixed and Solution
Enhance Mac OS X Security: Apple has released an update package for users to download
Virus Feature Definition: XProtect.plist


Lecture End
Thanks

