{"id":10727,"date":"2013-02-18T11:41:34","date_gmt":"2013-02-18T19:41:34","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=10727"},"modified":"2016-10-06T11:49:09","modified_gmt":"2016-10-06T18:49:09","slug":"pint-sized-backdoor-for-os-x-discovered","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/","title":{"rendered":"Pint-Sized Backdoor for OS X Discovered"},"content":{"rendered":"<p><strong>Updated February 19, 2013 to include more information<\/strong><\/p>\n<p>_____<\/p>\n<p>A new backdoor which affects OS X\u00a0has been announced to an AV industry mailing list. Details are fairly limited right now, and the components we have indicate a fairly small, simplistic but efficient threat. It&#8217;s believed that this was a targeted attack, perhaps dropped by an exploit. At the time of writing, all of the network components have been sinkholed, so it is unable to receive commands.<\/p>\n<p>From what we&#8217;ve seen, this threat likely starts with an exploit that gets it past Gatekeeper. Once on a system, it sets up a reverse shell: the infected machine periodically connects out to the controller, and the controller issues commands back over that connection. Because the attackers have targeted this specific machine, they do not need it to announce itself; and because the connection is initiated from inside the network, it looks like ordinary outbound traffic, which helps it get past firewalls that block inbound connections. This part of the threat consists of clear-text Perl scripts, which are fairly easy to spot if someone knows what to look for.<\/p>\n<p>That is where the second part of this threat comes in. The binary component is a modified build of an existing tool, OpenSSH 6.0p1, used to wrap the reverse-shell traffic in an encrypted connection so that it is much better hidden. The binary is further disguised by naming it &#8220;cupsd&#8221; (the name of the OS X printing daemon) and placing it in a directory normally used for printing, so that anyone reviewing the list of processes contacting the network sees what looks like the machine simply printing to a networked printer. This build has also been modified so that it keeps no log of its command history.<\/p>\n<p>The sample carries an RSA private key, shown below, which the modified SSH client uses to authenticate to the command and control server; the traffic itself is protected by the SSH session&#8217;s encryption.<\/p>\n<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-10751\" title=\"RSAprivkey\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2013\/02\/RSAprivkey.png\" alt=\"RSA private key embedded in the Pintsized sample\" width=\"600\" height=\"347\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2013\/02\/RSAprivkey.png 600w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2013\/02\/RSAprivkey-150x86.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2013\/02\/RSAprivkey-300x173.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>The filenames as they were reported are:<\/p>\n<ul>\n<li>com.apple.cocoa.plist<\/li>\n<li>cupsd (Mach-O binary)<\/li>\n<li>com.apple.cupsd.plist<\/li>\n<li>com.apple.cups.plist<\/li>\n<li>com.apple.env.plist<\/li>\n<\/ul>\n<p>One of the (sinkholed) network addresses that the threat contacts is &#8220;corp-aapl.com.&#8221; It has been suggested that this is a misspelling of Apple; in fact, AAPL is Apple&#8217;s <a href=\"http:\/\/www.google.com\/finance?q=AAPL\">stock ticker symbol<\/a>.<\/p>\n<p><a href=\"https:\/\/www.intego.com\/virusbarrier\">Intego VirusBarrier<\/a> users with up-to-date virus definitions will detect the backdoor as OSX\/Pintsized.A. At the time of writing, XProtect does not protect against this threat.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Updated February 19, 2013 to include more information _____ A new backdoor which affects OS X\u00a0has been announced to an AV industry mailing list. 
Details are fairly limited right now, and the components we have indicate a fairly small, simplistic but efficient threat. It&#8217;s believed that this was a targeted attack, perhaps dropped by an [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":8763,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,5],"tags":[30,86,168,2785],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"Updated February 19, 2013 to include more information _____ A new backdoor which affects OS X\u00a0has been announced to an AV industry mailing list. Details\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Pint-Sized Backdoor for OS X Discovered - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"Updated February 19, 2013 to include more information _____ A new backdoor which affects OS X\u00a0has been announced to an AV industry mailing list. 
Details\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2013-02-18T19:41:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-10-06T18:49:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert-intego.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Lysa Myers\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac 
Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert-intego.jpg\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert-intego.jpg\",\"width\":\"400\",\"height\":\"260\",\"caption\":\"Malware Alert from Intego\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/\",\"name\":\"Pint-Sized Backdoor for OS X Discovered - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#primaryimage\"},\"datePublished\":\"2013-02-18T19:41:34+00:00\",\"dateModified\":\"2016-10-06T18:49:09+00:00\",\"description\":\"Updated February 19, 2013 to include more information _____ A new backdoor which affects OS X\\u00a0has been announced to an AV industry mailing list. 
Details\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Pint-Sized Backdoor for OS X Discovered\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/12b11624d5a648c576d8dce6f93b230a\"},\"headline\":\"Pint-Sized Backdoor for OS X Discovered\",\"datePublished\":\"2013-02-18T19:41:34+00:00\",\"dateModified\":\"2016-10-06T18:49:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#webpage\"},\"wordCount\":389,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert-intego.jpg\",\"keywords\":[\"Backdoor\",\"Malware\",\"OS X\",\"Pint-Sized\"],\"articleSection\":[\"Malware\",\"Security 
News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/12b11624d5a648c576d8dce6f93b230a\",\"name\":\"Lysa Myers\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/783af524dca7753ceb3cd9a576398a0e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/783af524dca7753ceb3cd9a576398a0e?s=96&d=mm&r=g\",\"caption\":\"Lysa Myers\"},\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/lysam\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"Updated February 19, 2013 to include more information _____ A new backdoor which affects OS X\u00a0has been announced to an AV industry mailing list. Details","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/","og_locale":"en_US","og_type":"article","og_title":"Pint-Sized Backdoor for OS X Discovered - The Mac Security Blog","og_description":"Updated February 19, 2013 to include more information _____ A new backdoor which affects OS X\u00a0has been announced to an AV industry mailing list. 
Details","og_url":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/","og_site_name":"The Mac Security Blog","article_published_time":"2013-02-18T19:41:34+00:00","article_modified_time":"2016-10-06T18:49:09+00:00","og_image":[{"width":"400","height":"260","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert-intego.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"Lysa Myers","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert-intego.jpg","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert-intego.jpg","width":"400","height":"260","caption":"Malware Alert from Intego"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/","name":"Pint-Sized Backdoor for OS X Discovered - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#primaryimage"},"datePublished":"2013-02-18T19:41:34+00:00","dateModified":"2016-10-06T18:49:09+00:00","description":"Updated February 19, 2013 to include more information _____ A new backdoor which affects OS X\u00a0has been announced to an AV industry mailing list. 
Details","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"Pint-Sized Backdoor for OS X Discovered"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/12b11624d5a648c576d8dce6f93b230a"},"headline":"Pint-Sized Backdoor for OS X Discovered","datePublished":"2013-02-18T19:41:34+00:00","dateModified":"2016-10-06T18:49:09+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#webpage"},"wordCount":389,"commentCount":2,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert-intego.jpg","keywords":["Backdoor","Malware","OS X","Pint-Sized"],"articleSection":["Malware","Security 
News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/pint-sized-backdoor-for-os-x-discovered\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/12b11624d5a648c576d8dce6f93b230a","name":"Lysa Myers","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/783af524dca7753ceb3cd9a576398a0e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/783af524dca7753ceb3cd9a576398a0e?s=96&d=mm&r=g","caption":"Lysa Myers"},"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/lysam\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert-intego.jpg","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-2N1","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/10727"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=10727"}],"version-history":[{"count":22,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/10727\/revisions"}],"predecessor-version":[{"id":13155,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/10727\/revisions\/13155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/8763"}],"wp:attachment":[{"href":"https:\/\/ori
gin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=10727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=10727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=10727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
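The launch item filenames listed in the post (com.apple.cocoa.plist, com.apple.cupsd.plist, com.apple.cups.plist, com.apple.env.plist) and the "cupsd" masquerade are the persistence indicators a responder would check first. The following triage script is an added example, not code from Intego or from the post: it parses launchd plists from a directory, flags the reported filenames, flags any "cupsd" whose path is not the genuine /usr/sbin/cupsd, and flags launch items that run Perl (the post says the reverse-shell component is clear-text Perl). The sample plists it builds are constructed for the example, and the paths under the victim's home directory are hypothetical placeholders, not the locations the real sample used.

```python
import os
import plistlib
import tempfile

# Launch item filenames reported for OSX/Pintsized in the post above.
PINTSIZED_PLIST_NAMES = {
    "com.apple.cocoa.plist",
    "com.apple.cupsd.plist",
    "com.apple.cups.plist",
    "com.apple.env.plist",
}
# The genuine CUPS scheduler on OS X; any other "cupsd" path is a masquerade.
LEGIT_CUPSD = "/usr/sbin/cupsd"


def triage_plist(path):
    """Return a list of findings for one launchd plist; empty means nothing odd."""
    findings = []
    name = os.path.basename(path)
    if name in PINTSIZED_PLIST_NAMES:
        findings.append("filename matches a reported Pintsized launch item")
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # a plist that will not parse deserves a look too
        findings.append("unparseable plist: %s" % exc)
        return findings
    argv = list(data.get("ProgramArguments") or [])
    program = data.get("Program") or (argv[0] if argv else "")
    if os.path.basename(program) == "cupsd" and program != LEGIT_CUPSD:
        findings.append("cupsd masquerade: %s is not %s" % (program, LEGIT_CUPSD))
    if os.path.basename(program) == "perl" or any(a.endswith(".pl") for a in argv):
        findings.append("launch item runs a Perl script: %s" % " ".join(argv or [program]))
    return findings


def triage_launch_dir(directory):
    """Map plist filename -> findings for every flagged plist in a directory."""
    flagged = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        findings = triage_plist(os.path.join(directory, name))
        if findings:
            flagged[name] = findings
    return flagged


def build_sample_dir():
    """Constructed sample launch items (not real malware files) for offline testing."""
    d = tempfile.mkdtemp(prefix="launchitems-")
    samples = {
        # Benign: the real CUPS scheduler as shipped in /System/Library/LaunchDaemons.
        "org.cups.cupsd.plist": {"Label": "org.cups.cupsd", "Program": LEGIT_CUPSD},
        # Benign third-party updater.
        "com.example.updater.plist": {"Label": "com.example.updater",
                                      "ProgramArguments": ["/usr/bin/true"]},
        # Suspicious: reported filename, and a "cupsd" living outside /usr/sbin
        # (the directory is a hypothetical placeholder chosen for the example).
        "com.apple.cupsd.plist": {"Label": "com.apple.cupsd",
                                  "ProgramArguments": ["/Users/alice/.printing/cupsd", "-f"],
                                  "RunAtLoad": True},
        # Suspicious: reported filename launching a Perl script (hypothetical path).
        "com.apple.env.plist": {"Label": "com.apple.env",
                                "ProgramArguments": ["/usr/bin/perl", "/Users/alice/.printing/env.pl"],
                                "KeepAlive": True},
    }
    for fname, content in samples.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return d


def run_example():
    """Triage the constructed directory and return only the flagged items."""
    return triage_launch_dir(build_sample_dir())


if __name__ == "__main__":
    for fname, findings in run_example().items():
        print(fname)
        for finding in findings:
            print("  -", finding)
```

On a real host, point triage_launch_dir at /Library/LaunchAgents, /Library/LaunchDaemons and each user's ~/Library/LaunchAgents. A match on the filename list is a strong indicator; the Perl rule is only a prompt to read the script, since legitimate launch items can run Perl too.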
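The post's point about the disguise is that a process named cupsd talking to the network looks like printing. The genuine CUPS scheduler runs as root and, when it does reach out, talks to printers on the IPP, LPD or JetDirect ports; a "cupsd" owned by an ordinary user holding an SSH session to an outside host is the modified OpenSSH client described above. The following is an added example, not code from Intego or the post, that parses `lsof -i -n -P` output and applies exactly those checks. The lsof lines it runs over are constructed for the example, and the addresses in them are documentation ranges, not the sinkholed infrastructure.

```python
import re

# Ports the genuine CUPS scheduler talks to on the network: IPP, LPD, HP JetDirect.
PRINTING_PORTS = {631, 515, 9100}
SSH_PORT = 22

# NAME column of `lsof -i -n -P` for a TCP connection: local->remote, each host:port.
CONN_RE = re.compile(r"^(?P<lhost>\S+):(?P<lport>\d+)->(?P<rhost>\S+):(?P<rport>\d+)$")


def parse_lsof(text):
    """Yield (command, pid, user, local, remote_host, remote_port) for ESTABLISHED TCP rows."""
    for line in text.splitlines():
        fields = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
        if len(fields) < 10 or fields[7] != "TCP" or fields[9] != "(ESTABLISHED)":
            continue
        m = CONN_RE.match(fields[8])
        if m is None:
            continue
        yield (fields[0], int(fields[1]), fields[2],
               "%s:%s" % (m.group("lhost"), m.group("lport")),
               m.group("rhost"), int(m.group("rport")))


def flag_cupsd_egress(lsof_text):
    """Return (pid, reason) findings for 'cupsd' processes behaving unlike a print scheduler."""
    findings = []
    for cmd, pid, user, local, rhost, rport in parse_lsof(lsof_text):
        if cmd != "cupsd":
            continue
        if user != "root":
            findings.append((pid, "cupsd running as %s; the system scheduler runs as root" % user))
        if rport == SSH_PORT:
            findings.append((pid, "cupsd holds an SSH session %s->%s:%d" % (local, rhost, rport)))
        elif rport not in PRINTING_PORTS:
            findings.append((pid, "cupsd connected to %s:%d, not a printing port" % (rhost, rport)))
    return findings


# Constructed sample in `lsof -i -n -P` layout (not captured from a real host).
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
cupsd     123  root    6u  IPv4 0x7f9a1c2b3d4e5f60      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     123  root    9u  IPv4 0x7f9a1c2b3d4e5f61      0t0  TCP 192.168.1.20:49152->192.168.1.50:9100 (ESTABLISHED)
cupsd    4242  alice   3u  IPv4 0x7f9a1c2b3d4e5f62      0t0  TCP 192.168.1.20:52344->203.0.113.5:22 (ESTABLISHED)
Safari    777  alice  12u  IPv4 0x7f9a1c2b3d4e5f63      0t0  TCP 192.168.1.20:52400->198.51.100.9:443 (ESTABLISHED)
"""


def run_example():
    """Apply the checks to the constructed sample and return the findings."""
    return flag_cupsd_egress(SAMPLE_LSOF)


if __name__ == "__main__":
    for pid, reason in run_example():
        print(pid, reason)
```

The legitimate cupsd (pid 123) printing to a JetDirect port is left alone; the user-owned cupsd (pid 4242) with an SSH session to an external host is reported twice, once for the owner and once for the destination port. Because the backdoor's SSH session is encrypted, the connection metadata, not its contents, is what gives it away.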