{"id":33103,"date":"2014-10-23T13:45:41","date_gmt":"2014-10-23T20:45:41","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=33103"},"modified":"2016-02-12T10:47:31","modified_gmt":"2016-02-12T18:47:31","slug":"ventir-trojan-intercepts-keystrokes-from-mac-os-x-computers","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/ventir-trojan-intercepts-keystrokes-from-mac-os-x-computers\/","title":{"rendered":"Ventir Trojan Intercepts Keystrokes from Mac OS X Computers"},"content":{"rendered":"

\"Ventir<\/a><\/p>\n

Intego has seen an eyebrow-raising upward trend in the number of malicious files discovered targeting Mac OS X in the past few years, and it has many security experts concerned. Virus hunters have unveiled yet another modular malware for Mac OS X, called the Ventir Trojan.<\/p>\n

Ventir uses a dropper program (e.g. Trojan horse) that can leave a backdoor, a keylogger and other malicious files behind on an infected Mac. These can be used for spying and stealing information from the victim\u2019s Mac.<\/p>\n

We currently do not know how the malware is distributed. Ventir is a Trojan horse, so it\u2019s likely being picked up when downloading pirated software from peer-to-peer websites, such as BitTorrent.<\/p>\n

The primary feature of Ventir is that it integrates a legitimate component for intercepting keystrokes that is freely available on code sharing websites.<\/p>\n

Infection Vector<\/h3>\n

The keystroke logger makes use of an open source software package freely available from GitHub, called LogKext. Given the recent scares about hacked accounts, the thought of software that watches what you type and sends it to the bad guys is particularly unnerving.<\/p>\n

LogKext has three files that function to intercept keystrokes (updated.kext<\/strong>), match the codes of the keys pressed by the victim to the characters associated with these codes (Keymap.plist<\/strong>), and log the keystrokes along with some system events (EventMonitor agent<\/strong>).<\/p>\n

Fortunately, LogKext hooks on to the OS X kernel only if the dropper is successful in obtaining elevated privilges to the victims Mac.<\/p>\n

It\u2019s also worth noting that some of the keylogger components (Keymap.plist and updated.kext) are previously detected by Intego VirusBarrier<\/a> as OSX\/logKext.E<\/strong> and OSX\/logKext.D<\/strong>.<\/p>\n

How it installs on Mac OS X computers<\/h3>\n

The Ventir Tojan is delivered through a dropper that, when launched, checks whether it has root access to the machine\u2014this is critical because that affects where the malware can install itself.<\/p>\n

The result of the check for root access determines how much Ventir can run and the path where the Trojan\u2019s files will be installed on the victims Mac.<\/p>\n

Where Ventir installs files<\/strong><\/p>\n

It\u2019s important to distinguish the two install directories: \/Library\/.local<\/strong> and ~\/Library\/.local<\/strong> (\u201c~\u201d stands for the path to the current user\u2019s home directory). The malware will install to the home\u00a0directory if the installer does not have root access.<\/p>\n

With root access<\/strong><\/p>\n

If it has root access, the Trojan\u2019s files will be installed in \/Library\/.local and \/Library\/LaunchDaemons. The Ventir malware downloads additional backdoor components if it has full privileges to the victims Mac.<\/p>\n

Without root access<\/strong><\/p>\n

If it does not have root access, the files will be installed in ~\/Library\/.local and ~\/Library\/LaunchAgents. The EventMonitor spying component is downloaded to the affected machine only if elevated privileges are not obtained.<\/p>\n

\u201cAll files of the Trojan to be downloaded to the victim machine are initially located in the \u2018__data\u2019 section of the dropper file,\u201d wrote<\/a> Mikhail Kuzin over at Securelist.<\/p>\n

\"Ventir

Image credit: Securelist<\/p><\/div>\n

After the dropper determines where the Trojan\u2019s files will be installed, it hides the following files on the infected machine:<\/p>\n

    \n
  1. Library\/.local\/updated \u2013 re-launches files update and EventMonitor in the event of unexpected termination.<\/li>\n
  2. Library\/.local\/reweb \u2013 used to re-launch the file updated.<\/li>\n
  3. Library\/.local\/update \u2013 the backdoor module.<\/li>\n
  4. Library\/.local\/libweb.db \u2013 the malicious program’s database file. Initially contains the Trojan’s global settings, such as the C&C address.<\/li>\n
  5. Library\/LaunchAgents (or LaunchDaemons)<\/em>\/com.updated.launchagent.plist \u2013 the properties file used to set the file Library\/.local\/updated to autorun using the launchd daemon.<\/li>\n
  6. Depending on whether root access is available:\n