A new Mac OS Trojan has been caught in the wild, and this time, instead of just stealing sensitive information from infected computers, it also surreptitiously steals processing power from the computer in order to mine bitcoins. Across the Bitcoin community, GPUs are commonly used for their calculation power to mine new coins, and many people join mining pools with their computers in order to earn some of the valuable virtual cryptocurrency for themselves.
The Trojan, dubbed DevilRobber, is named such because it packages a Java-based bitcoin miner named DiabloMiner. The malware has been found in the wild distributed with certain infected BitTorrent downloads including GraphicConverter version 7.4, an image editor for Mac OS X.
“This malware is complex, and performs many operations,” security researchers from Mac antivirus vendor Intego warned. “It is a combination of several types of malware: It is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers.”
According to the security blog Naked Security by Sophos, the underlying mechanism of the malware is extremely sophisticated. It takes screenshots of activity on the computer while keylogging in an attempt to steal passwords; it also seeks out information on what encrypted volumes the user might have (such as TrueCrypt); and it even pokes around the hard drive looking for financial information.
Add to that the inclusion of a Bitcoin miner.
The TrueCrypt volume scanning makes it obvious that the writers of this program expected some of the people they hit to be cryptography enthusiasts, and it’s true that many fans of the cryptocurrency also understand the basics of computer security. Keylogging combined with attempts to grab cryptographic material puts this Trojan nearer the top of the food chain for capturing sensitive information. This is possibly because security-conscious Bitcoin miners will encrypt their wallet.dat files for extra protection.
The ability to spread the work of mining Bitcoins across many machines, combined with the multitude of viruses that infect computers every day, looks like an extremely lucrative avenue for malware programmers. Because Bitcoin is semi-anonymous, miners embedded in Trojans could be a lot more lucrative than DDoS zombies; however, they would produce constant traffic and system load as they mined, which would make them easier to detect.
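The detection angle in the paragraph above, that an embedded miner keeps the machine continuously busy while talking to a pool, can be turned into a simple heuristic. The following is an added example, not code from the article or from any vendor named in it: it takes periodic per-process samples (as one might collect from `ps` or `top` plus a connection listing) and flags processes that stay above a CPU threshold for a sustained run of samples while holding at least one outbound connection. The process names, PIDs and readings below are constructed for illustration.

```python
"""Flag processes with sustained high CPU usage plus an outbound connection.

Added example: a miner smuggled into a Trojan runs flat out for hours and
keeps a connection to its pool open, so a long unbroken run of high CPU
samples with network activity is a useful (if coarse) signal. A compile job
is hot but has no network; a browser bursts and then settles. All sample
data here is constructed; names and PIDs are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: int          # seconds since the start of the observation window
    pid: int
    name: str
    cpu_pct: float   # percent of one core, as ps/top would report it
    outbound: int    # established outbound TCP connections at that moment


def sustained_high_cpu(samples, cpu_threshold=80.0, min_samples=6, min_conn=1):
    """Return a sorted list of (pid, name, run_length) for processes that stay
    at or above cpu_threshold for at least min_samples consecutive samples
    while holding at least min_conn outbound connections in each of them.
    Any sample that fails either condition resets the run, so short bursts
    are ignored."""
    by_proc = defaultdict(list)
    for s in sorted(samples, key=lambda s: s.ts):
        by_proc[(s.pid, s.name)].append(s)

    flagged = []
    for (pid, name), series in by_proc.items():
        run = best = 0
        for s in series:
            if s.cpu_pct >= cpu_threshold and s.outbound >= min_conn:
                run += 1
                best = max(best, run)
            else:
                run = 0
        if best >= min_samples:
            flagged.append((pid, name, best))
    return sorted(flagged)


# Constructed samples: 8 readings taken 10 s apart.
#   pid 4242 "java"    - hypothetical Java miner, always hot, 1 connection
#   pid 311  "clang"   - compile job, always hot, no network
#   pid 500  "Safari"  - browser, hot for 3 samples then idle, 3 connections
#   pid 77   "launchd" - idle system process
SAMPLES = []
for i in range(8):
    ts = i * 10
    SAMPLES.append(Sample(ts, 4242, "java", 95.0 + (i % 4), 1))
    SAMPLES.append(Sample(ts, 311, "clang", 99.0, 0))
    SAMPLES.append(Sample(ts, 500, "Safari", 90.0 if i < 3 else 5.0, 3))
    SAMPLES.append(Sample(ts, 77, "launchd", 1.0, 0))


if __name__ == "__main__":
    for pid, name, run in sustained_high_cpu(SAMPLES):
        print(f"suspect pid={pid} name={name} hot_samples={run}")
```

With the defaults only the hypothetical miner is reported; lowering `min_samples` would also catch the browser burst and setting `min_conn=0` would catch the compile job, which illustrates why both conditions are needed to keep the false-positive rate down. Mining on the GPU, as DiabloMiner does, would not necessarily show up as CPU load, so a real deployment would want GPU utilisation as an additional input.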
As always, scan files taken from less-than-reputable sources—that means especially BitTorrent—before executing them on any system. This is not to say it’s the fault of GraphicConverter or BitTorrent directly: one is a legitimate product repurposed by criminals, and the other is essentially a digital swap meet where anything may appear on the tables.
Practice safe downloading and safe computing.