OSX/DevilRobber [Threat Name]
OSX/DevilRobber.A [Threat Variant Name]
Category | trojan |
Size | 39168 B |
Detection created | Oct 30, 2011 |
Detection database version | 6587 |
Aliases | Backdoor.OSX.Miner.a (Kaspersky), OSX.Coinbitminer (Symantec), Backdoor:OSX/DevilRobber.A (F-Secure) |
Short description
The trojan serves as a backdoor that can be controlled remotely. It also uses the hardware resources of the infected computer to mine Bitcoin.
Installation
The trojan is usually distributed bundled with installation packages of various legitimate software.
The trojan does not create any copies of itself.
The trojan is usually found in the following folder:
- %home%/Library/mdsa1331/
Its filename may be one of the following:
- mdsa
Information stealing
The trojan collects the following information:
- a list of recently visited URLs
- shell command history
- screenshots
- Bitcoin wallet contents
- external IP address of network device
- network parameters
- number of files containing specific text strings
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 2 FTP addresses. The TCP, FTP and SSDP protocols are used.
It can execute the following operations:
- set up a proxy server
- send files to a remote computer
- capture screenshots
- send gathered information
The trojan opens the following ports:
- 34123
- 34321
- 34522
The trojan may create the following files:
- 1.png
- s.txt
Then the trojan deletes these files.
The trojan creates the following files:
- dump.txt
- abc.lck
- %variable1%_%variable2%_%variable3%.zip
Then the trojan deletes these files.
A string with variable content is used instead of %variable1-3%.
The trojan executes the following files:
- polipo
- miner.sh
- acab.sh
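The install path under Installation, the listening ports under Other information and the executed files listed above are the host-level indicators a responder would check for. The script below is an added triage example written for this entry, not ESET's or the malware's code: it checks the install directory and filename, and parses lsof and ps output (read from stdin, so it can also be fed captured output from an image) for the three ports and the three executed files. The lsof and ps sample lines embedded in it are constructed for the offline demonstration; column positions assume the default lsof and `ps -axo pid,command` layouts on macOS.

```shell
#!/bin/sh
# Added triage example for the OSX/DevilRobber.A indicators on this page.
# Not ESET code. Run with --live on a suspect Mac, or without arguments to
# exercise the checks against the constructed sample output below.

# Indicators taken from the entry.
DEVILROBBER_DIR_REL="Library/mdsa1331"            # install folder under %home%
DEVILROBBER_FILE="mdsa"                           # filename used in that folder
DEVILROBBER_PORTS="34123 34321 34522"             # ports the trojan opens
DEVILROBBER_PROCS="polipo miner.sh acab.sh"       # files the trojan executes

# Constructed sample output (not real capture) in the shape of
# `lsof -nP -iTCP -sTCP:LISTEN` and `ps -axo pid,command`.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
polipo 4242 user 5u IPv4 0x1 0t0 TCP *:34123 (LISTEN)
sshd 100 root 3u IPv4 0x2 0t0 TCP *:22 (LISTEN)'
SAMPLE_PS='PID COMMAND
4242 /Users/user/Library/mdsa1331/polipo -c polipo.conf
4243 /bin/sh /Users/user/Library/mdsa1331/miner.sh
1 /sbin/launchd'

# Check the install location under the given home directory (default: $HOME).
# Prints one line per hit; always returns 0 so it is safe under `set -e`.
devilrobber_check_files() {
    home="${1:-$HOME}"
    dir="$home/$DEVILROBBER_DIR_REL"
    [ -d "$dir" ] && echo "dir: $dir"
    [ -f "$dir/$DEVILROBBER_FILE" ] && echo "file: $dir/$DEVILROBBER_FILE"
    return 0
}

# Read lsof listener output on stdin; print listeners on the trojan's ports.
# lsof's NAME column (field 9) looks like "*:34123"; keep only the port.
devilrobber_check_ports() {
    awk -v ports="$DEVILROBBER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR > 1 {
            port = $9; sub(/.*:/, "", port)
            if (port in want) printf "port %s: pid %s cmd %s\n", port, $2, $1
        }'
}

# Read `ps -axo pid,command` output on stdin; print processes whose command
# line contains one of the executed filenames (matched on the basename, so
# "/bin/sh .../miner.sh" is caught as well as a direct "polipo").
devilrobber_check_procs() {
    awk -v names="$DEVILROBBER_PROCS" '
        BEGIN { n = split(names, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR > 1 {
            for (i = 2; i <= NF; i++) {
                tok = $i; sub(/.*\//, "", tok)
                if (tok in want) { printf "proc %s: pid %s\n", tok, $1; break }
            }
        }'
}

if [ "${1:-}" = "--live" ]; then
    devilrobber_check_files
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | devilrobber_check_ports
    ps -axo pid,command | devilrobber_check_procs
else
    printf '%s\n' "$SAMPLE_LSOF" | devilrobber_check_ports
    printf '%s\n' "$SAMPLE_PS" | devilrobber_check_procs
fi
```

Absence of these hits is not proof of a clean host: the entry says the install folder and filename are the usual ones, not the only ones, and the 1.png, s.txt, dump.txt and zip artifacts are deleted after use, so they are unlikely to be on disk by the time a responder looks.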