|BlackHole RAT 2.0 Mac OS X Trojan Horse Discovered and Detected|
|Friday, 01 April 2011|
Mac OS X Trojan Horse BlackHole RAT 2.0 Discovered
The SecureMac team today announced a new version of the BlackHole RAT 2.0 Trojan Horse for Mac OS X has been discovered. This new version should be not confused with an older variant from back in February already detected by SecureMac and other anti-malware software.
SecureMac has discovered a new version of BlackHole RAT trojan horse as labeled by the hacker as 2.0 for Mac OS X. This new version should not be confused with an older variant already detected back in February by SecureMac as BlackHole RAT 1.0c that has recently been in the news called OSX/BlackHoleRAT.B.
Upon first release of BlackHole RAT 1.0, SecureMac identified three variants of the trojan horse, including one disguised as Apple's Safari web browser. At that time, it was noted that the trojan horse appeared to be a work-in-progress, and that further variants would probably appear in the future.
SecureMac's prediction proved to be correct, as there is a brand new version of the trojan horse currently being passed around on hacker message boards. This new version of the trojan horse is substantially different than previous variants, and is described as version 2.0 by the hacker who created it.
The new version of the trojan horse adds itself as a login item disguised as Java, has a more believable prompt for username and password, slows down the computer by tying up the CPU with a loop function, executes shell commands, and can attempt to erase the hard drive.
In the version analyzed by SecureMac, the author states that the trojan horse is unstable, but an upcoming version will improve stability. It appears that development of this program is ongoing, and the author recently posted to a hacker message board that the new version has been completed and is currently in testing, so we expect that it will soon be distributed in a more widespread fashion.
This new version of the trojan horse is detected by MacScan as "BlackHole RAT 2.0a" in the spyware definitions update released on March 31st, 2011. A 30-day free trial of MacScan can be downloaded by visiting http://macscan.securemac.com/.
The original SecureMac security bulletin about BlackHole RAT 1.0 trojan horse can be found here: http://www.securemac.com/blackholerat-bulletin.php