Backdoor:MacOS_X/Olyx.B
First posted on 11 July 2012.
Source: Microsoft
Aliases:
Backdoor:MacOS_X/Olyx.B is also known as Backdoor.OSX.Lasyr.d (Kaspersky), Backdoor.OSX.Lasyr.a (VirusBuster), MACOS/Lamadai.A (Avira), MAC.OSX.Trojan.Lamadai.A (BitDefender), BackDoor.Lamadai.1 (Dr.Web), OSX/Lamadai.A trojan (ESET), Backdoor.OSX.Olyx (Ikarus), OSX/Olyx (McAfee), OSX/AftDr-B (Sophos), OSX.Olyx (Symantec), OSX_RHINO.AE (Trend Micro).
Explanation:
Backdoor:MacOS_X/Olyx.B is a backdoor trojan that allows an unauthorized user to access and control your computer. It affects computers using the Mac OS X operating system.
Installation
Backdoor:MacOS_X/Olyx.B may copy itself as the following files:
- ~/Applications/Automator.app/Contents/MacOS/DockLight
- ~/Library/Audio/Plug-Ins/AudioServer
To make sure it automatically runs, it installs a "Launchd" property list file in the "LaunchAgents" folder as follows:
- ~/Library/LaunchAgents/com.apple.DockActions.plist
This property list file has the label "com.apple.docserver" and is configured to run at least once when you log in.
Distributed via...
Malicious Word documents
Backdoor:MacOS_X/Olyx.B is embedded in a specially crafted Microsoft Word for Mac document that exploits a vulnerability resolved with the release of Microsoft Security Bulletin MS09-027. The malicious Word document is detected as Exploit:MacOS_X/MS09-027.A.
Java applets
Backdoor:MacOS_X/Olyx.B has also been observed being dropped by other malware that exploits Java vulnerabilities, such as the following:
- Exploit:Java/CVE-2012-0507
- Exploit:Java/CVE-2011-3544
Payload
Allows backdoor access and control
Backdoor:MacOS_X/Olyx.B connects to any of the following servers to allow an unauthorized user access to your computer:
- 2012.slyip.net
- avira.suroot.com
- dns.assyra.com
- mail.hiserviceusa.com
Once connected, Backdoor:MacOS_X/Olyx.B creates a pseudo-terminal. It checks for the name "tty" and may set an environment variable to "HILLSET=F" or "TME=R".
It also performs the following actions:
- Searches the computer's files and folders
- Gathers information about the computer and sends it to the server
- Sends or uploads files to the server
- Opens a bash shell, which allows the unauthorized user to execute commands
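The installation and payload details above give a defender two things to hunt for: a LaunchAgent whose label or program path matches the drop locations, and outbound name lookups for the listed servers. The script below is an added example written for this page, not tooling from Microsoft or the MMPC; it assumes the user's home directory is /Users/alice, and the plist and log lines it checks are constructed samples in the shape of a launchd agent and a resolver log, not captures from an infected machine.

```python
"""Hunt for the Backdoor:MacOS_X/Olyx.B indicators listed on this page.

Added example, not Microsoft's tooling. Two checks a defender would run:
  1. launchd agents whose Label is "com.apple.docserver", whose file name is
     com.apple.DockActions.plist, or whose program is one of the drop paths;
  2. DNS / proxy log lines that name one of the four listed C2 hosts.
The sample plist and log lines are constructed for this demo.
"""
import plistlib
import re
from pathlib import Path

# Indicators as given on the page.
OLYX_LABEL = "com.apple.docserver"
OLYX_PLIST_NAME = "com.apple.DockActions.plist"
OLYX_PATHS = {
    "~/Applications/Automator.app/Contents/MacOS/DockLight",
    "~/Library/Audio/Plug-Ins/AudioServer",
}
OLYX_C2 = {
    "2012.slyip.net",
    "avira.suroot.com",
    "dns.assyra.com",
    "mail.hiserviceusa.com",
}


def _normalize(path: str, home: str) -> str:
    """Collapse a concrete home directory back to '~' so paths compare to the page's form."""
    if path.startswith(home + "/"):
        return "~" + path[len(home):]
    return path


def check_launch_agent(plist_bytes: bytes, filename: str, home: str = "/Users/alice") -> list:
    """Return the reasons a LaunchAgent plist matches Olyx.B (empty list means clean)."""
    reasons = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # malformed XML or binary plist; treat as suspicious rather than crash
        return ["unparseable plist"]
    if filename == OLYX_PLIST_NAME:
        reasons.append(f"file name {filename}")
    if data.get("Label") == OLYX_LABEL:
        reasons.append(f"label {OLYX_LABEL}")
    # launchd accepts either a single Program key or a ProgramArguments array.
    programs = [data.get("Program")] + list(data.get("ProgramArguments", []))
    for prog in programs:
        if prog and _normalize(prog, home) in OLYX_PATHS:
            reasons.append(f"program path {_normalize(prog, home)}")
    return reasons


def scan_launch_agents(directory: Path, home: str) -> dict:
    """Apply check_launch_agent to every *.plist in a LaunchAgents folder."""
    findings = {}
    for plist in directory.glob("*.plist"):
        reasons = check_launch_agent(plist.read_bytes(), plist.name, home)
        if reasons:
            findings[str(plist)] = reasons
    return findings


# Loose hostname matcher: letters, digits, dots and dashes ending in a TLD.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_c2_hits(log_lines) -> list:
    """Return (line_number, host) for each log line that names a known Olyx.B C2 host."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in _HOST_RE.findall(line):
            host = host.lower().rstrip(".")  # resolver logs often append a trailing dot
            if host in OLYX_C2:
                hits.append((n, host))
    return hits


# Constructed sample: a LaunchAgent shaped like the one the page describes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.docserver</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/alice/Library/Audio/Plug-Ins/AudioServer</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: a benign agent that must not match.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/usr/local/bin/updater</string></array>
</dict>
</plist>
"""

# Constructed resolver log lines (format is illustrative, not a real mDNSResponder capture).
SAMPLE_LOG = [
    "Jul 11 09:12:01 mac01 resolver: query A www.example.com",
    "Jul 11 09:12:07 mac01 resolver: query A avira.suroot.com",
    "Jul 11 09:12:09 mac01 resolver: query A MAIL.HISERVICEUSA.COM.",
]

if __name__ == "__main__":
    print(check_launch_agent(SAMPLE_PLIST, OLYX_PLIST_NAME))
    print(check_launch_agent(CLEAN_PLIST, "com.example.updater.plist"))
    print(find_c2_hits(SAMPLE_LOG))
    # On a real host: scan_launch_agents(Path.home() / "Library/LaunchAgents", str(Path.home()))
```

The label and file-name checks are deliberately separate from the path check: an agent that has been renamed but still points at one of the drop locations, or one that keeps the label but launches a different binary, is still reported. Matching C2 hosts case-insensitively and without the trailing dot avoids missing hits in resolver logs that write fully qualified names.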
Additional resources
More information about this threat is available in the MMPC blog post "Backdoor Olyx - is it malware on a mission for Mac?".
Analysis by Methusela Cebrian Ferrer
Last update 11 July 2012