Trojan.AppleScript.THT.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.AppleScript.THT.A is also known as Backdoor.Mac.Hovdy.b, Exploit.OSX, MacOSX/Hovdy.A, OSX/Hovdy.
Explanation:
This malware comes in the form of a malicious AppleScript, which can reach a system either through social engineering (the attacker tricks the user into running it) or by means of an exploit.
Once executed it takes the following actions:
- tries to copy itself into "/Library/Caches"
- modifies SystemLoginItems.plist to be run at startup
- disables System Accounting
- disables logging
- changes syslog.conf to disable logging
- deletes the "utmp" and "wtmp" logs to hide its presence
- stops the OS X firewall and disables it from running at startup
- disables Norton Antivirus Update
- disables Software Update
- installs and activates logKext (keylogger)
- enables web server (Apache)
- installs phpshell
- gets the Open Firmware password
- gets password hashes for all user accounts
- tries to brute-force passwords for the user accounts
- kills Little Snitch (firewall software)
- enables ssh
- enables ARD and VNC
- saves local and public IP addresses
- tries to send an e-mail to the malware writer with the following information:
* username
* password
* ip address
* user account hashes
Last update 21 November 2011
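The persistence and anti-logging behaviours listed above translate into host indicators a responder can check for. The audit script below is an added example, not part of the original description or of any BitDefender tooling; the file locations it probes (SystemLoginItems.plist under /Library/Preferences, logKext.kext under /System/Library/Extensions, phpshell.php under the Apache document root, wtmp under /var/log) are assumptions about the classic OS X layout, and the sample trees it builds are constructed data.

```python
import os
import tempfile

def _read(root, rel):
    """File text, "" for a directory, None when the path is absent."""
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return "" if os.path.isdir(path) else None
    with open(path, errors="replace") as fh:
        return fh.read()

# (indicator, path under the audited root, predicate over _read() output). Paths are
# assumptions about the classic OS X layout, not values taken from the description.
CHECKS = [
    ("login item pointing into /Library/Caches", "Library/Preferences/SystemLoginItems.plist",
     lambda t: t is not None and "/Library/Caches" in t),
    ("syslog.conf with every logging rule commented out", "etc/syslog.conf",
     lambda t: t is not None and not any(
         ln.strip() and not ln.lstrip().startswith("#") for ln in t.splitlines())),
    ("logKext keylogger extension installed", "System/Library/Extensions/logKext.kext",
     lambda t: t is not None),
    ("phpshell dropped in the Apache document root", "Library/WebServer/Documents/phpshell.php",
     lambda t: t is not None),
    ("wtmp login history deleted", "var/log/wtmp", lambda t: t is None),
]

def audit(root):
    """Names of the indicators present under the given filesystem root."""
    return [name for name, rel, hit in CHECKS if hit(_read(root, rel))]

def audit_sample(infected):
    """Write a minimal fake tree (constructed sample data, not a real capture) and audit it."""
    files = {
        "Library/Preferences/SystemLoginItems.plist": "<string>%s</string>"
        % ("/Library/Caches/.helper" if infected else "/Applications/iTunes.app"),
        "etc/syslog.conf": ("#" if infected else "") + "*.notice\t/var/log/system.log\n",
    }
    if infected:
        files["System/Library/Extensions/logKext.kext/Info.plist"] = "<plist/>"
        files["Library/WebServer/Documents/phpshell.php"] = "<?php /* web shell */ ?>"
    else:
        files["var/log/wtmp"] = "binary login records"  # present on the clean host
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return audit(root)
```

Running `audit("/")` on a live host applies the same checks to the real filesystem; the infected sample tree trips all five indicators and the clean one trips none.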