Mac OS X backdoor uncovered

Following the news that a sophisticated Mac OS X backdoor has been uncovered, Anton Tyurin, the Head of Attack Detection Software Department, Positive Technologies offered @DFMag the following expert comment.

“There is nothing unusual. A malware with similar functionality was detected in 2012 by Dr.Web. Dubbed BackDoor.DaVinci.1, this cross-platform Trojan can gain full control over computers running both Windows and Mac OS X, or even destroy your OS.

“If we compare Backdoor.OSX.Mokes with its versions for Windows and Linux, we will find nothing new, because developers initially aimed at cross-platform malware retaining all features. Of course, the mechanism of malware persistence in the system was changed for Mac OS X. By the way, not only antiviruses can detect that kind of malware behavior, but also persistence monitoring tools such as BlockBlock (

“OSX/Keydnap has a mechanism for gathering and retrieving passwords and keys stored in the OS (Keychain). This is probably the main idea of that malware. OSX/Mokes captures audio and video from a webcam, takes screenshots every 30 seconds, logs keystrokes, and monitors removable storage devices. More serious spy, so to say.

“Both Trojans are able to execute commands on a victim’s computer remotely – and both could be detected by its communication methods. OSX/Keydnap uses TOR to connect to the C&C server, this could be easily tracked by modern IDS systems.

“OSX/Mokes uses 443 port to transmit the AES-encrypted data, this is alarming incompliance: 443 port is used by default for HTTPS connections with TLS cryptographic protocol.

“It is classic: do not visit suspicious websites, do not open suspicious files (especially from root), update your antiviruses and your OS. Using Mac OS X does not guarantee security: it is widely used now, so malware authors will create more programs for it.

“The delivery vector of Mokes malware is unclear: it could be delivered by email or a faked application (from untrusted websites) run by users themselves, or it could come by vulnerability exploitation in Flash/Java/Safari (previously unknown vulnerabilities? Why not!).

“We can also guess who the user of this backdoor is and what resources he possesses to be able to store and analyze large amount of data stolen from victim computers (audio and video). Is it industrial espionage, or some state intelligence agency?”