An Introduction to DevilRobber Trojan
Ruomu Guo, CPSC 620 Presentation
What is DevilRobber Trojan
• 1: Transmission: BitTorrent seed
• 2: Function: access the user's computer, steal the user's private information, and generate Bitcoin virtual currency
The Principle of Trojan
• A Trojan application consists of two parts: 1: Server part (server) 2: Controller part (client)
• Interaction: opens ports on the client to send data back to the specified server; hackers could take advantage of such ports to enter OS X
The Principle of Trojan
• Operation: Trojan horse programs cannot operate automatically; they are embedded in documents or files users may be interested in
• Trigger: the user must open the infected file or run the infected application
• Categories: Universal vs. Transitive
Analysis of DevilRobber Trojan
• Operating system platform: Mac OS X (based on UNIX); Mac OS X applications such as the Graphic Converter software
• Function: steal the user's sensitive information and private data; control the GPU to generate Bitcoin virtual currency automatically; monitor the computer's activities
Analysis of DevilRobber Trojan
• Copy TrueCrypt and its relevant data
• Copy Safari browsing history
• Copy users' bash_history to dump.txt
Analysis of DevilRobber Trojan
• Unusual feature: takes advantage of the GPU to automatically generate Bitcoins; Bitcoins can also be exchanged for real currency. One Bitcoin is equivalent to about $3.00
New Version of DevilRobber Trojan
• Dispersal: Old version: disguised as a popular image editing program such as Pixelmator. New version: disguised as download tools and contacts some FTP server
New Version of DevilRobber Trojan
• Circumvention: no longer tries to capture a screenshot to send back to the remote server; no longer checks for the Little Snitch firewall
• Confuse user: Little Snitch users can authorize the Trojan to communicate with an external server without their knowledge.
How to Avoid DevilRobber Infection
• Check the source of downloaded files; trust the source of the download
• Various types of DevilRobber Trojan: disguised as a PDF file; disguised as an Adobe Flash update installer
Vulnerability Fixed and Solution
• Enhance Mac OS X security: Apple has released an update package for users to download; virus feature definitions in XProtect.plist
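XProtect.plist, mentioned on this slide, is a list of hash-based signatures that macOS checks downloaded files against. The following is an added example, not from the presentation or from Apple: it builds a constructed definition in the XProtect-style layout (the field names Description, Matches, MatchType and Identity are assumed from published descriptions of the file, and the "Trojan" bytes are a harmless stand-in) and checks a file's SHA-1 against it the way a definition-based scanner does.

```python
"""Hash-based signature check modelled on the XProtect.plist layout.

Constructed sample only: the definition entry, its SHA-1 identity and the
"malicious" file bytes are all made up for this example.
"""
import hashlib
import plistlib
from typing import List, Optional

# Constructed stand-in for a Trojan binary (harmless shell text, not malware).
SAMPLE_TROJAN = b"#!/bin/sh\n# constructed stand-in for a DevilRobber dropper\n"
BENIGN_FILE = b"#!/bin/sh\necho hello\n"

# One XProtect-style entry. "Identity" carries the SHA-1 of the flagged file as
# binary plist <data>; the key names are an assumption based on published
# descriptions of XProtect.plist, not copied from Apple's file.
SAMPLE_DEFINITIONS = plistlib.dumps([
    {
        "Description": "OSX.DevilRobber (constructed entry)",
        "LaunchServices": {"LSItemContentType": "com.apple.application-bundle"},
        "Matches": [
            {
                "MatchFile": {"NSURLTypeIdentifierKey": "public.unix-executable"},
                "MatchType": "Match",
                "Identity": hashlib.sha1(SAMPLE_TROJAN).digest(),
            }
        ],
    }
])


def load_definitions(plist_bytes: bytes) -> List[dict]:
    """Parse an XProtect-style plist (XML or binary) into definition dicts."""
    return plistlib.loads(plist_bytes)


def match_file(definitions: List[dict], data: bytes) -> Optional[str]:
    """Return the Description of the first rule whose Identity equals the
    SHA-1 of `data`, or None when no definition matches."""
    digest = hashlib.sha1(data).digest()
    for entry in definitions:
        for rule in entry.get("Matches", []):
            if rule.get("MatchType") == "Match" and rule.get("Identity") == digest:
                return entry["Description"]
    return None


if __name__ == "__main__":
    defs = load_definitions(SAMPLE_DEFINITIONS)
    print(match_file(defs, SAMPLE_TROJAN))  # the constructed entry's Description
    print(match_file(defs, BENIGN_FILE))    # None
```

An exact-hash rule like this only catches the specific sample it was written for, so a rebuilt or repacked variant such as the "new version" on the previous slides slips past until Apple ships a fresh definition; that is why the slide's advice to check the source of downloads still matters.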
Lecture End Thanks