OFFICIAL SECURITY BLOG


Has GetShell been trojanized?

Published March 11th, 2013 at 7:44 PM EDT , modified March 11th, 2013 at 7:44 PM EDT

An interesting file was posted to VirusTotal today: a Mac disk image file containing what appeared to be a copy of Adium. However, this file was recognized by a small handful of anti-virus engines as the GetShell malware. This surprised me a bit, as GetShell had previously (as far as I know) only been installed as a drive-by download through Java vulnerabilities. So I decided to do a little investigation.

GetShell trojan and Adium icons

It turns out that the app was a modified version of Adium 1.3.10. Some of the app contents had been removed, and the executable file had been replaced. The executable file, when submitted to VirusTotal on its own, was recognized as GetShell by a significantly larger group of anti-virus engines. (Most of the engines probably didn’t know how to look inside a .dmg file; VirusTotal itself didn’t appear to know what a .dmg file was.) One other noticeable difference is that the icon was a closed-eyed duck, unlike the normal open-eyed duck icon. (I am not very familiar with Adium, so I don’t know if the closed-eyed duck might be some normal Adium icon, perhaps used in the Dock to represent an inactive status.)
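The comparison described above (app contents removed, main executable swapped out) can be done mechanically by hashing every file in a known-good copy of the bundle and in the suspect copy, then diffing the two manifests. The following is an added example, not code from the original post or from the Adium project; it uses only the Python standard library, reads the bundle's own `Info.plist` to locate the main executable, and builds two small constructed bundles in a temporary directory so it runs anywhere. The bundle identifier, file names and executable bytes are made-up sample data, not Adium's real values.

```python
"""Diff a suspect .app bundle against a known-good copy of the same app.

Added example (not from the original post). Reports files removed, files added,
files whose contents changed, and whether the main executable named in
Info.plist (CFBundleExecutable) differs from the known-good one.
"""
import hashlib
import plistlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def main_executable(bundle: Path) -> Path:
    """Resolve Contents/MacOS/<CFBundleExecutable> from the bundle's Info.plist."""
    with (bundle / "Contents" / "Info.plist").open("rb") as f:
        info = plistlib.load(f)
    return bundle / "Contents" / "MacOS" / info["CFBundleExecutable"]


def manifest(bundle: Path) -> dict:
    """Map every regular file (bundle-relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(bundle).as_posix(): sha256_of(p)
        for p in sorted(bundle.rglob("*"))
        if p.is_file()
    }


def compare_bundles(known_good: Path, suspect: Path) -> dict:
    """Return the differences a reviewer would want: removed/added/modified files
    and whether the executable was replaced, plus the suspect executable's hash
    (the value you would look up or submit on VirusTotal)."""
    good, bad = manifest(known_good), manifest(suspect)
    good_exe = main_executable(known_good).relative_to(known_good).as_posix()
    bad_exe = main_executable(suspect).relative_to(suspect).as_posix()
    return {
        "removed": sorted(set(good) - set(bad)),
        "added": sorted(set(bad) - set(good)),
        "modified": sorted(p for p in good.keys() & bad.keys() if good[p] != bad[p]),
        "executable_replaced": good.get(good_exe) != bad.get(bad_exe),
        "suspect_executable_sha256": bad.get(bad_exe),
    }


def build_sample_bundles(root: Path):
    """Constructed sample data: a clean toy bundle and a tampered copy of it
    (a resource removed, the icon changed, the executable replaced)."""
    def write_bundle(base: Path, exe_bytes: bytes, resources: dict) -> None:
        (base / "Contents" / "MacOS").mkdir(parents=True)
        (base / "Contents" / "Resources").mkdir()
        with (base / "Contents" / "Info.plist").open("wb") as f:
            # Hypothetical identifier, not Adium's real one.
            plistlib.dump({"CFBundleExecutable": "Adium",
                           "CFBundleIdentifier": "com.example.adium"}, f)
        (base / "Contents" / "MacOS" / "Adium").write_bytes(exe_bytes)
        for name, data in resources.items():
            (base / "Contents" / "Resources" / name).write_bytes(data)

    clean, suspect = root / "Adium-clean.app", root / "Adium-suspect.app"
    write_bundle(clean, b"\xcf\xfa\xed\xfe original executable",
                 {"duck.icns": b"open-eyed duck", "Help.html": b"help text"})
    write_bundle(suspect, b"\xcf\xfa\xed\xfe replaced executable",
                 {"duck.icns": b"closed-eyed duck"})
    return clean, suspect


def demo() -> dict:
    """Build the constructed bundles in a temp dir and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = build_sample_bundles(Path(tmp))
        return compare_bundles(clean, suspect)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use this on a real disk image, mount it and point `compare_bundles` at the mounted `.app` and at a copy of the same version downloaded from the developer's own site; the `suspect_executable_sha256` value is what to search for or submit to VirusTotal when the scanners cannot see inside the `.dmg`.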

Trying to run the app in Mac OS X 10.8.2 (running safely in a virtual machine, of course) was unsuccessful, due to Gatekeeper. Bypassing Gatekeeper, however, allowed the app to open just fine. As GetShell has not (to my knowledge) been trojanized before, it makes sense that it would not have been added to XProtect definitions before. (I have reported this to Apple, so hopefully we will see an addition to XProtect soon.)

Once open, the app appeared to get stuck in a loop. It simply stayed bouncing in the Dock, never becoming responsive. Monitoring with fseventer and Little Snitch showed that it never wrote any files to the system, as one would expect a working trojan to do, nor did it try to connect to any network resources. It would appear that this copy of the app is non-functional.

There is no information available as to where this file was found or who found it, so it’s impossible at this point to say much about what this means. This could represent an unsuccessful attempt to trojanize Adium, or it could be a damaged or intentionally disabled copy of a successful GetShell trojan. In any case, though, this not only means that GetShell would appear to still be under active development and distribution, but also that Mac users may have a new trojan to worry about. It remains as important as ever not to disable Gatekeeper. Every recent trojan has been successfully blocked by Gatekeeper, unless intentionally bypassed.


22 Comments

  • Someone says:

    What is Adium, exactly?

  • Greg says:

    Actually, the closed eye icon is used for Adium when it’s closed and the open eye icon is used when Adium is open.

  • aalien says:

    I have used Adium a lot for years but I stopped using “MSN type systems” two years ago and since then only use Skype due to “user compatibilities”… Basically they are all the same in my perspective (because of the protocol/port they use in the PC) but Skype seems to be more secure and more video conference related… Also almost all my friends have Skype so…

    It’s a shame this is happening with such a great app as this can break Adium’s reputation.
    I’m very curious about where this submission was found…

  • Arnold says:

    Hi,

    What is Gatekeeper? Is it in OS 10.8.3?

    Thanks.

    • Thomas says:

      I’ve been meaning to write something up about that this week. Until I do, see:
      http://www.thesafemac.com/mmg-builtin/

      • Someone says:

        But, to answer your question now, and for anyone who wants to know without reading Thomas’s response elsewhere (it is a pretty long response): Gatekeeper is a new feature of Mac OS X 10.8 (Mountain Lion). It is included in all versions of 10.8 (10.8, 10.8.1, 10.8.2, and 10.8.3). Essentially, it is a way for a user (i.e. you) to control what apps you can download and open. The most restrictive option is to only allow apps from the Mac App Store. These apps are sandboxed by Apple – in other words, certain features of the app may have been removed that could cause problems on the computer, etc. The middle option is “Mac App Store and registered developers.” “Registered developers” are app creators/developers that have paid to get their apps digitally signed with Apple approval. Apple can revoke their approval if the app proves to be signed malware/crapware. This middle option is a good safe option for the average user. The final option, “Anywhere” basically turns off Gatekeeper’s functions. However, even with Gatekeeper turned off, XProtect still protects you. To learn about XProtect, use Thomas’s link, as it does an excellent job explaining that.

  • Alex says:

    What makes you think it now has new (trojan) capabilities? Could it just be that the malware is looking at new ways of spreading by disguising itself as a legit app?

    • Thomas says:

      Disguising itself as a legit app is the definition of what a trojan is. Previously, this malware had only used Java vulnerabilities to sneak onto machines.

      • Someone says:

        However, out of curiosity, what capabilities were you considering “trojan” capabilities? I would guess, thanks to Thomas’s definition of trojan, that said characteristics would not have anything to do with the app being a trojan, but I’d still like to know your thinking…

  • Someone says:

    Another question: What does GetShell do?

  • aalien says:

    I think the main and FOCUS point here is WHERE you get the app.

    If you get it through the official website most probably you will have the clean version.

    People, don’t forget the app tested by Thomas was not downloaded from the official website, and I think the description “GetShell trojan and Adium icons” is not politically correct because those icons are from the official application.

    The application in question was an anonymous submission on the TotalVirus website. It is the same as if I use “Messages” (an application that comes with OSX) or “Google Talk” apps and play with them, change the core and submit it to TotalVirus. What then? Will the Messages and Google Talk icons be the malware icons? No. And mostly you will not have the trojanized application because you get it from the right place, the OSX DVD or the Google website, and not from me.

    The main focus here is to download ALWAYS from the official developers and not ANY other provider, such as cnet, softonic, softpedia, etc…

    People should not flag the app just because some kid decided to play with it and test the results in a public virus database…

    The description below the image (I think) is not fair and is misleading people. It’s a great app, believe me!

    • Someone says:

      aalien, Thomas isn’t telling people that Adium is a bad app. It’s a perfectly fine app, I’m sure (I’m unfamiliar with it, but I’ll take your word for it that it’s a good app). What Thomas is saying (and Thomas, you can correct me if I’m wrong) is exactly what you said: Beware of downloading what appears to be a legit app (i.e. Adium) unless it is from the official website.

      However, since the modified copy of Adium was recognized as GetShell, an already known malware, by AV engines etc., this tells me that the person/people/company/whatever who changed the code somehow made some part of it identical to GetShell, which tells me that it had something to do with the GetShell developers, and not, as you put it, “some kid.”

      • Thomas says:

        Absolutely correct. There’s absolutely nothing wrong with the real Adium, and you shouldn’t JUST be worried about rogue Adium apps. Any app, downloaded from the wrong place, could be a trojan in disguise.

      • aalien says:

        I have answered you but it appears Thomas didn’t like my comment as it was not approved.
        Well, I will not explain the “some kid” statement to you and speak about cores and C language manipulation again. If it was not approved the first time it will not be approved the second time.
        It’s a shame, I think it’s useful information.
        Best regards

        • Thomas says:

          I can’t recall not approving anything from you. Perhaps it got stuck in the spam filter for some reason? I get a LOT of blog spam, so filtering it has to be automated.

        • Someone says:

          IMHO it’s not fair to Thomas or, quite frankly, to me, for you to assume that since Thomas agreed with my comment (or rather, assured me that I correctly interpreted what he said), he’s going to purposefully not approve your response.

          Also, I have to apologize. I don’t think I made it clear, but I was guessing about the some kid thing. I don’t actually know, and it would be much appreciated if either Thomas or you would clarify. I’m sure that it is “useful information.”

          Best regards to you as well.
