Has GetShell been trojanized?
Published March 11th, 2013 at 7:44 PM EDT, modified March 11th, 2013 at 7:44 PM EDT
An interesting file was posted to VirusTotal today: a Mac disk image file containing what appeared to be a copy of Adium. This file was recognized by a small handful of anti-virus engines as the GetShell malware, however. This surprised me a bit, as GetShell had previously (as far as I know) only been installed as a drive-by download through Java vulnerabilities. So I decided to do a little investigation.
It turns out that the app was a modified version of Adium 1.3.10. Some of the app contents had been removed, and the executable file had been replaced. The executable file, when submitted to VirusTotal, was recognized as GetShell by a significantly larger group of anti-virus engines. (Most probably didn’t know how to get inside a .dmg file. VirusTotal itself didn’t appear to know what a .dmg file was.) One other noticeable difference is that the icon was a closed-eyed duck, unlike the normal open-eyed duck icon. (I am not very familiar with Adium, so I don’t know if the closed-eyed duck might be some normal Adium icon, perhaps used in the Dock to represent an inactive status.)
Trying to run the app in Mac OS X 10.8.2 (running safely in a virtual machine, of course) was unsuccessful, due to Gatekeeper. Bypassing Gatekeeper, however, allowed the app to open just fine. As GetShell has not (to my knowledge) been trojanized before, it makes sense that it would not have been added to XProtect definitions before. (I have reported this to Apple, so hopefully we will see an addition to XProtect soon.)
Once open, the app appeared to get stuck in a loop. It simply stayed bouncing in the Dock, never becoming responsive. Monitoring with fseventer and Little Snitch showed that it never wrote any files to the system, as one would expect a trojan to do, nor did it try to connect to any network resources. It would appear that this copy of the app is non-functional.
There is no information available as to where this file was found or who found it, so it’s impossible at this point to say much about what this means. This could represent an unsuccessful attempt to trojanize Adium, or it could be a damaged or intentionally disabled copy of a successful GetShell trojan. In any case, though, this not only means that GetShell would appear to still be under active development and distribution, but also that Mac users may have a new trojan to worry about. It is more important than ever not to disable Gatekeeper. Every recent trojan has been successfully blocked by Gatekeeper, unless intentionally bypassed.