New Mac malware GetShell discovered

Published July 10th, 2012 at 10:07 PM EDT , modified March 11th, 2013 at 7:19 PM EDT

F-Secure has discovered new malware that is capable of installing via drive-by download on Mac, Windows and Linux systems. This is accomplished through a Java applet that requests access to your system, and if granted, it then detects the OS being used and installs the malware that is appropriate for that system.

However, the Mac version of this malware is apparently PowerPC code only. This means it will only run on systems up to Mac OS X 10.5, or on 10.6 if Rosetta has been installed (an optional component, though many 10.6 users did install it). It will not run at all on Mac OS X 10.7 (Lion). In addition, thanks to the attention Flashback drew to the issue, most people running 10.6 or later have updated Java, meaning that the vulnerabilities this malware relies on are already closed.
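The claim above that the Mac component is PowerPC-only is something you can verify on any sample by reading its Mach-O header rather than trusting the name. The following Python is an added example, not code from the original post or from F-Secure or Intego: it parses thin and fat (universal) Mach-O headers, reports the architectures present, and says whether the binary needs Rosetta. The header bytes are constructed for illustration, not taken from GetShell.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE                       # fat (universal) header, always big-endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE  # 32-bit thin header, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 0x01000012: "ppc64"}

def thin_cputype(blob, off=0):
    """cputype of the thin Mach-O header at `off`, or None if there is none."""
    if len(blob) < off + 8:
        return None
    magic = struct.unpack_from(">I", blob, off)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):     # stored big-endian (PowerPC builds)
        return struct.unpack_from(">I", blob, off + 4)[0]
    if magic in (MH_CIGAM, MH_CIGAM_64):     # stored little-endian (Intel builds)
        return struct.unpack_from("<I", blob, off + 4)[0]
    return None

def architectures(blob):
    """Architecture names in a thin or fat Mach-O blob ([] if it is not Mach-O)."""
    if len(blob) >= 8 and struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        # Java .class files share the 0xCAFEBABE magic, with a version number
        # where nfat_arch would be, so reject implausible slice counts.
        if nfat == 0 or nfat > 20 or len(blob) < 8 + 20 * nfat:
            return []
        cputypes = [struct.unpack_from(">I", blob, 8 + 20 * i)[0] for i in range(nfat)]
        return [CPU_NAMES.get(c, hex(c)) for c in cputypes]   # fat_arch is 20 bytes
    cputype = thin_cputype(blob)
    return [] if cputype is None else [CPU_NAMES.get(cputype, hex(cputype))]

def triage(blob):
    """Say whether a binary can run on the OS X releases discussed in the post."""
    archs = architectures(blob)
    if not archs:
        return "not a Mach-O binary"
    if all(a.startswith("ppc") for a in archs):
        return "PowerPC only: needs Rosetta on 10.6, cannot run on 10.7+"
    if any(a.startswith("ppc") for a in archs):
        return "universal: " + ", ".join(archs)
    return "Intel only: " + ", ".join(archs)

# Constructed sample headers (not taken from GetShell): a PowerPC-only thin
# binary, a ppc+i386 universal binary, and an x86_64 thin binary.
PPC_ONLY = struct.pack(">7I", MH_MAGIC, 18, 0, 2, 0, 0, 0)
UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">5I", 18, 0, 4096, 0, 12)    # ppc slice
             + struct.pack(">5I", 7, 3, 8192, 0, 12))    # i386 slice
X86_64 = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0, 0)
```

Run `triage(open(path, "rb").read(64))` on a suspect file; only the first 8 + 20 * nfat_arch bytes are needed, so the read can stay small.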

Some have commented that this is a sign that the author of this malware was not particularly savvy. However, I have a different take on the matter. Many people (though by no means all) who are still using older PowerPC machines at this point may be less-savvy users. As such, these users may make a better target for a social exploit like this one. Whether this idea is actually accurate is debatable, but it is undoubtedly worth some experimentation by hackers.

F-Secure, which was first to announce the discovery, has named this malware GetShell (detection names vary by component, but always contain the word GetShell). Intego detects it as OSX/SET.gen. I’m sure other AV companies will come up with their own unrelated names as well.

5 Comments

  • R says:

    Thank you for an excellent website. This is a valuable resource I commonly come to for OS X vulnerabilities. Your efforts do not go unnoticed.

    Thanks again,

    R

  • Vaughn says:

    Ditto – great coverage and yet to be proven inaccurate! I am almost at the point of protecting my MacBook Air with Intego just to be sure …

  • Jim Cooper says:

    I made a comment under a different heading, inappropriately it seems. The “get shell” description you gave seems to match my experience with the Scottrade applet by Java.
    Could you tell me how I can remove this virus? I am among the less knowledgeable users of Mac OSX.5 or .6?

    Jim

  • Jim Cooper says:

    Thomas,

    Thank you for your response. I will give a try.
    I appreciate having your expertise at hand.

    Jim
