The Safe Mac

Mac Malware Catalog

Below is a list of the Mac trojans that I know of. If I have left anything off this list, pleaseĀ let me know. Due to the extreme rarity of Mac malware, it’s often difficult to find good information about it… very few people have actually ever seen any of it.

Update: I have removed the threat level information. This information was not only badly outdated, but it always highly subjective. The true threat level for an individual depends on things like the version of Mac OS X being used, whether you are using outdated and vulnerable third-party software and how risky your online behavior is, among many other factors. Most of the malware mentioned here should be considered extinct at this point, though.

1990s, Word macro viruses

These viruses have been around long before Mac OS X, and could infect both Mac and Windows through Microsoft Office products. These viruses were written in a scripting language that allowed automated tasks to run when opening a Word, Excel or PowerPoint file. They were once the most prevalent and dangerous of all Mac viruses, and even played a significant role in the retirement of Disinfectant in the pre-X days. However, the scripting language they relied on was removed from MS Office 2008, and in Office 2004 you would be warned by default when opening a file with a macro.

Unfortunately, the re-introduction of that scripting language in Office for Mac 2011 has re-opened this old can of worms for Mac users. In the Security pane of Word’s preferences, you should make sure to check the box labeled “Warn before opening a file that contains macros.” If you think you may have contracted a Word macro virus, see Microsoft’s instructions for dealing with the virus.

early 2004, MW2004

First seen in early 2004, this AppleScript trojan pretended to be an installer for Microsoft Word 2004, but actually did its best to delete the user’s home folder. In my opinion, anyone stupid enough to try to download pirated software got what they deserved with this one. It is extremely unlikely anyone will encounter this malware by now.

late 2004, Renepo, aka Opener

This trojan is a shell script that must be intentionally run by someone with root privileges. Once installed, it would open up some backdoors to allow a hacker access to your machine. If this malware can still be found by now, it is certain the hackers behind it are no longer active (or have moved on to other things), so there’s nobody waiting to come in the back door!

April 2005, Cowhand

Described only in a very vague way by Sophos, it’s unclear exactly what this malware might have been. I suspect, since it’s difficult to find any references to Cowhand other than ones related to Sophos’ report, that it was a proof-of-concept trojan that was never actually seen in the wild.

2006, Exploit.OSX.Safari, aka OSX.Exploit.Metadata

This malware relied on a vulnerability in Safari that was closed by Security Update 2006-001 almost as soon as it was discovered.

early 2006, Leap, aka Oompa Loompa

This trojan pretends to be a picture but is actually an application. Although it is a trojan, once launched it will try to spread itself through iChat like a virus. It is extremely unlikely anyone will encounter this malware in the wild at this point. In addition, if you did, quarantine will tip you off that it’s not actually a document.

early 2006, Inqtana

A proof-of-concept virus that was dead before it was ever seen in the wild, thanks to an update to the Mac OS that closed the vulnerability it relied on.

mid-2006, OSX.Exploit.Launchd

A proof-of-concept virus, which was never actually seen in the wild, this would provide an attacker with root access to your computer… unless you’re running Mac OS X 10.4.7 or later, which no longer have the vulnerability it relied on.

late 2006, Macarena

Macarena was a proof-of-concept virus. It consisted of source code and instructions on compiling it, meaning that the user would have to compile and run it with full knowledge of what they were doing to become infected. It did not actually do anything other than copy itself, as a demonstration that such things were possible on a Mac. It was never seen as an actual virus in the wild.

late 2007, RSPlug, aka DNSChanger, aka Jahlav, aka Puper

This trojan was downloaded by people who visited adult websites and were told they needed to download a “video codec” to view adult videos. The “plugin” that was installed was actually a trojan horse. More recently, RSPlug has been seen masquerading as more innocent things, including a free game, and thus may be easier to fall for now than it was initially. RSPlug changes the DNS server settings (and installs a script to make sure it stays changed). Infected machines will use a malicious DNS server instead, which will redirect requests for certain banking sites, eBay, etc to phishing servers, in an attempt to steal account passwords that can be used to make money. This trojan is protected against by quarantine in Mac OS X 10.6 or later.

Addendum (6/17/2012): Since the gang behind this trojan was caught late last year, I have downgraded the threat level to “None.”

January 15, 2008, MacSweeper, aka Immunizator

MacSweeper was classified as “the first rogue application” for Mac OS X by F-Secure, who announced its discovery. It is very similar to the later MacDefender series of malware. Neither it nor the MacSweeper web site are still in existence.

mid-2008, AsTHT, aka Hovdy, aka AplS.Saprilt

This was an AppleScript that used a vulnerability in ARDAgent to take over a computer remotely. This vulnerability was closed soon thereafter by Security Update 2008-005.

mid-2008, PokerStealer, aka Corpref

Pretending to be a poker game, this trojan will ask for a password using a non-standard interface. (The typical Mac OS account password prompt is the only one you should give your account password to!) It would then use that password to give an attacker remote access to your Mac. As it apparently took advantage of the same vulnerability as AsTHT, which has been fixed, it is no longer a threat.

late 2008, Lamzev, aka Malev

This is not actually malware, but a hacker tool that can be used to create a backdoor in your system, giving a hacker access. The catch: the hacker must have access to the system already in order to use this tool to create a backdoor. If a hacker has physical access to your machine, you have bigger problems, and it’s very unlikely that Lamzev would be the current hacker tool of choice anyway.

early 2009, iServices, aka iWorkServices, aka Krowi

Perhaps the most common of all Mac malware, this trojan masquerades as pirated software (initially iWork, as the name would suggest, but later variants pretended to be other programs), typically distributed over peer-to-peer sharing networks. Infected machines become part of a botnet (a group of hijacked computers) and used to attack web sites. This trojan is protected against by quarantine in Mac OS X 10.6 or later.

mid-2009, Tored

A trojan that spreads like a virus by attaching itself to e-mail. However, it was quite poorly written and riddled with bugs, so it does not actually do what it was meant to do. It is not considered a threat. Security experts called it “lame.”

late April 2010, HellRTS, aka Pinhead, aka Hellraiser

This trojan was quietly added to the Mac OS X quarantine definitions in Apple’s mid-June 2010 release of Mac OS X 10.6.4. It was apparently first seen in the wild in late April as an installer for iPhoto, though Sophos reported at the time that none of their customers had encountered it (as far as they knew). Very little information about this trojan can be found other than what is available from the various Mac anti-virus firms, and that information tends to vary from mildly to seriously biased. In any case, as long as you’re not dumb enough to try to download an illegal copy of iPhoto, you’re safe whether you’ve upgraded to 10.6.4 or not.

June 1, 2010, OpinionSpy, aka Premier Opinion, aka Spynion

OpinionSpy, also called Premier Opinion, was announced as spyware by Intego on June 1, 2010. According to Intego, it is distributed with a number of screensavers (all sold by one company, 7art) and one video converter. The full list can be seen here. However, it’s poor spyware indeed that warns you that it is installing, tells you it’s going to collect your personal information, and then requires you to agree to install it. On March 21, 2011, Apple added it to the Mac OS X quarantine definitions.

October 2010, Koobface, aka Boonana

Koobface – a malicious Java applet commonly found on social networking sites like Facebook and Twitter – has been around in the Windows world since 2009. Unfortunately, as of October 2010, it has also made its entry into the Mac world. It appears in the browser as a request to view a video, often with the question “Is this you in this video?” Initial reports from Intego indicated that this malware was too buggy to work, but subsequent reports from other security companies reveal that fully functional versions are being encountered in the wild. Worse, this trojan does not require an admin password to install. Although you do have to click the Allow button in an alert that tells you the applet is trying to access your computer, users who are not tech-savvy may assume that it’s okay to do so. I highly recommend that you turn off Java (not JavaScript, which is different) if you are afraid you might agree to something you shouldn’t.

Update: Downgrading threat to “none” due to lack of Koobface sightings in quite some time.

February 2011, BlackHole RAT, aka MusMinim, aka DarkHole

BlackHole RAT (Remote Administration Tool) is a sophisticated exploit kit. It is typically distributed from malicious web sites that use a variety of different vulnerabilities to install malicious code. It is capable of infecting a Mac, if that system has vulnerabilities used by Blackhole. If you keep your system and all third-party web plugins (Java, Flash, etc) updated (or, better, disabled), your risk is minimal. Currently, a Mac with properly-updated system and software will have no vulnerabilities for Blackhole to take advantage of.

April 30, 2011, MacDefender, aka MacSecurity, aka MacProtector, aka MacGuard, aka MacShield, aka Defma

MacDefender is a trojan for Macs that is downloaded from fake anti-virus web sites claiming to have detected viruses on your Mac. These sites are reached via malicious JavaScripts that are injected into legitimate web sites and that redirect you to the malicious “anti-virus” site (often called something like Apple Security Center). Clicking a button on the malicious site results in downloading of an installer. On machines where Safari’s Open “safe” files after downloading option is turned on, the installer launches automatically, but requires user action to proceed with the installation. Users of Safari are advised to turn this option off immediately. (It is found at the bottom of the General pane of Safari’s preferences.) Once installed, this trojan begins opening porn sites in Safari every few minutes, “proving” that there’s a virus and fooling people into spending money on the software to “remove” the “virus.” For detailed accounts on this virus, see the coverage of MacDefender on The Safe Mac. Numerous variants of MacDefender are currently recognized by XProtect.

Addendum (9/26/2011): Since the folks behind the credit card processing have been caught and put in Russian prison, there have been no more reports of MacDefender infections to my knowledge. For this reason, I’m downgrading the threat level to Low.

Addendum (10/17/2012): And still no more sightings, so I’m downgrading the threat to None.

August 1, 2011, QHost, also HostMod-A

This trojan, announced by F-Secure on August 1, 2011, masquerades as a Flash player installer. The program does not actually install Flash, instead making modifications to the /etc/hosts file that can be used to customize DNS lookups. A number of different Google domains are added to that file, mapped to a malicious IP address. Although the malicious server was non-functional for a while, new variants have been spotted that do redirect to working sites.

Note that Sophos detects the modified hosts file as OSX/HostMod-A. This is not separate malware.

September 23, 2011, Revir, aka Imuler, aka Muxler

Discovered by F-Secure on September 23, 2011, this two-part trojan pretends to be a PDF file. When opened, Revir.A – which is an application, and not really a PDF file – opens a PDF file to keep the user from catching on, and in the background installs the second part, Imuler.A. This process remains running on your Mac, providing backdoor access through a malicious server that it attempts to contact. At this time, however, that server does nothing. Because of that, there is currently little risk from this trojan, but that could change at any time. For more information, including removal instructions, see More broken Mac malware.

September 26, 2011, Flashback, aka Flashfake

See About the Flashback malware.

Addendum (6/17/2012): I have degraded the threat level to low, based on the fact that I haven’t seen any new Flashback infections in more than a month, and the fact that Apple has patched all vulnerabilities that it relied on and released updates that removed the malware from infected machines. Anyone infected at this point has been infected for a while and hasn’t been installing updates. Of course, this could always come back using newly-discovered vulnerabilities (like the ones Apple patched on June 12) or in a new version of the older trojan variants, so I can’t say the threat is gone entirely.

Addendum (10/17/2012): Still no further Flashback sightings, so I’m downgrading the threat level to “none.”

October 28, 2011, DevilRobber, aka Miner-D

On October 28, 2011, Intego announced discovery of a trojan they call DevilRobber. A good description of its actions can be found in Intego’s article, and my take on it can be found in my blog post, New DevilRobber trojan. I consider the risk very low, not because this trojan isn’t dangerous, but because at this time only people who download pirated software are at risk. Such people deserve what they get, and are of no concern to me, but if you have a child or relative who might download stolen software, do not allow them to use an admin account on your computer.

November 2011, FinFisher

FinFisher is a surveillance tool designed for law enforcement or government use. I have wrestled with whether or not to add this to my list of malware, but finally decided to. After all, it’s being sold by a private company, and who knows if they don’t have any deals going on the side with less legitimate people.

For more information about FinFisher, see FinFisher vulnerability closed.

January 20, 2012, FileSteal, Hackback, KitM

Apple quietly added a definition for FileSteal to XProtect, but nothing could be found about it anywhere. None of the security companies were talking about it publicly. It puzzled me, and some colleagues, until more than a year later, when F-Secure announced the discovery of something they called KitM, which they said appeared to be related to something called “Hackback.” Another unfamiliar malware name! It finally came out that FileSteal/Hackback was a trojan that would upload files of a particular type to a command and control server. The newer KitM malware, which took screenshots and uploads them to a server, is a variant of this older malware.

This malware appears to be very tightly targeted at specific people, so most will never see it.

March 2012, Tibet, aka MacControl, aka MaControl, aka MacKontrol

Tibet.A installs itself in a very similar manner to recent variants of Flashback, relying on Java vulnerabilities, and at the time of this writing has only been used to target Tibetan activist organizations. Beyond that, little is known about what it does, thanks to security companies either ignoring the Mac version of the trojan or citing few details in order to sell anti-virus software. In any case, though, the malware can be avoided easily: turn off Java in your web browser. If that is not an option, users of Mac OS X 10.6 and up should install all Java updates available in Software Update to patch the vulnerabilities this malware’s installation depends on. Users of Mac OS X 10.5 and earlier do not have those patches available, and are at higher risk of infection if Java is left turned on.

April 13, 2012, Sabpab, aka Sabpub, aka Mdropper, aka Lamadai, aka Olyx

Sabpab, like the Flashback and Tibet malware, sneaks in through vulnerabilities in older versions of Java or Microsoft Office, requiring no user interaction. Although the vulnerabilities it relies on have been patched already, many users do not keep up with security updates as they should. However, it appears to have limited distribution; indications are that it may be used mostly to target Tibetan activists, like the Tibet malware. Sabpab installs a backdoor that can take screen captures, upload or download files and execute any code the hacker wants remotely. The Mdropper name, apparently, is applied to a malicious Microsoft Office document that installs Sabpab.

April 23, 2012, FkCodec/Codec-M
April 23, 2012, Maljava

Announced by Symantec, Maljava is a web-based drive-by downloader that uses the same Java vulnerabilities as Flashback to install malware. It apparently works on either Mac or Windows machines, dropping appropriate malware for the system. Specifics on what it does are unclear, and thus far I’ve seen no reports about this from anyone other than Symantec.

July 9, 2012, GetShell, aka SET.gen, aka ShellCode, aka MetaData, aka TESrel

GetShell uses a social exploit to get permission to access your computer, and installs a backdoor on Mac, Windows or Linux. Although the first variant only worked on machines capable of running PowerPC applications, the second variant included native Intel code, eliminating this limitation. Turning off Java in your web browser is recommended.

July 24, 2012, Crisis, aka Morcut, aka DaVinci

Crisis appears to be a government-sponsored trojan (which government is unknown), installed through Java-based social exploits, that is used to spy on a specific group of Moroccan journalists. It is almost certainly not a threat to anyone else, but if you’re a Moroccan journalist, or might be under the scrutiny of the same government that might be watching them, you would be well-advised to turn Java off in your web browser!

See the coverage of Crisis in my blog.

August 22, 2012, NetWeird, aka Wirenet

NetWeird is a rather lame remote access kit and trojan, for sale on the black market for $60. Although at this time it is extremely poorly made, and may not even actually be in the wild, it’s still possible some people may see this. For more information, see my blog coverage of NetWeird.

October 30, 2012, Jacksbot

Jacksbot is a Java application, possibly installed as a malicious Minecraft mod, that can infect multiple platforms including the Mac. Its main focus appears to be stealing Minecraft passwords, although it does appear to include other remote access capabilities. (Some of which may or may not work on the Mac, as the malware appears to be focused primarily on Windows, despite being written in a cross-platform language like Java.) If you don’t play Minecraft, you’ll probably never see this. If you don’t have Java installed and enabled on your computer, you’ll definitely never see it.

November 30, 2012, Dockster

Dockster is a backdoor app that is installed using the same Java vulnerabilities that Flashback used. Those vulnerabilities have been closed for some time now, but not everyone keeps their machines properly updated. It has only been spotted on a web site devoted to the Dalai Lama at this point.

December 11, 2012, SMSSend

SMSSend is a fake installer for legitimate software. It asks for a cell phone number during installation, and then charges a fee to that cell phone account for “service,” similar to many other texting scams. For more information, see my posts about SMSSend.

January 30, 2013, Pintsized

This malware is installed via Java vulnerabilities and opens a back door to allow hackers to access your Mac. It was named and described by Intego, and may be responsible for a number of high-profile security breaches.

February 13, 2013, CallMe

CallMe is a trojan that targets Tibetan activists, and installs a backdoor through a malicious Microsoft Word document. Installation relies on a Microsoft Office vulnerability (CVE-2009-0563) that was fixed in June of 2009. Few people are likely to ever see this malware, and even fewer are likely to still have a vulnerable version of Microsoft Office installed.

March 1, 2013, Minesteal

Trojan that pretends to give powerful in-game capabilities to Minecraft players, but actually steals passwords. Not a threat if you don’t download it, and it cannot be opened if you don’t have Java installed. For more information, see New Minecraft password-stealing trojan.

May 16, 2013, KitM

The first Mac malware to take advantage of code signing to allow it to get past Gatekeeper in Mountain Lion (Mac OS X 10.8). This malware would take screenshots at a constant rate and upload them to a server. It is no longer a threat, since Apple revoked the certificate used to sign the code, making future infections impossible.

For more information, see New Mac spyware found at freedom conference.

July 15, 2013, Janicab

Janicab uses code signing to get past Gatekeeper, and is disguised as a PDF file. The trojan takes screenshots and records audio, and uploads the captured files to a server. Within 24 hours of its discovery, Apple had revoked the developer certificate used to sign the app, making further infections impossible.

For more information, see New signed malware called Janicab.

August 2013, ClickAgent

ClickAgent is a malicious Safari extension that pretends to be Adobe Flash Player. In reality, it is adware that injects unwanted advertisements (often of a pornographic nature) into web pages. For more information, see my coverage of ClickAgent.

September 17, 2013, Leverage

A trojan that pretends to be an image file. See New Mac malware discovered: OSX/Leverage.

September 25, 2013, Icefog

A trojan disguised as graphics program Img2icns. The Mac version is a new variant of the Windows version, which has been used in targeted attacks since 2011, mainly in Japan and South Korea. For more information, see New Mac malware discovered: Icefog.

January 21, 2014, LaoShu

LaoShu is a trojan that is distributed via fake delivery notice e-mails. The e-mail contains a link that it instructs the user to click, which downloads what appears to be a PDF file. It is actually an application, however. Once installed, it will mine the infected system for data and send it off to a command and control server. For more information, see my coverage of LaoShu.

February 10, 2014, CoinThief

This malware disguised itself as a legitimate Bitcoin payment app, but actually stole the user’s bitcoins. For more information, see The Safe Mac’s coverage of CoinThief.

At this point, CoinThief is blocked by the built-in anti-malware protection in Mac OS X.

September 2014, XSLCmd

XSLCmd is malware ported from Linux to Mac OS X. How it is used is mostly unknown. No “dropper” is known, which may mean that this malware is only used in attacks against specific individuals, given physical access or some other such capabilities. It is not widespread, and will probably never be seen by the majority of Mac OS X users.

For more information, see the FireEye Labs report.

September 2014, iWorm
October 16, 2014, Ventir

Malware count: 51

<- Back to Mac Malware Guide