Incident Response, Malware, TDR

Modular malware for OS X includes backdoor, keylogger components

Researchers have discovered Mac malware, dubbed “Ventir,” which includes several malicious components, including a backdoor, keylogging and trojan module.

Kaspersky Lab's Mikhail Kuzin revealed last week that the malware's keylogging module notably makes use of open source keylogger software, LogKext, for OS X platforms. In his blog post, Kuzin likened the malware's modular structure to another Mac trojan Kaspersky first warned users about in July 2012, called “Morcut.”

He wrote that, as soon as the Ventir trojan dropper component is launched on a victim's computer, it checks whether it has root access to the system, in order to determine where to install the trojan's files.

Ventir's backdoor module, its program database file, and other files are among those installed by the malware, Kuzin said. If root access is available to the malware, “the dropper loads the logging driver into the kernel using the standard utility OS X kextload,” Kuzin wrote. “After that, Trojan-Dropper.OSX.Ventir.a launches the file reweb and removes itself from the system.”

The backdoor component of Ventir is capable of updating itself, restarting the backdoor, and sending user data to an attacker operated server, among other feats. Sensitive data, like user logins and passwords for email accounts, for instance, can be instantly logged by the trojan as victims' type, Kuzin warned.

“This threat is especially significant in view of the recent leaks of login and password databases from Yandex, Mail.ru and Gmail. It is quite possible that malware from the Ventir family was used to supply data to the databases published by cybercriminals,” he wrote.

In Monday email correspondence with SCMagazine.com, Roman Unuchek, senior malware analyst at Kaspersky Lab, said that, so far, only a few Ventir infections have been detected in China, and that its command-and-control server is hosted in the country as well. But, he added, the most troubling characteristic of the trojan is its modular structure.

“It has different modules which are dangerous even alone. But all together they are even more of a threat,” Unuchek wrote.

In his blog post, Kuzin added that discovery of Ventir demonstrates that such malware will only become more prevalent as time passes – particularly as “open-source software makes it much easier for cybercriminals to create new malware," he said.

“This means we can safely assume that the number of Trojan-Spy programs will only grow in the future,” Kuzin wrote.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.