EasyDoc Malware Adds Tor Backdoor To Macs For Botnet Control (theregister.co.uk)
An anonymous reader writes: Security firm Bitdefender has issued an alert about a malicious app that hands over control of Macs to criminals via Tor. The software, called EasyDoc Converter.app, is supposed to be a file converter but doesn't do its advertised functions. Instead it drops complex malware onto the system that subverts the security of the system, allowing it to be used as part of a botnet or to spy on the owner. "This type of malware is particularly dangerous as it's hard to detect and offers the attacker full control of the compromised system," said Tiberius Axinte, Technical Leader, Bitdefender Antimalware Lab. "For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless." The malware, dubbed Backdoor.MAC.Eleanor, sets up a hidden Tor service and PHP-capable web server on the infected computer, generating a .onion domain that the attacker can use to connect to the Mac and control it. Once installed, the malware grants full access to the file system and can run scripts given to it by its masters. A report on AppleInsider says that malware can also control the FaceTime camera on a victim's computer. But thankfully, Apple's Gatekeeper security prevents the unsigned app from being installed.
Nice to see the security features of an *nix based OS working here. Gatekeeper will prevent most from installing it, and for those who disable security features, you ought to know what you are doing anyway.
And - unwritten in TFA is the fact that there will probably be a fix for this post haste.
I get this download offered a lot when I'm on dodgy file sites. I never trust these anyways, and a moment's research on Google brings up lots of complaints.
But I'm there, on this dodgy site, and I expect they will try to fling poo at my machine. So I have always avoided it.
And having a Windows machine, everything wants to infect it, even Windows Update.
deleting the extra space after periods so i can stay relevant, yeah.
Hello APK. Didn't you want to leave this site after you've had a quarrel with whipslash? In fact you claimed to have made your "last post ever" on this site!
"Go ahead - download that iffy software from some random pr0n site advert so you can see your b00bie pictures better... it'll be fine..."
Quo usque tandem abutere, Nimbus, patientia nostra?
"souled-out to admen"
Total fail. My 11-year-old wouldn't make this ridiculous spelling error.
Yeah, Gatekeeper prevents it from being installed... Unless the user right-clicks and clicks open in the menu there... Then it's game-on.
And if that wasn't allowed, the entire innertubes would be ablaze about how the Mac is not allowing software from anywhere but the App Store.
So tell me, how EXACTLY does Apple "win" here?
Users banning other users? What crack are you on?
I can set someone as foe and make all foes show as -6 moderation, but that only shows for me, not everyone else. You can also be down-modded for trolling or posting off topic and get bad karma which makes it harder to make good posts, but that isn't banning either.
You don't have an account for the same reason APK refuses to use his account; you don't want to be held accountable for what you post.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Well, TBH, Macs have hosts files too, and they are just as useless for what APK wants everyone to do.
Because posting your garbage three times will make people see the light of day?
Grow up APK, your software and solution totally suck, and don't protect half as well as a proper solution of DNS or Ad blocking software.
Four times now? No wonder Whipslash wants to get rid of you, I guess it is the same as everyone else. Spam is annoying when it comes in through email, where it is simple to just delete, but on Slashdot, you just piss off the audience, you don't even get through to the people you are targeting.
How exactly does that in any way refute what I said?
No one wants to be advertised to, you try to make a living from blocking people advertising to others...by advertising. You are pissing off people who don't want to see advertising, to try to get them to pay money for your product that blocks advertising. How about a product that will block your advertising, I'd pay for that!
You are not winning people over to your side by spamming Slashdot, you just piss people off, and make them remark on your possible mental illness.
Except, APK, you have in no way made a fool of me. You have instead repeatedly displayed your unfathomable ignorance of technology, and human interaction.
Whipslash is the face of Slashdot, he doesn't fear your hosts file software in any way, he fears losing users because you drive them off with your spam, which is far worse than any ad they run on this site. The ads on this site are quite tasteful, and targeted well at the audience. If you don't like them, block them. They used to have a "turn off advertising" checkbox for people who contribute well to Slashdot's discussions, however that stopped working properly under Dice as far as I have heard. Whipslash I believe said he wanted to fix that checkbox, but I could be misremembering that conversation.
You however, there is no way to block. You spam the hell out of so many discussions because you think you are helping things. You also for some reason believe you are being persecuted, even though the down modding is because you are spewing garbage, not because people dislike you.
Again, you haven't refuted anything I said, just provided more evidence of your lack of reading abilities.
So, APK (you...), advertising a software product for Windows hosts file manipulation, in response to a piece of malware that your hosts file wouldn't be able to stop, that is only for MacOS. Yeah, totally on topic, congratulations on your off topic masterpiece!
Get on topic, APK, you are so far off topic it isn't even funny. Keep railing away at me, I have all day.
So, since output of your software will work on a Mac, how does a Mac owner use your software? Running your software just to get a hosts file which will slow down the computer's network access by a considerable amount...again, the worst solution ever, that won't block anything about this malware.
APK, trying to claim I am offtopic when I am responding directly to what you posted makes you look like a pot. I am only a black kettle if you are a black pot. As you seem to think a WINDOWS only solution, that generates a hosts file that WOULDN'T stop this malware, is on topic, why are you telling me to stay on topic (which I am entirely)?
Oh, and as far as native MacOS, use Safari to download the hosts files from the internet, use cat [files] | sort | uniq > hosts. Wow, that is a HARD solution. I guess that makes me the Ultimate Programmer and Security expert just like you APK!
Wow, it looks like I touched a nerve, does diddums need to have a cry?
I'm sorry that you are such an incompetent programmer that I can write out what your program does in 10 seconds. It must burn you up that you can't actually program worth a damn, so have to hide your source code.
I wrote it, therefore it is my code.
See, the thing is, I have never claimed to be an epic programmer, yet you have, without proving yourself even once.
You know you fail when trying to prove yourself as an expert, because you aren't. You are a wanna-be with no credentials trying to act all big and tough and demand others' credentials without ever giving your own.
I have written something in 10 seconds that does everything your crapware does. I have proven my ability, but you still haven't proven yourself anything more than a blowhard.
Have fun in your incompetence, I am not giving you my credentials until you provide your own.