Macs Targeted By New Bitcoin-Mining Trojan ‘DevilRobber’


Updated 11:18 am ET, Tuesday, November 1, 2011

One of the advantages of being a Mac user (full disclosure, this post was written on a Mac) is that the platform is supposedly safer than Windows from the malware that abounds around the Web.

But now, just in time for Halloween, cybersecurity blogs are reporting that a strange and sophisticated new Mac OS X malware has sprung up masquerading as a pirated image editing program called GraphicConverter version 7.4, available for download on torrent websites.

Called “DevilRobber” (or more accurately, “DevilRobber.A”), the trojan accesses and steals an infected user’s “bash history file (this is a history of commands run in the Terminal application), saves the user’s Safari history file, takes a screenshot and saves that, and, if the user has a Bitcoin wallet, saves that as well,” Intego reports.

But the chief function of the trojan appears to be hijacking the graphics processing unit (GPU) of infected users’ computers to turn it into a Bitcoin miner, installing a “legitimate” Bitcoin program called DiabloMiner.

Bitcoin is of course the intensely controversial alternative virtual, peer-to-peer currency system that was launched in 2009 by international man of mystery Satoshi Nakamoto.

Bitcoin burst onto the mainstream and saw a sudden upswing in popularity when Gawker‘s Adrian Chen reported in June that it was the primary currency of an illicit online marketplace called Silk Road, accessible by anonymizing software Tor, where users traded in illegal drugs.

The report caught the attention of U.S. Sen. Chuck Schumer (D-NY) and Sen. Joe Manchin (D-WVA), who days later wrote to Attorney Gen. Eric Holder asking the Justice Department to investigate and shut down both the website and the currency. Both still operate freely.

Bitcoin and Nakamoto were recently the subject of a long treatment by The New Yorker. Meanwhile the value of the bitcoin currency itself suffered a severe crash, losing over half its value. One Bitcoin was equivalent to $3.36 USD at the time of this post, compared to its all-time high of $32 in June.

The new trojan takes advantage of two alleged positive attributes of the Bitcoin currency: The fact that it isn’t tied to any other world currency or market value (although it can be converted into U.S. dollar-equivalent values and can be purchased with real world currencies) and that it is a “crypto-currency,” that is, each Bitcoin is actually represented by a random series of 33 letters and numbers generated by a publicly available algorithm.

The system allows anyone with sufficient time, computational knowledge and power to generate their own Bitcoins out of thin air, aka Bitcoin mining, at least for the time being. Once 21 million Bitcoins are issued, the market will stop issuing new ones.

But generating Bitcoins from scratch requires more computation power than most average users have on their personal computers, hence the rise of Bitcoin malware, designed to hijack unwilling users’ machines and turn them into Bitcoin miners.

As Sophos security blogger Graham Cluley explains, “GPUs are much better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.”

Indeed, Bitcoin mining via malware has become something of a micro-industry in and of itself over the past year (2011), with reports of various Bitcoin malware popping up around the Web and the world. One employee of the Australian Broadcasting Company was even reportedly caught using his employer’s computer servers to mine for Bitcoins.

But this appears to be the first known Mac OS X-specific Bitcoin trojan.

Sophos and Intego have both updated their anti-virus software to detect and protect against the threat. TPM has contacted Bitcoin’s programmers about what they’re doing in response to the threat and will update when we receive a response.

Late update: Intego spokesman Peter James emailed TPM to confirm that the DevilRobber is a new breed. As James wrote, “This is the first Trojan horse of this kind that we have found. It is also the first Mac malware we have seen that does BitCoin mining. We first detected this last Friday, October 28, and it is found in a number of different Mac applications. There’s no way we can estimate the number of users infected, as many BitTorrent trackers will pick up torrents listed on other trackers.”

Bitcoin programmer Wladimir van der Laan also emailed TPM, saying our email was the first he’s heard of the malware, but adding that it was probably a contained and minimal threat.
