Analysis by: Roland Marco Dela Paz

ALIASES:

Backdoor:MacOS_X/Olyx.B (Microsoft)

 PLATFORM:

Mac OS X


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware

This malware arrives as the payload of an email campaign that exploits pro-Tibetan sentiments. The campaign uses that subject or content to lure users into opening the email so that the malware is downloaded or executed on the affected user's system.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

  TECHNICAL DETAILS

File Size: 60,100 bytes
File Type: Mach-O
Memory Resident: Yes
Initial Samples Received Date: 09 Apr 2012
Payload: Compromises system security, Connects to URLs/IPs

Arrival Details

This backdoor may be dropped by the following malware:

  • JAVA_RHINO.AE

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Create or delete folders
  • Download and execute file
  • List drives and files
  • Manipulate files
  • Open an instance of bash shell where a remote malicious user may execute commands
  • Search folders
  • Upload files to its server

It connects to the following websites to send and receive information:

  • avira.{BLOCKED}t.com

NOTES:

This malware drops its backdoor component as /Library/Audio/Plug-Ins/AudioServer. It creates the property list file /Library/LaunchAgents/com.apple.DockActions.plist in order to execute itself at every system startup.

It reports system infection by sending the following information to its C&C server:

  • Host name
  • IP address

  SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 8.900.02
FIRST VSAPI PATTERN DATE: 10 Apr 2012
VSAPI OPR PATTERN File: 8.901.00
VSAPI OPR PATTERN Date: 11 Apr 2012

Step 1

Remove the malware/grayware file that dropped/downloaded OSX_OLYX.EVL.

Step 2

Terminate the malware process. To terminate the malware process, open a Terminal window and perform the following:

  1. Enter the following command:

    ps -A

  2. In the Terminal window, search for a line similar to the following:

    {number} ?? Ss {time} /Library/Audio/Plug-Ins/AudioServer

    Take note of the number. This number is the malware process ID (PID).
  3. Enter the following command:

    kill {malware PID}

Step 3

Delete files dropped by this malware. To delete the autostart file and the backdoor component, open a Terminal window and type the following commands:

    rm "/Library/LaunchAgents/com.apple.DockActions.plist"

    rm "/Library/Audio/Plug-Ins/AudioServer"

Step 4

Scan your computer with your Trend Micro product to delete files detected as OSX_OLYX.EVL. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

To open a Terminal window, double-click Applications > Utilities > Terminal in Finder.

To close the Terminal application, press ⌘ (Command) + Q.
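
The checks behind Steps 2 and 3 can be scripted. The following is an added shell example, not Trend Micro's code: it looks for the two dropped files and for a process whose command is the backdoor path. The function names, the `--report` switch and the optional root prefix (for checking a mounted disk image instead of the live system) are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the OSX_OLYX.EVL artifacts named on this page.
OLYX_BIN="/Library/Audio/Plug-Ins/AudioServer"
OLYX_PLIST="/Library/LaunchAgents/com.apple.DockActions.plist"

# Print every artifact found under ROOT (hypothetical prefix, e.g. a mounted
# disk image; empty means the live system). Returns 0 if any exists.
olyx_find_files() {
    root="${1:-}"
    found=1
    for path in "$OLYX_BIN" "$OLYX_PLIST"; do
        if [ -e "${root}${path}" ]; then
            printf '%s\n' "${root}${path}"
            found=0
        fi
    done
    return "$found"
}

# Read `ps` output on stdin and print the PID of each process whose command
# (the field right after the TIME column) is exactly the backdoor path.
# Matching the command column skips lines such as `grep <path>`.
olyx_find_pids() {
    awk -v bin="$OLYX_BIN" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i < NF; i++)
                if ($i ~ /^[0-9]+:[0-9][0-9]/) {
                    if ($(i + 1) == bin) print $1
                    break
                }
        }'
}

# Report findings on the live system; returns 1 if anything was found.
olyx_report() {
    rc=0
    if files=$(olyx_find_files "${1:-}"); then
        printf '%s\n' "$files" | sed 's/^/dropped file present: /'
        rc=1
    fi
    pids=$(ps -A | olyx_find_pids)
    if [ -n "$pids" ]; then
        printf '%s\n' "$pids" | sed 's/^/backdoor process PID: /'
        rc=1
    fi
    return "$rc"
}

# Run the report only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--report" ]; then olyx_report "${2:-}"; fi
```

Run it with `--report` before and after the removal steps; a clean system prints nothing and exits with status 0.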

