updated 04:20 pm EST, Tue February 19, 2013
Not yet spotted 'in the wild' but could become a threat
Anti-malware software maker Intego is confirming reports of new OS X malware it calls "Pintsized," which uses a modified version of OpenSSH to potentially set up a remote connection into a Mac, whereupon it could be used to snoop for the owner's private information. Though not yet seen "in the wild," the malware attempts to disguise itself with filenames that appear to belong to the normal OS X printing system, and sets itself to launch on startup.
The threat has the potential to become serious, as it uses an exploit in OS X to bypass Gatekeeper and establish a reverse shell over a secure connection, CNet reports. Currently, however, it is simply being discussed as a potential threat on security mailing lists and similar forums. Intego reports that all the network connections made by the Trojan have been sinkholed, so even machines that have inadvertently run the software are at little if any risk.
More details, such as where the attack is coming from and how to disable it should it be present on a system, are likely to appear before the threat can grow past the "proof of concept" stage. Apple updates Gatekeeper automatically on a routine (but silent) schedule, and will likely close the loophole in due course.
Part of the danger is that the malware uses the common SSH protocol, and that it uses names users might think are legitimate. Companies such as Intego are already updating their defenses to keep the malware from spreading. At present, users need to be aware of such a threat but not concerned about it, and do not yet need to update any anti-virus or anti-malware software they have installed, or to install new software.
Those who wish to manually check their systems for any sign of the malware (even though the Trojan's ability to set up a connection has already been thwarted) can consult Intego's blog post for the names of files that should be considered suspicious, along with a manual removal procedure.
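A defender-side check for the pattern the article describes (a startup item under a print-system-style name that runs an ssh-like binary from outside the system directories), written here as an added example rather than code from Intego, Apple or the article. The plist contents, labels and paths are constructed for illustration, and the allowlist of trusted prefixes is an assumption; the actual Pintsized file names are in Intego's blog post and are not reproduced here.

```python
"""Audit launchd items for print-system lookalikes that persist at startup."""
import plistlib
from typing import Dict, List

# Assumption: Apple-shipped printing and ssh binaries live under these prefixes.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/System/")
# Label fragments a lookalike might borrow from the printing subsystem.
PRINT_KEYWORDS = ("cups", "print")


def review_launch_item(plist_bytes: bytes) -> List[str]:
    """Return the reasons one launchd plist deserves a closer look ([] if none)."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    if not program:
        return ["no Program or ProgramArguments: cannot tell what it runs"]
    label = str(data.get("Label", "")).lower()
    trusted = program.startswith(TRUSTED_PREFIXES)
    reasons = []
    if bool(data.get("RunAtLoad", False)) and not trusted:
        reasons.append("runs at startup from a non-system path: " + program)
    if any(k in label for k in PRINT_KEYWORDS) and not trusted:
        reasons.append("print-system-style label but binary outside system directories")
    if "ssh" in program.lower() and not trusted:
        reasons.append("ssh-named binary outside system directories (possible modified OpenSSH)")
    return reasons


def audit(items: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each plist path to its reasons, keeping only the flagged ones."""
    return {path: r for path, blob in items.items() if (r := review_launch_item(blob))}


# Constructed samples standing in for files read from the LaunchAgents/LaunchDaemons
# folders: one genuine-looking CUPS daemon and one lookalike in a user-writable path.
SAMPLE_ITEMS = {
    "/System/Library/LaunchDaemons/org.cups.cupsd.plist": plistlib.dumps(
        {"Label": "org.cups.cupsd", "ProgramArguments": ["/usr/sbin/cupsd", "-l"],
         "KeepAlive": True}),
    "/Users/demo/Library/LaunchAgents/com.apple.cupsd.plist": plistlib.dumps(
        {"Label": "com.apple.cupsd",
         "ProgramArguments": ["/Users/demo/Library/.cups/sshd"], "RunAtLoad": True}),
}

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_ITEMS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On a real system the same function would be run over every plist under the user's and the system's LaunchAgents and LaunchDaemons folders, and anything flagged compared against the file names Intego lists.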