HellRTS Backdoor Mac malware can allow Malicious Remote Users to control system

by: admin on April 19th, 2010 at 2:31 am

Intego Security has issued a security warning for Mac OS X users regarding a variant of malware that dates from 2004. HellRTS (classified as OSX/HellRTS.D), once installed on a Mac running OS X, opens a backdoor, allowing hackers to remotely control the system for wrongful purposes. HellRTS was written in RealBasic as a Universal Binary, so it can affect either PowerPC or Intel-based Macs. Once executed, it sets up its own server and configures a server port and password. It duplicates itself under the names of different applications and adds the new copy to the user’s login items to ensure that it starts up at login (these different names can make it hard to detect, not only in login items but also in Activity Monitor).

It can send e-mail with its own mail server, contact a remote server, and provide direct access to an infected Mac. It can also perform a number of operations such as providing remote screen-sharing access, shutting down or restarting a Mac, accessing an infected Mac’s clipboard, and much more. Unlike on PCs, Mac executables need to be authorized by the user, so it won’t install secretly like a Windows trojan. However, the writers have used various social-engineering methods to fool users into thinking the operations they are carrying out are legitimate.

The malware has not been found in general circulation yet (it is not in the wild), but Intego states that the program can be planted within files on warez-based forums on the web. The best advice is to be careful when downloading any software from those types of forums, and if you are not sure, do not download it at all. Intego’s VirusBarrier X6 has the latest heuristics and can eliminate the malware if a system does become infected.
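An added example, not from Intego or the original post: one way to check for the self-duplication described above is to hash the executable behind each login item and flag identical code registered under different application names. The list of login-item paths is assumed to be gathered separately; `find_renamed_copies`, `make_bundle` and the bundle names in `demo` are hypothetical and the sample data is constructed.

```python
import hashlib
import plistlib
import tempfile
from collections import defaultdict
from pathlib import Path

def main_executable(item):
    """For a .app bundle return its CFBundleExecutable file, else the path itself."""
    item = Path(item)
    if item.is_dir() and item.suffix == ".app":
        info = plistlib.loads((item / "Contents" / "Info.plist").read_bytes())
        return item / "Contents" / "MacOS" / info["CFBundleExecutable"]
    return item

def find_renamed_copies(login_items):
    """Return (copies, unreadable): copies maps a hash seen under several names to those paths."""
    by_hash, unreadable = defaultdict(set), []
    for item in login_items:
        try:
            data = main_executable(item).read_bytes()
        except (OSError, KeyError, ValueError):
            unreadable.append(str(item))  # missing or malformed: review by hand
            continue
        by_hash[hashlib.sha256(data).hexdigest()].add(str(item))
    copies = {h: sorted(p) for h, p in by_hash.items()
              if len({Path(x).name for x in p}) > 1}
    return copies, unreadable

def make_bundle(root, app_name, payload):
    """Build a constructed .app bundle for the demo (sample data only)."""
    macos = Path(root) / app_name / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    (macos / "main").write_bytes(payload)
    (macos.parent / "Info.plist").write_bytes(plistlib.dumps({"CFBundleExecutable": "main"}))
    return macos.parents[1]

def demo():
    # Constructed input: two names for the same code, one unrelated app, one missing item.
    with tempfile.TemporaryDirectory() as root:
        items = [make_bundle(root, "Updater.app", b"constructed-code-A"),
                 make_bundle(root, "Helper.app", b"constructed-code-A"),
                 make_bundle(root, "Notes.app", b"constructed-code-B"),
                 Path(root) / "Gone.app"]
        copies, unreadable = find_renamed_copies(items)
        return ([[Path(p).name for p in g] for g in copies.values()],
                [Path(p).name for p in unreadable])

if __name__ == "__main__":
    print(demo())
```

A match only shows that two login items run byte-identical code under different names; each hit still needs a manual look before anything is removed.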
