New “Ventir” malware

On Thursday of last week, Kaspersky announced their discovery of a new piece of Mac malware, which they are calling Ventir. I have held off writing anything about this until I could get some independent confirmation, as I tend to be skeptical of Kaspersky these days. (See Misinformation about “acoustical infections” and Kaspersky reveals “The Mask”.) However, I have tested my own copy of the malware at this point, and found that Kaspersky’s analysis seems to be fairly accurate in this case.

Kaspersky does not say how the malware gets installed, other than to call it a “trojan.” The sample I have is just a Unix executable file, which may have been part of an application or installer package, or which may have been intended to be used in targeted attacks with physical access to the Mac being targeted. Either way, executing this file in the Terminal infects the system.

The Kaspersky report points to a difference in behavior depending on whether “root” access is available (i.e., whether or not the user has provided an admin password to the malicious app). If this were part of a malicious app or installer, the user would have been asked for an admin password, and if the user refused to enter that password, the malware would simply install itself in a different way. If it were part of an attack requiring physical access, it would work whether the attacker knew the admin password or not.

When executed with “sudo” in the Terminal, which gives it root access, the dropper creates a folder named “.local” in the /Library folder, and installs a number of files inside it. (Because the “.local” folder’s name begins with a period, it is hidden from the user.) It also installs a file named “com.updated.launchagent.plist” in the /Library/LaunchDaemons folder, which keeps the “updated” executable file running at all times.

If root access is not available, it installs the “.local” folder in the user’s Library folder (~/Library) instead, without the kext.tar and Keymap.plist files that the root install drops. In this case, the com.updated.launchagent.plist file is created in the ~/Library/LaunchAgents folder.

Apple has not yet blocked Ventir with XProtect, but I provided them with the malicious executable file this morning, so hopefully they will update it shortly. Although an XProtect update will protect against Ventir in trojan form, it’s important to understand that if this is being used by an attacker with physical access to the computer, the attacker could bypass XProtect.

To identify whether you are infected or not, look in the following folders for the com.updated.launchagent.plist file:

~/Library/LaunchAgents/
/Library/LaunchDaemons/

(If you’re not sure how to find those folders, see Locating files from paths.)

If you find that file in either of those folders, you’re infected with Ventir.
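The check above, scripted, as an added example rather than anything from the original post or from Kaspersky’s report. It looks in both install locations the post describes (the non-root ~/Library variant and the root /Library variant) for the com.updated.launchagent.plist launchd job and for the hidden “.local” folder that holds the dropped files; the function names and output format are my own.

```shell
#!/bin/sh
# Added example (not from the original post): report the Ventir indicators
# described above for one Library folder.
# Usage: check_library <Library dir> <launchd subfolder>
#   check_library "$HOME/Library" LaunchAgents    # non-root install
#   check_library /Library        LaunchDaemons   # root (sudo) install
# Prints one line per indicator found; returns 0 if anything matched,
# 1 if the folder looks clean.
check_library() {
  lib="$1"
  sub="$2"
  found=1
  plist="$lib/$sub/com.updated.launchagent.plist"
  # The launchd job that keeps the "updated" executable running.
  if [ -f "$plist" ]; then
    echo "INDICATOR: launchd job $plist"
    found=0
  fi
  # The hidden ".local" folder the dropper creates (name starts with a period).
  if [ -d "$lib/.local" ]; then
    echo "INDICATOR: hidden folder $lib/.local"
    found=0
  fi
  return $found
}

# Check both locations named in the post; returns 0 if either shows indicators.
scan_mac() {
  hit=1
  check_library "${HOME:-/nonexistent}/Library" LaunchAgents && hit=0
  check_library /Library LaunchDaemons && hit=0
  return $hit
}

if scan_mac; then
  echo "Ventir indicators present; see the removal advice below."
else
  echo "No Ventir indicators found in either Library folder."
fi
```

A clean result here only means the file names from the report are absent; because the malware includes a backdoor, a positive result still calls for the full erase-and-reinstall described below.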

Unfortunately, because this malware includes a backdoor that could be used to install additional components or make malicious changes to your system, removal is not as simple as just removing the malicious files described in Kaspersky’s report. If you are infected, you need to erase your hard drive, reinstall the system and apps from scratch and restore data only (no settings files, apps, etc.) from a backup. See:

How to reinstall Mac OS X from scratch

Tags: Kaspersky, malware, trojan, Ventir