Top 5 Malware for Mac OS X Users Should Know About

Why you need a Mac OS X Antivirus: an overview of the most aggressive pieces of malware targeting Mac OS X users

For quite a while now, Mac OS X systems have been touted to be safer and “smarter” than regular PCs using Windows operating systems. And so they were, since Mac OS X users represented a small fraction of the entire Internet user-base. However, as the number of users embracing Mac OS X increased, so did the interest of malware authors to have a bite from the shiny apple.

At the moment, there are around 300 e-threats specifically designed for the Mac OS X platform. Some of them are simple adware-based applications ready to cash in on the unwary, but others are highly dangerous tools that can easily hijack e-banking sessions or expose the entire computer to the attacker. Below we present a few of the most dangerous e-threats that you should know about if you’re using a Mac-based computer.

Trojan.OSX.Jahlav.A & Trojan.OSX.Jahlav.A – The Fake Codec

The OSX.Jahlav family was discovered in November 2008, when it started to be distributed as a fake codec. In order to lure users into downloading and installing the malicious DMG (Disk Image) file, the gang behind this scheme created a page claiming to feature an “unplayable” video. If the user installs this alleged codec, the malicious payload starts downloading additional Trojans from a remote web server.

Trojan.OSX.RSPlug.A – Porn may get you phished even on a Mac

This is one of the most dangerous families of malware running on Mac OS X. The RSPlug Trojan also plays the missing-codec card in order to persuade the user to download and install the infected DMG. It is found particularly on websites with pornographic content. Once installed, the Trojan tampers with the DNS server entries in order to redirect traffic from legitimate addresses to copycat, spoofed domains set up by phishers to collect critical information about e-banking accounts, email and the like.

This kind of attack is extremely difficult to spot, since the user is redirected to the fake version of the website even when they manually type in the correct URL or when they open a bookmark that has worked in the past. The only hint would be the absence of the SSL certificate, but, since users hardly ever check for its presence, they probably won’t notice the trick.

Other uses of the RSPlug Trojan are related to redirecting users’ requests towards pornography websites or to websites asking to install adware / malware or take surveys.

Trojan.OSX.HellRTS.A – The Remote Access Tool

Trojan.OSX.HellRTS.A is more than a simple e-threat. It is a complex malware development kit that allows an attacker to create their own piece of malware for Mac OS X in no time. The pack contains a client-server application, where the server is the backdoor service running on the infected machine and the client application is used by the attacker to issue commands. Apart from the client and the server, the pack contains a Configurator – a config application that “fine tunes” essential aspects of the Trojan such as the listening port or connection password – as well as an SMTP grabber, used for routing ANY messages the victim receives to the attacker.

If the system has been successfully infected, a remote attacker may perform a wide range of operations on the infected computer, ranging from annoying pranks (such as launching chat instances, playing voices or instruments, launching applications and web pages, or shutting the system down / logging the user out etc.) to extremely harmful operations (including the execution of binary code, fetching all the data available on the HDD or routing all the incoming mails to an attacker’s address). The attacker can also watch the user work without their knowledge via the Desktop View module.

Trojan.OSX.OpinionSpy.A – Mac Screensavers reporting to the base

The OpinionSpy family of spyware is usually installed by a number of freely-distributed applications such as screen-savers and audio / video converters. The installer utility of these applications will fetch the spyware package, install it and run it with root privileges. Trojan.OSX.OpinionSpy.A poses as a marketing research tool, but it does more than collect users’ browsing habits and preferences: it also opens backdoors and shuffles through a great number of documents found on both local and remote drives. The Trojan poses a great danger to the user’s privacy and to the security of the stored data.

Trojan.OSX.Boonana.A – The Social Network Worm

Trojan.OSX.Boonana.A is a multi-platform e-threat that can run on Windows, Mac OS X and Linux alike. This Java-based piece of malware downloads a couple of malicious files into an invisible folder called “.jnana” in the user’s home folder, then installs a local IRC server and web server, among other components. The Boonana piece of malware will also attempt to change the DNS server settings in order to hijack requests for legitimate websites towards spoofed websites as part of an extremely efficient phishing scheme.
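The two symptoms shared by RSPlug and Boonana above are checkable from the defender's side: resolver entries that no longer match what the machine should be using, and a hidden “.jnana” folder in the home directory. The script below is an added example, not code from the article or from Bitdefender; it assumes the resolver list would normally be obtained with `networksetup -getdnsservers <service>` on a Mac, and the expected resolvers and the tampered list are constructed sample values so it runs offline.

```shell
#!/bin/sh
# Added example: check a Mac for the two symptoms described above.
# On a real machine, feed check_dns_servers the output of
#   networksetup -getdnsservers "Wi-Fi"
# Here the inputs are constructed samples (RFC 5737 documentation addresses).

EXPECTED_DNS="192.0.2.53 192.0.2.54"   # constructed: the resolvers you expect

# Prints every resolver in $1 (whitespace-separated) that is not on the
# expected list. Returns 0 if all entries are expected, 1 otherwise.
check_dns_servers() {
    rc=0
    for srv in $1; do
        case " $EXPECTED_DNS " in
            *" $srv "*) ;;                               # known resolver
            *) echo "unexpected DNS resolver: $srv"; rc=1 ;;
        esac
    done
    return $rc
}

# Returns 0 (and prints the path) if a hidden .jnana folder exists under
# the home directory given in $1, which is the drop location Boonana uses.
check_jnana_folder() {
    if [ -d "$1/.jnana" ]; then
        echo "hidden Boonana-style folder found: $1/.jnana"
        return 0
    fi
    return 1
}

# Demo on a constructed resolver list in which one entry was replaced.
TAMPERED_DNS="192.0.2.53 198.51.100.7"
check_dns_servers "$TAMPERED_DNS" || echo "DNS settings look tampered with"
check_jnana_folder "${HOME:-.}" || echo "no .jnana folder in ${HOME:-.}"
```

A resolver that is not on the expected list is the signal the article says users cannot see in the browser, so it is worth alerting on even when the page loads normally.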

In order to enjoy a safe surfing experience, we advise you to install a security solution for Mac OS X such as the one provided by BitDefender.

All products and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author
Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

1 Comment

  • Just a heads up but it looks like Intego had never seen adware on a Mac and was quick to call this a trojan and a backdoor – there are references all over the internet blasting them for getting this wrong and claiming a billion dollar publicly traded company is putting backdoors on systems. You might want to pull the post, just an fyi.

    A few quick credible references about it being adware:

    Reference: http://www.computersecurity.org/computer-cyber-security-news/analysis-securestudies-com-ossproxy-marketscore-opinionspy-adwarepupriskware-or-malware/

    Reference: http://doc.emergingthreats.net/bin/view/Main/2001564

    Reference: https://www.virustotal.com/en/file/726b325e1b3ea2cfbb1f57ece7a60734151b07874869b6ac6ac7ae5f23507295/analysis/