Security company Intego has discovered new OS X backdoor trojan malware, dubbed Pintsized, that bypasses Gatekeeper to infect Macs and can help attackers get past firewalls by initiating an encrypted reverse-shell connection.

"This threat likely starts with an exploit to get it past Gatekeeper," reports Intego, referring to the security feature launched with OS X 10.7 Lion that aims to prevent users from installing malware by implementing a digital signature system.

"Once on a system, it sets up a reverse shell," Intego continues. "That is to say, rather than announcing to the controller that the machine is infected, the controller periodically contacts the infected machine to perform commands/ Initiating the contact from outside the affected machine potentially helps get past firewalls."

The threat can be difficult to spot, however. Intego explains that the connection is hidden among a file that is usually used for printing, and also erases all command histories to they cannot be tracked. Thankfully, though, the attacker also uses clear text Perl scripts that can be easily discovered by those who know what to look for.

 

The reported filenames that Intego has seen the malware generate are as follows:

  • com.apple.cocoa.plist
  • cupsd (Mach-O binary)
  • com.apple.cupsd.plist
  • com.apple.cups.plist
  • com.apple.env.plist

At present, Pintsized doesn't appear to be a widespread threat, and Intego believes that this may have been a targeted attack. Nevertheless, Intego said that, as of 19 February, its VirusBarrier anti-virus software was able to detect Pintsized, but that XProtect is unable to protect against the threat at the time of writing.

See also:

Less than half of Mac owners have anti-virus software installed

Apple releases Java update and malware removal tool following cyber attack

New Mac Malware charging user's mobile accounts

New 'Dockster' malware targets Apple computers

New Mac malware stealing passwords