Security company Intego has discovered a new OS X backdoor trojan virus, dubbed Pintsized, that bypasses Gatekeeper to infect Macs and can help attackers get past firewalls by initiating an encrypted reverse-shell connection.
"This threat likely starts with an exploit to get it past Gatekeeper," reports Intego, referring to the security feature launched with OS X 10.7 Lion that aims to prevent users from installing malware by implementing a digital signature system.
"Once on a system, it sets up a reverse shell," Intego continues. "That is to say, rather than announcing to the controller that the machine is infected, the controller periodically contacts the infected machine to perform commands/ Initiating the contact from outside the affected machine potentially helps get past firewalls."
The threat can be difficult to spot, however. Intego explains that the connection is hidden among a file that is usually used for printing, and also erases all command histories to they cannot be tracked. Thankfully, though, the attacker also uses clear text Perl scripts that can be easily discovered by those who know what to look for.
The reported filenames that Intego has seen the virus generate are as follows:
com.apple.cocoa.plistcupsd (Mach-O binary)com.apple.cupsd.plistcom.apple.cups.plistcom.apple.env.plist
Intego said that, as of 19 February, its VirusBarrier anti-virus software was able to detect Pintsized, but that XProtect is unable to protect against the threat at the time of writing.