Wednesday, April 28, 2010

The Not Quite In-The-Wild
Hacker Tool "Trojan"

"Take a deep breath and count to ten. One, two, three..."

This past couple weeks the incoherent, or should I say incompetent, nature of the anti-malware community has become evident yet-again through the discovery and discussion about a new variation of a hacker tool called 'OSX.HellRTS.D'. I am going to use that name because my best estimation is that it was first described by Intego, and that is their chosen name. It also follows the published malware naming protocol.

As per usual, other anti-malware companies could not bother to stick to the source name and have proliferated the usual WHATEVER of their own names, those being 'Hellraiser' and 'Pinhead'. Further confusion includes the addition of '.D' at the end of Intego's name. I have no idea why it is there. It indicates that this is supposed to be the FOURTH variant of this 'malware', and yet no one, including Intego of course, provides any reference to variants ".A", ".B" or ".C". I am going to toss out a wild guess that ".D" only means that this hacker tool has three previous versions known well only within the hacker community.

UPDATE: I have verified that 'Hellraiser' is the actual name of the source hacker tool of which HellRTS.D is the fourth variation.

Why I'm counting to ten: Because there are no signs of improvement in the chaotic nature of the anti-malware community. Anti-malware is supposed to be a 'professional' endeavor. The only reliably professional thing I have found so far in the community is that people make money in it. Otherwise, as a trained and experienced scientist, I find the community to be nothing more than 'A Pack Of Cards', as Lewis Carroll put it. That is to say it is a bunch of playing card characters disagreeing with one another over nonsense.

Which is to say quite bluntly:

The anti-malware community is not entirely scientific in nature.

(I am so itching to have someone disagree with my statement above. I dare you.)

Of course, enough of my own injection of subjective emotion into what should be an objective, scientific subject. Here's the lowdown on this new 'Trojan':

So far OSX.HellRTS is entirely ignorable. It is being distributed as a hacker tool out on the Internet, but has NOT been utilized as malware 'in-the-wild'. Instead it is being described as capable of being used as malware in-the-wild. When or if OSX.HellRTS becomes anything more than a hacker tool, I'll provide more detailed information.

In the meantime, here are some links for those who would like to dig around in the details:

David Harley has written a series of articles about HellRTS at his poorly named "Mac Virus" blog. David provides some very useful information through his professional work for the Mac community, which I very much appreciate. However, David also often makes his own contributions to the chaotic nature of the anti-malware community, fitting my fittingly harsh appraisal. Therefore, when you read his articles, "Take a deep breath and count to ten...."

Hellish Mac Malware

More on that hellish Mac malware...

OSX/HellRTS - more info

Here are Intego's source articles about OSX.HellRTS:

HellRTS Backdoor Can Allow Malicious Remote Users to Control Macs

Intego Security Memo: HellRTS Backdoor Can Allow Malicious Remote Users to Control Macs

Now for the firing squad:

These are reports from other anti-malware companies that chose to use their own WHATEVER name for OSX.HellRTS. They should be lined up against a wall. As you click each of the links below, think to yourself:


Sophos: "OSX/Pinhead-B"


iAntiVirus (PC Tools): "Backdoor.OSX.Hellraiser" <- Search on this page for 'Hellraiser' to read its description.

As usual I'm not going to bother with references to Symantec or MacScan articles. Why? Why bother.

If there are hackers who'd like to share the history of the Hellraiser hacking tool, please let us know via the comments! I'd be most interested.

No comments:

Post a Comment