OSX/HellRTS

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Remote Access
  • Protection Added: 2010-04-21
This description covers a remote access trojan consisting of a server component, a client component and a server editor component. The characteristics of this Trojan, such as the file names and the port number used, differ depending on how the attacker configured it, so this is a general description.
  • Minimum Engine: 5400.1158
  • File Length: Varies
  • Description Added: 2010-04-21
  • Description Modified: 2010-04-21

Malware Proliferation

Server Component:

When the server component is executed on the victim's machine, the malware opens a preconfigured port and waits for an incoming connection from the attacker.

The malware also sends the attacker a notification containing the victim's IP address and the port on which the malware is listening. Once the attacker has this information, he can connect to the victim remotely using the client component.

Server Editor Component:

The server editor component is used by the attacker to create or edit the server component.

The following are some of the functions available in the server editor component:

  • Change the file name of the server component
  • Choose from a range of notification methods (email, FTP etc.), used to notify the attacker of the victim's name and IP address so the attacker can connect to the victim remotely
  • Change the port number on which the Trojan listens for incoming connections
  • Choose a startup method, so the malware executes automatically when the machine is rebooted
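The two server-side behaviours described above, an unexpected process listening on a preconfigured TCP port and a startup method that relaunches it after reboot, are what a responder can hunt for on a suspect Mac. The following is an added example, not code from the original page or from McAfee: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN`, flags network-reachable listeners that are not on an allow-list, and correlates each one with a `RunAtLoad` launchd agent whose program has the same name. The `lsof` lines, the plist, the `Updater` binary name and the port 21555 are all constructed sample data chosen for the example; nothing on the page states which names or ports HellRTS uses, since the attacker configures them.

```python
"""Hunt for a HellRTS-style listener with launchd persistence on macOS.

All sample data below is constructed for this example. On a real host,
replace LSOF_SAMPLE with `lsof -nP +c 0 -iTCP -sTCP:LISTEN` output and
LAUNCH_AGENTS with the contents of ~/Library/LaunchAgents/*.plist.
"""
import os
import plistlib
import re
from dataclasses import dataclass

# Constructed lsof output: two expected system listeners and one hypothetical
# user-level binary ("Updater") listening on all interfaces.
LSOF_SAMPLE = """\
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd      1   root   8u   IPv6 0xa1   0t0      TCP *:22 (LISTEN)
cupsd       92   root   7u   IPv6 0xa2   0t0      TCP [::1]:631 (LISTEN)
Updater   4242  alice   5u   IPv4 0xa3   0t0      TCP *:21555 (LISTEN)
"""

# Constructed launchd agent that starts the hypothetical binary at login.
LAUNCH_AGENTS = {
    "/Users/alice/Library/LaunchAgents/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/Updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
""",
}

# Processes that legitimately listen on this host; tune per environment.
EXPECTED_LISTENERS = {"launchd", "cupsd", "rapportd", "sharingd"}


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    addr: str
    port: int


# COMMAND PID USER ... TCP <addr>:<port> (LISTEN)
LISTEN_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+.*\bTCP\s+(\S+):(\d+)\s+\(LISTEN\)$")


def parse_listeners(lsof_text):
    """Turn lsof LISTEN lines into Listener records; the header is skipped."""
    listeners = []
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3),
                                      m.group(4), int(m.group(5))))
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED_LISTENERS):
    """Listeners reachable from the network whose process is not allow-listed."""
    return [l for l in listeners
            if l.command not in expected and l.addr not in ("127.0.0.1", "[::1]")]


def persisted_programs(agents):
    """Map program basename -> (plist path, program path) for RunAtLoad agents."""
    out = {}
    for path, blob in agents.items():
        pl = plistlib.loads(blob)
        args = pl.get("ProgramArguments") or [pl.get("Program", "")]
        if args and args[0] and pl.get("RunAtLoad"):
            out[os.path.basename(args[0])] = (path, args[0])
    return out


def correlate(lsof_text, agents):
    """Join suspicious listeners with launchd persistence for the same program."""
    findings = []
    persisted = persisted_programs(agents)
    for l in unexpected_listeners(parse_listeners(lsof_text)):
        # Without +c 0, lsof truncates COMMAND to 9 characters, so match by prefix.
        match = next((v for k, v in persisted.items() if k.startswith(l.command)), None)
        findings.append({"pid": l.pid, "command": l.command, "user": l.user,
                         "port": l.port, "persistence": match})
    return findings


if __name__ == "__main__":
    for f in correlate(LSOF_SAMPLE, LAUNCH_AGENTS):
        print(f)
```

On a live system, pair the listener check with the notification behaviour: a freshly started user-level process that both listens on a port and makes an outbound SMTP or FTP connection shortly after launch is exactly the pattern the server component exhibits.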

Given below are some screenshots of the server editor component:

[Screenshot 265239_02: server editor component]

[Screenshot 265239_03: server editor component]

Client Component:

The client component runs on the attacker's computer and connects remotely to the server component on the victim's machine.

The following is a list of some of the functions available to the attacker:

  • Process Manager (list and kill running processes)
  • File Manager (list, upload, download, delete)
  • Open a chat box and chat with the victim
  • Pranks played on the victim (opening and closing the CD-ROM tray, playing videos or sounds)
  • Read or modify the contents of the clipboard
  • Desktop log off, reboot or shutdown

Given below is a screenshot of the client component of the remote access trojan:

[Screenshot 265239_01: client component]

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when files are received via P2P clients, IRC, email or other media where users share files.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or on unpatched and otherwise vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Presence of the server component on the machine, under whatever file name the attacker configured with the server editor, and of the listening port it opens.