
1 Mac OS X backdoor Trojan, now in beta? Presenter: 劉旭哲

2 Introduction
It targets users of Mac OS X. As even the malware itself admits, it is not yet finished. It could be indicative of more underground programmers taking note of Apple's increasing market share.

3 Introduction
Not the first backdoor Trojan for OS X.
– HellRaiser (OSX/HellRTS) by McAfee
– This Trojan was detected earlier in 2010.
BlackHole RAT has the classic client-server architecture. The server (the Trojan itself) works only on Intel-based OS X machines, while the client also works on Microsoft Windows.

4 How It Works
Infects computers (victims) through downloads over the Web or a vulnerability in your browser, plugins, and other applications. The server will also open ports such as 10005, 10004, 10001, 10000, 9999, 7781, 7782, 7780, and 7779. The attacker can use the client to connect to the victim's machine on port 7777 and open port 7778 to accept incoming connections.

5 Method
Sophos calls it OSX/MusMinim-A, or 'MusMinim'. Its functions include:
1. Placing text files on the desktop
2. Sending a restart, shutdown or sleep command
3. Running arbitrary shell commands
4. Placing a full screen window with a message that only allows you to click reboot
5. Sending URLs to the client to open a website
6. Popping up a fake "Administrator Password" window to phish the target

6

7 After connecting, the attacker clicks More

8 Pop-up on the victim's Mac
This window only allows entering the account name and password and then clicking OK.

9 Default text that is displayed in the full screen window with the reboot button: "I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected! I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it. So, Im a very new Virus, under Development, so there will be much more functions when im finished."

10 Demo_Video

11 Conclusion
The BlackHole RAT Trojan seems to be copying the behavior of DarkComet.
– The author denies this relationship
Easy to kill
– Check port
– Kill process
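
The "check port" step from the conclusion, as an added example that is not part of the original slides: a shell function that filters `lsof` listener output for the ports listed on slide 4. The function names and the sample `lsof` lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Ports listed on slide 4 (server ports plus client ports 7777/7778).
BLACKHOLE_PORTS="7777 7778 7779 7780 7781 7782 9999 10000 10001 10004 10005"

# Reads `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and prints
# "PID COMMAND PORT" for each listener bound to one of the ports above.
find_suspect_listeners() {
  awk -v ports="$BLACKHOLE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    NR == 1 && $1 == "COMMAND" { next }      # skip the lsof header row
    $NF == "(LISTEN)" {
      port = $(NF-1)                          # e.g. *:7777 or [::1]:8080
      sub(/.*:/, "", port)                    # keep only text after last colon
      if (port in want) print $2, $1, port    # exact match, so 17777 is ignored
    }'
}

# Constructed sample of lsof output (not captured from a real host).
sample_lsof() {
  cat <<'EOF'
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1 root   21u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
sampleproc  412 alice   5u  IPv4 0x3c4d      0t0  TCP *:7777 (LISTEN)
sampleproc  412 alice   6u  IPv4 0x3c4e      0t0  TCP *:10005 (LISTEN)
httpd       230 root    4u  IPv6 0x5e6f      0t0  TCP [::1]:8080 (LISTEN)
devserver   977 alice   9u  IPv4 0x7a8b      0t0  TCP 127.0.0.1:17777 (LISTEN)
EOF
}

# Live check on the local machine when invoked with --live.
if [ "${1:-}" = "--live" ]; then
  lsof -nP -iTCP -sTCP:LISTEN | find_suspect_listeners
fi
```

A match is only a lead: several of these ports are also used by legitimate software, so inspect the owning process before the "kill process" step.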

