Threat Description

Backdoor:OSX/Olyx.B

Details

Aliases: Backdoor:OSX/Olyx.B, Mac.OSX.Trojan.Lamadai.A
Category: Malware
Type: Backdoor
Platform: OSX

Summary

Backdoor:OSX/Olyx.B connects to a remote server to receive further instructions, without the user's knowledge or permission.



Removal

Manual Removal Instructions

  1. Open Activity Monitor, select AudioServer, and click Quit Process.
  2. Open Terminal, then execute the following commands:
    • rm /Library/Audio/Plug-Ins/AudioServer
    • rm ~/Library/LaunchAgents/com.apple.DockActions.plist
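The manual steps above as a script with a report-only default, so the artifacts can be listed and reviewed before anything is deleted. This is an added example, not an F-Secure tool; it uses only the file paths and process name given in this description, and the ROOT and HOME arguments are an added assumption so the same check can be run against a staged copy of a file system (a mounted image or a test directory) as well as the live Mac.

```shell
#!/bin/sh
# Added example (not F-Secure's tool): check a Mac for the Olyx.B artifacts
# named in this description and, only on request, remove them. ROOT and HOME
# let the check run against a staged tree instead of the live system; for the
# live system pass "" as ROOT and "$HOME" as HOME.

OLYX_DROP='/Library/Audio/Plug-Ins/AudioServer'                 # dropped copy
OLYX_AGENT='/Library/LaunchAgents/com.apple.DockActions.plist'  # under a user's home
OLYX_PROCESS='AudioServer'                                       # name seen in Activity Monitor

# olyx_artifacts ROOT HOME: print the path of each artifact present, one per line.
olyx_artifacts() {
    for f in "$1$OLYX_DROP" "$2$OLYX_AGENT"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# olyx_count ROOT HOME: print how many of the two artifacts are present (0, 1 or 2).
olyx_count() {
    olyx_n=0
    for f in "$1$OLYX_DROP" "$2$OLYX_AGENT"; do
        [ -e "$f" ] && olyx_n=$((olyx_n + 1))
    done
    echo "$olyx_n"
}

# olyx_agent_targets_dropper PLIST: succeed only when the LaunchAgent plist
# actually references the dropped binary, i.e. the launchpoint belongs to this
# infection rather than being an unrelated file that happens to share the name.
olyx_agent_targets_dropper() {
    [ -f "$1" ] && grep -qF "$OLYX_DROP" "$1"
}

# olyx_remove ROOT HOME: the manual steps above - quit the process (live system
# only) and delete both files. Run olyx_artifacts first and review its output.
olyx_remove() {
    pkill -x "$OLYX_PROCESS" 2>/dev/null || true
    olyx_artifacts "$1" "$2" | while IFS= read -r f; do
        rm -f "$f" && printf 'removed %s\n' "$f"
    done
}

# Usage on a live Mac:  olyx_artifacts "" "$HOME"   (report only)
#                       olyx_remove    "" "$HOME"   (clean up)
```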


Technical Details

Arrival

Olyx.B is dropped into the system by malicious Java applets that exploit vulnerabilities identified by CVE-2011-3544 and CVE-2012-0507.

Installation

The malware drops the following copy of itself:

  • /Library/Audio/Plug-Ins/AudioServer

It creates the following LaunchAgent as a launchpoint for the file above:

  • ~/Library/LaunchAgents/com.apple.DockActions.plist

Payload

The malware connects to a remote server to obtain additional commands. The server varies between samples. As of this writing, there are two known servers:

  • dns[...].assyra.com[...]
  • avira[...].suroot.com[...]

The backdoor is capable of performing the following actions:

  • Downloading and uploading files
  • Executing shell commands
