Summary
Backdoor:OSX/Olyx.C connects to a remote server to receive further instructions, without the knowledge or permission from the user.
Removal
Manual Removal Instructions
- 1. Open Activity Monitor, select DockLight, and click Quit Process.
- 2. Open Terminal, then execute the following:
- sudo rm /Applications/Automator.app/Contents/MacOS/DockLight
- rm ~/Library/LaunchAgents/com.apple.DockActions.plist
Technical Details
Arrival
Olyx.C is dropped into the system by malicious Word documents that exploit the vulnerability identified by CVE-2009-0563.
Installation
The malware drops the following copy of itself:
- /Applications/Automator.app/Contents/MacOS/DockLight
It creates the following launchpoint for the file above:
- ~/Library/LaunchAgents/com.apple.DockActions.plist
Payload
The malware connects to a2012[...].slyip.net[...] to obtain additional commands.
The backdoor is capable of performing the following actions:
- Downloading and uploading files
- Executing shell commands