SecureMac say they have discovered a new version of BlackHole RAT trojan horse as labeled by the hacker as 2.0 for Mac OS X. This new version should not be confused with an older variant already detected back in February by SecureMac as BlackHole RAT 1.0c that has recently been in the news called OSX/BlackHoleRAT.B.
Upon first release of BlackHole RAT 1.0, SecureMac identified three variants of the trojan horse, including one disguised as Apple’s Safari web browser. At that time, it was noted that the trojan horse appeared to be a work-in-progress, and that further variants would probably appear in the future.
SecureMac says their prediction proved to be correct, as there is a brand new version of the trojan horse currently being passed around on hacker message boards. This new version of the trojan horse is substantially different than previous variants, and is described as version 2.0 by the hacker who created it.
The new version of the trojan horse adds itself as a log-in item disguised as Java, has a more believable prompt for username and password, slows down the computer by tying up the CPU with a loop function, executes shell commands, and can attempt to erase the hard drive.
In the version analyzed by SecureMac, the author states that the trojan horse is unstable, but an upcoming version will improve stability. It appears that development of this program is ongoing, and the author recently posted to a hacker message board that the new version has been completed and is currently in testing, so we expect that it will soon be distributed in a more widespread fashion.
This new version of the trojan horse is detected by MacScan as “BlackHole RAT 2.0a” in the spyware definitions update released on March 31st, 2011.
The original SecureMac security bulletin about BlackHole RAT 1.0 trojan horse can be found here: http://www.securemac.com/blackholerat-bulletin.php .