The Safe Mac

Macintosh Malware Catalog


Below is a list of the Mac trojans that I know of. If I have left anything off this list, please let me know. Due to the extreme rarity of Mac malware, it's often difficult to find good information about it... very few people have actually ever seen any of it.

Threat Level
Malware Name
Low
Word macro viruses
Appeared 1990s / Description modified August 3, 2012

These viruses have been around since long before Mac OS X, and could infect both Mac and Windows through Microsoft Office products. They were written in a scripting language that allowed automated tasks to run when a Word, Excel or PowerPoint file was opened. They were once the most prevalent and dangerous of all Mac viruses, and even played a significant role in the retirement of Disinfectant in the pre-X days. However, the scripting language they relied on was removed from MS Office 2008, and in Office 2004 you would be warned by default when opening a file containing a macro.

Unfortunately, the re-introduction of that scripting language in Office for Mac 2011 has re-opened this old can of worms for Mac users. In the Security pane of Word's preferences, you should make sure to check the box labeled "Warn before opening a file that contains macros." If you think you may have contracted a Word macro virus, see Microsoft's instructions for dealing with the virus.

None
MW2004
Appeared early 2004 / Description modified November 22, 2011

First seen in early 2004, this AppleScript trojan pretended to be an installer for Microsoft Word 2004, but actually did its best to delete the user's home folder. In my opinion, anyone stupid enough to try to download pirated software got what they deserved with this one. It is extremely unlikely anyone will encounter this malware by now.

None
Renepo, aka Opener
Appeared late 2004 / Description modified November 22, 2011

This trojan is a shell script that must be intentionally run by someone with root privileges. Once installed, it would open up some backdoors to allow a hacker access to your machine. If this malware can still be found by now, it is certain the hackers behind it are no longer active (or have moved on to other things), so there's nobody waiting to come in the back door!

None
Cowhand
Appeared April 2005 / Description modified November 12, 2012

Described only in a very vague way by Sophos, it's unclear exactly what this malware might have been. I suspect, since it's difficult to find any references to Cowhand other than ones related to Sophos' report, that it was a proof-of-concept trojan that was never actually seen in the wild.

None
Exploit.OSX.Safari, aka OSX.Exploit.Metadata
Appeared 2006 / Description modified November 22, 2011

This malware relied on a vulnerability in Safari that was closed by Security Update 2006-001 almost as soon as it was discovered.

None
Leap, aka Oompa Loompa
Appeared early 2006 / Description modified November 22, 2011

This trojan pretends to be a picture but is actually an application. Although it is a trojan, once launched it will try to spread itself through iChat like a virus. It is extremely unlikely anyone will encounter this malware in the wild at this point. In addition, if you did, quarantine would tip you off that it's not actually a document.

None
Inqtana
Appeared early 2006 / Description modified November 22, 2011

A proof-of-concept virus that was dead before it was ever seen in the wild, thanks to an update to the Mac OS that closed the vulnerability it relied on.

None
OSX.Exploit.Launchd
Appeared mid-2006 / Description modified November 22, 2011

A proof-of-concept virus, which was never actually seen in the wild, this would provide an attacker with root access to your computer... unless you're running Mac OS X 10.4.7 or later, which no longer have the vulnerability it relied on.

None
Macarena
Appeared late 2006 / Description modified November 22, 2011

Macarena was a proof-of-concept virus. It consisted of source code and instructions on compiling it, meaning that the user would have to compile and run it with full knowledge of what they were doing to become infected. It did not actually do anything other than copy itself, as a demonstration that such things were possible on a Mac. It was never seen as an actual virus in the wild.

None
RSPlug, aka DNSChanger, aka Jahlav, aka Puper
Appeared late 2007 / Description modified June 17, 2012

This trojan was downloaded by people who visited adult websites and were told they needed to download a "video codec" to view adult videos. The "plugin" that was installed was actually a trojan horse. More recently, RSPlug has been seen masquerading as more innocent things, including a free game, and thus may be easier to fall for now than it was initially. RSPlug changes the DNS server settings (and installs a script to make sure they stay changed). Infected machines will use a malicious DNS server instead, which redirects requests for certain banking sites, eBay, etc. to phishing servers, in an attempt to steal account passwords that can be used to make money. This trojan is protected against by quarantine in Mac OS X 10.6 or later.

Addendum (6/17/2012): Since the gang behind this trojan was caught late last year, I have downgraded the threat level to "None."

None
MacSweeper, aka Immunizator
Appeared January 15, 2008 / Description modified November 12, 2012

MacSweeper was classified as "the first rogue application" for Mac OS X by F-Secure, who announced its discovery. It is very similar to the later MacDefender series of malware. Neither it nor the MacSweeper web site is still in existence.

None
AsTHT, aka Hovdy, aka AplS.Saprilt
Appeared mid-2008 / Description modified November 12, 2012

This was an AppleScript that used a vulnerability in ARDAgent to take over a computer remotely. This vulnerability was closed soon thereafter by Security Update 2008-005.

None
PokerStealer, aka Corpref
Appeared mid-2008 / Description modified April 24, 2012

Pretending to be a poker game, this trojan will ask for a password using a non-standard interface. (The typical Mac OS account password prompt is the only one you should give your account password to!) It would then use that password to give an attacker remote access to your Mac. As it apparently took advantage of the same vulnerability as AsTHT, which has been fixed, it is no longer a threat.

None
Lamzev, aka Malev
Appeared late 2008 / Description modified April 24, 2012

This is not actually malware, but a hacker tool that can be used to create a backdoor in your system, giving a hacker access. The catch: the hacker must have access to the system already in order to use this tool to create a backdoor. If a hacker has physical access to your machine, you have bigger problems, and it's very unlikely that Lamzev would be the current hacker tool of choice anyway.

None
iServices, aka iWorkServices, aka Krowi
Appeared early 2009 / Description modified November 12, 2012

Perhaps the most common of all Mac malware, this trojan masquerades as pirated software (initially iWork, as the name would suggest, but later variants pretended to be other programs), typically distributed over peer-to-peer sharing networks. Infected machines become part of a botnet (a group of hijacked computers) and are used to attack web sites. This trojan is protected against by quarantine in Mac OS X 10.6 or later.

None
Tored
Appeared mid-2009 / Description modified November 22, 2011

A trojan that spreads like a virus by attaching itself to e-mail. However, it was quite poorly written and riddled with bugs, so it does not actually do what it was meant to do. It is not considered a threat. Security experts called it "lame."

Very low
HellRTS, aka Pinhead, aka Hellraiser
Appeared late April 2010 / Description modified April 24, 2012

This trojan was quietly added to the Mac OS X quarantine definitions in Apple's mid-June 2010 release of Mac OS X 10.6.4. It was apparently first seen in the wild in late April as an installer for iPhoto, though Sophos reported at the time that none of their customers had encountered it (as far as they knew). Very little information about this trojan can be found other than what is available from the various Mac anti-virus firms, and that information tends to vary from mildly to seriously biased. In any case, as long as you're not dumb enough to try to download an illegal copy of iPhoto, you're safe whether you've upgraded to 10.6.4 or not.

None
OpinionSpy, aka Premier Opinion, aka Spynion
Appeared June 1, 2010 / Description modified November 12, 2012

OpinionSpy, also called Premier Opinion, was announced as spyware by Intego on June 1, 2010. According to Intego, it is distributed with a number of screensavers (all sold by one company, 7art) and one video converter. The full list can be seen here. However, it's poor spyware indeed that warns you that it is installing, tells you it's going to collect your personal information, and then requires you to agree to install it. On March 21, 2011, Apple added it to the Mac OS X quarantine definitions.

None
Koobface, aka Boonana
Appeared October 2010 / Description modified October 17, 2012

Koobface - a malicious Java applet commonly found on social networking sites like Facebook and Twitter - has been around in the Windows world since 2009. Unfortunately, as of October 2010, it has also made its entry into the Mac world. It appears in the browser as a request to view a video, often with the question "Is this you in this video?" Initial reports from Intego indicated that this malware was too buggy to work, but subsequent reports from other security companies reveal that fully functional versions are being encountered in the wild. Worse, this trojan does not require an admin password to install. Although you do have to click the Allow button in an alert that tells you the applet is trying to access your computer, users who are not tech-savvy may assume that it's okay to do so. I highly recommend that you turn off Java (not JavaScript, which is different) if you are afraid you might agree to something you shouldn't.

Update: Downgrading threat to "none" due to lack of Koobface sightings in quite some time.

Very low
BlackHole RAT, aka MusMinim, aka DarkHole
Appeared February 2011 / Description modified December 5, 2012

BlackHole RAT (Remote Administration Tool) is a sophisticated exploit kit. It is typically distributed from malicious web sites that use a variety of different vulnerabilities to install malicious code. It is capable of infecting a Mac, if that system has vulnerabilities used by Blackhole. If you keep your system and all third-party web plugins (Java, Flash, etc) updated (or, better, disabled), your risk is minimal. Currently, a Mac with properly-updated system and software will have no vulnerabilities for Blackhole to take advantage of.

None
MacDefender, aka MacSecurity, aka MacProtector, aka MacGuard, aka MacShield, aka Defma
Appeared April 30, 2011 / Description modified January 4, 2014

MacDefender is a trojan for Macs that is downloaded from fake anti-virus web sites claiming to have detected viruses on your Mac. These sites are reached via malicious JavaScripts that are injected into legitimate web sites and that redirect you to the malicious "anti-virus" site (often called something like Apple Security Center). Clicking a button on the malicious site results in the download of an installer. On machines where Safari's Open "safe" files after downloading option is turned on, the installer launches automatically, but requires user action to proceed with the installation. Users of Safari are advised to turn this option off immediately. (It is found at the bottom of the General pane of Safari's preferences.) Once installed, this trojan begins opening porn sites in Safari every few minutes, "proving" that there's a virus and fooling people into spending money on the software to "remove" the "virus." For detailed accounts of this malware, see the coverage of MacDefender on The Safe Mac. Numerous variants of MacDefender are currently recognized by XProtect.

Addendum (9/26/2011): Since the folks behind the credit card processing have been caught and put in a Russian prison, there have been no more reports of MacDefender infections to my knowledge. For this reason, I'm downgrading the threat level to Low.

Addendum (10/17/2012): And still no more sightings, so I'm downgrading the threat to None.

Low
QHost, also HostMod-A
Appeared August 1, 2011 / Description modified July 15, 2012

This trojan, announced by F-Secure on August 1, 2011, masquerades as a Flash player installer. The program does not actually install Flash, instead making modifications to the /etc/hosts file that can be used to customize DNS lookups. A number of different Google domains are added to that file, mapped to a malicious IP address. Although the malicious server was non-functional for a while, new variants have been spotted that do redirect to working sites.

Note that Sophos detects the modified hosts file as OSX/HostMod-A. This is not separate malware.

Very low
Revir, aka Imuler, aka Muxler
Appeared September 23, 2011 / Description modified February 21, 2013

Discovered by F-Secure on September 23, 2011, this two-part trojan pretends to be a PDF file. When opened, Revir.A - which is an application, and not really a PDF file - opens a PDF file to keep the user from catching on, and in the background installs the second part, Imuler.A. This process remains running on your Mac, providing backdoor access through a malicious server that it attempts to contact. At this time, however, that server does nothing. Because of that, there is currently little risk from this trojan, but that could change at any time. For more information, including removal instructions, see More broken Mac malware.

None
Flashback, aka Flashfake
Appeared September 26, 2011 / Description modified February 21, 2013

See About the Flashback malware.

Addendum (6/17/2012): I have downgraded the threat level to low, based on the fact that I haven't seen any new Flashback infections in more than a month, and the fact that Apple has patched all the vulnerabilities it relied on and released updates that removed the malware from infected machines. Anyone infected at this point has been infected for a while and hasn't been installing updates. Of course, this could always come back using newly-discovered vulnerabilities (like the ones Apple patched on June 12) or in a new version of the older trojan variants, so I can't say the threat is gone entirely.

Addendum (10/17/2012): Still no further Flashback sightings, so I'm downgrading the threat level to "none."

None
DevilRobber, aka Miner-D
Appeared October 28, 2011 / Description modified February 21, 2013

On October 28, 2011, Intego announced discovery of a trojan they call DevilRobber. A good description of its actions can be found in Intego's article, and my take on it can be found in my blog post, New DevilRobber trojan. I consider the risk very low, not because this trojan isn't dangerous, but because at this time only people who download pirated software are at risk. Such people deserve what they get, and are of no concern to me, but if you have a child or relative who might download stolen software, do not allow them to use an admin account on your computer.

Very low
FinFisher
Appeared November 2011 / Description modified November 25, 2013

FinFisher is a surveillance tool designed for law enforcement or government use. I have wrestled with whether or not to add this to my list of malware, but finally decided to. After all, it's being sold by a private company, and who knows whether they have deals going on the side with less legitimate people.

For more information about FinFisher, see FinFisher vulnerability closed.

Low
FileSteal, Hackback, KitM
Appeared January 20, 2012 / Description modified May 27, 2013

Apple quietly added a definition for FileSteal to XProtect, but nothing could be found about it anywhere. None of the security companies were talking about it publicly. It puzzled me, and some colleagues, until more than a year later, when F-Secure announced the discovery of something they called KitM, which they said appeared to be related to something called "Hackback." Another unfamiliar malware name! It finally came out that FileSteal/Hackback was a trojan that would upload files of a particular type to a command and control server. The newer KitM malware, which takes screenshots and uploads them to a server, is a variant of this older malware.

This malware appears to be very tightly targeted at specific people, so most will never see it.

Very low
Tibet, aka MacControl, aka MaControl, aka MacKontrol
Appeared March 2012 / Description modified November 12, 2012

Tibet.A installs itself in a very similar manner to recent variants of Flashback, relying on Java vulnerabilities, and at the time of this writing has only been used to target Tibetan activist organizations. Beyond that, little is known about what it does, thanks to security companies either ignoring the Mac version of the trojan or citing few details in order to sell anti-virus software. In any case, though, the malware can be avoided easily: turn off Java in your web browser. If that is not an option, users of Mac OS X 10.6 and up should install all Java updates available in Software Update to patch the vulnerabilities this malware's installation depends on. Users of Mac OS X 10.5 and earlier do not have those patches available, and are at higher risk of infection if Java is left turned on.

Low
Sabpab, aka Sabpub, aka Mdropper, aka Lamadai, aka Olyx
Appeared April 13, 2012 / Description modified December 1, 2012

Sabpab, like the Flashback and Tibet malware, sneaks in through vulnerabilities in older versions of Java or Microsoft Office, requiring no user interaction. Although the vulnerabilities it relies on have been patched already, many users do not keep up with security updates as they should. However, it appears to have limited distribution; indications are that it may be used mostly to target Tibetan activists, like the Tibet malware. Sabpab installs a backdoor that can take screen captures, upload or download files and execute any code the hacker wants remotely. The Mdropper name, apparently, is applied to a malicious Microsoft Office document that installs Sabpab.

Very low
FkCodec/Codec-M
Appeared April 23, 2012 / Description modified February 21, 2013
Very low
Maljava
Appeared April 23, 2012 / Description modified April 26, 2012

Announced by Symantec, Maljava is a web-based drive-by downloader that uses the same Java vulnerabilities as Flashback to install malware. It apparently works on either Mac or Windows machines, dropping appropriate malware for the system. Specifics on what it does are unclear, and thus far I've seen no reports about this from anyone other than Symantec.

None/Low
GetShell, aka SET.gen, aka ShellCode, aka MetaData, aka TESrel
Appeared July 9, 2012 / Description modified July 13, 2012

GetShell uses a social exploit to get permission to access your computer, and installs a backdoor on Mac, Windows or Linux. Although the first variant only worked on machines capable of running PowerPC applications, the second variant included native Intel code, eliminating this limitation. Turning off Java in your web browser is recommended.

Very low
Crisis, aka Morcut, aka DaVinci
Appeared July 24, 2012 / Description modified November 12, 2012

Crisis appears to be a government-sponsored trojan (which government is unknown), installed through Java-based social exploits, that is used to spy on a specific group of Moroccan journalists. It is almost certainly not a threat to anyone else, but if you're a Moroccan journalist, or might be under the scrutiny of the same government that might be watching them, you would be well-advised to turn Java off in your web browser!

See the coverage of Crisis in my blog.

Very low
NetWeird, aka Wirenet
Appeared August 22, 2012 / Description modified November 12, 2012

NetWeird is a rather lame remote access kit and trojan, for sale on the black market for $60. Although at this time it is extremely poorly made, and may not even actually be in the wild, it's still possible some people may see this. For more information, see my blog coverage of NetWeird.

None/Very low
Jacksbot
Appeared October 30, 2012 / Description modified November 1, 2012

Jacksbot is a Java application, possibly installed as a malicious Minecraft mod, that can infect multiple platforms including the Mac. Its main focus appears to be stealing Minecraft passwords, although it does appear to include other remote access capabilities. (Some of those capabilities may or may not work on the Mac, as the malware appears to be focused primarily on Windows, despite being written in a cross-platform language like Java.) If you don't play Minecraft, you'll probably never see this. If you don't have Java installed and enabled on your computer, you'll definitely never see it.

Very low
Dockster
Appeared November 30, 2012 / Description modified January 1, 2013

Dockster is a backdoor app that is installed using the same Java vulnerabilities that Flashback used. Those vulnerabilities have been closed for some time now, but not everyone keeps their machines properly updated. It has only been spotted on a web site devoted to the Dalai Lama at this point.

Very low
SMSSend
Appeared December 11, 2012 / Description modified February 21, 2013

SMSSend is a fake installer for legitimate software. It asks for a cell phone number during installation, and then charges a fee to that cell phone account for "service," similar to many other texting scams. For more information, see my posts about SMSSend.

Moderate
Pintsized
Appeared January 30, 2013 / Description modified February 21, 2013

This malware is installed via Java vulnerabilities and opens a back door to allow hackers to access your Mac. It was named and described by Intego, and may be responsible for a number of high-profile security breaches.

Minuscule
CallMe
Appeared February 13, 2013 / Description modified February 13, 2013

CallMe is a trojan that targets Tibetan activists, and installs a backdoor through a malicious Microsoft Word document. Installation relies on a Microsoft Office vulnerability (CVE-2009-0563) that was fixed in June of 2009. Few people are likely to ever see this malware, and even fewer are likely to still have a vulnerable version of Microsoft Office installed.

None/Very low
Minesteal
Appeared March 1, 2013 / Description modified March 1, 2013

A trojan that pretends to give powerful in-game capabilities to Minecraft players, but actually steals passwords. It is not a threat if you don't download it, and it cannot be opened if you don't have Java installed. For more information, see New Minecraft password-stealing trojan.

None
KitM
Appeared May 16, 2013 / Description modified July 15, 2013

The first Mac malware to take advantage of code signing to allow it to get past Gatekeeper in Mountain Lion (Mac OS X 10.8). This malware would take screenshots at a constant rate and upload them to a server. It is no longer a threat, since Apple revoked the certificate used to sign the code, making future infections impossible.

For more information, see New Mac spyware found at freedom conference.

None
Janicab
Appeared July 15, 2013 / Description modified July 16, 2013

Janicab uses code signing to get past Gatekeeper, and is disguised as a PDF file. The trojan takes screenshots and records audio, and uploads the captured files to a server. Within 24 hours of its discovery, Apple had revoked the developer certificate used to sign the app, making further infections impossible.

For more information, see New signed malware called Janicab.

None
ClickAgent
Appeared August 2013 / Description modified March 11, 2014

ClickAgent is a malicious Safari extension that pretends to be Adobe Flash Player. In reality, it is adware that injects unwanted advertisements (often of a pornographic nature) into web pages. For more information, see my coverage of ClickAgent.

Low
Leverage
Appeared September 17, 2013 / Description modified September 17, 2013

A trojan that pretends to be an image file. See New Mac malware discovered: OSX/Leverage.

Low
Icefog
Appeared September 25, 2013 / Description modified September 26, 2013

A trojan disguised as the graphics program Img2icns. The Mac version is a new variant of the Windows version, which has been used in targeted attacks since 2011, mainly in Japan and South Korea. For more information, see New Mac malware discovered: Icefog.

Low
LaoShu
Appeared January 21, 2014 / Description modified March 11, 2014

LaoShu is a trojan that is distributed via fake delivery notice e-mails. The e-mail contains a link that it instructs the user to click, which downloads what appears to be a PDF file. It is actually an application, however. Once installed, it will mine the infected system for data and send it off to a command and control server. For more information, see my coverage of LaoShu.

None
CoinThief
Appeared February 10, 2014 / Description modified February 13, 2014

This malware disguised itself as a legitimate Bitcoin payment app, but actually stole the user's bitcoins. For more information, see The Safe Mac's coverage of CoinThief.

At this point, CoinThief is blocked by the built-in anti-malware protection in Mac OS X.

Malware count: 47


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.