
Unexpected guests


Think before you install


So here is yet another news story about the seemingly implausible: the discovery of a malicious file that is stubbornly being ignored by anti-viruses.

Somehow Coldroot.RAT manages to stay undetected.

Cybercriminals have been selling Coldroot to their "colleagues" for over a year (since January 1, 2017). The original source code has been available at GitHub for almost two years. No anti-virus engine at VirusTotal identifies Coldroot as malware.

On the surface it looks like nothing less than a world-wide conspiracy! Meanwhile, panic is welling up among users, and experts are recommending that they exercise caution.

"The fact that the code has been around for a year, but anti-virus engines still aren’t detecting Coldroot is really strange. Hopefully, this situation will change soon", said Oleg Galushkin, an information security expert with SEC Consult Services. "But for now users should pay special attention to their programs' installation prompts and use firewalls that will warn them about attempts being made to establish an outbound connection to an unknown remote server".

So what kind of sneaky malware are we talking about?

Coldroot RAT targets machines running Mac OS X but can also infect Windows and Linux PCs.

Coldroot's installer for Mac OS X is disguised as an Apple sound-system driver. The user is prompted to enter their login and password to proceed with the installation. Thus, users unknowingly facilitate the malware's installation on their own computers.

A very stealthy malicious program, indeed. Users install it themselves without ever noticing what they are actually doing. And this has been happening for over a year!

The malicious file was originally discovered by security researcher Patrick Wardle.

He noted that the file caught his attention because it interacted with TCC.db, a local privacy database that keeps track of installed applications and the permissions they have been granted to use system routines. Once it has obtained the user's local login and password, the RAT modifies the database to grant itself access privileges that enable it to log keystrokes throughout the system, or perhaps to do something more.

"Directly modifying the database means users never see the obnoxious system alert that is normally presented to them," Wardle wrote.

Once the RAT has penetrated the system, it installs itself as a launch daemon to make sure it maintains a constant presence across system restarts.
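The TCC.db manipulation described above leaves a trace a defender can look for: a grant that was written straight into the database never went through the system prompt. The script below is an added example, not code from Doctor Web or from Patrick Wardle's research; it builds a throwaway SQLite file mimicking the Mac OS X 10.x-era `access` table (the columns `service`, `client`, `client_type`, `allowed`, `prompt_count` are assumed; newer macOS releases use a different layout and protect the real file with SIP) and flags Accessibility grants that either carry no prompt count or belong to an unknown bundle id.

```python
import sqlite3
import tempfile
import os

ACCESSIBILITY = "kTCCServiceAccessibility"

# Assumed, simplified layout of the TCC 'access' table on Mac OS X 10.x;
# only the columns the audit needs are reproduced here.
SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL)"""

# Constructed sample rows: one grant the user clicked through (prompt_count 1)
# and one that was written directly, so no prompt was ever shown (prompt_count 0).
SAMPLE_ROWS = [
    (ACCESSIBILITY, "com.apple.Terminal", 0, 1, 1),
    (ACCESSIBILITY, "com.example.fake-audio-driver", 0, 1, 0),
    ("kTCCServiceAddressBook", "com.apple.Mail", 0, 1, 1),
]


def build_sample_db(path):
    """Create a TCC.db lookalike at 'path' filled with SAMPLE_ROWS."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def audit_accessibility(db_path, known_good=frozenset()):
    """Return (client, reason) pairs for Accessibility grants worth a closer look."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute(
        "SELECT client, prompt_count FROM access WHERE service = ? AND allowed = 1",
        (ACCESSIBILITY,),
    ).fetchall()
    conn.close()
    findings = []
    for client, prompt_count in rows:
        if prompt_count == 0:   # allowed, yet the system dialog never appeared
            findings.append((client, "granted without any user prompt"))
        elif client not in known_good:
            findings.append((client, "not on the known-good list"))
    return findings


def demo():
    """Build the sample database in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "TCC.db")
        build_sample_db(path)
        return audit_accessibility(path, known_good={"com.apple.Terminal"})
```

Run `demo()` to see the fake audio driver reported; on a real machine the same query would be pointed at a copy of the system's TCC.db and compared against a maintained list of approved bundle ids.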

Yes, generally speaking, we are talking about malware here. But nothing in the program's description suggests it contains any mechanism for evading anti-virus detection.

So why don't anti-viruses detect it? The answer is quite simple. An anti-virus can only perform its algorithm-dictated routines. If it doesn't know about a threat, it can’t detect it. If no one has yet sent a freshly released malware program to an anti-virus laboratory, chances are that no anti-virus will be able to expose it.

#malware #OS_X #Linux #Windows

Dr.Web recommends

Dr.Web detects the malware as Java.CrossRat.1. But the "honours" for keeping this malware unknown should go to the users who’ve installed it and never noticed anything strange. Stay vigilant! If you suspect that malware is trying to sneak into your computer, send the sample to the anti-virus developer whose product you are using.
