Watch out for OS X Keydnap virus

Although many Mac viruses aren't a significant threat, this one needed further scrutiny. It also happened to appear at almost the same time as OSX.Backdoor.Eleanor malware, that also appeared in June 2016.

When Eleanor and Keydnap first appeared, there was also analysis that suggested both were connected to Windows malware viruses, known as Fareit/Pony, as if the creator or creator(s) were determined to steal as much data and cause as many problems as possible at the same time.

When Keydnap was first discovered, security analysts noted that it came in the form of an attachment, usually a Zip file, or other more benign attachments, such as .JPG or .TXT. It is unclear how victims received these emails, although the usual attack vectors can’t be ruled out: spam and phishing emails, downloads from untrusted websites, and file sharing sites. Cryptocurrency exchanges and messaging platforms can’t be ruled out either.

Once the executable is downloaded on a Mac, it is equipped to replace admin passwords to make a permanent home on your Mac, and therefore act as a permanent backdoor for cyber criminals. It can also disguise its location deep within files and folders, and the greatest risk it poses is it can steal passwords stored on OS X Keychain.


What is Keydnap?

Security analysts found that the creator copied a “proof-of-concept example available on Github called Keychaindump”, based on the work covered in a paper by K. Lee and H. Koo. The concept that Keydnap put into practice is to read security’s memory to discover the decryption key for a Mac user’s keychain.

Once it has the initial cache of data, it reports back to its command-and-control server using onion.to Tor2Web proxy over HTTPS. With this information, those behind this malware can access any website with the passwords stored in your keychain. Unless you are aware of this virus, even changing a password means you are still vulnerable because Keydnap creates a permanent backdoor into your Mac.

One of the ways it avoids the usual security measures is that the executable extension includes a space icon. Instead of .jpg or .txt, it downloads as . txt. This space means that double-clicking the file will open it in Terminal, instead of where you would expect: the program that should open in Finder. The executable download also includes the icon Finder that would usually show up when downloading a TXT or JPEG file, making it more likely that someone would trust the download enough to click on it.

Another way Keydnap gets around security is that it contains a Mach-O executable, which means your Mac won’t display the usual warning about the download. It quickly closes the Terminal window, creates a decoy document and adds an entry to the LaunchAgents directory, which means it will survive a reboot. All of this happens so quickly that it’s possible a Mac user doesn’t even realise they’ve let a malicious virus in. It also replaces the owner of icloudsyncd to root:admin and make the executable setuid and setgid, to make sure that it will run as the root ID in the future.

Clearly, this is an unwelcome and dangerous malware virus that needs to be removed as quickly as possible.

How to remove Keydnap?

As security analysts have already noted, it can bypass security and embed itself in numerous places across your Mac to create a permanent backdoor for cyber criminals. Removing it without some assistance may prove difficult.

You would need to search through several /Library folders, including LaunchAgents, plus make sure that you’ve replaced Support/com.apple.iCloud.sync.daemon directory back to the default, before it was replaced by Keydnap. One reason this may prove difficult is we know Keydnap can survive a reboot, so unless you catch and remove every component the virus could come back.

Can Keydnap be removed safely?

Yes, it can, with CleanMyMac X.

CleanMyMac X is a powerful Mac guardian, keeping your Mac safe from malware, ransomware and adware. It is also an essential performance improvement tool, uncovering and clearing loads of junk from your Mac. When it comes to unwanted adware, here is how you use it to restore your Mac to order:

  1. Download CleanMyMac X here (for free!)
  2. Click on the Malware Removal tab;
  3. Click Scan to search for Keydnap;
  4. CleanMyMac X will show you've been infected with Keydnap or any other malware;
  5. Click Remove and they will vanish for good.

Removing Keydnap is essential to retain a level of security you have come to expect from your Mac. Also, if it turns out you have been infected with Keydnap, you should change every password in your keychain, and it might be worth changing your Mac login password and/or Apple ID, for safety. Look into every account that might have been affected by this to check for any unusual activity, or any other viruses that may have got in through the backdoor.

CleanMyMac X
CleanMyMac X

Your Mac. As good as new.