ESET Warns About Keydnap, The New OS X Malware That Steals Your Credentials

ESET's researchers are investigating Keydnap, a new Trojan that steals passwords and keys from the OS X keychains, by creating a permanent backdoor.

The way that this malware is spread is not exactly known, but it is believed that it’s transmitted via attachments in spam emails, through downloads from untrusted websites or other similar ways.

The virus is downloaded in the form of a .zip archive with an executable file in it which resembles the Finder icon, which is usually used in JPEG or text files, increasing the chances of the user opening the file. If that happens, a terminal window is executed and malicious code is run.

Once the backdoor is installed, it begins collecting information about the Mac it runs on. When asked from its Command & Control (C&C) server, Keydnap will require administrator rights by opening the corresponding OS X window used for this purpose. By entering his credentials, the user actually gives the backdoor the ability to run as root, extracting the contents of his keychain.

Marc-Etienne M. Léveillé, Malware Researcher at ESET, says:

While there are multiple security mechanisms in place within OS X to mitigate malware, as we see here, it’s possible to deceive the user into executing non-sandboxed, malicious code. All OS X users should remain vigilant as we still do not know how Keydnap is distributed, nor how many victims are out there.

So, always be careful of what you download, and never enter your credentials if you have even the slightest doubt about doing so! Don't hesitate to ask someone for help, if you are unsure about what to do.