
Malware that targets Mac OS X isn’t anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that’s been in favor among Windows malware authors for several years now.

The new piece of malware hides inside a PDF file and delivers a backdoor that stays hidden on the user’s machine once the malicious file is opened. When the user executes the malware, it drops the PDF on the machine and opens it as a decoy to cover the malicious activity going on in the background, according to an analysis by researchers at F-Secure. The Trojan then installs the backdoor, named Imuler.A, which attempts to communicate with a command-and-control server.

That server, however, isn’t capable of communicating with the malware, the researchers found, so once the backdoor is installed on a victim’s machine it is on its own. What’s not clear is exactly how the malware is spreading right now.

“This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a ‘.pdf.exe’ extension and an accompanying PDF icon. The sample in our hands does not have an extension or an icon yet. However, there is another possibility. It is slightly different on a Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires,” the analysis by F-Secure said.

Windows-based malware variants have been using the same sort of techniques for hiding themselves for a long time now. They often use common file extensions such as DOC, PDF, XLS and others to entice users into opening the malicious file. In some cases, the malware may not have the proper icon to go along with the fake file extension, as is the case with the Mac OS X Revir.A malware that F-Secure identified. It’s a simple trick, but it’s still quite effective and users have shown themselves to be willing to open these files, regardless of the potential consequences.
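The double-extension and borrowed-icon tricks described above can be caught by checking what a file actually contains rather than what its name claims. The following Python is an added example, not code from the article or from F-Secure; the extension sets and the sample byte strings are constructed for illustration, and it also flags the extensionless-executable case F-Secure mentions for its sample.

```python
# Added example, not code from the article or F-Secure: flag files whose name
# claims a document but whose content or naming points to an executable.

PDF_MAGIC = b"%PDF-"                  # PDF header
PE_MAGIC = b"MZ"                      # Windows PE executable
MACHO_MAGICS = {                      # Mach-O executables on OS X
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit, big/little endian
    b"\xca\xfe\xba\xbe",                        # fat binary (Java .class shares it)
}
DOCUMENT_EXTS = {"pdf", "doc", "xls"}           # extensions named in the article
EXECUTABLE_EXTS = {"exe", "scr", "com", "app"}  # constructed for this example


def content_type(data: bytes) -> str:
    """Classify content by leading bytes, ignoring the file name entirely."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def inspect(name: str, data: bytes) -> list:
    """Findings for one file: document-then-executable extension (x.pdf.exe),
    executable bytes behind a document name, or an extensionless executable
    like the sample F-Secure describes."""
    exts = name.lower().split(".")[1:]
    kind = content_type(data)
    findings = []
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        findings.append("double-extension")
    if exts and exts[-1] in DOCUMENT_EXTS and kind in ("macho", "pe"):
        findings.append("executable-content:" + kind)
    if not exts and kind in ("macho", "pe"):
        findings.append("extensionless-executable:" + kind)
    return findings


# Constructed samples: genuine PDF header, PE stub with a double extension,
# 64-bit Mach-O named as a PDF, and an extensionless 32-bit Mach-O.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "report.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
    "sample": b"\xce\xfa\xed\xfe" + b"\x00" * 28,
}


def scan(samples: dict) -> dict:
    """Keep only the files inspect() flags, e.g. for the SAMPLES above."""
    return {n: inspect(n, d) for n, d in samples.items() if inspect(n, d)}
```

The icon check itself is not reproducible here because, as the F-Secure note says, an OS X icon lives in a separate fork that is lost when a file is copied without fork support, so the content check above is the part that survives transfer.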

Categories: Malware, SMB Security, Vulnerabilities

Comments (18)

  1. Anonymous

    This article is very confusing.  What means it “OS X-based Trojan”?  From the description given, it sounds like this would be an executable application that has the PDF icon.  Except that you have seen no PDF icon.  So that means it’s just an application that you…what?  Download from the Internet?  What would entice someone to run it?  And “it’s not exactly clear on how the malware is spreading now”…umm, is there any evidence that it is “spreading” at all?

    Just sounds like someone downloaded a random program and ran it on their machine.  (Or at least, the claim is that there is someone stupid enough out there to do that.  That’s believable.  The vector is stupidity?)

  2. Anonymous

    Something very important this article fails to clarify:

    Does the trojan need root access? To install anything on OS X or other *nix systems root access is required. This would make it fairly obvious that the file you have is malware when it asks for your password to open a .pdf…

  3. evanh

    Kind of funny. The article is written for people that would get fooled by such attacks. And in doing so this article itself hides the important info of how to identify such viruses.

  4. MJ

    The article sounds more like it was written by the marketing department to scare tech illiterates into parting with their money for a product or service they may not need.

    -MJ

  5. Anonymous

    So what he is saying without understanding is that the file might have been a Mac binary file that had a resource fork that contained an appropriate icon, etc.  But again, it’s a lousy article written by a non-technical person so it’s anyone’s guess as to what it actually is about.  The F-Secure post reads like it is a trojan app file which, if allowed to run, opens a PDF (as a diversion) while it does its dirty work creating a background communications channel.  So, if your Mac is updated, you will get the standard warning asking if you trust this file you downloaded before you can open it.

  6. Anonymous

    The thing is that the general public will not get the complete details, just the Fox/Global News hype.  “We are all going to die!” Version of this.

    The tipoff is that OSX would ask if you want to run this downloaded program, enter your password as well.

    Sounds like a Msoft sponsored hyped story.

  7. Grandma

    It never hurts to alert people that our “safe” Macs can be targets of nastyware. I get so used to never worrying about it that a reminder is not a bad idea. That’s the main thing I got out of it, and that there is one that seems to masquerade as a PDF file.

  8. Anonymous

    What do you all not understand? “…hides inside a PDF file and delivers a backdoor that hides on the user’s machine once the malicious file is opened. Once the user executes the malware, it puts the malicious PDF on the user’s machine and then opens it as a way to hide the malicious activity that’s going on in the background,…” RTFA.

    Like any other malware, it is designed to go UN-noticed…so you don’t have a dmg or some mac crap safe-guard, you are f’ed from the fact you clicked on it and opened…which is ‘new’ to many mac users…also new to them- becoming a popular target.

  9. Anonymous

    1: Post a Mac malware article

    2: Score mega hits as the brainwashed, overzealous, will eat corn out of poo of anyone who works at Apple, fanbois come to the imaginary defense of their platform.

    3: Score mega hits from level headed Mac users like me telling the zealots to fsck off and die because we are totally sick of their sh*t.

    4: Score more mega hits from PC and Linux users who are also sick of the Mac fanboi sh*t and wish Apple would have died 10 years ago like it should have.

    5: Score 10 hits from someone promoting Puppy, Scientific or some other low traffic Linux distro.

    6: Score 5 hits from someone post spamming how “brand x” anti-malware would have caught this because it doesn’t need no definitions.

    7: Run advertising on site.

    8: PROFIT!

  10. Anonymous

    Hi, a mac user here. Two words for all of you who think that OSX dialog asking you for the admin password would save your hides: “Privilege escalation”. Look it up. They are routinely found in Linux and Windows, and if you honestly think Apple is so infallible that there cannot be such bugs in OSX, then you deserve to get your machines hosed.

  11. Anonymous

    The confusing part for me was first it says, “…disguises itself as a PDF file…” and then turns around and says, “…hides inside a PDF file…” That’s 2 completely different things.

    “Disguises itself as…” implies that it’s like an exe with the icon of a PDF. There have been Windows viruses that had the icon of a standard WMP AVI file and relied on people that left the default setting of “Hide extensions for known file types” enabled, and yet the filename would be something like “movie.avi.exe” and when you ‘hide’ the exe you’re left with “movie.avi”, to which anyone that took just 1 second to look at the file name would think “Wait, this file shows the .avi part and yet none of my other movie files do that. That’s odd.”

    “Hides inside a … file…” implies that you have a PDF file like you normally do that Adobe Reader or any other PDF reader can open and read but has extra code that releases something nasty. This usually relies on there being some glitch in the way PDFs themselves are read that can do this or a glitch in the reader, usually Adobe’s Reader, that can allow executable code of some kind to function. So you can take any PDF that one might normally find and turn it into…well…a trojan horse for a trojan virus.

  12. kurk

    I recently downloaded Adobe Acrobat. I noticed that my Mac was behaving very strangely after running the app. After shutting down my Mac I was unable to get it to work. I had to reformat my hard drive and reinstall the OS before I got it to work. I have Sophos security installed but it did not detect the trojan.

  14. Michael G.

    Sometimes you do not have a choice. While I have yet to see this behaviour on an OS X machine, it is quite common for a .pdf to be placed in a hidden iframe and it will open without interaction by the victim other than visiting the website. This is a common technique for infecting Windows-based computers.

    So, while your advice to not open documents from people you do not know is valid, the victim is often not given the opportunity to prevent the file from being opened.
