Malware that targets Mac OS X isn’t anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that’s been in favor among Windows malware authors for several years now.
The new piece of malware hides inside a PDF file and delivers a backdoor that hides on the user’s machine once the malicious file is opened. Once the user executes the malware, it puts the malicious PDF on the user’s machine and then opens it as a way to hide the malicious activity that’s going on in the background, according to an analysis by researchers at F-Secure. The Trojan then installs the backdoor, which is named Imuler.A, which attempts to communicate with a command-and-control server.
That server isn’t capable of communicating with the malware, however, the researchers found, so the malware is on its own once it’s installed on a victim’s machine. What’s not clear is exactly how the malware is spreading right now.
“This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon. The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires,” the analysis by F-Secure said.
Windows-based malware variants have been using the same sort of techniques for hiding themselves for a long time now. They often use common file extensions such as DOC, PDF, XLS and others to entice users into opening the malicious file. In some cases, the malware may not have the proper icon to go along with the fake file extension, as is the case with the Mac OS X Revir.A malware that F-Secure identified. It’s a simple trick, but it’s still quite effective and users have shown themselves to be willing to open these files, regardless of the potential consequences.