Slashdot Mirror


New Mac OS X Trojan Hides Inside PDFs

Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."

8 of 194 comments

  1. Nothing to see.. by Anonymous Coward · · Score: 4, Informative

    Article is shallow: users click executables disguised with a PDF icon.. Nothing to see here, move along folks!

    1. Re:Nothing to see.. by Zephiris · · Score: 4, Informative

      It can add itself to your user files, which allow something to start "at boot", as long as that user is the one (auto)logging in.

      You don't see much Windows malware adding itself to your "Startup" folder, but few average Mac users are going to check "command line files" to see whether something has injected something bad or not.

      As TFA says, this isn't a PDF, but an executable merely pretending to be one.

      It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part. It wouldn't be able to snoop some low level processes, but absolutely anything that is running under your user? Yup. Open ports to communicate with the mothership? Of course. Install a line to start whenever this user is logged in? Of course.

      If you get a user dumb enough to allow admin privileges to a fake PDF, you can use officially sanctioned mechanisms to inject code into every process in the machine without requiring a separate 'trojan process' to stay alive to monitor it. Or just replace the operating system kernel. :p

      --

      "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris

    2. Re:Nothing to see.. by Guy Harris · · Score: 3, Informative

      What makes you think it wouldn't be sandboxed on OS X 10.7 by default, the same as every other app you download?

      Because it wasn't downloaded from the App Store, so it isn't sandboxed by default.

  2. Re:again PDF? by Pence128 · · Score: 3, Informative

    Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a PDF icon.

    --
    404: sig not found.
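
As an added example (not from the article or any commenter), here is a small defender-side check for exactly the mismatch described above: a Mach-O executable whose name ends in ".pdf". It compares the claimed extension against the file's magic bytes; the sample headers are constructed, and `scan_dir` is a hypothetical helper for running the same check over a real folder.

```python
import struct
from pathlib import Path

# Mach-O magic numbers from <mach-o/loader.h> and <mach-o/fat.h>.
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGICS = {b"\xca\xfe\xba\xbe": ">I", b"\xbe\xba\xfe\xca": "<I"}  # FAT_MAGIC / FAT_CIGAM

def classify(head: bytes) -> str:
    """Classify a file by its leading bytes: 'pdf', 'macho' or 'other'."""
    if head.startswith(b"%PDF-"):
        return "pdf"
    magic = head[:4]
    if magic in THIN_MAGICS:
        return "macho"
    if magic in FAT_MAGICS and len(head) >= 8:
        # 0xCAFEBABE is shared with Java class files. In a fat binary the
        # next field is nfat_arch, a small count; in a class file it is the
        # version word (major >= 45), so a small value means Mach-O.
        nfat_arch = struct.unpack(FAT_MAGICS[magic], head[4:8])[0]
        if nfat_arch < 20:
            return "macho"
    return "other"

def is_masquerading(name: str, head: bytes) -> bool:
    """A file whose name claims to be a PDF but whose content is Mach-O code."""
    return name.lower().endswith(".pdf") and classify(head) == "macho"

def scan(files: dict) -> list:
    """Return the names of masquerading files from a {name: leading_bytes} map."""
    return sorted(name for name, head in files.items() if is_masquerading(name, head))

def scan_dir(root: str) -> list:
    """Hypothetical helper: walk a folder (e.g. ~/Downloads) reading 8 bytes per file."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as f:
                files[str(path)] = f.read(8)
    return scan(files)

# Constructed sample headers (not real malware): first 8 bytes of each file.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4",                          # genuine PDF
    "invoice.pdf": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",  # x86_64 Mach-O named as a PDF
    "notes.pdf": b"\xca\xfe\xba\xbe\x00\x00\x00\x02",    # universal binary, 2 slices
    "Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",   # Java class, major 52: not Mach-O
    "setup.pdf": b"#!/bin/sh",                           # script with .pdf name: 'other'
}

if __name__ == "__main__":
    print(scan(SAMPLE_FILES))  # ['invoice.pdf', 'notes.pdf']
```

The check only catches native executables; a shell script renamed to ".pdf" (like `setup.pdf` above) passes, so pair it with an executable-bit check when scanning a real folder.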

  3. Re:But... by tmosley · · Score: 1, Informative

    Never said they didn't have trojans.

    Might want to learn the difference.

  4. Re:But... by bonch · · Score: 5, Informative

    This isn't a virus. It doesn't propagate; it's not even capable of communicating with its server once installed, so it's another one of these annual proof-of-concept social engineering attacks that anonymous Apple-haters latch onto and then promptly forget about a day later.

  5. Re:Does not hide in PDFs by oakgrove · · Score: 4, Informative

    Absolutely. The title of the summary is "hides in pdfs" which is a big fat lie. Nice job, Slashdot.

    --
    The soylentnews experiment has been a dismal failure.

  6. Re:Okay, fellow Mac users by 93 Escort Wagon · · Score: 3, Informative

    You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

    For the account stuff, you might have a point. They don't need to "know it's there" (unlike, say, the old Windows setup where you had to know about "Run as Administrator...") - but they do need to know what admin versus non-admin means. But really that's all they have to know. Even my 70+ year old mom was able to grok that.

    As far as backups go, though - the first time you plug in an external hard drive, if backups haven't already been set up - OS X automatically asks "do you want to use this disk for backups?" The user doesn't need to go looking for anything. That's a pretty low bar.

    --
    #DeleteChrome