New Mac OS X Trojan Hides Inside PDFs
Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."
Article is shallow: users click executables disguised with a PDF icon. Nothing to see here, move along folks!
Must every story about Mac malware spend more time talking about how Windows is so bad than the OS X malware they are reporting?
-Lod
It's just a trojan with a PDF icon.
And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.
Trojans are nothing new, giving them fake icons is nothing new, even Mac trojans are nothing new. News this ain't.
Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a PDF icon.
404: sig not found.
Part of it, apparently.
I am John Hurt.
This trojan doesn't hide inside a PDF. It is an executable that disguises itself as a PDF.
I saw reference to this trojan the other day, but my research turned up only vague descriptions such as the one linked in the summary. From all the reading I did it seems like this is an executable of some sort, with no extension, that is being e-mailed to people. None of the descriptions I've read have described how it infects the machine, but I assume the user has to run it and then agree to allow the unsigned program to run for the first time. At this point it drops a PDF on the hard drive, opens it, and then installs a bare-bones Apache server, which doesn't actually work as far as anyone can tell. There was some indication that this was a cross-platform trojan, but no one has been able to confirm this.
So if anyone is actually in a lab with a copy of this could you please enlighten us on the following points:
So as far as I can tell this is a failed attempt to create a trojan that was released into the wild, possibly as part of testing or as an experiment. It's not really much in the way of news, but for security geeks it is quite interesting; which is why the complete failure of the security companies to provide a decent description is so frustrating. Does anyone have real information about this trojan?
Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a PDF icon.
Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.
How does this get past the download protection though? Any executable that is saved by Safari or Mail.app will have the source location saved in the metadata. When you first run it, the system tells you that it's an executable that you've not run before and asks if you meant to. It never shows this for pdf files[1] so you know that it is definitely something malicious.
[1] Depressingly, it does show this warning when you open a UNIX shell script in TextEdit if it has execute permission. It also shows when you open a Windows application, irrespective of whether or not you have anything installed that will actually run it.
I am TheRaven on Soylent News
Never said they didn't have trojans.
Might want to learn the difference.
This isn't a virus. It doesn't propagate; it's not even capable of communicating with its server once installed, so it's another one of these annual proof-of-concept social engineering attacks that anonymous Apple-haters latch onto and then promptly forget about a day later.
Still technically correct: a trojan isn't a virus.
Though I'll admit it's amazing that anyone working at a Genius Bar got anything technically correct...
Blank until
Here's the plan:
1) OS X makes it brain-dead easy to not run as an admin user. Create a separate admin account first, then remove the admin privilege from your everyday account. On those rare occasions you need admin privileges, you'll be automatically asked to provide the admin account info - you don't need to even think about it.
(Somehow that isn't sinking into a lot of people's heads, even those who should know better.)
2) Back up your stuff regularly. Again, OS X makes this brain-dead easy with Time Machine. You can use something else like a custom rsync script, but - just DO IT.
If you're running as a non-admin user, the worst that can happen is your own stuff gets hosed - and then you can get it back from your backups. But since trojans are probably only going to go after the system files, it's unlikely even your stuff will get touched.
Okay, there's one caveat. If you click on an infected file, and it asks for admin permissions and you provide it, you're screwed. But one would hope you're smart enough to realize viewing a PDF should not require admin authentication. In the end, common sense does have to enter into the picture.
BTW if you claim running as an admin is okay because you're always prompted to authenticate anyway... you're just wrong.
#DeleteChrome
Imagine I made a piece of malware.
Imagine I set its icon to the default PDF icon on your operating system.
Imagine I named it "somefile.pdf.exe" or "somefile.pdf.app".
That's what's happened here. It's not an exploit in the PDF format but rather somebody using the appearance of a 'safe' file to trick people into double clicking it. It could just as easily have been "somefile.jpg.app" or "somefile.ogg.app" with appropriate icons.
Mac OS X will display a "you've never opened this application before, are you sure you want to?" message when a user double-clicks the fake PDF, but let's be realistic: our moms aren't going to know any better.
To quote Apple's own website: Macs don't get WINDOWS viruses.
(They get Mac viruses). --- not on the website.
If the world were the other way around, where 90% + of the population used Macs and a small minority used Windows... need I say more?
Obvious troll is obvious.
Tubal-Cain smokes the white owl.
Apple and some of its fans do tout Mac OS X as being somehow immune to malware in general, not just viruses.
As for viruses, this one indeed seems not to be a virus (unless it proceeds to replicate after launching - a piece of malware can be both a virus and a trojan), but any device that can run an arbitrary program can run a virus.
Would a Mac or Slashcode exploit explain not seeing the "Apple" category included on the left side of the Slashdot page except when viewing an Apple story? There's a place in the Account area to remove a section, but no provision to add/restore one???
The signature editor seems to be hiding too.
These social engineering tricks aren't much of a malware story. It'd be more useful to be asking why NoScript doesn't have an option to filter web-bugs on trusted sites. (and how it doesn't seem to be showing Google analytics to block anymore?)
Maybe OS X should be asking for permission anytime a new app wants net access. They should not be able to phone home or anywhere by default.
You know. I would know (I wouldn't even bother to read the email or save the attachment so it's kind of moot). The average user though? They're not so well clued up. If they've been as far as saving the file to their computer, I wouldn't have much faith in them not executing it.
which is totally what she said
Maybe not, but its users are.
So...it's candy!
No need to worry Apple users, it "doesn't do anything when installed or propagate". You are safe and warm and don't forget to let iTunes save your password.
You are welcome on my lawn.
What version of NoScript doesn't show google-analytics?
I'm running 2.1.2.3 on the machine that accesses the net, and it still has it in the menu, maybe because it is in use and blocked on the site I checked.
Every time one of these "sky is falling, OS X is being attacked by new malware/virus/trojan" articles floats around the 'net, it seems like the source document is from one or another AV builder or a computer security outfit with things to sell. The first clue is how vapid and vague the article is, and how little useful information it provides. Another clue is when one part of the article tells the story a bit differently than elsewhere in the same article. For OS X users, there are a handful of good, independent computer security sites (apple.com NOT being one of them), and if it ain't there, I ignore it.
In fact I've seen a big rise in the amount of non-admin Windows malware. It just infects the user that is using the system. The reason is they realize that for the vast majority of systems, the user IS the system, there is no need to infect anything else. It also lets them get an infection in an enterprise setup where users don't get admin.
Now I suppose it does make the malware slightly easier to get rid of but then it really doesn't matter, I tend to scan the things from a boot disk anyhow.
This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.
RTFA. It's an executable using a PDF document icon. This is nothing more than a social engineering trick
Social engineering tricks ARE THE #1 reason for systems being compromised/hacked.
Users are idiots (aka not computer savvy) whether they use Windows or OS X.
This is the reality, and if you had the same amount of idiots on Linux as you have on the other systems you'd have the exact same kinds of problems. Instead of trojans and viruses we would be talking of users downloading executable scripts from gods know where and wreaking havoc on their systems.
What's depressing is that stupid tricks like this are even still possible in this day and age.
Helpful tip: In Mac OS X's Finder, if you choose "Preferences..." from the "Finder" menu, you'll find a checkbox that says, "Show all filename extensions". Check it. You will never again be at risk from these sorts of malware attacks (unless you or someone else goes back in and unchecks it).
I'm strongly of the opinion that this checkbox should be enabled on every computer in the world, and that a checkbox to hide those extensions should not even exist. The only thing that "feature" does is make trojans like this one possible.
Check out my sci-fi/humor trilogy at PatriotsBooks.
As Douglas Adams said, "it may only be ten percent of the users, but it's the top ten percent." That aside, being in the minority with a usable OS (read cli) is exactly where I want to be. Let Windows draw the flies, I say.
http://www.rootstrikers.org/
Add in some http://cs.nyu.edu/trackmenot/ to your browser too.
As for this, http://blog.intego.com/2011/09/23/mac-pdf-trojan-horse-surfaces-threat-is-low/
A Mac security company notes: 'threat to be very low, as this is not found in the wild."
Domestic spying is now "Benign Information Gathering"
And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.
Blacklists don't work. This even MS has figured out. So they add this particular one to the filter rather than fixing the vulnerabilities or, worse yet, educating users on how to safely use computers (as opposed to telling them they are automagically protected by owning a Mac), but the malware writers simply make a new variation to get around that blacklist. There is so much malware for Windows simply because a lot of it is subtle variations on the same malware to get around AV/anti-malware.
The "protect filter" is not computer security rather it is computer security theatre.
It's just a trojan with a PDF icon
To the end user, there is no difference.
Calling someone a "hater" only means you can not rationally rebut their argument.
Trojan: (capitalized)
1. citizen/resident/native/inhabitant of Troy
2. well-known brand of condoms
trojan horse: (not capitalized)
1. A hollow wooden statue of a horse in which the Greeks concealed themselves in order to enter Troy.
2. A person or thing intended secretly to undermine or bring about the downfall of an enemy or opponent.
3. A program designed to breach the security of a computer system while ostensibly performing some innocuous function
just can't get yer shit straight, can you editors?
The Admin and the Engineer
Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a PDF icon.
Can't be. A bundle ending in pdf is not executable.
I guess it's named 'something.pdf.app'.
And you can't even hide the app extension. (At least not on Lion. Is this new?)
Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.
The resource fork can hold MIME types?
(Of course the resource fork can hold anything; I mean in a format that is used by the OS.)
I'm strongly of the opinion that this checkbox should be enabled on every computer in the world, and that a checkbox to hide those extensions should not even exist. The only thing that "feature" does is make trojans like this one possible.
Well, at least it doesn't seem to be possible to hide the extension on a file named something.pdf.app
You mean the .pdf part, I assume.
It's not a virus, but thanks for playing.
It's not even the first trojan for OS X - there have been several in the past.
I watch way too many Computer Chronicles on the internet; it's funny because from the mid-80s (like '87 or so) until about 1993 the #1 software in sales is SAM Antivirus ... get ready ... FOR MAC.
Anyone that says Macs don't get viruses is either ignorant or fucking stupid; they had a virus problem, and gee whiz, they still do.
Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.
Actually, if you skip all the journalism and follow links all the way to the F-Secure blog posting about the trojan, it's a file "where the icon is stored in a separate fork that is not readily visible in the OS", which presumably means "in the resource fork". The F-Secure item for the trojan says "Trojan-Dropper:OSX/Revir.A drops a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.", which seems to indicate that both a PDF that "[distracts] the user" and other stuff including "a backdoor program" are involved. It sounds a bit more complex than what the articles about the trojan say it is and the /. discussion of the trojan seem to imply it is, but they don't indicate what "a downloader component" is. I guess I've spent too much time dealing with Mac OS X at the UN*X level to know what "a downloader component" is....
Saving a file on the computer is easy. Click on a link to a PDF and Safari will download it. Double click on it and Preview will open it. This is the behaviour that users expect. Double click on it and OS X puts up a warning box telling them that it's the first time they've run this application that they downloaded from the Internet? That's not. Especially for normal users who won't download any applications from the Internet, so won't have seen that dialog before...
in the context of my post there's no relevant distinction.
Your sad attempt to "burn" me might have had some impact if you actually addressed my point instead of simply going for a cheap knock down.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
No, it really does make a difference. Words have meaning. You used the term incorrectly.
I imagine what you meant to say was "malware", but of course no one is claiming Macs are immune to malware as a whole - that would just be silly. There's a long history of trojans on the Mac since they tend to rely on social engineering to work, and that's a platform-independent problem. You can certainly attempt to minimise the potential threats, but ultimately you're only as effective as the user at the computer when it comes to that sort of thing.
You mentioned something about me addressing your point, but your point seems to be "I'm pleased because I believe this story means that Mac users are 'joining the rest of the computing world'" despite that being hilariously inaccurate because, as I mentioned, this is a long way from being the first trojan on OS X. I can talk some more about your ignorance if you like though?
Okay, Captain Strawman, I didn't say words didn't have meaning. I said that in this context the distinction is irrelevant.
http://en.wikipedia.org/wiki/Context_(language_use)#Verbal_context
That's so you can bone up on what context means... it's a word and apparently a difficult concept to master.
Oh I understand the meaning of the word context, however the context of this discussion is a Mac trojan, and you come wading in with some oft-repeated meme that "Mac users always claim they are immune to viruses". Whether it's true or not (and it's not), you're out of context quite clearly.
You also claimed that you were "pleased" to see that "Mac users are now joining the rest of the computing world" when as I explained, that train sailed a long time ago in the context of this discussion: trojans.
So, which is it? Are you claiming that you believe "virus" specifically means "malware" in your interpretation of what you believe "most" Mac users tell you since you claim to have endured "years" of them telling you this apparently erroneously, since you seem to believe this article represents the very first instance of any virus or trojan on the Mac platform, or are you just trying to save face because you didn't expect anyone to call you on your demonstrably false equivalence between a trojan and a virus, trying to handwave it all away with a non sequitur about it "all being in context" so it doesn't matter about being precise in your definition.
It's not even like it's shorthand - the shorthand catch all term is "malware", but you specifically went with "viruses", in error.
If your point was to somehow make Mac users who say that specific phrase look bad, then it still fails, because this isn't a virus. If your point was to gloat about "Mac users joining the rest of the computing world" due to this then you still fail, since this is nowhere near the first trojan on OS X (nor would it be the first virus if it was a virus and not a trojan).
I can loan you a spade if you prefer to keep digging.
A user-space application cannot receive a listen port on OS X now, can it? If so, Apple needs to fix it.
Having to work for a living is the root of all evil.
Or just replace the operating system kernel.
OS X malware doesn't have to do that. Personally, I can't wait until the malware starts to complete the full circle, and we see common malware start using its own kernel extensions to hide itself completely from the system, giving us Mac rootkits.
Boot Windows, Linux, and ESX over the network for free.
Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.
The resource fork can hold MIME types?
It's not technically a MIME type (I used that term because it is actually familiar to a significant number of people), but it serves the same purpose, assuming the allusion in the article is correct. You can set the file type, system icon to use, and store a custom icon. Alternately they may be referring to similar functionality in an openstep bundle, which they refer to incorrectly as a fork. But yes, OS X can and will read this type of data stored in several formats.
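The three mechanisms the thread keeps circling back to (a program wearing a document icon set through Finder metadata, a hidden or doubled extension, and the quarantine-driven first-run warning) can be checked mechanically. The following is an added example, not code from any poster or from Apple; it assumes the caller has already read the file name, the first bytes of the data fork and the raw xattrs, so nothing here touches the file system and it runs on any platform.

```python
"""Spot "document" downloads that are really programs: an executable with a
PDF icon, a hidden or doubled extension, or no quarantine attribute."""
import struct
from dataclasses import dataclass

# Mach-O magic: thin 32/64-bit in both byte orders, plus fat/universal.
MACHO_MAGIC = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}
PDF_MAGIC = b"%PDF-"
DOC_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".txt", ".ogg"}
PROGRAM_EXTENSIONS = {".app", ".command", ".pkg", ".sh", ".exe"}
# com.apple.FinderInfo is 32 bytes: type(4) creator(4) flags(2, big-endian) ...
K_HAS_CUSTOM_ICON = 0x0400  # Finder flag bit meaning "custom icon present"


@dataclass
class Candidate:
    name: str                  # full file name, every extension visible
    header: bytes = b""        # first bytes of the file (for a .app bundle,
                               # of the binary under Contents/MacOS)
    finder_info: bytes = b""   # raw com.apple.FinderInfo xattr, or empty
    quarantined: bool = False  # com.apple.quarantine xattr present


def suffixes(name: str) -> list[str]:
    """All extensions of a name, lower-cased: 'a.pdf.app' -> ['.pdf', '.app']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def finder_flags(finder_info: bytes) -> int:
    """Finder flag word from a FinderInfo blob; 0 when absent or too short."""
    if len(finder_info) < 10:
        return 0
    return struct.unpack(">H", finder_info[8:10])[0]


def assess(c: Candidate) -> list[str]:
    """Return the reasons a file looks like a disguised program (empty = none)."""
    findings = []
    sfx = suffixes(c.name)
    is_macho = c.header[:4] in MACHO_MAGIC
    looks_like_doc = not sfx or sfx[-1] in DOC_EXTENSIONS
    # "somefile.pdf.app": a document extension in front of a program extension.
    if len(sfx) >= 2 and sfx[-1] in PROGRAM_EXTENSIONS and sfx[-2] in DOC_EXTENSIONS:
        findings.append("double extension " + "".join(sfx[-2:]))
    # The name (or missing extension) says document, the bytes say Mach-O.
    if is_macho and looks_like_doc:
        findings.append("Mach-O executable named like a document or extensionless")
    # Claims to be a PDF but does not start with the PDF signature.
    if sfx and sfx[-1] == ".pdf" and not c.header.startswith(PDF_MAGIC):
        findings.append("'.pdf' name without %PDF- header")
    # Executable wearing a custom icon set through Finder metadata.
    if is_macho and finder_flags(c.finder_info) & K_HAS_CUSTOM_ICON:
        findings.append("executable with custom (spoofable) icon")
    # Without the quarantine xattr, the first-run warning the thread mentions
    # is never shown, so a suspicious file would open silently.
    if findings and not c.quarantined:
        findings.append("no quarantine attribute: first-run warning will not appear")
    return findings


# Constructed samples (not real files): a genuine PDF and a 64-bit Mach-O
# posing as one, with the custom-icon flag set in its FinderInfo.
CUSTOM_ICON_INFO = struct.pack(">4s4sH", b"APPL", b"????", K_HAS_CUSTOM_ICON) + b"\0" * 22
GENUINE_PDF = Candidate("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3", quarantined=True)
DISGUISED = Candidate("invoice.pdf", b"\xcf\xfa\xed\xfe" + b"\0" * 28, CUSTOM_ICON_INFO)

if __name__ == "__main__":
    for sample in (GENUINE_PDF, DISGUISED):
        print(sample.name, "->", assess(sample) or ["looks fine"])
```

On a real Mac the inputs would come from the file's first bytes and the `com.apple.FinderInfo` / `com.apple.quarantine` extended attributes; the logic above only decides what those values mean.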
The slashdot of today reminds me of USENET after the AOL crowd was released from their cages. Minus the capslock of course. You'd think that at a supposed nerd hangout you wouldn't have to be arguing with someone about the difference between a self propagating piece of software and a social engineering trick. Yet that seems to be the norm, if evidenced by the bulk of comments on this article (and this article isn't alone in this).
Well, as I understand this, it is simply an executable with a PDF icon and file extension. I presume therefore that when the user tries to open it they get the standard "This is an application downloaded from the Internet, do you really want to run it?" alert.
A virus copies itself on its own, but the initial infection might happen by running it manually (that's how many old DOS viruses operated).
Setting aside the fact that Macs are PCs and not all PCs run Windows... I run regularly both a Linux desktop and a Windows desktop. What "PC" users need is a tiny, just a tiny bit of education (admittedly many don't have it). I've gotten exactly zero viruses on linux and two viruses on Windows: on one occasion, I ran a random binary while drunk. On the other occasion I was not running a firewall - something that *every* computer online needs - your Mac runs one by default, I suppose you know; have no doubt it may get blasted without one (Sasser-style net worms have happened in the *nix world). The precautions I've always taken are pretty much the same I take on Linux: make sure a firewall is running, do not run random binaries (or PDFs, or DOC/XLS/PPTs, for that matter) from the net, and back in the day, don't use IE (admittedly you can't even do that on Linux). And definitely don't run an antivirus to hog the system - which has to be *disabled* on Win7 and that's a bit annoying.
The oft-repeated phrase refers to all malware actually. Your insistence on specificity ignores the context of the comment and entirely fails to understand the larger point.
In your attempt to sound relevant and clever you've simply come off as arrogant and clueless.
Regards.
In your opinion that's what you think it refers to.
In my opinion Linux is Unix. See how easy that is?
Your unprovoked and childish hostility has been noted. Thank you for participating.
And definitely don't run an antivirus to hog the system - which has to be *disabled* on Win7 and that's a bit annoying.
Huh? I have seen warnings like this from some installers, but I have never had to disable my antivirus. Also, don't get McAfee or Norton, and you don't get a system hog, Trend Micro is actually quite good (#3) and doesn't bog your system down.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Wow, that is hilarious. So you are saying that Macs are more usable than Windows? For what? I can do everything on a Windows machine that you can do on Mac, plus much more. Therefore by definition, Windows is more usable. Just because you don't know how to use the command line in Windows does not mean it is less usable.
The lack of communication with the control server I got the impression had more to do with the command server not accepting connections. I doubt it is a failing of the software, as they did note that it tried to connect, which means it got past the firewall on the Mac and out on the network.
I didn't mean you have to disable the antivirus.
My point, and I thought the context made it clear, was that you do not need an antivirus as long as you take just a few precautions. Run a firewall, avoid random executables, disable useless services (and have strong passwords for those that aren't useless) and patch up vulnerabilities regularly. Precautions that should be taken for any computer online.
If you don't notice a system hog, so much the better for you. I personally don't appreciate pop-ups telling me to update the anti-virus database and icons cluttering the taskbar.