Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Mac OS X Trojan Hides Inside PDFs

Posted by timothy on from the see-enclosed-nude-document dept.

Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."

27 of 194 comments (clear)

  1. Nothing to see.. by Anonymous Coward · · Score: 4, Informative

    Article is shallow: users click executables disguised with a PDF icon.. Nothing to see here, move along folks!

    1. Re:Nothing to see.. by Richard_at_work · · Score: 5, Insightful

      Do much being .... What, exactly? Access your browser to capture your passwords? Participate in a DDOS? Send spam email? Propagate itself?

      Don't need admin to do any of that...

    2. Re:Nothing to see.. by Richard_at_work · · Score: 2

      I don't need the admin password to add something I own to my own startup items list...

    3. Re:Nothing to see.. by Zephiris · · Score: 4, Informative

      It can add itself to your user files, which allow something to start "at boot", as long as that user is the one (auto)logging in.

      You don't see much Windows malware adding itself to your "Startup" folder, but few average Mac users are going to check "command line files" to see whether something has injected something bad or not.

      As TFA says, this isn't a PDF, but an executable merely pretending to be one.

      It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part. It wouldn't be able to snoop some low level processes, but absolutely anything that is running under your user? Yup. Open ports to communicate with the mothership? Of course. Install a line to start whenever this user is logged in? Of course.

      If you get a user dumb enough to allow admin privileges to a fake PDF, you can use officially sanctioned mechanisms to inject code into every process in the machine without requiring a separate 'trojan process' to stay alive to monitor it. Or just replace the operating system kernel. :p

      --

      "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
    4. Re:Nothing to see.. by Guy+Harris · · Score: 3, Informative

      What makes you think it wouldn't be sandboxed on OS X 10.7 by default, the same as every other app you download?

      Because it wasn't downloaded from the App Store, so it isn't sandboxed by default.

    5. Re:Nothing to see.. by Guy+Harris · · Score: 2

      The capability-based privilege system applies to all applications, not just App Store ones.

      No, it only applies to applications that have opted into it, which App Store apps have to, but other apps don't.

      An application on 10.7 can't access paths on the filesystem without either getting explicit permission or asking through an NSOpenPanel, which on 10.7 runs in a separate process.

      Again, only if it's opted into it. cat doesn't have to ask permission, and neither do, say, Wireshark or Microsoft Office or Quicken or.... Some apps that ship with Lion are sandboxed, such as TextEdit and Preview, but most aren't.

  2. Does not hide in PDFs by Anonymous Coward · · Score: 5, Insightful

    It's just a trojan with a PDF icon.

    And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.

    Trojans are nothing new, giving them fake icons is nothing new, even Mac trojans are nothing new. News this ain't.

    1. Re:Does not hide in PDFs by oakgrove · · Score: 4, Informative

      Absolutely. The title of the summary is "hides in pdfs" which is a big fat lie. Nice job, Slashdot.

      --
      The soylentnews experiment has been a dismal failure.
    2. Re:Does not hide in PDFs by LordLimecat · · Score: 2

      Lets be clear here, then.

      Is or is not Microsoft to blame for executable content that a user double clicks? Because if we had a clear "no" to that, I think the entire "Windows security vs OSX security" discussion would basically be over.

  3. Re:again PDF? by Pence128 · · Score: 3, Informative

    Title, summary and article all fail. It's an executable who's name ends with ".pdf" and has a pdf icon.

    --
    404: sig not found.
  4. Re:Windows is bad, hmmmmk? by Pence128 · · Score: 2

    To be fair, it's a "lets trick people into downloading and running programs" and not a "shit, lets execute data".

    --
    404: sig not found.
  5. Any Informative Links? by ninetyninebottles · · Score: 3, Interesting

    I saw reference to this trojan the other day, but my research turned up only vague descriptions such as the one linked in the summary. From all the reading I did it seems like this is an executable of some sort, with no extension that is being e-mailed to people. None of the descriptions I've read have described how it infects the machine, but I assume the user has to run it and then agree to allow the unsigned program to run for the first time. At this point it drops a PDF on the hard drive, opens it, and then installs a bare bones apache server, which doesn't actually work as far as anyone can tell. There was some indication that this was a cross platform trojan, but no one has been able to confirm this.

    So if anyone is actually in a lab with a copy of this could you please enlighten us on the following points:

    • How is this being distributed in the wild?
    • Does this somehow run automatically and does it bypass the user having to authorize the executable to run for the first time?
    • On 10.6 does it require an admin password to install?
    • Does it attempt to do something about the firewall settings?
    • On 10.7 does this attempt to escape the sandbox?
    • Does the best case install actually get an Apache server running well enough to listen to a control channel, update itself, or perform actions?

    So as far as I can tell this is a failed attempt to create a trojan that was released into the wild, possibly as part of testing or as an experiment. It's not really much in the way of news, but for security geeks it is quite interesting; which is why the complete failure of the security companies to provide a decent description is so frustrating. Does anyone have real information about this trojan?

  6. Re:Windows is bad, hmmmmk? by KDR_11k · · Score: 3, Insightful

    So it requires a gullible user. There's not exactly a shortage of those.

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
  7. Re:But... by bonch · · Score: 5, Informative

    This isn't a virus. It doesn't propagate; it's not even capable of communicating with its server once installed, so it's another one of these annual proof-of-concept social engineering attacks that anonymous Apple-haters latch onto and then promptly forget about a day later.

  8. Okay, fellow Mac users by 93+Escort+Wagon · · Score: 3, Insightful

    Here's the plan:

    1) OS X makes it brain-dead easy to not run as an admin user. Create a separate admin account first, then remove the admin privilege from your everyday account. On those rare occasions you need admin privileges, you'll be automatically asked to provide the admin account info - you don't need to even think about it.

    (Somehow that isn't sinking into a lot of peoples' heads, even those who should know better)

    2) Back up your stuff regularly. Again, OS X makes this brain-dead easy with Time Machine. You can use something else like a custom rsync script, but - just DO IT.

    If you're running as a non-admin user, the worst that can happen is your own stuff gets hosed - and then you can get it back from your backups. But since trojans are probably only going to go after the system files, it's unlikely even your stuff will get touched.

    Okay, there's one caveat. If you click on an infected file, and it asks for admin permissions and you provide it, you're screwed. But one would hope you're smart enough to realize viewing a PDF should not require admin authentication. In the end, common sense does have to enter into the picture.

    BTW if you claim running as an admin is okay because you're always prompted to authenticate anyway... you're just wrong.

    --
    #DeleteChrome
    1. Re:Okay, fellow Mac users by 93+Escort+Wagon · · Score: 3, Informative

      You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

      For the account stuff, you might have a point. They don't need to "know it's there" (unlike, say, the old Windows setup where you had to know about "Run as Administrator...") - but they do need to know what admin versus non-admin means. But really that's all they have to know. Even my 70+ year old mom was able to grok that.

      As far as backups go, though - the first time you plug in an external hard drive, if backups haven't already been set up - OS X automatically asks "do you want to use this disk for backups?" The user doesn't need to go looking for anything. That's a pretty low bar.

      --
      #DeleteChrome
    2. Re:Okay, fellow Mac users by berryjw · · Score: 3, Insightful

      Dude, I've watched so many OS X users click through *anything* that pops up to know better. That "average" user everyone keeps referencing doesn't read those boxes any more than they read the EULAs for the software they're using, and most of them will provide credentials without even considering why they might be asked for them. Users view all of this as speed bumps, and don't have any idea it's part of system security. Come on, how many passwords do you still see pasted on monitors, or sticky's on the desktop?

    3. Re:Okay, fellow Mac users by artor3 · · Score: 2

      That's if they plug in an external drive. How many do? And how many answer in the affirmative? A lot might worry that if they say yes, they can't use that drive for other things.

      And I suspect that your 70+ year old mom had it explained to her, likely by you. There are a lot of people who just want their cursor to turn into a unicorn, and will say yes to anything to make it happen.

      In the end, you can't defend a computer from it's owner, no matter which OS you use.

    4. Re:Okay, fellow Mac users by NoMaster · · Score: 2

      Not to mention the fact that if an Apple executable is downloaded via browser or email, when you attempt to run it for the first time you get a message that says:

      "Xxxx is an application that was [downloaded from the internet || attached to a mail message]. Are you sure you want to open it?"

      And some details about when it was downloaded / received. Admin permissions or not don't even come into it.

      At some point you've got to hand over responsibility from the OS (or anti-virus) babying the user's arse, and on to the user to think a bit and look after themselves. Is learning the difference between a document or data file and a program file too much to ask?

      Anti-virus software is in fact starting to become part of the problem, because users have been trained to trust it so much that they never develop the skills to protect themselves from the bleedin' obvious.

      --
      What part of "a well regulated militia" do you not understand?
  9. Re:But... by scottbomb · · Score: 2

    To quote Apple's own website: Mac don't get WINDOWS viruses.

    (They get Mac viruses). --- not on the website.

    If the world were the other way around, where 90% + of the population used Macs and a small minority used Windows... need I say more?

  10. Re:again PDF? by Aardpig · · Score: 2

    Obvious troll is obvious.

    --
    Tubal-Cain smokes the white owl.
  11. Re:But... by PopeRatzo · · Score: 2

    This isn't a virus; it doesn't do anything when installed or propagate. It can't even communicate with its server.

    So...it's candy!

    No need to worry Apple users, it "doesn't do anything when installed or propagate". You are safe and warm and don't forget to let iTunes save your password.

    --
    You are welcome on my lawn.
  12. Re:Windows is bad, hmmmmk? by ninetyninebottles · · Score: 2

    But how do you prevent stupidity? To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing. A mitigating factor would be preventing applications from setting their own icon. Which do you propose?

    You don't need to prevent a user from being able to run apps, you just need to restrict default behaviors for apps, provide the user with information on how much an "expert" thinks they should trust software, and tell the user in clear and simple terms when the app wants more privileges and exactly what those privileges are. Finally, you need to present this in a usable interface. Apple is already heading down this route with both iOS and OS X. In OS X 10.7 apps are sandboxed by default, although I haven't seen a single report as to if this trojan works within the sandbox, breaks out of the sandbox, or simply fails entirely on Lion.

  13. Smells Like AV Flackery by jasnw · · Score: 4, Insightful

    Every time one of these "sky is falling, OS X is being attacked by new malware/virus/trojan" articles floats around the 'net, it seems like the source document is from one or another AV builder or a computer security outfit with things to sell. The first clue is how vapid and vague the article is, and how little useful information it provides. Another clue is when one part of the article tells the story a bit different than elsewhere in the same article. For OS X users, there are a handful of good, indepdent, computer security sites (apple.com NOT being one of them), and if it aint there, I ignore it.

  14. Yep by Sycraft-fu · · Score: 4, Insightful

    In fact I've seen a big rise in the amount of non-admin Windows malware. It just infects the user that is using the system. The reason is they realize that for the vast majority of systems, the user IS the system, there is no need to infect anything else. It also lets them get an infection in an enterprise setup where users don't get admin.

      Now I suppose it does make the malware slightly easier to get rid of but then it really doesn't matter, I tend to scan the things from a boot disk anyhow.

    This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.

    1. Re:Yep by mjwx · · Score: 2

      This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.

      Some of us have understood for a while that that the user is the most vulnerable part of any system. Almost all malware infections I've seen have been user initiated, drive by infections in this day and age are very rare even on unpatched machines. This is why my Windows servers are more secure then any Linux or Mac desktop, simply because no user is permitted near them.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  15. Re:again PDF? by Guy+Harris · · Score: 2

    Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.

    Actually, if you skip all the journalism and follow links all the way to the F-Secure blog posting about the trojan, it's a file "where the icon is stored in a separate fork that is not readily visible in the OS", which presumably means "in the resource fork". The F-Secure item for the trojan says "Trojan-Dropper:OSX/Revir.A drops a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.", which seems to indicate that both a PDF that "[distracts] the user" and other stuff including "a backdoor program" are involved. It sounds a bit more complex than what the articles about the trojan say it is and the /. discussion of the trojan seem to imply it is, but they don't indicate what "a downloader component" is. I guess I've spent too much time dealing with Mac OS X at the UN*X level to know what "a downloader component" is....