Slashdot Mirror


New Mac OS X Trojan Hides Inside PDFs

Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."

15 of 194 comments

  1. Nothing to see.. by Anonymous Coward · · Score: 4, Informative

    Article is shallow: users click executables disguised with a PDF icon.. Nothing to see here, move along folks!

    1. Re:Nothing to see.. by Richard_at_work · · Score: 5, Insightful

      Do much being .... What, exactly? Access your browser to capture your passwords? Participate in a DDOS? Send spam email? Propagate itself?

      Don't need admin to do any of that...

    2. Re:Nothing to see.. by Zephiris · · Score: 4, Informative

      It can add itself to your user files, which allow something to start "at boot", as long as that user is the one (auto)logging in.

      You don't see much Windows malware adding itself to your "Startup" folder, but few average Mac users are going to check "command line files" to see whether something has injected something bad or not.

      As TFA says, this isn't a PDF, but an executable merely pretending to be one.

      It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part. It wouldn't be able to snoop some low level processes, but absolutely anything that is running under your user? Yup. Open ports to communicate with the mothership? Of course. Install a line to start whenever this user is logged in? Of course.

      If you get a user dumb enough to allow admin privileges to a fake PDF, you can use officially sanctioned mechanisms to inject code into every process in the machine without requiring a separate 'trojan process' to stay alive to monitor it. Or just replace the operating system kernel. :p

      --

      "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
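The persistence the post above describes (a line that starts "whenever this user is logged in") is, on OS X, a per-user launchd agent in ~/Library/LaunchAgents, which needs no admin rights. Below is an added audit script, not code from the thread or from any of the products mentioned, that parses such plists and flags agents that start at login from a user-writable location or from a dot-directory. The two plists at the bottom are constructed samples; the trusted-prefix list and the `com.example.*` labels are assumptions for the example.

```python
"""Audit per-user launchd agents for persistence in user-writable paths.

Added example for the thread above. Per-user LaunchAgents live in
~/Library/LaunchAgents and run whenever that user logs in; no admin
password is needed to create one. The plists below are constructed
samples, not artefacts from the trojan the article describes.
"""
import os
import plistlib

# Where an agent's program is normally installed. Anything outside these
# prefixes (home directory, /tmp, /var/folders, ...) is writable by the
# ordinary user and therefore worth a second look. Assumed list.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/")


def program_path(plist: dict) -> str:
    """launchd accepts either the Program key or ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_agent(data: bytes) -> dict:
    """Return a verdict for one LaunchAgent plist (XML or binary bytes)."""
    plist = plistlib.loads(data)
    path = program_path(plist)
    # RunAtLoad starts the job at login; KeepAlive restarts it if it dies.
    persistent = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    trusted = path.startswith(TRUSTED_PREFIXES)
    hidden = any(part.startswith(".") for part in path.split("/") if part)
    reasons = []
    if persistent and not trusted:
        reasons.append("starts at login from a user-writable path")
    if hidden:
        reasons.append("program lives in a dot-directory")
    return {
        "label": plist.get("Label", "?"),
        "program": path,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def audit_directory(directory: str) -> list:
    """Audit every .plist in a LaunchAgents directory; returns all verdicts."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results.append(audit_agent(fh.read()))
    return results


# Constructed samples (hypothetical labels and paths).
BENIGN = plistlib.dumps({
    "Label": "com.example.benign",
    "Program": "/usr/bin/true",
    "RunAtLoad": True,
})
SUSPECT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/.cache/updater", "--quiet"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    # Real use: audit_directory(os.path.expanduser("~/Library/LaunchAgents"))
    for sample in (BENIGN, SUSPECT):
        verdict = audit_agent(sample)
        print(verdict["label"], "suspicious" if verdict["suspicious"] else "ok",
              "; ".join(verdict["reasons"]))
```

Run it against your own ~/Library/LaunchAgents (and /Library/LaunchAgents for the system-wide ones) after something unexpected asked to be opened; a legitimate agent pointing into your home directory does exist occasionally, so treat a hit as a prompt to look at the binary, not as proof of infection.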
    3. Re:Nothing to see.. by Guy Harris · · Score: 3, Informative

      What makes you think it wouldn't be sandboxed on OS X 10.7 by default, the same as every other app you download?

      Because it wasn't downloaded from the App Store, so it isn't sandboxed by default.

  2. Does not hide in PDFs by Anonymous Coward · · Score: 5, Insightful

    It's just a trojan with a PDF icon.

    And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.

    Trojans are nothing new, giving them fake icons is nothing new, even Mac trojans are nothing new. News this ain't.

    1. Re:Does not hide in PDFs by oakgrove · · Score: 4, Informative

      Absolutely. The title of the summary is "hides in pdfs" which is a big fat lie. Nice job, Slashdot.

      --
      The soylentnews experiment has been a dismal failure.
  3. Re:again PDF? by Pence128 · · Score: 3, Informative

    Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a pdf icon.

    --
    404: sig not found.
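The point made repeatedly in this thread is that the file is an executable with a ".pdf" name and icon, not a PDF. A name and an icon are both cosmetic; the file's first bytes are not. The script below is an added example (not from the thread or from any vendor) that walks a directory and reports files whose name claims PDF but whose header is a Mach-O binary, a script, or anything other than `%PDF-`. The sample files it creates under a temporary directory are constructed for the demonstration.

```python
"""Flag files that claim to be PDFs by name but are not PDFs by content.

Added example. Only the first few bytes of each file are read; the
Mach-O magic values are the documented ones for 32-bit, 64-bit and
universal (fat) binaries. Sample files are constructed, not real malware.
"""
import os
import tempfile

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # 32-bit, big-endian
    b"\xce\xfa\xed\xfe",  # 32-bit, little-endian
    b"\xfe\xed\xfa\xcf",  # 64-bit, big-endian
    b"\xcf\xfa\xed\xfe",  # 64-bit, little-endian
    b"\xca\xfe\xba\xbe",  # universal (fat) binary
}


def classify(header: bytes) -> str:
    """Identify a file type from its leading bytes."""
    if header.startswith(b"%PDF-"):
        return "pdf"
    if header[:4] in MACHO_MAGICS:
        return "mach-o"
    if header.startswith(b"#!"):
        return "script"
    return "unknown"


def inspect_file(path: str) -> dict:
    """Compare what the name claims with what the content is."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    kind = classify(header)
    claims_pdf = path.lower().endswith(".pdf")
    return {
        "path": path,
        "kind": kind,
        # A real PDF never needs the execute bit; report it as context.
        "executable": os.access(path, os.X_OK) and os.path.isfile(path),
        "suspicious": claims_pdf and kind != "pdf",
    }


def scan_directory(root: str) -> list:
    """Return only the findings where the name and content disagree."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            findings.append(inspect_file(os.path.join(dirpath, name)))
    return [f for f in findings if f["suspicious"]]


def build_samples(root: str) -> None:
    """Write constructed sample files: one real PDF header, two imposters."""
    samples = {
        "report.pdf": b"%PDF-1.4\n%constructed sample\n",
        "invoice.pdf": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,  # 64-bit Mach-O header
        "notes.pdf": b"#!/bin/sh\necho constructed sample\n",
        "readme.txt": b"plain text, not claiming to be a pdf\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "invoice.pdf"), 0o755)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        for hit in scan_directory(tmp):
            print(f"{os.path.basename(hit['path'])}: {hit['kind']} "
                  f"(executable={hit['executable']})")
```

On a real machine, point `scan_directory` at ~/Downloads or a mail attachments folder rather than the temp directory; Finder can hide the extension and show a PDF icon, but this check ignores both and goes by the header alone.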
  4. Any Informative Links? by ninetyninebottles · · Score: 3, Interesting

    I saw reference to this trojan the other day, but my research turned up only vague descriptions such as the one linked in the summary. From all the reading I did it seems like this is an executable of some sort, with no extension that is being e-mailed to people. None of the descriptions I've read have described how it infects the machine, but I assume the user has to run it and then agree to allow the unsigned program to run for the first time. At this point it drops a PDF on the hard drive, opens it, and then installs a bare bones apache server, which doesn't actually work as far as anyone can tell. There was some indication that this was a cross platform trojan, but no one has been able to confirm this.

    So if anyone is actually in a lab with a copy of this could you please enlighten us on the following points:

    • How is this being distributed in the wild?
    • Does this somehow run automatically and does it bypass the user having to authorize the executable to run for the first time?
    • On 10.6 does it require an admin password to install?
    • Does it attempt to do something about the firewall settings?
    • On 10.7 does this attempt to escape the sandbox?
    • Does the best case install actually get an Apache server running well enough to listen to a control channel, update itself, or perform actions?

    So as far as I can tell this is a failed attempt to create a trojan that was released into the wild, possibly as part of testing or as an experiment. It's not really much in the way of news, but for security geeks it is quite interesting; which is why the complete failure of the security companies to provide a decent description is so frustrating. Does anyone have real information about this trojan?

  5. Re:Windows is bad, hmmmmk? by KDR_11k · · Score: 3, Insightful

    So it requires a gullible user. There's not exactly a shortage of those.

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
  6. Re:But... by bonch · · Score: 5, Informative

    This isn't a virus. It doesn't propagate; it's not even capable of communicating with its server once installed, so it's another one of these annual proof-of-concept social engineering attacks that anonymous Apple-haters latch onto and then promptly forget about a day later.

  7. Okay, fellow Mac users by 93 Escort Wagon · · Score: 3, Insightful

    Here's the plan:

    1) OS X makes it brain-dead easy to not run as an admin user. Create a separate admin account first, then remove the admin privilege from your everyday account. On those rare occasions you need admin privileges, you'll be automatically asked to provide the admin account info - you don't need to even think about it.

    (Somehow that isn't sinking into a lot of people's heads, even those who should know better)

    2) Back up your stuff regularly. Again, OS X makes this brain-dead easy with Time Machine. You can use something else like a custom rsync script, but - just DO IT.

    If you're running as a non-admin user, the worst that can happen is your own stuff gets hosed - and then you can get it back from your backups. But since trojans are probably only going to go after the system files, it's unlikely even your stuff will get touched.

    Okay, there's one caveat. If you click on an infected file, and it asks for admin permissions and you provide it, you're screwed. But one would hope you're smart enough to realize viewing a PDF should not require admin authentication. In the end, common sense does have to enter into the picture.

    BTW if you claim running as an admin is okay because you're always prompted to authenticate anyway... you're just wrong.

    --
    #DeleteChrome
    1. Re:Okay, fellow Mac users by 93 Escort Wagon · · Score: 3, Informative

      You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

      For the account stuff, you might have a point. They don't need to "know it's there" (unlike, say, the old Windows setup where you had to know about "Run as Administrator...") - but they do need to know what admin versus non-admin means. But really that's all they have to know. Even my 70+ year old mom was able to grok that.

      As far as backups go, though - the first time you plug in an external hard drive, if backups haven't already been set up - OS X automatically asks "do you want to use this disk for backups?" The user doesn't need to go looking for anything. That's a pretty low bar.

      --
      #DeleteChrome
    2. Re:Okay, fellow Mac users by berryjw · · Score: 3, Insightful

      Dude, I've watched so many OS X users click through *anything* that pops up to know better. That "average" user everyone keeps referencing doesn't read those boxes any more than they read the EULAs for the software they're using, and most of them will provide credentials without even considering why they might be asked for them. Users view all of this as speed bumps, and don't have any idea it's part of system security. Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?

  8. Smells Like AV Flackery by jasnw · · Score: 4, Insightful

    Every time one of these "sky is falling, OS X is being attacked by new malware/virus/trojan" articles floats around the 'net, it seems like the source document is from one or another AV builder or a computer security outfit with things to sell. The first clue is how vapid and vague the article is, and how little useful information it provides. Another clue is when one part of the article tells the story a bit differently than elsewhere in the same article. For OS X users, there are a handful of good, independent, computer security sites (apple.com NOT being one of them), and if it ain't there, I ignore it.

  9. Yep by Sycraft-fu · · Score: 4, Insightful

    In fact I've seen a big rise in the amount of non-admin Windows malware. It just infects the user that is using the system. The reason is they realize that for the vast majority of systems, the user IS the system, there is no need to infect anything else. It also lets them get an infection in an enterprise setup where users don't get admin.

    Now I suppose it does make the malware slightly easier to get rid of but then it really doesn't matter, I tend to scan the things from a boot disk anyhow.

    This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.