Slashdot Mirror


New Mac OS X Trojan Hides Inside PDFs

Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."

8 of 194 comments

  1. Nothing to see.. by Anonymous Coward · · Score: 4, Informative

    Article is shallow: users click executables disguised with a PDF icon... Nothing to see here, move along folks!

    1. Re:Nothing to see.. by Richard_at_work · · Score: 5, Insightful

      Do much being .... What, exactly? Access your browser to capture your passwords? Participate in a DDOS? Send spam email? Propagate itself?

      Don't need admin to do any of that...

    2. Re:Nothing to see.. by Zephiris · · Score: 4, Informative

      It can add itself to your user files, which allows something to start "at boot", as long as that user is the one (auto)logging in.

      You don't see much Windows malware adding itself to your "Startup" folder, but few average Mac users are going to check "command line files" to see whether something has injected something bad or not.

      As TFA says, this isn't a PDF, but an executable merely pretending to be one.

      It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part. It wouldn't be able to snoop some low level processes, but absolutely anything that is running under your user? Yup. Open ports to communicate with the mothership? Of course. Install a line to start whenever this user is logged in? Of course.

      If you get a user dumb enough to allow admin privileges to a fake PDF, you can use officially sanctioned mechanisms to inject code into every process in the machine without requiring a separate 'trojan process' to stay alive to monitor it. Or just replace the operating system kernel. :p

      --

      "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
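As an added illustration of the point made in this thread (an executable carrying a PDF name and icon, not a PDF), here is a small defender-side checker that is not part of the article or of any poster's code. It reads file magic instead of trusting the name: a real PDF starts with `%PDF-`, a native OS X executable starts with one of the documented Mach-O magic values, and an app bundle named `Something.pdf.app` shows up as "Something.pdf" in Finder once the `.app` extension is hidden. The sample files it writes into a temporary directory are constructed for the demo; the directory layout and helper names are this example's own.

```python
"""Flag "PDFs" whose content or packaging says they are executables.

Added example for this thread; constructed samples only, no real malware.
"""
import os
import tempfile

PDF_MAGIC = b"%PDF-"
# Mach-O header magics (32/64-bit, both byte orders) plus the fat/universal magic.
# Note: 0xCAFEBABE is also the Java class-file magic, so treat it as "native-looking",
# not as proof of a Mach-O binary.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC
    b"\xce\xfa\xed\xfe",  # MH_CIGAM
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC
}


def classify(data: bytes) -> str:
    """Return 'pdf', 'mach-o' or 'unknown' from the first bytes of a file."""
    head = data[:8]
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    return "unknown"


def is_disguised_pdf(name: str, data: bytes) -> bool:
    """True when the name claims PDF but the content does not start like one."""
    return name.lower().endswith(".pdf") and classify(data) != "pdf"


def audit_directory(path: str) -> list:
    """Walk a directory; report .pdf files with non-PDF magic and *.pdf.app bundles."""
    findings = []
    for root, dirs, files in os.walk(path):
        for dn in dirs:
            # Finder hides ".app", so "Report.pdf.app" displays as "Report.pdf".
            if dn.lower().endswith(".pdf.app"):
                findings.append(os.path.join(root, dn))
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                head = fh.read(8)
            if is_disguised_pdf(fn, head):
                findings.append(full)
    return sorted(findings)


def run_demo() -> tuple:
    """Write constructed samples to a temp dir and audit them.

    Returns (expected_findings, actual_findings) as sets of paths.
    """
    base = tempfile.mkdtemp(prefix="pdf_audit_")
    real_pdf = os.path.join(base, "real.pdf")
    fake_pdf = os.path.join(base, "fake.pdf")  # Mach-O 64-bit magic, .pdf name
    notes = os.path.join(base, "notes.txt")
    bundle = os.path.join(base, "Report.pdf.app")  # app bundle posing as a PDF
    with open(real_pdf, "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample\n")
    with open(fake_pdf, "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    with open(notes, "wb") as fh:
        fh.write(b"just text\n")
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    with open(os.path.join(bundle, "Contents", "MacOS", "Report"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    expected = {fake_pdf, bundle}
    return expected, set(audit_directory(base))


if __name__ == "__main__":
    expected, found = run_demo()
    print("flagged:", sorted(found))
    print("matches expectation:", expected == found)
```

The check is deliberately conservative: it only says "this is not a PDF", and an unknown magic (a plain script, for instance) is reported the same way, since the point is the mismatch between what the name promises and what the bytes are.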
  2. Does not hide in PDFs by Anonymous Coward · · Score: 5, Insightful

    It's just a trojan with a PDF icon.

    And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.

    Trojans are nothing new, giving them fake icons is nothing new, even Mac trojans are nothing new. News this ain't.

    1. Re:Does not hide in PDFs by oakgrove · · Score: 4, Informative

      Absolutely. The title of the summary is "hides in pdfs" which is a big fat lie. Nice job, Slashdot.

      --
      The soylentnews experiment has been a dismal failure.
  3. Re:But... by bonch · · Score: 5, Informative

    This isn't a virus. It doesn't propagate; it's not even capable of communicating with its server once installed, so it's another one of these annual proof-of-concept social engineering attacks that anonymous Apple-haters latch onto and then promptly forget about a day later.

  4. Smells Like AV Flackery by jasnw · · Score: 4, Insightful

    Every time one of these "sky is falling, OS X is being attacked by new malware/virus/trojan" articles floats around the 'net, it seems like the source document is from one or another AV builder or a computer security outfit with things to sell. The first clue is how vapid and vague the article is, and how little useful information it provides. Another clue is when one part of the article tells the story a bit differently than elsewhere in the same article. For OS X users, there are a handful of good, independent computer security sites (apple.com NOT being one of them), and if it ain't there, I ignore it.

  5. Yep by Sycraft-fu · · Score: 4, Insightful

    In fact I've seen a big rise in the amount of non-admin Windows malware. It just infects the user that is using the system. The reason is they realize that for the vast majority of systems, the user IS the system, there is no need to infect anything else. It also lets them get an infection in an enterprise setup where users don't get admin.

      Now I suppose it does make the malware slightly easier to get rid of but then it really doesn't matter, I tend to scan the things from a boot disk anyhow.

    This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.