New Mac OS X Trojan Hides Inside PDFs

Posted by timothy
from the see-enclosed-nude-document dept.
Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."

  • Nothing to see.. (Score:4, Informative)

    by Anonymous Coward on Saturday September 24, 2011 @03:42PM (#37503772)

    Article is shallow: users click executables disguised with a PDF icon.. Nothing to see here, move along folks!

  • Re:again PDF? (Score:3, Informative)

    by Pence128 (1389345) on Saturday September 24, 2011 @03:49PM (#37503832)
    Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a PDF icon.
  • Re:But... (Score:2, Informative)

    by tmosley (996283) on Saturday September 24, 2011 @04:07PM (#37503978)
    Never said they didn't have trojans.

    Might want to learn the difference.
  • Re:But... (Score:5, Informative)

    by bonch (38532) on Saturday September 24, 2011 @04:14PM (#37504022)

    This isn't a virus. It doesn't propagate; it's not even capable of communicating with its server once installed, so it's another one of these annual proof-of-concept social engineering attacks that anonymous Apple-haters latch onto and then promptly forget about a day later.

  • by oakgrove (845019) on Saturday September 24, 2011 @04:21PM (#37504062)
    Absolutely. The title of the summary is "hides in pdfs" which is a big fat lie. Nice job, Slashdot.
  • by 93 Escort Wagon (326346) on Saturday September 24, 2011 @04:58PM (#37504282)

    You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

    For the account stuff, you might have a point. They don't need to "know it's there" (unlike, say, the old Windows setup where you had to know about "Run as Administrator...") - but they do need to know what admin versus non-admin means. But really that's all they have to know. Even my 70+ year old mom was able to grok that.

    As far as backups go, though - the first time you plug in an external hard drive, if backups haven't already been set up - OS X automatically asks "do you want to use this disk for backups?" The user doesn't need to go looking for anything. That's a pretty low bar.

  • Re:Nothing to see.. (Score:5, Informative)

    by Zephiris (788562) on Saturday September 24, 2011 @05:28PM (#37504442)

    It can add itself to your user files, which allow something to start "at boot", as long as that user is the one (auto)logging in.

    You don't see much Windows malware adding itself to your "Startup" folder, but few average Mac users are going to check "command line files" to see whether something has injected something bad or not.

    As TFA says, this isn't a PDF, but an executable merely pretending to be one.

    It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part. It wouldn't be able to snoop some low level processes, but absolutely anything that is running under your user? Yup. Open ports to communicate with the mothership? Of course. Install a line to start whenever this user is logged in? Of course.

    If you get a user dumb enough to allow admin privileges to a fake PDF, you can use officially sanctioned mechanisms to inject code into every process in the machine without requiring a separate 'trojan process' to stay alive to monitor it. Or just replace the operating system kernel. :p
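
The two checks a practitioner would actually run after reading Pence128's comment (an executable whose name ends in ".pdf") and Zephiris's (it can add itself to the user's files so it starts whenever that user logs in) are shown below as an added example; this is not code from the article, from ThreatPost, or from any commenter. It looks past the file name at the first four bytes (the Mach-O and fat-binary magic values from <mach-o/loader.h> and <mach-o/fat.h>) and parses the per-user LaunchAgent plists in ~/Library/LaunchAgents, which is the assumption made here for what "start at boot for this user" means. The directory names, the plist label, the file names and the Mach-O header stub are all constructed fixtures so the script runs offline; the page does not give the real sample's names and none are invented. One caveat: this flags a flat Mach-O file, so an .app bundle (a directory) renamed to end in .pdf would need a separate directory check.

```python
"""
Added example (not from the article or the thread): audit for a Mach-O
executable named like a PDF, and for a per-user LaunchAgent that would start
it at login. All paths and sample files below are constructed for the demo.
"""
import os
import plistlib
import tempfile

# Mach-O and fat (universal) magic numbers as they appear in file byte order.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC     32-bit, big-endian
    b"\xce\xfa\xed\xfe",  # MH_CIGAM     32-bit, little-endian
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64  64-bit, big-endian
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64  64-bit, little-endian
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC    universal binary (also Java .class)
    b"\xbe\xba\xfe\xca",  # FAT_CIGAM
}


def classify(path):
    """Return 'pdf', 'macho' or 'other' from the first bytes, ignoring the name."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == b"%PDF":
        return "pdf"
    if head in MACHO_MAGICS:
        return "macho"
    return "other"


def find_masquerading_pdfs(directory):
    """Files whose name ends in .pdf (any case) but whose header is Mach-O."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.lower().endswith(".pdf") \
                and classify(path) == "macho":
            hits.append(path)
    return hits


def launch_agent_programs(agents_dir):
    """Map each LaunchAgent plist to the executable launchd would run for it."""
    programs = {}
    if not os.path.isdir(agents_dir):
        return programs
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        with open(path, "rb") as f:
            try:
                data = plistlib.load(f)
            except Exception:  # malformed plist: skip rather than crash the audit
                continue
        prog = data.get("Program")
        if prog is None:
            args = data.get("ProgramArguments") or []
            prog = args[0] if args else None
        if prog:
            programs[path] = prog
    return programs


def suspicious_agents(agents_dir):
    """LaunchAgents whose program is a Mach-O binary named like a PDF."""
    out = []
    for plist, prog in launch_agent_programs(agents_dir).items():
        if prog.lower().endswith(".pdf") and os.path.isfile(prog) \
                and classify(prog) == "macho":
            out.append((plist, prog))
    return out


def build_sample(root):
    """Constructed fixture: a genuine-looking PDF, a Mach-O stub named as a
    PDF, and a LaunchAgent pointing at the stub. Not real malware."""
    downloads = os.path.join(root, "Downloads")
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(downloads)
    os.makedirs(agents)
    with open(os.path.join(downloads, "invoice.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    fake = os.path.join(downloads, "Photos.pdf")
    with open(fake, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # MH_CIGAM_64 header stub only
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": [fake],
                       "RunAtLoad": True}, f)
    return downloads, agents


def run_demo():
    """Build the fixture, run both checks, return the findings by base name."""
    with tempfile.TemporaryDirectory() as root:
        downloads, agents = build_sample(root)
        masq = [os.path.basename(p) for p in find_masquerading_pdfs(downloads)]
        agent_hits = [(os.path.basename(pl), os.path.basename(pr))
                      for pl, pr in suspicious_agents(agents)]
        return masq, agent_hits, classify(os.path.join(downloads, "invoice.pdf"))


if __name__ == "__main__":
    print(run_demo())
```

On a real machine, point find_masquerading_pdfs at ~/Downloads and suspicious_agents at ~/Library/LaunchAgents; the magic-byte check is what makes the PDF icon and the ".pdf" suffix irrelevant, since neither is consulted.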

  • Re:Nothing to see.. (Score:4, Informative)

    by Guy Harris (3803) <guy@alum.mit.edu> on Saturday September 24, 2011 @10:11PM (#37505808)

    What makes you think it wouldn't be sandboxed on OS X 10.7 by default, the same as every other app you download?

    Because it wasn't downloaded from the App Store, so it isn't sandboxed by default.
