
New Mac OS X Trojan Hides Inside PDFs

Posted by timothy
from the see-enclosed-nude-document dept.
Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."
  • Nothing to see.. (Score:4, Informative)

    by Anonymous Coward on Saturday September 24, 2011 @03:42PM (#37503772)

    Article is shallow: users click executables disguised with a PDF icon. Nothing to see here, move along folks!

    • by ceoyoyo (59147)

      Don't forget the part where opening a "PDF" asks for your admin password. Hm....

      (Note: I couldn't find out whether it actually asks for your admin password, but if it actually wants to do much it's going to have to)

      • by Kenja (541830)
        At the very least it would warn you that the application was not in the whitelist and ask if you wanted to add it.
      • by Richard_at_work (517087) <richardprice@nOSPam.gmail.com> on Saturday September 24, 2011 @04:08PM (#37503984)

        Do much being .... What, exactly? Access your browser to capture your passwords? Participate in a DDOS? Send spam email? Propagate itself?

        Don't need admin to do any of that...

        • Yep (Score:5, Insightful)

          by Sycraft-fu (314770) on Saturday September 24, 2011 @06:15PM (#37504726)

          In fact I've seen a big rise in the amount of non-admin Windows malware. It just infects the user that is using the system. The reason is they realize that for the vast majority of systems, the user IS the system, there is no need to infect anything else. It also lets them get an infection in an enterprise setup where users don't get admin.

          Now I suppose it does make the malware slightly easier to get rid of but then it really doesn't matter, I tend to scan the things from a boot disk anyhow.

          This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.

          • by mjwx (966435)

            This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.

            Some of us have understood for a while that the user is the most vulnerable part of any system. Almost all malware infections I've seen have been user initiated, drive by infections in this day and age are very rare even on unpatched machines. This is why my Windows servers are more secure than any Linux or Mac desktop, simply because no user is permitted near them.

      • Without your admin password it can still do quite a bit; it could skim your iMail account, access your browser saved passwords, etc. -- anything else that YOU have access to without typing a password.

        • by spud603 (832173)
          What is iMail?
        • by ceoyoyo (59147)

          Browser passwords on a Mac are in the system keychain, which you have to give the password for. If you're using Mail.app, which I assume you mean by "iMail," it's the same deal. Passwords are stored in the system keychain and are accessible by Mail.app but not by other apps, without the password. I guess it could probably scrape any locally stored e-mail though.

          Anyway, I really don't care what happens to someone dumb enough to click on a fake PDF that's sent to them and then click yes, it's okay to run t

    • by ThorGod (456163)

      The new piece of malware hides inside a PDF file and delivers a backdoor that hides on the user's machine once the malicious file is opened. Once the user executes the malware, it puts the malicious PDF on the user's machine and then opens it as a way to hide the malicious activity that's going on in the background, according to an analysis by researchers at F-Secure. The Trojan then installs the backdoor, which is named Imuler.A, which attempts to communicate with a command-and-control server.

      That server isn't capable of communicating with the malware, however, the researchers found, so the malware is on its own once it's installed on a victim's machine. What's not clear is exactly how the malware is spreading right now.

      Vague enough to be worthless, but worded to sound informative.

    • by antdude (79039)

      But Mac OS X doesn't use file extensions. How is a Chinese person supposed to know it is a legit PDF or a malware? Do we really need to install an AV in Mac OS X these days?

  • Must every story about Mac malware spend more time talking about how Windows is so bad than the OS X malware they are reporting?

    • by Pence128 (1389345)
      To be fair, it's a "let's trick people into downloading and running programs" and not a "shit, let's execute data".
      • by LodCrappo (705968)

        I'm sure that will be a great comfort to the Mac users effected by this malware :)

        • It takes time to effect a user. I guess you could start the process while bored, waiting for your computer to be repaired, but somehow I think that any users effected would probably not need any particular comforting regarding the particulars of their conception if this were the case.

      • by KDR_11k (778916) on Saturday September 24, 2011 @04:10PM (#37503998)

        So it requires a gullible user. There's not exactly a shortage of those.

        • But how do you prevent stupidity? To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing. A mitigating factor would be preventing applications from setting their own icon. Which do you propose?

          If "people are exceedingly stupid and will do anything the dancing bunnies tell them" is your only major security flaw, I'd say you're doing as well as possible.

          • But how do you prevent stupidity? To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing. A mitigating factor would be preventing applications from setting their own icon. Which do you propose?

            You don't need to prevent a user from being able to run apps, you just need to restrict default behaviors for apps, provide the user with information on how much an "expert" thinks they should trust software, and tell the user in clear and simple terms when the app wants more privileges and exactly what those privileges are. Finally, you need to present this in a usable interface. Apple is already heading down this route with both iOS and OS X. In OS X 10.7 apps are sandboxed by default, although I haven't

            • by tlhIngan (30335)

              You don't need to prevent a user from being able to run apps, you just need to restrict default behaviors for apps, provide the user with information on how much an "expert" thinks they should trust software, and tell the user in clear and simple terms when the app wants more privileges and exactly what those privileges are. Finally, you need to present this in a usable interface. Apple is already heading down this route with both iOS and OS X. In OS X 10.7 apps are sandboxed by default, although I haven't

              • Users do not read dialog boxes.

                Users do read dialogue boxes, when presented in a decent UI instead of the abysmal situation we have with most programs today. First, they have to be presented sparingly; not a problem going forward as most apps should never need to elevate privileges, especially since those distributed by the manufacturer through controlled channels can be vetted and signed with an ACL. This only applies to unsigned apps downloaded outside the main channels. It will take time to overcome the conditioning most users of Wind

  • by Anonymous Coward on Saturday September 24, 2011 @03:47PM (#37503820)

    It's just a trojan with a PDF icon.

    And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.

    Trojans are nothing new, giving them fake icons is nothing new, even Mac trojans are nothing new. News this ain't.

    • by oakgrove (845019) on Saturday September 24, 2011 @04:21PM (#37504062)
      Absolutely. The title of the summary is "hides in pdfs" which is a big fat lie. Nice job, Slashdot.
    • And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.

      Blacklists don't work. This even MS has figured out. So they add this particular one to the filter rather than fixing the vulnerabilities or worse yet, educating users on how to safely use computers (as opposed to telling them they are automagically protected by owning a Mac) but the malware writers simply make a new variation to get around that blacklist. There is so much Malware for Windows simply because a lot of it is subtle variations on the same malware to get around AV/Anti-malware.

      The "protect

    • Let's be clear here, then.

      Is or is not Microsoft to blame for executable content that a user double clicks? Because if we had a clear "no" to that, I think the entire "Windows security vs OSX security" discussion would basically be over.

      • No, for a long time MS was blamed because content was executable without the user double clicking. MS has done a lot of work since XP to fix these things but the track record before XP was atrocious.
  • by ninetyninebottles (2174630) on Saturday September 24, 2011 @03:57PM (#37503886)

    I saw reference to this trojan the other day, but my research turned up only vague descriptions such as the one linked in the summary. From all the reading I did it seems like this is an executable of some sort, with no extension, that is being e-mailed to people. None of the descriptions I've read have described how it infects the machine, but I assume the user has to run it and then agree to allow the unsigned program to run for the first time. At this point it drops a PDF on the hard drive, opens it, and then installs a bare-bones Apache server, which doesn't actually work as far as anyone can tell. There was some indication that this was a cross platform trojan, but no one has been able to confirm this.

    So if anyone is actually in a lab with a copy of this could you please enlighten us on the following points:

    • How is this being distributed in the wild?
    • Does this somehow run automatically and does it bypass the user having to authorize the executable to run for the first time?
    • On 10.6 does it require an admin password to install?
    • Does it attempt to do something about the firewall settings?
    • On 10.7 does this attempt to escape the sandbox?
    • Does the best case install actually get an Apache server running well enough to listen to a control channel, update itself, or perform actions?

    So as far as I can tell this is a failed attempt to create a trojan that was released into the wild, possibly as part of testing or as an experiment. It's not really much in the way of news, but for security geeks it is quite interesting; which is why the complete failure of the security companies to provide a decent description is so frustrating. Does anyone have real information about this trojan?
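As an added illustration (not code from the post, from F-Secure or from any vendor tool): a small Python scanner that ignores the icon and the name and classifies files by their leading bytes, so a Mach-O executable named like a PDF, or carrying no extension at all as the post describes, is flagged while a genuine PDF is not. The sample files it writes are constructed header stubs, not the trojan; the 0xCAFEBABE disambiguation against Java class files is the one edge case worth handling.

```python
import os
import struct
import tempfile

PDF_MAGIC = b"%PDF-"
# Thin Mach-O magics: 32/64-bit, both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) binary header, big-endian


def classify(head: bytes) -> str:
    """Classify a file from its first 8 bytes as 'pdf', 'macho' or 'other'."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head[:4] == FAT_MAGIC and len(head) >= 8:
        # Java class files also start with 0xCAFEBABE, but there bytes 4-7
        # hold minor/major version with major >= 45; a fat Mach-O header
        # carries a small architecture count in the same slot.
        nfat_arch = struct.unpack(">I", head[4:8])[0]
        if nfat_arch < 45:
            return "macho"
    return "other"


def scan_file(path: str) -> dict:
    """Flag a regular file whose name suggests a document but whose content is code."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    kind = classify(head)
    # Finder hides extensions, so a Mach-O named *.pdf, or with no extension
    # at all, is what an icon-disguised trojan looks like on disk.
    suspicious = kind == "macho" and ext in ("", ".pdf")
    return {"name": name, "path": path, "kind": kind, "suspicious": suspicious}


def scan_dir(root: str) -> list:
    """Return a finding for every suspicious regular file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            info = scan_file(os.path.join(dirpath, fn))
            if info["suspicious"]:
                findings.append(info)
    return findings


def build_samples() -> str:
    """Write constructed sample files (headers only, not real malware) to a temp dir."""
    root = tempfile.mkdtemp(prefix="pdfscan_")
    samples = {
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",                  # genuine PDF
        "invoice.pdf": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\0" * 24,  # 64-bit Mach-O named .pdf
        "statement": FAT_MAGIC + struct.pack(">I", 2) + b"\0" * 24,       # fat Mach-O, no extension
        "Hello.class": FAT_MAGIC + b"\x00\x00\x00\x34" + b"\0" * 8,       # Java class, must not match
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in scan_dir(build_samples()):
        print(f"SUSPICIOUS {hit['path']}: {hit['kind']} behind a document-looking name")
```

Run against a real Downloads folder the only change needed is the root passed to scan_dir; app bundles (a directory named *.app) are not covered by this file-level check.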

    • So as far as I can tell this is a failed attempt to create a trojan that was released into the wild, possibly as part of testing or as an experiment. It's not really much in the way of news, but for security geeks it is quite interesting; which is why the complete failure of the security companies to provide a decent description is so frustrating. Does anyone have real information about this trojan?

      Of course it is a failed attempt - they should have got it on the app store and given Apple control of 30% of the infected machines.

      Seriously, security is one area where, IMHO, Apple users have a bit of a head in the sand attitude. Other than hearing some (non-Apple) stores that are authorized retailers attempt to sell "protection" plans for Macs because "Macs have two viruses in the wild" (really? What are they?); the general attitude is "Macs are immune because no one attacks them." While strident fanboy

  • by 93 Escort Wagon (326346) on Saturday September 24, 2011 @04:19PM (#37504054)

    Here's the plan:

    1) OS X makes it brain-dead easy to not run as an admin user. Create a separate admin account first, then remove the admin privilege from your everyday account. On those rare occasions you need admin privileges, you'll be automatically asked to provide the admin account info - you don't need to even think about it.

    (Somehow that isn't sinking into a lot of people's heads, even those who should know better)

    2) Back up your stuff regularly. Again, OS X makes this brain-dead easy with Time Machine. You can use something else like a custom rsync script, but - just DO IT.

    If you're running as a non-admin user, the worst that can happen is your own stuff gets hosed - and then you can get it back from your backups. But since trojans are probably only going to go after the system files, it's unlikely even your stuff will get touched.

    Okay, there's one caveat. If you click on an infected file, and it asks for admin permissions and you provide it, you're screwed. But one would hope you're smart enough to realize viewing a PDF should not require admin authentication. In the end, common sense does have to enter into the picture.

    BTW if you claim running as an admin is okay because you're always prompted to authenticate anyway... you're just wrong.

    • by artor3 (1344997)

      You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

      • by 93 Escort Wagon (326346) on Saturday September 24, 2011 @04:58PM (#37504282)

        You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

        For the account stuff, you might have a point. They don't need to "know it's there" (unlike, say, the old Windows setup where you had to know about "Run as Administrator...") - but they do need to know what admin versus non-admin means. But really that's all they have to know. Even my 70+ year old mom was able to grok that.

        As far as backups go, though - the first time you plug in an external hard drive, if backups haven't already been set up - OS X automatically asks "do you want to use this disk for backups?" The user doesn't need to go looking for anything. That's a pretty low bar.

        • by artor3 (1344997)

          That's if they plug in an external drive. How many do? And how many answer in the affirmative? A lot might worry that if they say yes, they can't use that drive for other things.

          And I suspect that your 70+ year old mom had it explained to her, likely by you. There are a lot of people who just want their cursor to turn into a unicorn, and will say yes to anything to make it happen.

          In the end, you can't defend a computer from its owner, no matter which OS you use.

          • In the end, you can't defend a computer from its owner, no matter which OS you use.

            iOS does a pretty good job of defending itself from the owner. Mac OS X 10.7 has the technology built in to have similar features, all they would need to add is a tick box somewhere "only allow trusted software to run".

            Where "trusted software" is software that was digitally signed by Apple as part of purchasing it via App Store, where they've been adding some serious crypto based security recently. Dangerous privileges, such as *accessing the internet* or *decoding a jpg file* will raise serious red flags a

          • by keytoe (91531)

            That's if they plug in an external drive. How many do? And how many answer in the affirmative? A lot might worry that if they say yes, they can't use that drive for other things.

            The advice I give to people in this class of user (i.e., my mom) is to go buy a backup drive just for Time Machine. Plug it in, click 'Yes' and don't touch it. For a $75 insurance investment, you are now backed up.

            If you need an external drive for more storage space, go buy another drive. They're cheap.

        • For the account stuff, you might have a point.

          He definitely has a point.

          Consider the "installer." You bring your fancy new computer home, turn it on, and it starts up the setup program. It asks you to make an administrator account. It then says, "Great! You're now ready to use your brand new computer!"

          Nothing mentioned about setting up a second account for regular use or anything like that.

    • by berryjw (1071694) on Saturday September 24, 2011 @05:05PM (#37504322)
      Dude, I've watched so many OS X users click through *anything* that pops up to know better. That "average" user everyone keeps referencing doesn't read those boxes any more than they read the EULAs for the software they're using, and most of them will provide credentials without even considering why they might be asked for them. Users view all of this as speed bumps, and don't have any idea it's part of system security. Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?
      • Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?

        Unless your machine is in an easily accessible place, that seems perfectly reasonable to me. I'd rather have users who write down complex passwords than ones that use "password1" for everything.

        • by berryjw (1071694)

          Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?

          Unless your machine is in an easily accessible place, that seems perfectly reasonable to me. I'd rather have users who write down complex passwords than ones that use "password1" for everything.

          I work for a K-12 public school system... and most of the passwords I see like this *are* [lastname][current year], or something equally guessable. Oh, and these are the faculty. I really want to send out an email at the beginning of every school year; "All faculty should make three copies each of their house and car keys, and attach them to 3"x5" index cards containing the address/license # and description of each property. Please have these delivered to the Technology Department as soon as possible, so

          • by kerrbear (163235)

            I work for a K-12 public school system... and most of the passwords I see like this *are* [lastname][current year], or something equally guessable. Oh, and these are the faculty. I really want to send out an email at the beginning of every school year; "All faculty should make three copies each of their house and car keys, and attach them to 3"x5" index cards containing the address/license # and description of each property. Please have these delivered to the Technology Department as soon as possible, so we may have them distributed randomly about our schools when the students arrive to begin this year. If you take exception to this, please consider how we feel about your doing the same with our keys, the ones we call passwords." Think anyone would read it? No more than they do those annoying boxes which pop up asking for credentials...

            I wonder if there is a way to actually provide physical keys to computer systems. The solution would be to insert a USB key that would unlock the computer. The sys admin could set all the passwords. That way, even if the user forgot their key, they could still use the password; they would just have to memorize it.

            • by dkf (304284)

              I wonder if there is a way to actually provide physical keys to computer systems.

              Yes. That's smartcard-based login systems, and they've been around for decades. The main downside is that they're relatively expensive due to the need to have all that extra hardware and someone on-site to issue new cards — that can't be outsourced to another location, well not outside the city where this is happening, because cards will get broken from time to time and need replacing by someone who's trained to check that the card is going to the right person — so they tend to only be used in s

    • by NoMaster (142776)

      Not to mention the fact that if an Apple executable is downloaded via browser or email, when you attempt to run it for the first time you get a message that says:

      "Xxxx is an application that was [downloaded from the internet || attached to a mail message]. Are you sure you want to open it?"

      And some details about when it was downloaded / received. Admin permissions or not don't even come into it.

      At some point you've got to hand over responsibility from the OS (or anti-virus) babying the user's arse, and on t

  • by jasnw (1913892) on Saturday September 24, 2011 @06:00PM (#37504626)
    Every time one of these "sky is falling, OS X is being attacked by new malware/virus/trojan" articles floats around the 'net, it seems like the source document is from one or another AV builder or a computer security outfit with things to sell. The first clue is how vapid and vague the article is, and how little useful information it provides. Another clue is when one part of the article tells the story a bit differently than elsewhere in the same article. For OS X users, there are a handful of good, independent, computer security sites (apple.com NOT being one of them), and if it ain't there, I ignore it.
  • Trojan: (capitalized)
    1. citizen/resident/native/inhabitant of Troy
    2. well-known brand of condoms

    trojan horse: (not capitalized)
    1. A hollow wooden statue of a horse in which the Greeks concealed themselves in order to enter Troy.
    2. A person or thing intended secretly to undermine or bring about the downfall of an enemy or opponent.
    3. A program designed to breach the security of a computer system while ostensibly performing some innocuous function

    just can't get yer shit straight, can you editors?

  • A user space application cannot receive a listen port on OSX now, can it? If so, Apple needs to fix it.
