New Mac OS X Trojan Hides Inside PDFs

Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."

  • by ninetyninebottles ( 2174630 ) on Saturday September 24, 2011 @03:57PM (#37503886)

    I saw reference to this trojan the other day, but my research turned up only vague descriptions such as the one linked in the summary. From all the reading I did it seems like this is an executable of some sort, with no extension, that is being e-mailed to people. None of the descriptions I've read have described how it infects the machine, but I assume the user has to run it and then agree to allow the unsigned program to run for the first time. At this point it drops a PDF on the hard drive, opens it, and then installs a bare-bones Apache server, which doesn't actually work as far as anyone can tell. There was some indication that this was a cross-platform trojan, but no one has been able to confirm this.

    So if anyone is actually in a lab with a copy of this could you please enlighten us on the following points:

    • How is this being distributed in the wild?
    • Does this somehow run automatically and does it bypass the user having to authorize the executable to run for the first time?
    • On 10.6 does it require an admin password to install?
    • Does it attempt to do something about the firewall settings?
    • On 10.7 does this attempt to escape the sandbox?
    • Does the best case install actually get an Apache server running well enough to listen to a control channel, update itself, or perform actions?

    So as far as I can tell this is a failed attempt to create a trojan that was released into the wild, possibly as part of testing or as an experiment. It's not really much in the way of news, but for security geeks it is quite interesting, which is why the complete failure of the security companies to provide a decent description is so frustrating. Does anyone have real information about this trojan?
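As an added example, not from the ThreatPost write-up or the commenter above, here is a small Python content-type check of the kind a mail gateway or an analyst might apply to a suspicious attachment: it classifies a file by its leading bytes rather than its name, and flags an executable that is named like a PDF, has no extension, or carries an embedded PDF to drop as a decoy. The magic values are Mach-O's own; the fat-header disambiguation threshold and the sample blobs are this example's assumptions.

```python
import struct

PDF_MAGIC = b"%PDF-"
MACHO_THIN_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) binary; Java .class shares it

def sniff_type(data: bytes) -> str:
    """Classify by content alone: 'pdf', 'macho' or 'unknown'; the name is ignored."""
    head = data[:4]
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if head in MACHO_THIN_MAGICS:
        return "macho"
    if head == FAT_MAGIC and len(data) >= 8:
        # Heuristic (this example's assumption): a fat header holds a small
        # architecture count here, while a Java class file holds its version.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        if 0 < nfat_arch < 0x30:
            return "macho"
    return "unknown"

def carries_pdf_payload(data: bytes) -> bool:
    """True when a Mach-O image embeds a PDF body (the decoy-document pattern)."""
    return sniff_type(data) == "macho" and PDF_MAGIC in data[4:]

def assess(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are; list the mismatches."""
    actual = sniff_type(data)
    basename = filename.rsplit("/", 1)[-1]
    findings = []
    if actual == "macho" and basename.lower().endswith(".pdf"):
        findings.append("executable named as a PDF")
    if actual == "macho" and "." not in basename:
        findings.append("extension-less executable")
    if carries_pdf_payload(data):
        findings.append("executable contains an embedded PDF")
    return {"name": basename, "actual": actual, "findings": findings}

# Constructed samples (not real files): a minimal PDF, and a fake 64-bit Mach-O
# header followed by padding and that same PDF as an embedded payload.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_DROPPER = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + SAMPLE_PDF

if __name__ == "__main__":
    for name, blob in (("report.pdf", SAMPLE_PDF), ("invoice", SAMPLE_DROPPER)):
        print(assess(name, blob))
```

The check only looks at the container type; an attachment that passes it still has to be opened (or, for an executable, run) by the user, so it complements rather than replaces the first-launch prompt the comment describes.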
