September 25, 2011

Mac Trojan Disguised As PDF File

Two European computer security firms are warning Mac users to be on the lookout for a piece of malware that disguises itself as a PDF file, various tech media outlets reported Friday.

Jacqui Cheng of Ars Technica writes that the virus-like program in question has been identified as Trojan-Dropper:OSX/Revir.A. When activated, it installs a backdoor Trojan horse, Backdoor:OSX/Imuler.A, onto the user's computer.

"Currently, however, the backdoor doesn't communicate with anything," Cheng added. "The command-and-control center for this particular malware is apparently a bare Apache installation, which has been sitting at its current domain since May of this year."

"Because of this, users who might fall victim to this attack aren't likely to see many ill effects for the time being, but that could change if the files end up spreading to a wider audience," she added.

It was discovered by Sophos, a UK-based company, and F-Secure of Finland.

Once installed, the backdoor can connect to a remote server controlled by the attacker. The attacker can then use that communication channel to obtain information from the infected Mac, or alternatively to trigger additional effects on that computer. The malware, which is in actuality an executable, does not exploit any vulnerability in Mac OS X and must be intentionally downloaded by users who are unaware of its actual nature, Gregg Keizer of Computerworld reports.

In a warning posted to its website on September 23, Sophos noted that the contents of the PDF are written in Chinese, and that it appears to be an article about a hot-button regional issue--namely, whether or not the Diaoyu Islands belong to Japan.

"Because the document is opened, users may believe that they have opened a harmless PDF rather than run a program," the Finnish company said. "When we tested the malware inside our labs, we couldn't manage to get it to execute as the author probably intended -- however, strings embedded deep inside its code make it clear that it was written with malicious intent."

F-Secure added that the malware "may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a '.pdf.exe' extension and an accompanying PDF icon. The sample on our hand does not have an extension or an icon yet."

"However, there is another possibility," they wrote. "It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires."
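The disguise described above works only if the user (or a tool) trusts the file name and icon. The following added example, which is not code from the article, Sophos or F-Secure, shows the defensive counterpart: classify a file by its leading bytes and compare that with what its name claims. It covers both the Windows '.pdf.exe' double-extension trick and the Mac case, where the icon sits in a resource fork and the extension can be anything or absent, so the content is the only reliable signal. The file-format magic numbers are real; the list of "document-looking" extensions and the sample byte strings are constructed for the example.

```python
# Added example (not code from the article, Sophos or F-Secure): flag files whose
# name or icon says "document" but whose bytes say "executable".
from typing import List

# Real file-format signatures (first bytes of the file).
PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"            # Windows .exe / .dll
ELF_MAGIC = b"\x7fELF"      # Linux executables
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",    # Mach-O 32-bit, big-endian
    b"\xce\xfa\xed\xfe",    # Mach-O 32-bit, little-endian
    b"\xfe\xed\xfa\xcf",    # Mach-O 64-bit, big-endian
    b"\xcf\xfa\xed\xfe",    # Mach-O 64-bit, little-endian
    b"\xca\xfe\xba\xbe",    # Mach-O universal (fat) binary; Java .class files share this magic
}
EXECUTABLE_KINDS = {"pe", "elf", "mach-o"}

# Extensions a user would read as "just a document" (assumed list; extend as needed).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "rtf", "txt", "jpg", "png"}


def content_kind(head: bytes) -> str:
    """Classify a file from its leading bytes, ignoring its name and icon entirely."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def extensions(name: str) -> List[str]:
    """All dotted suffixes of a file name, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    return [p.lower() for p in name.split(".")[1:]]


def assess(name: str, head: bytes) -> List[str]:
    """Return the reasons a file looks like a disguised executable (empty list = nothing odd)."""
    reasons = []
    exts = extensions(name)
    kind = content_kind(head)
    last = exts[-1] if exts else ""

    # Windows-style trick from the article: 'report.pdf.exe' shown with a PDF icon.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension: reads as .{exts[-2]} but really ends in .{last}")

    if kind in EXECUTABLE_KINDS:
        # Mac variant: the icon lives in a resource fork and the extension can be
        # anything, so judge the content rather than the name.
        if last in DOCUMENT_EXTENSIONS:
            reasons.append(f"content is a {kind} executable but the name claims .{last}")
        elif last == "":
            reasons.append(f"content is a {kind} executable with no extension to warn the user")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs (leading bytes only; not real malware samples).
    samples = [
        ("islands.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),       # genuine PDF
        ("islands.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),      # Windows double-extension trick
        ("islands-final.pdf", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"),  # Mach-O named as a PDF
        ("islands", b"\xca\xfe\xba\xbe\x00\x00\x00\x02"),        # Mach-O with no extension, as submitted
    ]
    for name, head in samples:
        verdict = assess(name, head)
        print(f"{name:20} -> {verdict or 'looks consistent'}")
```

Only the first few bytes are needed, so a mail gateway or download scanner can run this check cheaply; a hit on the content mismatch rule is strong evidence regardless of what icon the file displays, while the double-extension rule alone is a weaker, name-only signal.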
