PCLinuxOS-Forums
Topic: Mac Trojan Posing as a PDF File
menotu
PCLinuxOS Tester
« on: September 26, 2011, 08:14:13 AM »

It does start off with "We may.........."

====================================

http://www.f-secure.com/weblog/archives/00002241.html

This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a ".pdf.exe" extension and an accompanying PDF icon. The sample on our hands does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires.

The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background. As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet. The domain was registered on March 21, 2011 and was last updated on May 21, 2011.

Since this malware sample was received from VirusTotal, we cannot exactly be sure about the method it uses to spread. The most probable way is sending via e-mail attachment. The author could be just testing the water to see if the sample is detected by different AV vendors.

If you can keep your head while all around you are losing theirs, then you have misunderstood the situation.

PCLinuxOS 32bit & 64bit; 3.2.17bfs kernel, KDE 4.8.3; nvidia 295.53, Athlon 64 X2 4200+; 4GB Ram; NVidia GeForce 8400GS 1GB; x.org 1.10.4 ; 500GB/320GB
AndrzejL
PCLinuxOS Tester
« Reply #1 on: September 26, 2011, 08:45:52 AM »

Eh... "It's just another trojan Monday... Wish it was Sunday..."

LOL

Andy

menotu
PCLinuxOS Tester
« Reply #2 on: September 27, 2011, 08:22:34 AM »

http://www.h-online.com/security/news/item/Apple-updates-malware-definition-list-to-defend-against-PDF-trojan-1350430.html

Apple updates malware definition list to defend against PDF trojan

Apple has added another entry to its XProtect malware signature list to defend against a new Mac trojan that masquerades as a PDF file. When opened by a user, the malware (OSX/Revir.A) exploits holes in PDF viewers to download and install backdoor software (OSX/Imuler.A); however, once opened, users will only see the document, which contains Chinese-language text. According to the security researchers at F-Secure who discovered the trojan, as of 25 September the backdoor's command and control server was not yet operational.
menotu
PCLinuxOS Tester
« Reply #3 on: September 28, 2011, 11:30:15 AM »

Inside a Modern Mac Trojan

http://krebsonsecurity.com/2011/09/inside-a-modern-mac-trojan/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

Mac malware is back in the news again. Last week, security firm F-Secure warned that it had discovered a Trojan built for OS X that was disguised as a PDF document. It’s not clear whether this malware is a present threat — it was apparently created earlier this year — but the mechanics of how it works are worth a closer look because it challenges a widely-held belief among Mac users that malicious software cannot install without explicit user permission.

I wanted to understand a bit more about how this Trojan does its dirty work, so I contacted Broderick Aquilino, the F-Secure researcher who analyzed it. Aquilino said the sample is a plain Mach-O binary — which we’ll call “Binary1” — that contains a PDF file and another Mach-O binary (Binary2). Mach-O, short for Mach object, is a file format for executable files on OS X.

According to Aquilino, when you run Binary1, it will extract the PDF file from its body, drop it in the Mac’s temporary or “tmp” directory, and then open it. This is merely a decoy, as Binary1 continues to extract Binary2 from itself — also into the “tmp” directory — and then runs the file.

Upon execution, Binary2 downloads another binary from [omitted malware download site] and saves it as /tmp/updtdata. For the sake of continuity, we’ll call this latest file “Binary3.” Binary2 then executes and downloads the third binary, which opens up a backdoor on the OS X host designed to allow attackers to administer the machine from afar.

“All of this happens without the user needing to input their password,” Aquilino said.

Aquilino believes the Trojan drops its files into the “tmp” directory because the malware is not meant to be permanent.
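As an added example (not code from F-Secure, Apple, Krebs or the PCLinuxOS project), the Python scanner below looks for the dropper layout Aquilino describes in the post above, and for the extension trick the F-Secure post earlier in the thread speculates about: a file whose first bytes are a Mach-O header but whose name ends in a document extension, a `%PDF-` body embedded past that header (the decoy), and a second Mach-O header inside the same file (the payload). The Mach-O and universal-binary magic values are the real ones from the OS X headers; the indicator names, the extension list and the sample byte strings are constructed for the example and are not real malware bytes.

```python
import struct

# Mach-O header magics (both 32/64-bit and both byte orders as stored on disk).
MH_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC      32-bit, big-endian
    b"\xce\xfa\xed\xfe",  # MH_CIGAM      32-bit, little-endian
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64   64-bit, big-endian
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64   64-bit, little-endian
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal ("fat") binary, big-endian header
PDF_MAGIC = b"%PDF-"
# Assumed list of "document" extensions a dropper might hide behind.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".rtf", ".txt", ".jpg", ".png")


def fat_slice_offsets(data):
    """Offsets of the legitimate per-architecture slices in a fat binary.

    fat_header = magic(4) nfat_arch(4); each fat_arch = 5 big-endian uint32:
    cputype, cpusubtype, offset, size, align.  Returns an empty set for a
    thin (non-fat) file or a header too short to parse.
    """
    if data[:4] != FAT_MAGIC or len(data) < 8:
        return set()
    (nfat,) = struct.unpack(">I", data[4:8])
    offsets = set()
    for i in range(nfat):
        entry = data[8 + 20 * i: 28 + 20 * i]
        if len(entry) < 20:
            break
        _cputype, _cpusubtype, offset, _size, _align = struct.unpack(">5I", entry)
        offsets.add(offset)
    return offsets


def find_all(data, needle, start):
    """Every offset >= start at which `needle` occurs in `data`."""
    hits = []
    pos = data.find(needle, start)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def analyse(filename, data):
    """Return the list of indicator names raised for a (filename, bytes) pair.

    Only files whose first bytes are a Mach-O or fat header are examined;
    anything else (including a genuine PDF) yields no findings.
    """
    findings = []
    if data[:4] not in MH_MAGICS and data[:4] != FAT_MAGIC:
        return findings

    # 1. Executable bytes behind a document-looking name: the ".pdf.exe"
    #    trick transplanted to OS X, where the name can be anything at all.
    if filename.lower().endswith(DOCUMENT_EXTENSIONS):
        findings.append("macho-with-document-extension")

    # 2. A PDF body carried inside the executable: the decoy Binary1 drops.
    if find_all(data, PDF_MAGIC, 4):
        findings.append("embedded-pdf")

    # 3. A second Mach-O header inside the file: the real payload (Binary2).
    #    Slices of a fat binary legitimately start with a Mach-O magic, so
    #    the offsets declared in the fat header are excluded first.
    expected = fat_slice_offsets(data)
    nested = [
        off
        for magic in MH_MAGICS
        for off in find_all(data, magic, 4)
        if off not in expected
    ]
    if nested:
        findings.append("embedded-macho")
    return findings


# Constructed samples (not real malware bytes): a dropper shaped like the one
# described in the thread, and a benign two-slice universal binary that must
# not alert even though it contains two Mach-O headers past its first bytes.
DROPPER_NAME = "report.pdf"
DROPPER = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 60                 # Binary1 header
    + b"%PDF-1.4\n%decoy document\n" + b"\x00" * 8     # embedded decoy PDF
    + b"\xcf\xfa\xed\xfe" + b"\x00" * 28               # embedded Binary2
)

FAT_NAME = "Preview"
FAT = (
    FAT_MAGIC + struct.pack(">I", 2)
    + struct.pack(">5I", 0x00000007, 3, 48, 8, 12)     # i386 slice at 48
    + struct.pack(">5I", 0x01000007, 3, 56, 8, 12)     # x86_64 slice at 56
)
FAT += b"\x00" * (48 - len(FAT))
FAT += b"\xce\xfa\xed\xfe" + b"\x00" * 4               # i386 slice
FAT += b"\xcf\xfa\xed\xfe" + b"\x00" * 4               # x86_64 slice

if __name__ == "__main__":
    print(DROPPER_NAME, analyse(DROPPER_NAME, DROPPER))
    print(FAT_NAME, analyse(FAT_NAME, FAT))
```

This is a triage heuristic for files arriving by mail or from VirusTotal, not a signature: a legitimate PDF tool can contain the string `%PDF-` in its own data, and a packed or encrypted dropper would hide both markers, so a hit is a reason to look closer, not a verdict. The filename check is the only thing a scanner can do about the Finder icon, which lives in a resource fork that a mail gateway or an upload to VirusTotal typically strips.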