New Mac trojan found hidden in PDF file

Summary: A newly discovered Mac trojan disguises itself as a PDF to trick users into opening it, which installs an Apache server on your Mac. Luckily it hasn't been weaponized. Yet.

TOPICS: Apple, Hardware, Malware

New Mac trojan found hidden in PDF file - Jason O'Grady

Just when you thought that it was safe to start using your Mac again comes a report that a new PDF vulnerability may be targeting Mac users.

Fellow ZDNet blogger Ryan Naraine brings the news via his Zero Day blog that the malware, Trojan-Dropper:OSX/Revir.A, "installs downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user."

Lovely.

F-Secure notes that the malware disguises itself as an Adobe Acrobat (PDF) file in an effort to trick users into opening it, which, of course, triggers its payload. It even opens a bogus Chinese-language PDF in order to deceive the user and avoid detection. The payload, Backdoor:OSX/Imuler.A according to F-Secure, then runs in the background.

The good news, I suppose, is that Revir.A is fairly innocuous at this point. The payload is a bare Apache installation that is "not capable of communicating with the backdoor yet." The going theory is that the author may have leaked it to see if any of the antivirus detectors picked it up. Luckily, someone did.

It's important for Apple to act swiftly on this one. From the looks of things, Revir.A probably wouldn't be too hard to weaponize, and we're not sure how many people might already have the source code.

Apple: you're on the clock.

MD5 hashes for the samples:

• Trojan-Dropper:OSX/Revir.A: fe4aefe0a416192a1a6916f8fc1ce484
• Trojan-Downloader:OSX/Revir.A: dfda0ddd62ac6089c6a35ed144ab528e
• Backdoor:OSX/Imuler.A: 22b1af87dc75a69804bcfe3f230d8c9d
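One way to put the hashes above to use, as an added example that is not from the article or from F-Secure: a small scanner that matches files against the three listed MD5s and also flags files named like a PDF whose content is not one. The article does not describe how the disguise is built, so the name-versus-content check is a generic heuristic, and the function names are hypothetical.

```python
import hashlib
import os

# MD5 hashes listed in the article, keyed to the detection names given there.
KNOWN_MD5 = {
    "fe4aefe0a416192a1a6916f8fc1ce484": "Trojan-Dropper:OSX/Revir.A",
    "dfda0ddd62ac6089c6a35ed144ab528e": "Trojan-Downloader:OSX/Revir.A",
    "22b1af87dc75a69804bcfe3f230d8c9d": "Backdoor:OSX/Imuler.A",
}

# Mach-O / universal binary magics, both byte orders (cafebabe is also Java's).
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe", "bebafeca")}

def md5_of(path, chunk=1 << 20):
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def classify(path):
    """Return a list of findings for one file (empty list: nothing flagged)."""
    findings = []
    name = KNOWN_MD5.get(md5_of(path))
    if name:
        findings.append("md5 matches " + name)
    with open(path, "rb") as fh:
        head = fh.read(8)
    # Assumption: a disguised file carries ".pdf" somewhere in its name.
    looks_pdf = ".pdf" in os.path.basename(path).lower()
    if looks_pdf and head[:4] in MACHO_MAGICS:
        findings.append("named like a PDF but content is a Mach-O executable")
    elif looks_pdf and not head.startswith(b"%PDF-"):
        findings.append("named like a PDF but lacks the %PDF- header")
    return findings

def scan(root):  # {path: findings} for every flagged regular file under root
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, FIFOs, sockets
            try:
                found = classify(path)
            except OSError:
                continue  # unreadable file
            if found:
                report[path] = found
    return report
```

An MD5 match only identifies these exact samples; any rebuilt variant will hash differently, which is why the content check is included alongside it.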

Talkback

20 comments
  • Poor headline: No, not hidden in PDF

    The malware disguises itself as a PDF as is mentioned in the post.
    severud
  • RE: New Mac trojan found hidden in PDF file

    Regardless of how this stuff is delivered, the reality is that this is another incident and we could see more.

    Will this ever be as big as the PC infestation over the years? Not likely because the PC Infestation also brought about fundamental changes in the way security is handled and this stuff has been implemented in pretty much every modern OS.

    Is this a sign of the future, sure is but to what degree is really anyone's guess.
    slickjim
    • RE: New Mac trojan found hidden in PDF file

      @Peter Perry : I disagree - with the significant migration to iPads, it will become even more attractive for disrespectable people. So, one can and should expect increased frequency of Mac based malware.
      So, for all those iPad users who seem to think they can not have a security issue - they really need to get updated. AND, in fact, I hold that is true of ALL tablet users, regardless of OS - they have become an attractive target, especially because so many ignorant users have no real clues.
      Willnott
      • RE: New Mac trojan found hidden in PDF file

        @Willnott: You are certainly right. Being ignorant is not the way out. I dedicated the article to this issue: http://www.totalapps.net/mac/mac-trojan-wrapped-up-in-a-pdf-file/
        totalapps
  • RE: New Mac trojan found hidden in PDF file

    Will Apple deny this too?
    The one and only, Cylon Centurion
    • RE: New Mac trojan found hidden in PDF file

      @Cylon Centurion

      No, Apple has already updated XProtect.plist.
      sigma2
      • RE: New Mac trojan found hidden in PDF file

        @Cylon Centurion There was no denial. Official comment took a little while, but that isn't the same. Apple find a resolution THEN make it public, they don't get bounced into issuing a press release before they can fully address the issue.

        It's the PR equivalent of "measure twice, cut once".

        Yes, this can look like inaction before the resolution.
        Jeremy-UK
    • RE: New Mac trojan found hidden in PDF file

      @Cylon Centurion I take it you don't want to be taken seriously? You've achieved that.
      Jeremy-UK
      • RE: New Mac trojan found hidden in PDF file

        @Jeremy-UK

        Actually, I was being serious. The fact that Apple danced around the Mac Guard and Mac Defender Trojans for the longest time, even going as far as to deny the whole situation - straight up to the consumer, was very concerning.
        The one and only, Cylon Centurion
  • RE: New Mac trojan found hidden in PDF file

    There is no point in using "Apple you are on the clock" as you are using it every time and they are not doing anything about the problem. MSFT at least issues updates every Tuesday or so ...
    AdnanPirota
    • RE: New Mac trojan found hidden in PDF file

      @AdnanPirota Every first Tuesday of the month (not every Tuesday). Occasionally they issue patches outside that, if there is a serious problem that's being actively exploited (this happens very rarely).
      Jeremy-UK
  • Apple has already updated the XProtect.plist.

    On Fri, 23 Sep 2011 18:03:15 GMT for both OSX.Revir.A and OSX.QHost.WB.A.

    So no need to worry.

    Thank you Apple for taking swift action.
    sigma2
    • RE: New Mac trojan found hidden in PDF file

      @sigma2 Actually, understanding the issue is what's needed. Then future variants of this idea won't "get you".
      Jeremy-UK
  • RE: New Mac trojan found hidden in PDF file

    No, this is a lie Mac do not have vulnerabilities this is pure fiction... haaa!!!! my head!!!!
    palermo1980
  • RE: New Mac trojan found hidden in PDF file

    I've read some stupid statements on this blog, but the following is the most stupid I have ever read: "Just when you thought that it was safe to start using your Mac again comes a report that a new PDF vulnerability may be targeting Mac users."

    Give me a break.

    Kent
    K4thwright
  • RE: New Mac trojan found hidden in PDF file

    I've read some stupid remarks on this blog, but this is the most stupid I've read to date: "Just when you thought that it was safe to start using your Mac again comes a report that a new PDF vulnerability may be targeting Mac users."

    Give me a break.
    K4thwright
  • RE: New Mac trojan found hidden in PDF file

    Does this have "Adobe" written all over it?
    trm1945
  • RE: New Mac trojan found hidden in PDF file

    I'm going to sound incredibly stupid here, but how do you check for these files? I have Leopard 10.5.8 and I'd like to have an idea where to look as XProtect.plist is for Snow Leopard and up, isn't it?
    LadyAurora
  • RE: New Mac trojan found hidden in PDF file

    Well, the good ol' standard advice still applies... DON'T OPEN unsolicited files and don't download from untrusted sites. And remember just because someone is friends/family does not mean you can open just anything they send. Not a perfect solution but it definitely helps.
    house63
  • RE: New Mac trojan found hidden in PDF file

    How about some REAL DETAILS?!

    The MacDefender hoopla too often failed to mention that if you turned off the "Open Safe" (no such thing, yes) files boolean in Safari (WHY IS THIS STILL THERE, LET ALONE ON BY DEFAULT, APPLE?!?!?!) AND if you DID NOT run as an admin (or type in admin credentials willy-nilly in some cases), then you COULD/WOULD not be affected.

    SO, what is the attack vector on this? Is it just opening a PDF (or the file that is disguised as same) or is it the same tired "hole" of an idiot user typing admin credentials without having the slightest clue why, or what?!
    sjobs84