MUST READ: Congress demands answers from Google over Glass privacy concerns

Topic: Software

Apple blocks malware-as-PDF threat but new attack emerges

Summary: Even as Apple adds detection to block a Mac OS X malware threat, researchers find new Mac malware posing as a legitimate Flash Player installation package.

Ryan Naraine

By for Zero Day |

Apple has quietly added detection for the recent malware attack that used PDF files as lures to trick Mac OS X users into downloading a malicious Trojan dropper.

The detection was added into the rudimentary XProtect.plist malware blocker built into Mac OS X.

The malware, flagged as a trojan dropper, installs downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

However, in what has become a classic cat-and-mouse game, researchers have spotted a new Mac malware threat posing as a legitimate Flash Player installation package.

Researchers find Mac OS X malware posing as PDF file ]

Intego explains the characteristics of the new threat:follow Ryan Naraine on twitter

Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link. When they click the link, an installation package downloads, and, if the user is using Safari as their web browser, the Mac OS X Installer will launch. (Safari considers installer packages, with .pkg or .mpkg extensions, to be “safe” files and will launch them after download, if default settings are used.)

If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software, Intego said.

After installation, [it] will delete the installation package itself. The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches. This code, installed in a file at ~/Library/Preferences/Preferences.dylib, connects to a remote server, and sends information about the infected Mac to this server: this includes the computer’s MAC address, a unique identifier. This will allow the malware to detect if a Mac is infected.

The company said it has spotted this new malware in the wild but notes that it is not widely distributed.

Topics: Software, Apple, Hardware, Malware, Operating Systems, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

28 comments
Log in or register to join the discussion

  • This is very dangerous

    In this example, being asked for your username and password is totally expected. OS X always asks for a username and password when you try to install anything. Most users would have no reason to be suspicious.

    Now I have a question for you. I use Windows 7 on my Mac through Bootcamp. Can I get infected by this or is Windows immune to all this OS X malware? I sure hope Windows is immune to this malware.
    toddybottom
    Reply Vote

    • RE: Apple blocks malware-as-PDF threat but new attack emerges

      @toddybottom It will be immune in this case because the installer for this trojan is Mac-based. Most trojans etc are not cross-platform.
      Imrhien
      Reply Vote

    • RE: Apple blocks malware-as-PDF threat but new attack emerges

      @toddybottom
      Since the file extension is.pkg, which is not a Windows executable, your Windows instance shouldn't even be able to open that file.
      swmace
      Reply Vote

      • Absolutely you can

        since you'll just trigger the windows version of the malware. Except the windows version is even better. You won't be bothered with downloading a program that then asks you to enter your credentials so you can install it. Nope, with Windows, you just visit the site, click a link, and the superior Windows version will download and install itself without any muss, fuss or intervention on your part.
        baggins_z
        Reply Vote

      • RE: Apple blocks malware-as-PDF threat but new attack emerges

        @baggins_z LMAO :D there's never been a way to make hard-headed mactards accept the truth that <b><i>"Nothing made by man is indestructible by man"</i></b>
        MrElectrifyer
        Reply Vote

  • RE: Apple blocks malware-as-PDF threat but new attack emerges

    Wow. Taken from Intego's blog:

    [i]"When they click the link, an installation package downloads, and, if the user is using Safari as their web browser, the Mac OS X Installer will launch. (Safari considers installer packages, with .pkg or .mpkg extensions, to be ???safe??? files and will launch them after download, if default settings are used.) "[/i]

    That sounds [i]real[/i] safe. Like it was built "with security in mind"
    UrNotPayingAttention
    Reply Vote

    • RE: Apple blocks malware-as-PDF threat but new attack emerges

      @chmod 777 Yes, I find that rather concerning myself! I've been trying to get my in-laws off Safari for years
      Imrhien
      Reply Vote

      • Or you could just tell them to uncheck the option to

        automatically open "safe" files. But, where's the sensationalist hyperbole in that solution.
        baggins_z
        Reply Vote

      • RE: Apple blocks malware-as-PDF threat but new attack emerges

        ...
        FuzzyBunnySlippers
        Reply Vote

    • &quot;If default settings are used&quot;

      @chmod 777 ... the most novice of users can fix this.<br><br>It is advisable, for those who use Safari as their web browser, to uncheck Open safe files after downloading in the programs General preferences. This will prevent installer packages - whether real or malicious - from launching automatically.
      HollywoodDog
      Reply Vote

      • True but...

        @HollywoodDog
        "the most novice of users can fix this."

        Only if they know about it.

        And the most novice of users don't know about it.

        Nor do most OS X users.

        This default setting is part of the reason why you can't use OS X without AV.
        toddybottom
        Reply Vote

      • RE: Apple blocks malware-as-PDF threat but new attack emerges

        @HollywoodDog <br><br><br>The question is begged ... how many folks have or will alter the default settings? It has been my experience that layfolks think default is best ... after all who knows better than the OS maker?
        whatagenda
        Reply Vote

      • RE: Apple blocks malware-as-PDF threat but new attack emerges

        @HollywoodDog

        So, should I check the box that says "Open unsafe files after downloading", then?
        FuzzyBunnySlippers
        Reply Vote

      • Applies in Windows, though, too.

        @HollywoodDog

        "Novice" Windows users can easily change the settings in whichever browser they use (including the default IE) so that it doesn't automatically run any downloaded programs, either.

        Yet how much will you bet that Apple fanbois will claim that this behavior in Windows is indicative of a vulnerability...yet will claim that the same behavior in OS X is "superior"?
        spdragoo@...
        Reply Vote

    • RE: Apple blocks malware-as-PDF threat but new attack emerges

      @chmod 777 <br>Packages ARE safe files in OS X, they are just a type of folder, Safari just calls the installer application built into OS X which then sets about installing the software, the .pkg itself can't do anything as it's not executable, and the installer application in OS X can't install software without the users intervention, so how does it make a difference if Safari runs the installer or if the user invokes the installer by double clicking the .pkg file from their download folder, a trojan is a trojan, the user is being tricked into thinking they are installing Flash, and they clicked on a link to download and install Flash to start with.
      SaxonXXX
      Reply Vote

      • RE: Apple blocks malware-as-PDF threat but new attack emerges

        @SaxonXXX

        First, learn proper punctuation. That is one of the longest run-on sentences I've ever seen.

        Now, I would say [i]any[/i] auto-run, auto-load, auto-anything running on any platform is a bad idea.

        But to answer your question... it obviously does make a difference whether Safari runs the installer or if the user invokes... just by the replies to Intego's blog. Several users state: "I ran the 'Flash Update' without even thinking about it."

        [i]If they had to download and run it themselves, it would have caused each one of them to think about it.[/i]

        And, as with the .PDF trojan, it was shown that depending on the user's own config, the user may not have necessarily been prompted for the admin credentials.
        UrNotPayingAttention
        Reply Vote

  • This malware blocker, what is it?

    I've always heard from OS X users that you can use OS X without using AV. However this malware blocker is AV and is built into the OS.

    Does this mean that it is impossible to use OS X without AV?
    toddybottom
    Reply Vote

    • This is a troll post, right?

      -
      ScorpioBlue
      Reply Vote

      • You failed to answer the question.

        @ScorpioBlue. I suspect it's because you know he's right and cannot bring yourself to admit it (or worse accept it).
        ye
        Reply Vote

  • Heh. So, now that Ryan, who works for an AV company

    has to admit that OS X comes with anti-malware software, he has to call it "rudimentary." Yeah, no conflict of interest there.
    baggins_z
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close