Researchers find Mac OS X malware posing as PDF file

Summary: The malware installs a backdoor that contacts a remote server for instructions and can be used to steal files or capture a screenshot of the infected computer system.

Researchers at F-Secure have discovered a Mac OS X malware file masquerading as a PDF file to lure users into installing a backdoor trojan.

The malware, flagged as a trojan dropper, installs a downloader component that fetches a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

According to F-Secure, the PDF file contains Chinese-language text related to political issues, which some users may find offensive.

PDF files are a widely used social-engineering lure for malicious hackers on the Windows platform, and F-Secure's research team believes this is an attempt to copy the Windows trick of a file carrying a ".pdf.exe" extension and an accompanying PDF icon.

"The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires," the company said.
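One defender-side check that follows from F-Secure's note, added here as an example that is not part of the article or of F-Secure's analysis: classify a file by its leading bytes instead of trusting its name or icon, so a Mach-O (or Windows PE) binary wearing a ".pdf" name or a double extension stands out. The file names, sample bytes and reason strings below are constructed for the demonstration.

```python
import os
import tempfile

# Magic numbers this checker knows (a constructed lookup table, not taken from the article).
PDF_MAGIC = b"%PDF-"
EXEC_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary",   # same bytes as a Java .class file, so only a hint
    b"MZ":               "PE/DOS executable",   # the Windows '.pdf.exe' case the article mentions
}

def classify(head):
    """Classify a file by its leading bytes, ignoring name, extension and icon."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    for magic, kind in EXEC_MAGICS.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def decoy_reasons(path):
    """Reasons a file that presents itself as a PDF deserves a second look."""
    name = os.path.basename(path).lower()
    with open(path, "rb") as fh:
        kind = classify(fh.read(8))
    reasons = []
    if ".pdf" in name and kind != "pdf":
        reasons.append("named like a PDF but content is " + kind)
    if ".pdf." in name:
        reasons.append("double extension hides the real suffix")
    return reasons

def scan(directory):
    """Map every regular file in a directory to its reasons (empty list = nothing odd)."""
    return {n: decoy_reasons(os.path.join(directory, n))
            for n in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, n))}

def demo():
    """Write constructed samples to a temp dir, scan them and return the result."""
    samples = {
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",        # genuine PDF header
        "invoice.pdf": b"\xca\xfe\xba\xbe" + b"\0" * 12,       # fat Mach-O wearing a .pdf name
        "statement.pdf.exe": b"MZ\x90\x00" + b"\0" * 12,       # Windows-style double extension
        "notes.txt": b"just text\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan(tmp)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "ok")
```

The check deliberately reads only file content, so an icon planted in a resource fork or a stripped extension (the cases F-Secure describes) does not change its verdict.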

Once installed, the trojan dropper installs a backdoor program that gives a hacker full control of the infected Mac OS X machine.

The backdoor typically contacts a remote server for instructions and can be used to steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.

F-Secure reports that the command-and-control of the malware is just a bare Apache installation that is not yet capable of communicating with the backdoor.

Topics: Apple, Hardware, Malware, Security

Talkback

53 comments
  • RE: Researchers find Mac OS X malware posing as PDF file

    Ryan, any indication whether this affects Lion?

    If so, I'd say this plus the ability to authenticate to LDAP using anything, and the ability to change any user's password would be interesting.

    *grabs popcorn*
    UrNotPayingAttention
    • Are you getting lonely with your popcorn?

      @chmod 777
      Where are all the posters who usually equate the existence of malware with major security design flaws in the target platform?

      Maybe they are too busy cleaning this malware off their Macs?

      *munch* *munch*

      *chirp* *chirp*
      toddybottom
      • RE: Researchers find Mac OS X malware posing as PDF file

        @toddybottom
        Nobody but morons blame an OS maker for malware on their OS. But you of course like to make reference to these morons because that gives you someone you can mock.

        People with common sense give you the fact of the matter and that is the probability of getting malware on a Mac is much less than its more widely used counterpart, like the probability of someone shooting me in my house is less than if I was in the middle of a war zone.
        anono
      • Well that's fine...

        @anono

        Except all the other Mac fanboys and apologists say that the 'security through obscurity' argument is BS, that Macs are more secure by design (which security professionals vehemently disagree with)

        So which is it? who is right? the morons who say the Mac is secure by design (again, security professionals)? or, the morons who claim they have security through obscurity?
        UrNotPayingAttention
      • RE: Researchers find Mac OS X malware posing as PDF file

        @chmod 777
        The morons are those who waste their time mulling over this question. Besides, security by design wouldn't even apply to malware. The fact of the matter is that the probability of getting viruses on Macs is much much lower and that's certainly a pro in the Mac column. There are obviously other factors.
        anono
      • RE: Researchers find Mac OS X malware posing as PDF file

        @anono "Nobody but morons blame an OS maker for malware on their OS." Okay then let's turn this around - do YOU blame Microsoft for malware on Windows? I don't - IMHO the root cause lies in a lack of common sense, tech savvy, and a large amount of complacency. "But you of course like to make reference to these morons because that gives you someone you can mock." Actually he's mocking the hordes of mactards who claim that malware on Windows is the fault of Microsoft and also claim that there is and can never be any malware on Macs.

        "People with common sense give you the fact of the matter and that is the probability of getting malware on a Mac is much less than its more widely used counterpart like the probability of someone shooting me in my house is less than if I was in the middle of a war zone." So you seem to be bringing up the whole "security by obscurity" defense... and yet this is no longer the case.

        "The morons are those who waste their time mulling over this question." First you say the morons are those who blame the OS maker, now you say the morons are those who mull over the question of security by obscurity vs security by design - neither of which apply to a Mac anymore. "Besides, security by design wouldn't even apply to malware. The fact of the matter is that the probability of getting viruses on Macs is much much lower and that's certainly a pro in the Mac column. There are obviously other factors." The probability is lower now - but a few months ago the probability was none. You say there are other factors - care to share what those might be other than the ones I mentioned above?
        athynz
      • RE: Researchers find Mac OS X malware posing as PDF file

        @toddybottom

        I'm a PC user, and can obviously empathize with affected users. No need to rub anything in. Unfortunately, the real people to be blamed, the malware writers/users, have become almost immune to backlash due to a stupid Mac/PC/Linux war.
        TechNickle
      • RE: Researchers find Mac OS X malware posing as PDF file

        @Pete "athynz" Athens
        "But you of course like to make reference to these morons because that gives you someone you can mock. Actually he's mocking the hordes of mactards who claim that malware on Windows is the fault of Microsoft and also claim that there is and can never be any malware on Macs."
        Basically what I said except you replaced "moron" with "hordes of mactards". Nice counter argument, except saying "moron" is more comprehensive since it would include people like toddybottom (who is clearly not a mactard) who blame Apple for malware on Macs.

        "People with common sense give you the fact of the matter and that is the probability of getting malware on a Mac is much less than its more widely used counterpart like the probability of someone shooting me in my house is less than if I was in the middle of a war zone. So you seem to be bringing up the whole "security by obscurity" defense... and yet this is no longer the case."

        I don't remember bringing up any specific defenses. In fact, I specifically said people are wasting their time trying to figure out exactly why Macs get less malware. And what do you mean it's no longer the case? I don't have any data on hand, but if we assume Ed Bott has written an article about every piece of malware on a Mac (which is probably true since he sometimes writes multiple articles) then I believe my statement stands.

        "The morons are those who waste their time mulling over this question. First you say the morons are those who blame the OS maker now you say the morons are those who mull over the question of security by obscurity vs security by design - neither of which apply to a Mac anymore."

        Yes, there are more than one type of morons. In this case I'm speaking specifically about malware. So yes, no system can prevent a user from getting a new piece of malware so it's a pretty idiotic thing to be arguing about.

        "Besides, security by design wouldn't even apply to malware. The fact of the matter is that the probability of getting viruses on Macs is much much lower and that's certainly a pro in the Mac column. There are obviously other factors. The probability is lower now - but a few months ago the probability was none. You say there are other factors - care to share what those might be other than the ones I mentioned above?"

        Yes so, reduced malware is less of a pro for a Mac now than it was a few months ago (although not by much, as I'm sure the amount of malware written for Macs is very small). I never denied it. As for these other factors; you can't possibly believe that I would base my choice of OS solely on how likely I am to get malware.
        anono
      • RE: Researchers find Mac OS X malware posing as PDF file

        @FuzzyBunnySlippers
        My point exactly; and look at all the bashing I'm getting for saying it.
        anono
    • Presumably it affects any version of OS X...

      Presumably it affects any version of OS X because the user is launching an application, entering their administrative login and password, then installing the backdoor software.

      The operating system could be the most secure in the world, but it can't protect against gullible or naive users.
      olePigeon
      • Sure, blame the user

        @olePigeon
        This is all the user's fault.

        I've heard this defense before when it comes to malware on a certain other OS.

        That argument wasn't accepted then.

        It shouldn't be accepted now.

        Apple must do more to protect its users from malware.
        toddybottom
      • RE: Researchers find Mac OS X malware posing as PDF file

        @toddybottom
        People who say it's the OS's (whether Windows or OSX) fault for malware getting in are trolls. So you mocking them and then saying the same thing for OSX is basically like a troll mocking another troll and then trolling.
        anono
    • RE: Researchers find Mac OS X malware posing as PDF file

      @chmod 777 The file would be flagged as executable upon first launch (of course this, like UAC, relies on the user taking notice). But it'll run - it's just a program. This is a problem for ANY system where the user clicks on icons to open files/applications. The problem is the icon can look deceptive, and that (with extension shenanigans) can trick the user.

      This isn't really very OS specific, the problem is endemic with ALL "WIMP" style GUIs.
      Jeremy-UK
  • I think most folks are going to get suspicious when

    opening the PDF throws a window asking you for your admin credentials. Oh, I see you failed to mention that important little factoid.
    baggins_z
    • RE: Researchers find Mac OS X malware posing as PDF file

      @baggins_z

      Thanks baggins_z, I was thinking the same. Neglecting to mention this to people often unfamiliar with OSX gives a different impression. Doesn't it? Of course all Operating Systems have or develop flaws as they evolve, but nothing attracts readers like Apple-related articles. Apple sells, regardless of completeness, accuracy or objectivity. Fans cheer. Anti's jeer. Where's our middle ground? Still at the library with everything else unsexy.
      ShamooToo
    • RE: Researchers find Mac OS X malware posing as PDF file

      @baggins_z

      Does it behave that way if the user is booted as an admin, or merely prompt with "are you sure you wanna let this run?"
      whatagenda
      • Even if you are logged in as an admin, you'll still

        need to key in your admin password. If you are logged into a standard account, you'll need to provide both an admin name and its password.
        baggins_z
      • RE: Researchers find Mac OS X malware posing as PDF file

        @whatagenda It would show both in either case. All of which is weird behaviour for a PDF.
        Jeremy-UK
      • @toddybottom

        It's not a question of understanding the issue, it's the fact that files never ask for your credentials. Not only that, but the credentials dialog is going to include the name of the program asking for permission, so someone who opens the PDF and sees that "foo" requires you to type your password is going to be suspicious, unless they are the most naive computer user.
        baggins_z
      • You still don't get it

        " is going to make any but the most naive computer user suspicious. "

        And this describes most OS X users. And Windows users.

        If it didn't, there wouldn't be any successful trojans on any systems.

        But there are.

        So you are wrong.
        toddybottom