
New Mac OS X Trojan Hides Inside PDFs

timothy posted more than 2 years ago | from the see-enclosed-nude-document dept.

OS X 194

Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."


But... (-1, Troll)

Anonymous Coward | more than 2 years ago | (#37503746)

Macs don't have viruses O__________O

Re:But... (-1)

Anonymous Coward | more than 2 years ago | (#37503782)

LOL TROLL

Next tell us how the computer brand you don't like is evil, for morons, etc.

Re:But... (1)

Anonymous Coward | more than 2 years ago | (#37504344)

Would a Mac or Slashcode exploit explain not seeing the "Apple" category included on the left side of the Slashdot page except when viewing an Apple story? There's a place in the Account area to remove a section, but no provision to add/restore one???

The signature editor seems to be hiding too.

These social engineering tricks aren't much of a malware story. It'd be more useful to be asking why NoScript doesn't have an option to filter web-bugs on trusted sites. (and how it doesn't seem to be showing Google analytics to block anymore?)

Maybe OS X should be asking for permission anytime a new app wants net access. They should not be able to phone home or anywhere by default.

Re:But... (1)

dltaylor (7510) | more than 2 years ago | (#37504536)

What version of NoScript doesn't show google-analytics?

I'm running 2.1.2.3 on the machine that accesses the net, and it still has it in the menu, maybe because it is in use and blocked on the site I checked.

Re:But... (0)

Jeremiah Cornelius (137) | more than 2 years ago | (#37504678)

Little Snitch
Better Privacy
Ghostery
Ad Block+

And a little personal diligence. That includes no Facebook usage or Google IDs, and a clean sweep every time you exit Amazon, PayPal or an affiliate.

The price of Liberty... Etc., etc. ad nauseam

Re:But... (1, Informative)

tmosley (996283) | more than 2 years ago | (#37503978)

Never said they didn't have trojans.

Might want to learn the difference.

Re:But... (1)

InsectOverlord (1758006) | more than 2 years ago | (#37504296)

Apple and some of its fans do tout Mac OS X as being somehow immune to malware in general, not just viruses.

As for viruses, this one indeed seems not to be a virus (unless it proceeds to replicate after launching - a piece of malware can be both a virus and a trojan), but any device that can run an arbitrary program can run a virus.

Re:But... (5, Informative)

bonch (38532) | more than 2 years ago | (#37504022)

This isn't a virus. It doesn't propagate; it's not even capable of communicating with its server once installed, so it's another one of these annual proof-of-concept social engineering attacks that anonymous Apple-haters latch onto and then promptly forget about a day later.

Re:But... (2)

scottbomb (1290580) | more than 2 years ago | (#37504172)

To quote Apple's own website: Mac don't get WINDOWS viruses.

(They get Mac viruses). --- not on the website.

If the world were the other way around, where 90% + of the population used Macs and a small minority used Windows... need I say more?

Re:But... (1)

Concerned Onlooker (473481) | more than 2 years ago | (#37505070)

As Douglas Adams said, "it may only be ten percent of the users, but it's the top ten percent." That aside, being in the minority with a usable OS (read cli) is exactly where I want to be. Let Windows draw the flies, I say.

Nothing to see.. (4, Informative)

Anonymous Coward | more than 2 years ago | (#37503772)

Article is shallow: users click executables disguised with a PDF icon.. Nothing to see here, move along folks!

Re:Nothing to see.. (1)

ceoyoyo (59147) | more than 2 years ago | (#37503920)

Don't forget the part where opening a "PDF" asks for your admin password. Hm....

(Note: I couldn't find out whether it actually asks for your admin password, but if it actually wants to do much it's going to have to)

Re:Nothing to see.. (1)

Kenja (541830) | more than 2 years ago | (#37503930)

At the very least it would warn you that the application was not in the white list and ask if you wanted to add it.

Re:Nothing to see.. (5, Insightful)

Richard_at_work (517087) | more than 2 years ago | (#37503984)

Do much being .... What, exactly? Access your browser to capture your passwords? Participate in a DDOS? Send spam email? Propagate itself?

Don't need admin to do any of that...

Re:Nothing to see.. (0)

Anonymous Coward | more than 2 years ago | (#37504116)

Yea- but can the application install itself to continually start up? Ideally in a user/admin environment without the user entering a password you couldn't get the spyware/malware to automatically start at boot. There would be nothing to attach to either. Thus making it difficult to cause continued problems for users. Obviously this does not solve the problem completely as even a single click of a PDF could stay loaded on the system until reboot. Ideally exchangeable document formats would not permit executable code in the first place. Ideally in order to get executable code enabled users would have to be admin and technical enough to use a terminal. A few step process. Anybody else would require a pseudo techy user from India's approval (which would have an instant response). That user would then make a recommendation. This way someone whose job it is to know the bad from the good could make an educated determination about the request. The user would then agree to execute it if the Indian tech said "probably safe", "definitely safe" (white listed), or "may not be safe, not recommended", or "probably not safe", "almost certain not safe, not recommended", "don't install this it is on our blacklist as dangerous".

Re:Nothing to see.. (4, Informative)

Zephiris (788562) | more than 2 years ago | (#37504442)

It can add itself to your user files, which allow something to start "at boot", as long as that user is the one (auto)logging in.

You don't see much Windows malware adding itself to your "Startup" folder, but few average Mac users are going to check "command line files" to see whether something has injected something bad or not.

As TFA says, this isn't a PDF, but an executable merely pretending to be one.

It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part. It wouldn't be able to snoop some low level processes, but absolutely anything that is running under your user? Yup. Open ports to communicate with the mothership? Of course. Install a line to start whenever this user is logged in? Of course.

If you get a user dumb enough to allow admin privileges to a fake PDF, you can use officially sanctioned mechanisms to inject code into every process in the machine without requiring a separate 'trojan process' to stay alive to monitor it. Or just replace the operating system kernel. :p

Re:Nothing to see.. (1)

ninetyninebottles (2174630) | more than 2 years ago | (#37504630)

It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part.

What makes you think it wouldn't be sandboxed on OS X 10.7 by default, the same as every other app you download?

Re:Nothing to see.. (0)

Anonymous Coward | more than 2 years ago | (#37504986)

It's easy enough to use launchd to add startup items for the currently logged-in user. It's pretty annoying. I had to set up a folder action to alert me whenever something decides to have itself launch on login. I wish changes to login items would require a password.

Short of the iOS locked-down approach, I don't see an obvious way to balance convenience with security. Users will enter passwords with little to no thought, and will likely be calling tech support if the computer won't let them just run the freeboobs.exe file received from an unfamiliar email address. I suppose if setting up a Mac for a newbie one could enable the parental controls stuff.

Re:Nothing to see.. (0)

ceoyoyo (59147) | more than 2 years ago | (#37504162)

Kinda kills the fun when your DDOS/spam relay etc. gets itself zapped every time the user restarts the computer.

Mac users tend not to restart their computers very often, but the ones who randomly click on executables sent to them by e-mail are probably the few who do.

Oh, and on a Mac your passwords are stored in the system keychain, which is encrypted and yes, does require your password to access.

Re:Nothing to see.. (1)

Anonymous Coward | more than 2 years ago | (#37504288)

Typical mac-boy thinks his machine is invulnerable to malware. Can only administrator set +x on files? Can only administrator customize your menu items? You are not thinking very creatively about how to penetrate a system without using admin privileges. Also, I doubt that you could not write a key-logger without admin privileges, but I don't know enough about macs to be sure.

Re:Nothing to see.. (2)

Richard_at_work (517087) | more than 2 years ago | (#37504316)

I don't need the admin password to add something I own to my own startup items list...

Re:Nothing to see.. (0)

Anonymous Coward | more than 2 years ago | (#37504598)

restart? you mean close the lid and open it again?

Yep (4, Insightful)

Sycraft-fu (314770) | more than 2 years ago | (#37504726)

In fact I've seen a big rise in the amount of non-admin Windows malware. It just infects the user that is using the system. The reason is they realize that for the vast majority of systems, the user IS the system, there is no need to infect anything else. It also lets them get an infection in an enterprise setup where users don't get admin.

Now I suppose it does make the malware slightly easier to get rid of but then it really doesn't matter, I tend to scan the things from a boot disk anyhow.

This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.

Re:Yep (2)

mjwx (966435) | about 3 years ago | (#37505542)

This geek idea that only the system matters is silly. True for a server maybe, not for a desktop. On a desktop, the user's data is all that matters and you don't need admin to get at that.

Some of us have understood for a while that the user is the most vulnerable part of any system. Almost all malware infections I've seen have been user initiated, drive by infections in this day and age are very rare even on unpatched machines. This is why my Windows servers are more secure than any Linux or Mac desktop, simply because no user is permitted near them.

Re:Nothing to see.. (1)

LordLimecat (1103839) | about 3 years ago | (#37505556)

Without your admin password it can still do quite a bit; it could skim your iMail account, access your browser saved passwords, etc-- anything else that YOU have access to without typing a password.

Re:Nothing to see.. (1)

joe_kull (238178) | more than 2 years ago | (#37504114)

Oh, don't worry. Nobody clicks through to the articles anyway.

Re:Nothing to see.. (0)

Anonymous Coward | more than 2 years ago | (#37504256)

Article is complete BS, however it actually has been possible to compromise OSX using PDFs (see example below) in the past and surely there are many more bugs to come. Benefits of the PDF vector include that in general people tend to trust opening them and particularly in OSX, a thumbnail image is automatically generated so attackers don't even need the victim to open the file, also Apple's default mail client auto previews PDFs in incoming mail so the user doesn't even have the choice not to open them.

http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch

Re:Nothing to see.. (1)

ThorGod (456163) | more than 2 years ago | (#37504488)

So...turn off pdf previews (always a good idea) and/or don't use Mail.app. Also, don't download pdfs from strange sources. Pretty basic stuff.

Re:Nothing to see.. (1)

SchMoops (2019810) | more than 2 years ago | (#37504732)

Except it's NOT EVEN A PDF, so you don't need to take those precautions. OS X will say "_____ is an application you downloaded from the Internet. Are you sure you want to run it?" so any tech-literate user will know that it's an executable, not a PDF.

Re:Nothing to see.. (1)

ThorGod (456163) | more than 2 years ago | (#37505078)

Yep, it's not a problem if the pdf is an executable disguised as a pdf or an actual pdf...the classic non-problem.

Re:Nothing to see.. (0)

Anonymous Coward | more than 2 years ago | (#37504712)

Mail, Safari, and Preview open PDF's in a separate sandboxed process. Nothing to worry about.

Re:Nothing to see.. (0)

Anonymous Coward | more than 2 years ago | (#37504394)

What's more is the article is not even claiming to have seen one in the wild!

Fuck you slashdot. I am fucking tired of the constant flamebait bullshit headlines and articles.

Re:Nothing to see.. (0)

Anonymous Coward | more than 2 years ago | (#37504592)

Until there's as much malware on Mac OS X as there is in windows, we'll continue to see attention drawn to any minor 'security holes'. Everybody loves drama, especially when it's the family down the street that's always been well off.

Re:Nothing to see.. (1)

ThorGod (456163) | more than 2 years ago | (#37504468)

The new piece of malware hides inside a PDF file and delivers a backdoor that hides on the user's machine once the malicious file is opened. Once the user executes the malware, it puts the malicious PDF on the user's machine and then opens it as a way to hide the malicious activity that's going on in the background, according to an analysis by researchers at F-Secure. The Trojan then installs the backdoor, which is named Imuler.A, which attempts to communicate with a command-and-control server.

That server isn't capable of communicating with the malware, however, the researchers found, so the malware is on its own once it's installed on a victim's machine. What's not clear is exactly how the malware is spreading right now.

Vague enough to be worthless, but worded to sound informative.

Says a MacOS X fanboy trying 2 hide it (0)

Anonymous Coward | more than 2 years ago | (#37504500)

See subject line above + post parent to mine -> http://apple.slashdot.org/comments.pl?sid=2444536&cid=37503772 [slashdot.org] because Lord only knows that if that happened on another OS platform, like Windows? It'd be some kind of 'horrendous event' to be shouted from the rooftops!

Re:Nothing to see.. (1)

antdude (79039) | about 3 years ago | (#37505768)

But Mac OS X doesn't use file extensions. How is a Chinese person supposed to know it is a legit PDF or a malware? Do we really need to install an AV in Mac OS X these days?

But... (0, Insightful)

Anonymous Coward | more than 2 years ago | (#37503790)

Macs don't get viruses. The Genius Bar guy told me this yesterday...

Re:But... (0)

bonch (38532) | more than 2 years ago | (#37504004)

This isn't a virus; it doesn't do anything when installed or propagate. It can't even communicate with its server.

Re:But... (2)

PopeRatzo (965947) | more than 2 years ago | (#37504476)

This isn't a virus; it doesn't do anything when installed or propagate. It can't even communicate with its server.

So...it's candy!

No need to worry Apple users, it "doesn't do anything when installed or propagate". You are safe and warm and don't forget to let iTunes save your password.

Re:But... (1)

Farmer Tim (530755) | more than 2 years ago | (#37504052)

Still technically correct: a trojan isn't a virus.

Though I'll admit it's amazing that anyone working at a Genius Bar got anything technically correct...

again PDF? (-1, Offtopic)

El_Muerte_TDS (592157) | more than 2 years ago | (#37503792)

What is it with Apple OS and exploits in PDF?
Is the kernel written by Adobe?

Re:again PDF? (3, Informative)

Pence128 (1389345) | more than 2 years ago | (#37503832)

Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a pdf icon.

Re:again PDF? (1)

ninetyninebottles (2174630) | more than 2 years ago | (#37503900)

Title, summary and article all fail. It's an executable whose name ends with ".pdf" and has a pdf icon.

Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.
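The disguise described above (an executable with no extension, a PDF icon and a PDF MIME type in the resource fork) is something a defender can catch by reading the file's leading bytes instead of trusting its icon. The script below is an added example, not code from the thread, from F-Secure or from Apple; it assumes a POSIX sh with dd, od, tr and mktemp, and the sample files it writes are constructed for the demo.

```shell
# Added example, not code from the thread or from F-Secure/Apple: classify a
# downloaded file by its magic bytes rather than by its icon or (hidden)
# extension, which is exactly the cue the disguised "PDF" relies on.
# Assumes a POSIX sh with dd, od, tr and mktemp.

# header_hex FILE: first 5 bytes of FILE as lowercase hex, no separators.
header_hex() {
    dd if="$1" bs=5 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# classify FILE: prints pdf, macho or other.
# "%PDF-" is 25 50 44 46 2d. Thin Mach-O binaries start with feedface (32-bit)
# or feedfacf (64-bit) in either byte order; cafebabe is a fat (multi-arch)
# binary, a magic it shares with Java class files, so treat it as suspect too.
classify() {
    case "$(header_hex "$1")" in
        255044462d) echo pdf ;;
        feedface*|cefaedfe*|feedfacf*|cffaedfe*|cafebabe*|bebafeca*) echo macho ;;
        *) echo other ;;
    esac
}

# check_pdf_claim FILE: exit status 0 when a file presented as a PDF (by name,
# icon or mail preview) really is one, 1 when it is executable code,
# 2 when it is neither (not necessarily hostile, but not a PDF either).
check_pdf_claim() {
    case "$(classify "$1")" in
        pdf) return 0 ;;
        macho) return 1 ;;
        *) return 2 ;;
    esac
}

# make_samples DIR: write constructed files for the demo: a minimal real PDF
# header, a fake "document" with no extension whose bytes are a 64-bit
# Mach-O header (as in the thread), and a plain text file.
make_samples() {
    printf '%%PDF-1.4\n%%constructed sample\n' > "$1/report.pdf"
    # cf fa ed fe = little-endian MH_MAGIC_64 (octal escapes), then zero padding
    printf '\317\372\355\376\000\000\000\000' > "$1/invoice"
    printf 'just text\n' > "$1/notes.txt"
}

# Stand-alone demo: build the samples in a temp dir and report on each.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*; do
    rc=0
    check_pdf_claim "$f" || rc=$?
    case $rc in
        0) verdict="looks like a real PDF" ;;
        1) verdict="EXECUTABLE posing as a document" ;;
        *) verdict="not a PDF (other content)" ;;
    esac
    printf '%s: %s\n' "$(basename "$f")" "$verdict"
done
rm -rf "$demo_dir"
```

On a real download the same check can be combined with the quarantine metadata Safari and Mail.app attach, so that anything flagged as executable gets inspected before it is ever double-clicked.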

Re:again PDF? (-1)

Anonymous Coward | more than 2 years ago | (#37504106)

That's why the "every file can be executable" thing in OS Linux is such a bad thing. If it had to have a .exe at the end, people would know something is wrong when they get a PDF ending with it.

Re:again PDF? (2)

Aardpig (622459) | more than 2 years ago | (#37504228)

Obvious troll is obvious.

Re:again PDF? (1)

TheRaven64 (641858) | more than 2 years ago | (#37503924)

How does this get past the download protection though? Any executable that is saved by Safari or Mail.app will have the source location saved in the metadata. When you first run it, the system tells you that it's an executable that you've not run before and asks if you meant to. It never shows this for pdf files[1] so you know that it is definitely something malicious.

[1] Depressingly, it does show this warning when you open a UNIX shell script in TextEdit if it has execute permission. It also shows when you open a Windows application, irrespective of whether or not you have anything installed that will actually run it.

Re:again PDF? (1)

somersault (912633) | more than 2 years ago | (#37504352)

You know. I would know (I wouldn't even bother to read the email or save the attachment so it's kind of moot). The average user though? They're not so well clued up. If they've been as far as saving the file to their computer, I wouldn't have much faith in them not executing it.

Re:again PDF? (0)

Anonymous Coward | more than 2 years ago | (#37503834)

What is it with Apple OS and exploits in PDF?
Is the kernel written by Adobe?

What is it with and exploits in PDF?
It doesn't matter who the kernel is written by.

Re:again PDF? (1)

lightknight (213164) | more than 2 years ago | (#37503836)

Part of it, apparently.

Re:again PDF? (0)

bonch (38532) | more than 2 years ago | (#37503966)

RTFA. It's an executable using a PDF document icon. This is nothing more than a social engineering trick

Re:again PDF? (1)

Anonymous Coward | more than 2 years ago | (#37504802)

RTFA. It's an executable using a PDF document icon. This is nothing more than a social engineering trick

Social engineering tricks ARE THE #1 reason for systems being compromised/hacked.
Users are idiots (aka not computer savvy) whether they use Windows or OS X.
This is the reality, and if you had the same amount of idiots on linux as you have on the other systems you'd have the exact same kinds of problems. Instead of trojans and viruses we would be talking of users downloading executable scripts from gods know where and wreaking havoc on their systems.

Re:again PDF? (1)

dgatwood (11270) | more than 2 years ago | (#37505024)

What's depressing is that stupid tricks like this are even still possible in this day and age.

Helpful tip: In Mac OS X's Finder, if you choose "Preferences..." from the "Finder" menu, you'll find a checkbox that says, "Show all filename extensions". Check it. You will never again be at risk from these sorts of malware attacks (unless you or someone else goes back in and unchecks it).

I'm strongly of the opinion that this checkbox should be enabled on every computer in the world, and that a checkbox to hide those extensions should not even exist. The only thing that "feature" does is make trojans like this one possible.

Windows is bad, hmmmmk? (1)

LodCrappo (705968) | more than 2 years ago | (#37503802)

Must every story about Mac malware spend more time talking about how Windows is so bad than the OS X malware they are reporting?

Re:Windows is bad, hmmmmk? (2)

Pence128 (1389345) | more than 2 years ago | (#37503840)

To be fair, it's a "let's trick people into downloading and running programs" and not a "shit, let's execute data".

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37503874)

To be fair the gaylord wanker is not a profitable malware market.

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37503938)

It is, though. The "pink pound" effect amongst mac users means they are more likely to have significant funds for banking trojans to steal. Also many of them still believe the "macs can't get viruses" mantra and take about as many precautions online as they do with anonymous strangers down at the bathhouse.

Re:Windows is bad, hmmmmk? (1)

LodCrappo (705968) | more than 2 years ago | (#37503932)

I'm sure that will be a great comfort to the Mac users affected by this malware :)

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37503990)

The opposite actually. If you are a Mac user affected by this, then you have to acknowledge at least some personal responsibility, instead of blaming it on the OS manufacturer.

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37504006)

obvious sarcasm is apparently not something you are good at seeing

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37504104)

Thank-you.

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37504026)

Not really... we can still blame Windows. If not for Windows, there would not be any malware to speak of. Doesn't matter what OS you are using, Windows is to blame.

Re:Windows is bad, hmmmmk? (3, Insightful)

KDR_11k (778916) | more than 2 years ago | (#37503998)

So it requires a gullible user. There's not exactly a shortage of those.

Re:Windows is bad, hmmmmk? (1)

slimjim8094 (941042) | more than 2 years ago | (#37504182)

But how do you prevent stupidity? To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing. A mitigating factor would be preventing applications from setting their own icon. Which do you propose?

If "people are exceedingly stupid and will do anything the dancing bunnies tell them" is your only major security flaw, I'd say you're doing as well as possible.

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37504214)

To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing.

Don't worry, Apple's working on that. (And they'll probably patent it.)

Re:Windows is bad, hmmmmk? (2)

ninetyninebottles (2174630) | more than 2 years ago | (#37504608)

But how do you prevent stupidity? To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing. A mitigating factor would be preventing applications from setting their own icon. Which do you propose?

You don't need to prevent a user from being able to run apps, you just need to restrict default behaviors for apps, provide the user with information on how much an "expert" thinks they should trust software, and tell the user in clear and simple terms when the app wants more privileges and exactly what those privileges are. Finally, you need to present this in a usable interface. Apple is already heading down this route with both iOS and OS X. In OS X 10.7 apps are sandboxed by default, although I haven't seen a single report as to if this trojan works within the sandbox, breaks out of the sandbox, or simply fails entirely on Lion.

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37504728)

But how do you prevent stupidity? To stop this attack, you'd need to remove the ability for the user to execute programs of their choosing. A mitigating factor would be preventing applications from setting their own icon. Which do you propose?

If "people are exceedingly stupid and will do anything the dancing bunnies tell them" is your only major security flaw, I'd say you're doing as well as possible.

Ha ha, it's funny. You have stupid people on windows, and stupid people on macs. Having stupid people on windows is bad bad bad and the reputation of windows suffers. Having stupid people on macs is good good good since macs just work and nothing blemishes the shiny apple.
But hey macs get viruses and trojans too.

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37504328)

Especially when it comes to Apple customers.

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37505036)

How is that different from most of the malware on Windows these days? How many people download malware/trojans because the ad told them that their "virus scanner" that they have never actually installed, has found a virus and must be installed to scan?

It's email viruses and that junk that causes the most problems these days. There have been far fewer worms and pure attacks based on buffer overflows in the recent years.

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37505118)

So it's exactly the same as most Windows malware, then.

Re:Windows is bad, hmmmmk? (-1, Troll)

bonch (38532) | more than 2 years ago | (#37503988)

Must every story about Mac malware spend more time talking about how Windows is so bad than the OS X malware they are reporting?

Can you cite an example of such a story? Since, you know, that doesn't occur in this one. It mentions Windows because this is an OS-independent social engineering attack, not "Mac malware."

Re:Windows is bad, hmmmmk? (1)

LodCrappo (705968) | more than 2 years ago | (#37504036)

"isn't anywhere near catching up to Windows-based malware in terms of volume and variety"
"may be adopting some of the more successful tactics that Windows viruses have been using to trick users"
"a technique that's been in favor among Windows malware authors for several years now"

Re:Windows is bad, hmmmmk? (1)

marcello_dl (667940) | more than 2 years ago | (#37504156)

So, to be kind and politically correct towards windows - Stockholm syndrome is real - we must ignore the fact that OSX has indeed less volume and variety of malware? Does not make sense.
OSX has less malware than windows and is the more refined desktop OS out there. Windows has more games and possibly vertical apps, and I prefer debian to both. See? No problems.

Re:Windows is bad, hmmmmk? (0)

Anonymous Coward | more than 2 years ago | (#37505174)

It's worth noting that Windows has more volume and variety of installs than OSX. Saying that Windows has more malware than OSX is like saying that Washington State has more income than Washington, D.C. While that's undeniably true in absolute terms, it may or may not be true in per-capita terms.

Re:Windows is bad, hmmmmk? (1)

LordLimecat (1103839) | about 3 years ago | (#37505570)

Windows 1.1 also has less malware volume and variety of malware than Windows XP. So does BeOS. That doesn't mean it's more secure.

Re:Windows is bad, hmmmmk? (0)

johnmorganjr (960148) | more than 2 years ago | (#37504462)

Face it, windows sucks and Mac is a step up from windows. Why does everyone have a hard time understanding that? Your windows is not secure, just a mere speedbump in the road. Run a real os like Debian or some other version of Linux.

Re:Windows is bad, hmmmmk? (2)

johnmorganjr (960148) | about 3 years ago | (#37505372)

Ok..... who's the crybaby that called me a troll and got my point taken away? You are about as sad as a fresh install of Windows.

Does not hide in PDFs (5, Insightful)

Anonymous Coward | more than 2 years ago | (#37503820)

It's just a trojan with a PDF icon.

And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.

Trojans are nothing new, giving them fake icons is nothing new, even Mac trojans are nothing new. News this ain't.

Re:Does not hide in PDFs (4, Informative)

oakgrove (845019) | more than 2 years ago | (#37504062)

Absolutely. The title of the summary is "hides in pdfs" which is a big fat lie. Nice job, Slashdot.

Black lists don't work. (1)

mjwx (966435) | about 3 years ago | (#37505566)

And it will be nerfed as soon as it's added to the OS X XProtect filter, if it hasn't already.

Black lists don't work. This even MS has figured out. So they add this particular one to the filter rather than fixing the vulnerabilities or worse yet, educating users on how to safely use computers (as opposed to telling them they are automagically protected by owning a Mac) but the malware writers simply make a new variation to get around that black list. There is so much malware for Windows simply because a lot of it is subtle variations on the same malware to get around AV/Anti-malware.

The "protect filter" is not computer security rather it is computer security theatre.

It's just a trojan with a PDF icon

To the end user, there is no difference.

Re:Does not hide in PDFs (2)

LordLimecat (1103839) | about 3 years ago | (#37505586)

Let's be clear here, then.

Is or is not Microsoft to blame for executable content that a user double clicks? Because if we had a clear "no" to that, I think the entire "Windows security vs OSX security" discussion would basically be over.

But Steve told me... (-1)

Anonymous Coward | more than 2 years ago | (#37503844)

that Macs don't have viruses!

When your OS begins to get relevant... (-1)

Anonymous Coward | more than 2 years ago | (#37503846)

When your OS begins to get relevant, you get to deal with the viruses. I'm fairly certain that Linux and Windows have better security than Mac OS X, but I still think the popularity of Mac OS X and Linux slowly increasing will lead to more and more of these types of attack, regardless of what the Mac and Linux fanboys say.

Re:When your OS begins to get relevant... (0)

oakgrove (845019) | more than 2 years ago | (#37504102)

Nobody with even the slightest clue pretends that OSX or Linux are immune to Trojans and implying that this view is mainstream even amongst the most fervent fanboys is pure troll.

Re:When your OS begins to get relevant... (0)

Anonymous Coward | more than 2 years ago | (#37504126)

Not really sure that Linux is much better when it comes to social engineering attacks.

Re:When your OS begins to get relevant... (1)

somersault (912633) | more than 2 years ago | (#37504382)

Maybe not, but its users are.

Article title is wrong (1)

Anonymous Coward | more than 2 years ago | (#37503878)

This trojan doesn't hide inside a PDF. It is an executable that disguises itself as a PDF.

Any Informative Links? (3, Interesting)

ninetyninebottles (2174630) | more than 2 years ago | (#37503886)

I saw reference to this trojan the other day, but my research turned up only vague descriptions such as the one linked in the summary. From all the reading I did it seems like this is an executable of some sort, with no extension that is being e-mailed to people. None of the descriptions I've read have described how it infects the machine, but I assume the user has to run it and then agree to allow the unsigned program to run for the first time. At this point it drops a PDF on the hard drive, opens it, and then installs a bare bones apache server, which doesn't actually work as far as anyone can tell. There was some indication that this was a cross platform trojan, but no one has been able to confirm this.

So if anyone is actually in a lab with a copy of this could you please enlighten us on the following points:

  • How is this being distributed in the wild?
  • Does this somehow run automatically and does it bypass the user having to authorize the executable to run for the first time?
  • On 10.6 does it require an admin password to install?
  • Does it attempt to do something about the firewall settings?
  • On 10.7 does this attempt to escape the sandbox?
  • Does the best case install actually get an Apache server running well enough to listen to a control channel, update itself, or perform actions?

So as far as I can tell this is a failed attempt to create a trojan that was released into the wild, possibly as part of testing or as an experiment. It's not really much in the way of news, but for security geeks it is quite interesting, which is why the complete failure of the security companies to provide a decent description is so frustrating. Does anyone have real information about this trojan?

Okay, fellow Mac users (3, Insightful)

93 Escort Wagon (326346) | more than 2 years ago | (#37504054)

Here's the plan:

1) OS X makes it brain-dead easy to not run as an admin user. Create a separate admin account first, then remove the admin privilege from your everyday account. On those rare occasions you need admin privileges, you'll be automatically asked to provide the admin account info - you don't need to even think about it.

(Somehow that isn't sinking into a lot of people's heads, even those who should know better)

2) Back up your stuff regularly. Again, OS X makes this brain-dead easy with Time Machine. You can use something else like a custom rsync script, but - just DO IT.

If you're running as a non-admin user, the worst that can happen is your own stuff gets hosed - and then you can get it back from your backups. But since trojans are probably only going to go after the system files, it's unlikely even your stuff will get touched.

Okay, there's one caveat. If you click on an infected file, and it asks for admin permissions and you provide it, you're screwed. But one would hope you're smart enough to realize viewing a PDF should not require admin authentication. In the end, common sense does have to enter into the picture.

BTW if you claim running as an admin is okay because you're always prompted to authenticate anyway... you're just wrong.

Re:Okay, fellow Mac users (1)

artor3 (1344997) | more than 2 years ago | (#37504216)

You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

Re:Okay, fellow Mac users (3, Informative)

93 Escort Wagon (326346) | more than 2 years ago | (#37504282)

You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

For the account stuff, you might have a point. They don't need to "know it's there" (unlike, say, the old Windows setup where you had to know about "Run as Administrator...") - but they do need to know what admin versus non-admin means. But really that's all they have to know. Even my 70+ year old mom was able to grok that.

As far as backups go, though - the first time you plug in an external hard drive, if backups haven't already been set up - OS X automatically asks "do you want to use this disk for backups?" The user doesn't need to go looking for anything. That's a pretty low bar.

Re:Okay, fellow Mac users (2)

artor3 (1344997) | more than 2 years ago | (#37504342)

That's if they plug in an external drive. How many do? And how many answer in the affirmative? A lot might worry that if they say yes, they can't use that drive for other things.

And I suspect that your 70+ year old mom had it explained to her, likely by you. There are a lot of people who just want their cursor to turn into a unicorn, and will say yes to anything to make it happen.

In the end, you can't defend a computer from its owner, no matter which OS you use.

Re:Okay, fellow Mac users (3, Insightful)

berryjw (1071694) | more than 2 years ago | (#37504322)

Dude, I've watched so many OS X users click through *anything* that pops up to know better. That "average" user everyone keeps referencing doesn't read those boxes any more than they read the EULAs for the software they're using, and most of them will provide credentials without even considering why they might be asked for them. Users view all of this as speed bumps, and don't have any idea it's part of system security. Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?

Re:Okay, fellow Mac users (1)

MimeticLie (1866406) | more than 2 years ago | (#37504746)

Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?

Unless your machine is in an easily accessible place, that seems perfectly reasonable to me. I'd rather have users who write down complex passwords than ones that use "password1" for everything.

Re:Okay, fellow Mac users (1)

berryjw (1071694) | more than 2 years ago | (#37504964)

Come on, how many passwords do you still see pasted on monitors, or stickies on the desktop?

Unless your machine is in an easily accessible place, that seems perfectly reasonable to me. I'd rather have users who write down complex passwords than ones that use "password1" for everything.

I work for a K-12 public school system... and most of the passwords I see like this *are* [lastname][current year], or something equally guessable. Oh, and these are the faculty. I really want to send out an email at the beginning of every school year; "All faculty should make three copies each of their house and car keys, and attach them to 3"x5" index cards containing the address/license # and description of each property. Please have these delivered to the Technology Department as soon as possible, so we may have them distributed randomly about our schools when the students arrive to begin this year. If you take exception to this, please consider how we feel about your doing the same with our keys, the ones we call passwords." Think anyone would read it? No more than they do those annoying boxes which pop up asking for credentials...

Re:Okay, fellow Mac users (1)

kerrbear (163235) | about 3 years ago | (#37505648)

I work for a K-12 public school system... and most of the passwords I see like this *are* [lastname][current year], or something equally guessable. Oh, and these are the faculty. I really want to send out an email at the beginning of every school year; "All faculty should make three copies each of their house and car keys, and attach them to 3"x5" index cards containing the address/license # and description of each property. Please have these delivered to the Technology Department as soon as possible, so we may have them distributed randomly about our schools when the students arrive to begin this year. If you take exception to this, please consider how we feel about your doing the same with our keys, the ones we call passwords." Think anyone would read it? No more than they do those annoying boxes which pop up asking for credentials...

I wonder if there is a way to actually provide physical keys to computer systems. The solution would be to insert a USB key that would unlock the computer. The sysadmin could set all the passwords. That way, even if the user forgot their key, they could still use the password; they would just have to memorize it.

It's not a PDF (1)

Anonymous Coward | more than 2 years ago | (#37504154)

Imagine I made a piece of malware.
Imagine I set its icon to the default PDF icon on your operating system.
Imagine I named it "somefile.pdf.exe" or "somefile.pdf.app".

That's what's happened here. It's not an exploit in the PDF format but rather somebody using the appearance of a 'safe' file to trick people into double clicking it. It could just as easily have been "somefile.jpg.app" or "somefile.ogg.app" with appropriate icons.

Mac OS X will display a "you've never opened this application before, are you sure you want to?" message when a user double-clicks the fake PDF, but let's be realistic: our moms aren't going to know any better.
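The disguise described in this post (a document icon and a "somefile.pdf.app"-style name on what is really an executable) can be caught from the defender's side by looking past the name. The Python below is an added example, not the poster's code or anything from the analysed sample: it flags a document-looking inner extension paired with an executable outer one, and a Mach-O header sitting under a document extension, against constructed sample files it creates itself.

```python
import os
import tempfile

# Mach-O magic numbers (thin 32/64-bit, both byte orders) plus the fat/universal header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
DOC_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".ogg", ".txt", ".doc"}
# .app is a bundle directory on OS X; the rest are Windows/shell executables.
EXEC_EXTS = {".app", ".exe", ".command", ".sh", ".pkg"}

def classify(path):
    """Return the reasons this path looks like an executable posing as a document."""
    reasons = []
    parts = os.path.basename(path).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # 'somefile.pdf.app': document-looking inner extension, executable outer one.
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS and ext in EXEC_EXTS:
        reasons.append("double extension ." + parts[-2] + ext)
    if os.path.isdir(path):          # bundles are directories; documents never are
        return reasons
    with open(path, "rb") as f:
        head = f.read(4)
    # Name claims a document but the first bytes are a Mach-O executable header.
    if ext in DOC_EXTS and head in MACHO_MAGICS:
        reasons.append("Mach-O header under a document extension")
    return reasons

def scan(directory):
    """Map every top-level entry in `directory` to its reasons (empty list = clean)."""
    return {name: classify(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}

def build_samples():
    """Create constructed, harmless sample files in a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="fakepdf_")
    with open(os.path.join(d, "invoice.pdf"), "wb") as f:   # genuine PDF header
        f.write(b"%PDF-1.4\n%%EOF\n")
    with open(os.path.join(d, "report.pdf"), "wb") as f:    # 64-bit LE Mach-O magic only
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    os.mkdir(os.path.join(d, "photo.jpg.app"))              # bundle with a doc-like name
    with open(os.path.join(d, "notes.txt"), "w") as f:
        f.write("plain text\n")
    return d

if __name__ == "__main__":
    for name, why in scan(build_samples()).items():
        print(name, "->", why or "clean")
```

Finder hides the outer extension by default, so the name check is only useful on the full filename; the header check does not depend on what the user sees.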

Re:It's not a PDF (0)

Anonymous Coward | more than 2 years ago | (#37504516)

Well, perhaps *your* mom won't know any better...

My mom can actually tie her own shoes w/o assistance. Self-taught on WANG, DisplayWrite, WordPerfect 5 and 6 on DOS. And when one of those "You are infected" trojan/fake antivirus notices came up on her favorite newspaper website, she 1. knew better than to trust it, or think she was infected (the Windows box on her Mac was a dead giveaway for her), and 2. wrote the newspaper informing them that they had malicious software being distributed by their online advertising.

And yes, my dad can beat up your dad. :-P

Oh Noes (0)

Anonymous Coward | more than 2 years ago | (#37504396)

More malware! Whatever will we do? Better burn those Macs and get a Linux box!

Meh.

Smells Like AV Flackery (4, Insightful)

jasnw (1913892) | more than 2 years ago | (#37504626)

Every time one of these "sky is falling, OS X is being attacked by new malware/virus/trojan" articles floats around the 'net, it seems like the source document is from one or another AV builder or a computer security outfit with things to sell. The first clue is how vapid and vague the article is, and how little useful information it provides. Another clue is when one part of the article tells the story a bit differently than elsewhere in the same article. For OS X users, there are a handful of good, independent computer security sites (apple.com NOT being one of them), and if it ain't there, I ignore it.