Mac trojan spreads under guise of PDF document

September 23, 2011
A Mac OS X trojan, disguised as a PDF file, is duping users into loading a backdoor onto their machines, according to researchers at F-Secure.

The trojan is emulating a tactic used for years in delivering malware to Windows systems, by which a PDF file containing a seemingly legitimate extension and icon is employed.
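The masquerading tactic described above (an executable carrying a document-like name and icon) is something a defender can screen for mechanically: a file's declared extension is compared against what its first bytes actually say it is, and the name is checked for a second, hidden extension. The following is an added example written for this page, not code from the article or from F-Secure, Sophos or McAfee. The magic numbers are the published PDF, Mach-O and ZIP signatures; the sample file headers and names are constructed for illustration.

```python
import os

# Well-known file signatures (public format documentation, not from the article).
PDF_MAGIC = b"%PDF-"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC    (32-bit Mach-O, big-endian)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM    (32-bit Mach-O, little-endian)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC   (universal binary)
}
ZIP_MAGIC = b"PK\x03\x04"  # zipped .app bundles and many installers start this way

DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".rtf"}


def classify_content(header: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    if header.startswith(PDF_MAGIC):
        return "pdf"
    if header[:4] in MACHO_MAGICS:
        return "mach-o"
    if header.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def suspicious_name(filename: str) -> list:
    """Flag names built to look like a document while ending in something else."""
    findings = []
    root, ext = os.path.splitext(os.path.basename(filename))
    # A hidden inner extension: "report.pdf.app" splits into ("report.pdf", ".app").
    _, inner_ext = os.path.splitext(root.rstrip())
    if inner_ext.lower() in DOCUMENT_EXTENSIONS and ext.lower() not in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension: looks like {inner_ext} but is {ext or '<none>'}")
    # Runs of spaces push the real extension out of view in a file dialog.
    if root != root.rstrip():
        findings.append("whitespace padding before real extension")
    return findings


def assess(filename: str, header: bytes) -> dict:
    """Combine the content check and the name check into one verdict."""
    kind = classify_content(header)
    ext = os.path.splitext(filename)[1].lower()
    findings = suspicious_name(filename)
    if ext in DOCUMENT_EXTENSIONS and kind in ("mach-o", "zip"):
        findings.append(f"content is {kind} but extension claims a document")
    return {
        "file": filename,
        "content": kind,
        "verdict": "suspicious" if findings else "ok",
        "findings": findings,
    }


# Constructed samples: the headers are hand-made stand-ins, not real files.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),           # genuine PDF header
    ("statement.pdf", b"\xcf\xfa\xed\xfe" + b"\x00" * 12),        # Mach-O named as a PDF
    ("report.pdf.app", b"PK\x03\x04" + b"\x00" * 26),             # zipped bundle, hidden ext
    ("notes.pdf            .command", b"#!/bin/sh\n"),            # padded name
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        result = assess(name, head)
        print(f"{result['verdict']:<10} {result['content']:<7} {name!r}")
        for f in result["findings"]:
            print(f"           - {f}")
```

The check deliberately trusts bytes over names: a Mach-O header under a `.pdf` name is the strongest signal, while a double extension or padded name is flagged even when the content type cannot be identified, since a shell script or unknown blob wearing a document name has no honest reason to exist.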

But this targeting of the Mac OS is rather unusual, Chet Wisniewski, senior security adviser at Sophos, told SCMagazineUS.com on Friday. Up to this point, most Mac malware has tried to push fake anti-virus products on users, but this is one of the first strains to use this type of social engineering.

"The PDF lure is a good trick to get people to install the trojan," he said. "You think you're opening a document, when you're installing malware."

Mikko Hypponen, chief research officer at F-Secure, told SCMagazineUS.com on Monday that attacks on the Mac OS are still a rare occurrence. However, he said it is getting more common, though attacks on OS X are still nowhere near the amount of activity on Windows XP. "In fact, we see more new Android malware than Mac OS X malware," he said.

Once a user is tricked into loading the malware by clicking on the PDF, which contains Chinese language, a trojan dropper installs a backdoor program. From that point, the attacker can gain full control of the user's system.

Usually, backdoors are employed to communicate with a remote command-and-control (C&C) server, which is capable of instructing the payload to siphon off data from the infected computer back to the attackers. However, F-Secure found that the C&C server is a bare Apache installation, not yet capable of communicating with the backdoor.

McAfee, in its own blog post on Sunday, rated the threat as "low risk" because it is not taking advantage of any vulnerability. The PDF file does not actually contain a trojan, and merely acts as a decoy so additional "rogue" services can be installed without the user's knowledge.

The good news, McAfee said, is that a properly configured Mac will mitigate the malicious installer.

No matter the level of risk, the threat to the Mac OS may be an indication of things to come, Wisniewski said.

"This exploit could be a one-off, but our suspicion is that the model has been established, and we will see more criminal gang activity," he said.

Clearly, though, the sky is not falling. Windows remains the preferred target of cybercriminals, who create tens of thousands of new malware threats each day for the platform.