Mac PDF Trojan Horse Surfaces; Threat is Low

Posted on September 23rd, 2011 by

A novel new malware sample affecting Mac OS X has been discovered. It is an application masquerading as a PDF file, which connects to a remote server to download a backdoor. This application displays text, like a PDF, to fool users who open it, and don’t notice what really happens. (The current sample contains Chinese text, but any type of text could be used with this Trojan horse.)

When a user opens the file, the executable goes into action, extracting a different executable, which then downloads a backdoor from a remote server. This first executable only works on Intel-based Macs, and the backdoor does not work on Macs using a case-sensitive file system (which is not the default). The backdoor takes screenshots and sends them to a command and control server, and can perform other actions.

This PDF Trojan horse was not found in the wild, and is most likely simply a proof of concept. Its design is clunky, yet it can work, and does connect to an active server. VirusBarrier X6 users will find that the program’s Anti-Spyware feature would alert them when the first executable attempts to download the backdoor, preventing its installation. Intego VirusBarrier X6 protects against this malware detecting it as OSX/Revir.A, for the Trojan horse part, and OSX/Imuler.A for the backdoor. We consider the threat to be very low, as this is not found in the wild.

Join Our Awesome Email Newsletter

Enter your email address below to start receiving the best Mac Security Updates.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}