A novel new malware sample affecting Mac OS X has been discovered. It is an application masquerading as a PDF file, which connects to a remote server to download a backdoor. This application displays text, like a PDF, to fool users who open it, and don’t notice what really happens. (The current sample contains Chinese text, but any type of text could be used with this Trojan horse.)
When a user opens the file, the executable goes into action, extracting a different executable, which then downloads a backdoor from a remote server. This first executable only works on Intel-based Macs, and the backdoor does not work on Macs using a case-sensitive file system (which is not the default). The backdoor takes screenshots and sends them to a command and control server, and can perform other actions.
This PDF Trojan horse was not found in the wild, and is most likely simply a proof of concept. Its design is clunky, yet it can work, and does connect to an active server. VirusBarrier X6 users will find that the program’s Anti-Spyware feature would alert them when the first executable attempts to download the backdoor, preventing its installation. Intego VirusBarrier X6 protects against this malware detecting it as OSX/Revir.A, for the Trojan horse part, and OSX/Imuler.A for the backdoor. We consider the threat to be very low, as this is not found in the wild.