PDF Trojan Appears on Mac OS X

Discussion in 'malware problems & news' started by SweX, Sep 23, 2011.

  1. SweX (Registered Member)
    More at the ESET Threat Blog
     
  2. SweX (Registered Member)
  3. J_L (Registered Member)
    I welcome these things, cocky Mac users and Apple need to learn their lessons.
     
  4. SweX (Registered Member)
    F-Secure writes about it on their Weblog

    This is interesting and worth pointing out...
     
    Last edited: Sep 24, 2011
  5. aigle (Registered Member)
    So it doesn't ask for a user password for its installation?
     
  6. Rmus (Exploit Analyst)
    I just spoke with a MAC user and he says it does.

    Meaning that to be hit with a remote code execution exploit, the user has to have the prompt disabled.

    From the article,

    Just like in Windows.

    Nothing is new in the cybercrime game!

    regards,

    -rich
     
  7. aigle (Registered Member)
    Thanks. It is strange that no article mentioned the password request.
     
  8. m00nbl00d (Registered Member)
    The way I interpreted it is that the malware will present the user with an actual PDF file, blinding the user to what's really happening.

    If a password was needed, then the surprise effect would no longer work.

    This is from F-Secure:

    Source: http://www.f-secure.com/weblog/archives/00002241.html

    If the user gets a prompt to enter his/her password for a PDF file, wouldn't the user be suspicious about it?

    Source: http://www.h-online.com/security/news/item/Mac-trojan-masquerades-as-a-PDF-1349526.html

    The question is: Does the backdoor download trigger for a password?

    -edit-

    Then again, it wouldn't be the first time that security vendors make it sound like it's all doom. ;)
     
  9. Rmus (Exploit Analyst)
    According to the source you cite,

    So, it appears that the user initiates the action by clicking on a PDF file to open.

    I'm assuming that there is no prompt to open a PDF file, but I will confirm that.

    Then, code in the PDF file downloads the malware automatically.

    Or maybe not:

    According to what I was told, normally there is a trigger for a password to install any executable, but that there is the option to disable this nag.

    I will reconfirm that also.

    Regards,

    -rich
     
    Last edited: Sep 26, 2011
  10. m00nbl00d (Registered Member)
    The user doesn't open a real PDF file. It's a fake PDF file (or, in other words, an executable) that has an embedded PDF file. So, when the user clicks the "PDF" file, the user is actually opening the executable. Only then, once the executable is opened, the user will be presented with an actual PDF file to divert the user's attention to what's really happening.

    So, if running the "PDF" file (the executable) prompts for a password, then what would be the point of this malware?
    Or, is this malware actually exploiting something more and no password will be prompted?
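    The disguise described in the post above (an executable that carries a real PDF inside it and is named so it passes for the document) can be checked mechanically by classifying a file from its leading bytes rather than its name. The script below is an added illustration written for this thread; it is not code posted by anyone here, nor taken from the vendor write-ups or the malware itself. The Mach-O and PDF magic values are the standard ones; the file names and sample bytes are constructed for the demonstration.

```python
"""Flag a 'PDF' whose bytes are really a Mach-O executable, and locate the
decoy document that such an executable carries inside it.

Added illustration for this thread; not code from the malware, the vendors'
write-ups, or any poster. File names and sample bytes are constructed.
"""
import struct
from dataclasses import dataclass

# Standard Mach-O magic values as they appear on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit, big-endian",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit, big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # universal (multi-architecture) binary
PDF_MAGIC = b"%PDF-"


def identify_header(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever the name claims."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    head = data[:4]
    if head == FAT_MAGIC:
        # 0xCAFEBABE is shared with Java class files. A fat Mach-O header
        # follows the magic with a small big-endian architecture count,
        # whereas a class file follows it with minor/major version numbers.
        if len(data) >= 8 and struct.unpack(">I", data[4:8])[0] < 0x20:
            return "macho"
        return "java-class"
    if head in MACHO_MAGICS:
        return "macho"
    return "unknown"


def embedded_pdf_offset(data: bytes) -> int:
    """Offset of a PDF header found after the file's own header, or -1.

    A dropper that opens a decoy document for the user typically carries
    that document as a blob inside the executable; this locates the blob."""
    return data.find(PDF_MAGIC, 4)


@dataclass
class Verdict:
    name: str
    content_type: str
    name_claims_pdf: bool
    decoy_pdf_offset: int

    @property
    def suspicious(self) -> bool:
        # The red flag is the mismatch: named like a document, built like a program.
        return self.name_claims_pdf and self.content_type != "pdf"


def assess(name: str, data: bytes) -> Verdict:
    lower = name.lower()
    # ".pdf" at the end, or a double extension such as report.pdf.app
    claims_pdf = lower.endswith(".pdf") or ".pdf." in lower
    content = identify_header(data)
    decoy = embedded_pdf_offset(data) if content == "macho" else -1
    return Verdict(name, content, claims_pdf, decoy)


def build_samples() -> dict:
    """Constructed inputs for the demonstration (not real malware bytes)."""
    real_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    # A 64-bit little-endian Mach-O magic, filler standing in for the load
    # commands and code, then the decoy document appended to the executable.
    fake_pdf = b"\xcf\xfa\xed\xfe" + b"\x00" * 60 + real_pdf
    return {"quarterly_report.pdf": fake_pdf, "quarterly_report_real.pdf": real_pdf}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        v = assess(fname, blob)
        print(f"{fname}: content={v.content_type} suspicious={v.suspicious} "
              f"decoy_pdf_offset={v.decoy_pdf_offset}")
```

    This is the same principle the Unix `file` utility applies (trust the header, not the extension). It only catches the disguise; whether the executable then gets to install anything is the separate question about the password prompt that the rest of the thread argues over.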
     
  11. Rmus (Exploit Analyst)
    I understand that, but the point is that the exploit is initiated by convincing the user to open a PDF. In other words, the first step is a social engineering ploy.

    From the Sophos write-up:

    Mac OS X Trojan hides behind malicious PDF disguise
    http://nakedsecurity.sophos.com/2011/09/23/mac-os-x-trojan-hides-behind-malicious-pdf-disguise/
    I've just confirmed that the password prompt is enabled by default on MAC. My friend says that no new executable can run w/o getting the password prompt.

    So, doesn't it seem that the exploit targets users who will have the password prompt disabled?


    • On Windows, it would target those running in a non-limited user account.

    • At that point, in both MAC and Windows, the exploit succeeds, barring other protection in place.

    Same exploit. Same target base of lazy users (can't be bothered with a password), just different operating systems, it seems to me.

    By the way: all of the articles on this trojan just parrot the Sophos advisory, so offer nothing in addition to their findings.

    It's curious that none have thought to mention anything about a password. I've polled two MAC users now (password prompt is enabled), so with them, this exploit goes nowhere (assuming they are tricked into opening the PDF in the first place).

    Further questioning revealed that these two do not open unsolicited files either received by email, or from the web.


    regards,

    -rich
     
    Last edited: Sep 26, 2011
  12. Hungry Man (Registered Member)
    Of course the password is necessary... if there were an exploit that allowed elevation without prompt that would be the title of the article. That would be huge. Elevation exploits are a big deal.

    It really doesn't matter whether or not you need the password since everyone's going to put it in anyway.
     
  13. m00nbl00d (Registered Member)
    And those who, despite having a password to protect their system from physical users, still fall for social engineering attacks. :D
     
  14. Rmus (Exploit Analyst)
    Everyone?

    That is the silliest, most uninformed statement I've seen in recent times.

    regards,

    -rich
     
  15. Hungry Man (Registered Member)
    Yeah I bet I meant it literally too!

    The fact is that... what... 20% of mac users feel threatened by mac malware at ALL? (Maybe 40, I forget that statistic.) And that if someone clicks a link thinking "Oh I'm opening a PDF to show me blah blah blah" and their password comes up they probably won't even question it.

    And really, that goes for Windows users too. UAC prompt? Well gosh when I installed Firefox I needed one of those! And that's a legit program! *Clicks yes, gets infected*

    Socially engineered malware has led to nearly 1 million infected Android users. You really think it's a minority of people who fall for it?
     
  16. Rmus (Exploit Analyst)
    Not everyone, of course. But such exploits against MAC users are not new. From almost 4 years ago, my favorite one:

    DNS changer Trojan for Mac (!) in the wild
    Published: 2007-11-01
    http://isc.sans.org/diary.html?storyid=3595

    regards,

    -rich
     
    Last edited: Sep 26, 2011
  17. Rmus (Exploit Analyst)
    The fact is that many people come to these forums looking for information, maybe not as experienced as you. To make such a statement, even in jest, doesn't add anything to the discussion.

    What good does it do to dwell on statistics? That's just fodder for sensational and useless journalism.

    Those who really care will work and help people to become more informed.

    And how many more have not been infected because they have sound security policies in place? I spoke yesterday with an Android user about this, and was happy to learn that he is aware of such scams.

    More helpful, it seems to me, is to focus on getting the word out to those within our sphere of influence who will listen, rather than dwelling on the misfortunes of others.

    Regards,

    -rich
     
  18. SweX (Registered Member)
    At first I also thought that the password wasn't needed after reading the blog posts. But clearly that's not the case.
     
  19. Rmus (Exploit Analyst)
    Most of the blogs just echoed the Sophos advisory, which was short on some "minor" details, such as this from cnet.com:

    http://news.cnet.com/8301-1009_3-20...se-sends-screenshots-files-to-remote-servers/
    Of course, Sophos wants you to purchase their product:

    http://nakedsecurity.sophos.com/2011/09/23/mac-os-x-trojan-hides-behind-malicious-pdf-disguise/
    Nothing wrong with their product, I'm sure, but not to mention built-in protective measures in the OS in an analysis of an exploit is a bit questionable.

    regards,

    -rich
     
  20. Hungry Man (Registered Member)
    The only point I was making is that it really doesn't matter whether there's a password prompt or not. Either way a user's almost always going to either trust a file or not trust a file. I would bet that very little of the time someone says "Oh it needs a password I won't do this."

    Same thing with UAC.
     
  21. Rmus (Exploit Analyst)
    Understood! We'll leave it at that.

    Regards,

    -rich
     