
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,289
30,364



Late last week, CNET reported on a new trojan horse threat targeting Mac users. While the threat was initially discovered back in late July and had yet to become fully functional, only recently was the malware highlighted by antivirus companies targeting such threats.

[Image: Blurred screenshot of PDF file deployed by OSX/Revir.A (Source: F-Secure)]
The new threat consists of two parts, with the first being a trojan downloader known as "OSX/Revir.A" that serves to distract users by downloading and continually opening a PDF document containing "offensive political statements" written in Chinese. But the actual damage from OSX/Revir.A comes as it installs a backdoor known as OSX/Imuler.A to potentially allow malicious parties to access the user's machine.
When the backdoor is installed, it will set up a launch agent on the system that is used to continually keep the malware active on the system. It will then connect to a remote server and send the system's current username and MAC address to the server, after which the server will instruct it to either archive files and upload them, or take screenshots and upload them to the server.
The report noted that the malware did not appear to function properly due to a lack of instructions being delivered from a remote server, but malicious activity could still be possible.

[Image: OS X malware definition entry for OSX/Revir.A]
Apple has moved quickly to counter the threat, updating its malware definitions for Snow Leopard and Lion systems to allow them to recognize the trojan. Apple updated its tools earlier this year in response to the MacDefender threat, and Snow Leopard and Lion systems now automatically check for new malware definitions on a daily basis.

Apple's battles with malware authors continue, however, as CNET discloses that another trojan horse, known as OSX/flashback.A, has been discovered. Like a similar threat that surfaced early last month, the new trojan masquerades as a Flash Player installer to trick users into installing the package.
Unlike the previous Flash Trojan (called Bash/QHost.WB), which changed one file on the system, this new Trojan is a bit more complex and first deactivates network security features, then installs a dyld library that will run and inject code into applications that the user is running. The Trojan will also try to send personal information and machine-specific information to remote servers.
Users requiring Adobe's Flash Player software are of course advised to download it directly from Adobe's site rather than attempting to install it from sites which may be trying to trick users into installing malware. If past history is any indication, Apple should quickly update its malware definitions to help recognize the new threat, alerting users to the known malicious nature of the package should they attempt to download and install it.

Article Link: Apple Updates Anti-Malware Tools to Address New Trojan Threat
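As an added illustration (not part of the article or of any post in this thread), here is a small defender-side triage script for the kind of launch-agent persistence the article describes: it reads a LaunchAgent plist, extracts the program it runs, and flags entries that run from outside the usual install locations or are configured to be relaunched whenever they exit. The trusted roots, the home path and the sample plist are constructed assumptions for the example, not details of OSX/Imuler.A.

```python
import plistlib
from pathlib import Path

# Roots a legitimately installed agent would normally run from.
# Assumption for this example: anything else deserves a second look.
TRUSTED_ROOTS = ("/System/", "/Library/", "/Applications/", "/usr/")

def agent_program(plist):
    """Return the executable a launchd plist will run, or None."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def agent_flags(plist_bytes, home="/Users/alice"):
    """Triage heuristics for one LaunchAgent plist (as bytes).
    Returns a list of findings; an empty list means nothing stood out."""
    plist = plistlib.loads(plist_bytes)
    program = agent_program(plist)
    if program is None:
        return ["no Program or ProgramArguments"]
    findings = []
    expanded = home + program[1:] if program.startswith("~") else program
    if not expanded.startswith(TRUSTED_ROOTS):
        findings.append("runs from outside trusted roots: " + program)
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        # Started at login and restarted whenever it exits: the
        # "continually keep it active" pattern described in the article.
        findings.append("RunAtLoad + KeepAlive keeps the process resident")
    return findings

def scan_launch_agents(directory):
    """Run agent_flags over every .plist in a LaunchAgents directory."""
    report = {}
    for path in sorted(Path(directory).glob("*.plist")):
        report[path.name] = agent_flags(path.read_bytes(), str(Path.home()))
    return report

# Constructed sample plist modelled on that persistence pattern.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.cache/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for finding in agent_flags(SAMPLE_PLIST):
        print("  -", finding)
```

To review a real machine, call `scan_launch_agents("~/Library/LaunchAgents")` after expanding the path; every finding is a prompt to look, not a verdict.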
 

Mal

macrumors 603
Jan 6, 2002
6,252
18
Orlando
I'm wondering if I came across that second one yesterday. I pulled up a video and got a pop-up that looked very authentic asking me to update my Flash Player. I closed it without clicking anywhere within it, and nothing downloaded, but I may have dodged a bullet by not installing it. I consider myself a very educated Mac user, but even I might have been convinced if that was it, had I not been in a hurry and not willing to wait for it to install.

Where is the update? I don't even see it.

You won't. It downloads in the background, as long as you're running the latest OS update. GGJStudios should be in here soon enough with instructions on how to find the file and check if it's updated.

jW
 

starvingartist8

macrumors regular
Sep 5, 2011
133
0
Note that Flash is somehow involved. LOL

I was just thinking that. Funny how all the malware is always disguised under Flash. Here I thought Flash couldn't get any worse :p

Strange to cloak it under flash because a lot of people choose not to have flash so they wouldn't jump at this malware smart or not so smart.

EDIT: Good to see Apple jumping on the issue almost instantly as usual. No safer OS
Also seems that the devils didn't finish writing it before Apple killed it lol
 

Yamcha

macrumors 68000
Mar 6, 2008
1,825
158
Looks like Mac OS is finally getting more and more trojans. I understand it's still nothing compared to Windows, but the more relevant Mac OS becomes, I think we can expect a lot more serious ones soon.

It will be interesting to see how Apple deals with this. The problem with trojans, viruses, spyware etc. is that new ones come out frequently and even software that removes them can't always keep up, so you're always under some risk.
 

bbdd005

macrumors newbie
Sep 26, 2011
3
0
How do we know if we may have this?? Had the Flash thing pop up a few days ago... hoping it was a legit Flash update.
 

Nermal

Moderator
Staff member
Dec 7, 2002
20,595
3,935
New Zealand
Update installs in the background. Check your "Security and Privacy" tab and make sure "automatically update safe downloads list" is checked.

Which app is this Security and Privacy tab in?

Edit: It's System Preferences > Security > General. I looked there, but for some reason I didn't see the box while skim-reading for it! :eek:
 

CorbinDallas

macrumors member
Sep 7, 2011
45
0
PA
I'm wondering if I came across that second one yesterday. I pulled up a video and got a pop-up that looked very authentic asking me to update my Flash Player. I closed it without clicking anywhere within it, and nothing downloaded, but I may have dodged a bullet by not installing it. I consider myself a very educated Mac user, but even I might have been convinced if that was it, had I not been in a hurry and not willing to wait for it to install.



You won't. It downloads in the background, as long as you're running the latest OS update. GGJStudios should be in here soon enough with instructions on how to find the file and check if it's updated.

jW

This happened to me yesterday as well, and I actually did download and install it. It looked 100% authentic... it even prompted me to close Spotify and Chrome before installing. Is there any way to tell?
 

Amazing Iceman

macrumors 603
Nov 8, 2008
5,242
3,987
Florida, U.S.A.
Don't these threats still require the user to enter the admin password to be able to install? Unless these new Trojans are bypassing that layer of security.
Of course it's easier to deceive a user than directly breach security.
 

vartanarsen

macrumors 6502a
Jul 2, 2010
712
307
Dang it....that Apple specialist in the store told me mac is virus free when I was purchasing my MBP....wth....
 

polaris20

macrumors 68020
Jul 13, 2008
2,491
753
You won't. It downloads in the background, as long as you're running the latest OS update. GGJStudios should be in here soon enough with instructions on how to find the file and check if it's updated.

jW

Here's how you can check via Terminal, and then update it if it's old:

Check to see how old the definitions are:


Code:
defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta LastModification

Update Manually


Code:
sudo /usr/libexec/XProtectUpdater

Hope this helps. Note that this works in both SL and Lion.
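An added Python version of the same check (example code, not from the post above): it computes the age of the XProtect definitions from the LastModification value and reports whether they are older than a threshold, so a script can decide when to run the manual updater. It assumes the Snow Leopard / Lion file path and an RFC 2822 date string in that key; the sample values are constructed.

```python
import email.utils
import plistlib
from datetime import datetime, timezone

# Same file the `defaults read` command above inspects (Snow Leopard / Lion).
XPROTECT_META = ("/System/Library/CoreServices/CoreTypes.bundle/"
                 "Contents/Resources/XProtect.meta.plist")

def _as_utc(rfc2822_date):
    """Parse a date like 'Tue, 27 Sep 2011 00:48:04 GMT' (assumed format)."""
    when = email.utils.parsedate_to_datetime(rfc2822_date)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)

def definition_age_days(last_modification, now=None):
    """Days elapsed since the definitions were last modified.
    `now` may be another RFC 2822 string (useful offline) or None."""
    current = _as_utc(now) if now else datetime.now(timezone.utc)
    return (current - _as_utc(last_modification)).total_seconds() / 86400.0

def check_definitions(last_modification, max_age_days=7, now=None):
    """Return (age_days, stale); stale means older than max_age_days."""
    age = definition_age_days(last_modification, now)
    return age, age > max_age_days

def read_live_last_modification(path=XPROTECT_META):
    """Read LastModification straight from the plist on a Mac."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)["LastModification"]

# Constructed sample values so the script also runs off a Mac.
SAMPLE_LAST_MOD = "Tue, 27 Sep 2011 00:48:04 GMT"
SAMPLE_NOW = "Wed, 05 Oct 2011 00:48:04 GMT"

if __name__ == "__main__":
    try:
        last = read_live_last_modification()
        age, stale = check_definitions(last)
    except OSError:
        last = SAMPLE_LAST_MOD
        age, stale = check_definitions(last, now=SAMPLE_NOW)
    verdict = "run sudo /usr/libexec/XProtectUpdater" if stale else "up to date"
    print(f"LastModification: {last}  age: {age:.1f} days  {verdict}")
```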
 

born4sky

macrumors 6502a
Mar 14, 2008
527
43
So now everybody has jumped on hacking the Mac... a couple more years and Windows will be virus-free )))
 

42streetsdown

macrumors 6502a
Feb 12, 2011
655
3
Gallifrey, 5124
I'm wondering if I came across that second one yesterday. I pulled up a video and got a pop-up that looked very authentic asking me to update my Flash Player. I closed it without clicking anywhere within it, and nothing downloaded, but I may have dodged a bullet by not installing it. I consider myself a very educated Mac user, but even I might have been convinced if that was it, had I not been in a hurry and not willing to wait for it to install.



You won't. It downloads in the background, as long as you're running the latest OS update. GGJStudios should be in here soon enough with instructions on how to find the file and check if it's updated.

jW

The Flash updater is in /Applications/Utilities, so you should be able to right-click the updater that pops up in the Dock and click "Show in Finder". If it's in the right place you should be fine. If it's running from the Downloads folder or something, you might be more concerned.


I'm confused, when did Malware become classified as a Virus?

Viruses are malware. Not all malware is a virus. Squares and rectangles.

Another one bites the dust.

wait... there was another one? Seems to be true that macs are getting targeted more.

It seems that way. None have been too scary so far though.

Don't these threats still require the user to enter the admin password to be able to install? Unless these new Trojans are bypassing that layer of security.
Of course it's easier to deceive a user than directly breach security.

It's possible that they don't. As long as a program only edits user-level files, it can bypass quite a few password prompts. Any real damage to the system, though, would require root access.
 