Mac Trojan Poses as PDF to open botnet backdoor

Discussion in 'macOS' started by MacFever, Sep 25, 2011.

Thread Status:
Not open for further replies.
  1. alexbates macrumors 65816

    alexbates

    Joined:
    Nov 24, 2008
    Location:
    Georgia, USA
    #2
    Good find. I tipped the MR blog, gave you credit.

    There are trojans out there, but OS X and Linux are still much more secure than Windows. Windows should require an admin password to modify anything in the filesystem.
     
  2. MacFever thread starter macrumors regular

    MacFever

    Joined:
    Feb 1, 2007
    #3
    Cheers.

    Yep. Also, one could say this is Adobe's bug, but since PDF reading is built straight into the OS X "Preview" app, it's now also an Apple security issue.

    Most browsers will open a PDF automatically too, but the installation part of the trojan will probably still prompt for user credentials to get further.
     
  3. interrobang macrumors 6502

    Joined:
    May 25, 2011
    #4
    It's not a problem with Preview. It's not a PDF at all; it's just a trojan (an .app, probably) that disguises itself as a PDF.

    And it's already been added to the OS X Quarantine filter, so OS X will prompt you to delete it if you download it.
     
  4. r0k macrumors 68040

    r0k

    Joined:
    Mar 3, 2008
    Location:
    Detroit
    #5
    Shame on Adobe for allowing executable content in a PDF file. It's supposed to be a document format. Shame on Apple if Preview would have allowed infected PDF files to install malware. I don't use Adobe Reader. I have it installed but only use it when a Windows user sends me a PDF with some fonts or equations missing in Preview.

    I'm curious to know how Preview would have dealt with this particular threat. Would it have ignored the executable content or were we in danger of having this thing spread before Apple put it in their quarantine list?
     
  5. Hansr macrumors 6502a

    Joined:
    Apr 1, 2007
    #6
    This is a .app bundle with a PDF icon and .pdf.app extension. It has nothing to do with the PDF file format.
     
  6. mrgraff macrumors 6502a

    mrgraff

    Joined:
    Apr 18, 2010
    Location:
    Albuquerque
    #7
    Thank you... can someone make this the thread title?
     
  7. cmChimera macrumors 68040

    cmChimera

    Joined:
    Feb 12, 2010
    #8
    How can you check this?
     
  8. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #9
    That applies if you have Snow Leopard or Lion:

    /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
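
    The XProtect list above covers samples Apple has already signed; the disguise itself (Hansr's `.pdf.app` bundle with a PDF icon) can also be spotted by name. As an added example that is not code from anyone in this thread, the script below lists .app bundles in a folder whose name borrows a document extension; the "Downloads" tree it builds is a constructed sample, and the extension list is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: list .app bundles whose name
# borrows a document extension (e.g. "Invoice.pdf.app"), the disguise the
# posts above describe. Bundle and file names below are constructed samples.

# Document extensions a bundle name might borrow to look like a file (assumed list).
DOC_EXTS="pdf doc docx xls xlsx ppt pptx jpg jpeg png txt rtf zip"

# find_masquerading_apps DIR
# Prints "<bundle path><TAB><borrowed extension>" for each suspicious bundle.
find_masquerading_apps() {
    dir="$1"
    # .app bundles are directories; a shallow depth keeps a Downloads scan fast.
    find "$dir" -maxdepth 3 -type d -name '*.app' |
    while IFS= read -r bundle; do
        base=$(basename "$bundle")      # Invoice.pdf.app
        inner="${base%.app}"            # Invoice.pdf
        ext="${inner##*.}"              # pdf
        # No second extension at all: an ordinary app, skip it.
        [ "$inner" = "$ext" ] && continue
        ext=$(printf '%s' "$ext" | tr '[:upper:]' '[:lower:]')
        for doc in $DOC_EXTS; do
            if [ "$ext" = "$doc" ]; then
                printf '%s\t%s\n' "$bundle" "$ext"
                break
            fi
        done
    done
}

# Build a throwaway sample "Downloads" tree so the check can run anywhere.
make_sample_downloads() {
    root=$(mktemp -d)
    mkdir -p "$root/Invoice.pdf.app/Contents/MacOS"   # disguised bundle
    mkdir -p "$root/notes.TXT.app/Contents/MacOS"     # disguise, odd case
    mkdir -p "$root/Real App.app/Contents/MacOS"      # ordinary bundle
    printf '%%PDF-1.4\n' > "$root/report.pdf"         # ordinary document
    printf '%s' "$root"
}

sample=$(make_sample_downloads)
find_masquerading_apps "$sample"
rm -rf "$sample"
```

    Point it at `~/Downloads` to check a real folder; a hit is only a name-based warning, so inspect the bundle before deciding what to do with it.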
     
  9. Simplicated macrumors 65816

    Simplicated

    Joined:
    Sep 20, 2008
    Location:
    Waterloo, Ontario, Canada
    #10
    Wow, just wow. This is one of the most pathetic replies I've seen in a while. How come MacRumors has become a place for endless Adobe rants?

    I mean, I love Apple and hate Flash too, but come on, it's not the right time to blame everything on Adobe.
     
  10. Peace macrumors Core

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #11
    "When we tested the malware inside our labs, we couldn't manage to get it to execute as the author probably intended," Cluley admits, "however, strings embedded deep inside its code make it clear that it was written with malicious intent."

    "The message is clear: Apple's success in recent years is coming at a cost, as attackers start to see the company's growing market share as a valuable target for their attentions.

    Despite this, it will be quite some time before Mac OS X reaches the heady heights of malware distribution from which its Microsoft-made rival platform suffers"
     
  11. andymac2210 macrumors regular

    Joined:
    Jul 18, 2011
    #12
    From the articles I've read it says it executes without any prompt for admin password.
     
  12. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #13
    It doesn't do anything at all if you're on Snow Leopard or Lion, and not much at all on other versions.
     
  13. 50548 Guest

    Joined:
    Apr 17, 2005
    Location:
    Currently in Switzerland
    #14
    This is absolutely NOTHING new, as even back in 2003 I was affected by a similar disguised file sent by disgruntled script kiddies from another Mac forum...

    AGAIN: This is simply an app masked as a PDF file, and not at all a self-replicating virus or anything of the like. As long as you don't have Safari set to open files automatically or, obviously, you DON'T double-click on suspect files, you're fine.
     