Mac Trojan Poses as PDF to open botnet backdoor

Discussion in 'macOS' started by MacFever, Sep 25, 2011.

Thread Status:
Not open for further replies.
  1. alexbates macrumors 65816


    Nov 24, 2008
    Georgia, USA
    Good find. I tipped the MR blog, gave you credit.

    There are trojans out there, but OS X and Linux are still much more secure than Windows. Windows should require an admin password to modify anything in the filesystem.
  2. MacFever thread starter macrumors regular


    Feb 1, 2007

    Yep... also one could say this is Adobe's bug, but since PDF reading is built straight into OS X's "Preview", it's now also Apple's security issue.

    Most browsers will open a PDF automatically too... but the installation part of the trojan will probably still prompt for user credentials to get further.
  3. interrobang macrumors 6502

    May 25, 2011
    It's not a problem with Preview. It's not a PDF at all; it's just a trojan (an .app, probably) that disguises itself as a PDF.

    And it's already been added to the OS X Quarantine filter, so OS X will prompt you to delete it if you download it.
  4. r0k macrumors 68040


    Mar 3, 2008
    Shame on Adobe for allowing executable content in a pdf file. It's supposed to be a document format. Shame on Apple if Preview would have allowed infected PDF files to install malware. I don't use Adobe Reader. I have it installed but only use it when a Windows user sends me a pdf with some fonts or equations missing in Preview.

    I'm curious to know how Preview would have dealt with this particular threat. Would it have ignored the executable content or were we in danger of having this thing spread before Apple put it in their quarantine list?
  5. Hansr macrumors 6502a

    Apr 1, 2007
    This is a .app bundle with a PDF icon and extension. It has nothing to do with the PDF file format.
  6. mrgraff macrumors 6502a


    Apr 18, 2010
    Thank you... can someone make this the thread title?
  7. cmChimera macrumors 68040


    Feb 12, 2010
    How can you check this?
  8. GGJstudios macrumors Westmere


    May 16, 2008
    That applies if you have Snow Leopard or Lion:

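    An added example, not code from any poster in this thread, of the check cmChimera asks about: a POSIX shell script that separates a genuine PDF (a regular file whose first bytes are "%PDF-") from the kind of thing Hansr describes, an application bundle wearing a .pdf name and icon. The function names, the folder being scanned and the sample files are assumptions for illustration; the quarantine check only works on macOS.

```shell
# Added example, not from any poster. Function names and paths are assumptions.
# Print one of: pdf, app-bundle, directory, other, missing.
classify_pdf_candidate() {
    target=$1
    if [ ! -e "$target" ]; then
        echo missing
        return 1
    fi
    # A .app is a directory holding Contents/Info.plist; no document format
    # is ever a directory, so this alone settles the question.
    if [ -d "$target" ]; then
        if [ -f "$target/Contents/Info.plist" ]; then
            echo app-bundle
        else
            echo directory
        fi
        return 0
    fi
    # Regular file: trust the magic bytes, never the extension or the icon.
    magic=$(head -c 5 "$target" 2>/dev/null)
    if [ "$magic" = "%PDF-" ]; then
        echo pdf
    else
        echo other
    fi
}

# List every entry in a folder whose name suggests a PDF (report.pdf,
# report.pdf.app, ...) but which is not actually a PDF.
flag_fake_pdfs() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            *.pdf|*.PDF|*.pdf.*|*.PDF.*) ;;
            *) continue ;;
        esac
        kind=$(classify_pdf_candidate "$f")
        [ "$kind" = pdf ] || echo "SUSPECT ($kind): $f"
    done
}

# macOS only: exit 0 if the file carries the quarantine attribute that makes
# the system warn before first open, 1 if not, 2 where xattr is unavailable.
has_quarantine_flag() {
    command -v xattr >/dev/null 2>&1 || return 2
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}
```

    Run `flag_fake_pdfs ~/Downloads` to see anything in the folder that claims to be a PDF but is not one.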
  9. Simplicated macrumors 65816


    Sep 20, 2008
    Waterloo, Ontario, Canada
    Wow, just wow. This is one of the most pathetic replies I've seen in a while. How come MacRumors has become a place for endless Adobe rants?

    I mean, I love Apple and hate Flash too, but come on, it's not the right time to blame everything on Adobe.
  10. Peace macrumors Core


    Apr 1, 2005
    Space--The ONLY Frontier
    "When we tested the malware inside our labs, we couldn't manage to get it to execute as the author probably intended," Cluley admits, "however, strings embedded deep inside its code make it clear that it was written with malicious intent."

    The message is clear: Apple's success in recent years is coming at a cost, as attackers start to see the company's growing market share as a valuable target for their attentions.

    Despite this, it will be quite some time before Mac OS X reaches the heady heights of malware distribution from which its Microsoft-made rival platform suffers"
  11. andymac2210 macrumors regular

    Jul 18, 2011
    From the articles I've read, it says it executes without any prompt for an admin password.
  12. GGJstudios macrumors Westmere


    May 16, 2008
    It doesn't do anything at all if you're on Snow Leopard or Lion, and not much at all on other versions.
  13. 50548 Guest

    Apr 17, 2005
    Currently in Switzerland
    This is absolutely NOTHING new, as even back in 2003 I was affected by a similar disguised file sent by disgruntled script kiddies from another Mac forum...

    AGAIN: This is simply an app masked as a PDF file, and not at all a self-replicating virus or anything of the like. As long as you don't have Safari set to open files automatically or, obviously, you DON'T double-click on suspect files, you're fine.