Re: Inside a Modern Mac Trojan
'If you didn't go looking for it, don't install it!'
THE INTERWEBS (Rixstep) — Brian Krebs is reporting on yet another social engineering trick to compromise OS X machines. The antivirus cottage industry players are out en masse again. Brian says you still don't need their products.
Trojan Droppers & Backdoors
As always the AV people came up with some fancy names for their discovery. F-Secure call the initial payload Trojan-Dropper:OSX/Revir.A, the trojan itself Backdoor:OSX/Imuler.A, and they're still working on a name for the third part.
For there are three parts to this monster, folks.
- The download - an executable disguised as a PDF file. The user unwittingly (and recklessly) double-clicks it and the file - actually an executable - gives birth to a real PDF file embedded within. This PDF file is placed in /tmp and opened. No suspicions raised as the user expects to see a PDF file.
This is possible on OS X because the system still allows arbitrary assignment of icons to files. The technique was used years ago by Oompa Loompa.
- Mamma Trojan-Dropper was actually carrying twins. The second one's the aforementioned Backdoor:OSX/Imuler.A (great name) and it immediately downloads yet another file as /tmp/updtdata.
- Backdoor:OSX/Imuler.A now runs /tmp/updtdata which in turn opens a backdoor onto the local machine.
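The dropper above works because the icon and the `.pdf` name are trusted instead of the bytes. As an added example (not code from Rixstep, Krebs or F-Secure), the check below ignores name and icon and looks at the file itself: a Mach-O magic number at offset 0 marks an executable, and a `%PDF-` marker after that header is the embedded decoy document the text describes. All sample inputs are constructed here, not taken from the real malware.

```python
import struct
from typing import Iterable, List, Tuple

# Four-byte magic numbers a Mach-O file can begin with: thin 32/64-bit
# images in either byte order, plus the fat (universal) wrapper.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
DOCUMENT_SUFFIXES = (".pdf", ".jpg", ".png", ".txt", ".doc")

def classify(data: bytes) -> str:
    """Say what the bytes are, ignoring file name and icon entirely."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    magic = data[:4]
    if magic not in MACHO_MAGICS:
        return "other"
    if magic in (b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"):
        # Java class files share FAT_MAGIC. A real fat header follows it
        # with a small architecture count; a class file with a version.
        order = ">I" if magic == b"\xca\xfe\xba\xbe" else "<I"
        (nfat,) = struct.unpack(order, data[4:8].ljust(4, b"\0"))
        if nfat == 0 or nfat > 16:
            return "other"
    # A dropper of the kind described carries its decoy PDF inside the
    # executable; a "%PDF-" marker after the header gives it away.
    return "macho+embedded-pdf" if b"%PDF-" in data[4:] else "macho"

def is_disguised_executable(name: str, data: bytes) -> bool:
    """True when the name promises a document but the bytes are Mach-O."""
    looks_like_doc = name.lower().endswith(DOCUMENT_SUFFIXES)
    return looks_like_doc and classify(data).startswith("macho")

def scan(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return the names that should not be double-clicked."""
    return [name for name, data in files if is_disguised_executable(name, data)]

# Constructed samples (not real malware): a 64-bit x86-64 Mach-O header,
# padding, then an embedded decoy PDF; and a genuine PDF for comparison.
FAKE_PDF_DROPPER = (
    b"\xcf\xfa\xed\xfe"  # MH_CIGAM_64 as stored on little-endian x86-64
    + struct.pack("<IIIIII", 0x01000007, 3, 2, 0, 0, 0)  # cputype..flags
    + b"\0" * 64
    + b"%PDF-1.4\n%decoy document\n"
)
REAL_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SAMPLES = [("invoice.pdf", FAKE_PDF_DROPPER), ("notes.pdf", REAL_PDF),
           ("readme.txt", b"plain text")]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name}: {classify(data)}")
    print("flagged:", scan(SAMPLES))
```

The custom icon itself lives in Finder metadata, not in the file's content, so a byte-level check like this is unaffected by it.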
Much ado about nothing? Not quite. The idea a rogue process can open a backdoor without user authorisation is a bit of a stretch - unless of course the black hats have finally been able to exploit the (unofficial) Apple hack written about so many times at this site.
As for the rest: yes it's much ado about nothing.
As for running files one's not familiar with, there's always Tracker (and not much else unfortunately - and no, AppZapper isn't going to fix you).
Brian winds up by pointing out yet again:
- 'If you didn't go looking for it, don't install it!' The Apple mantra goes a bit further and says you should never run untrusted or unknown software. That's even better advice.
- No you do not need 'antivirus' on your Mac.
I still don't believe it's necessary for Mac users to install antivirus software.
- Brian Krebs
ACP: Tracker: Why Chance It?
Krebs on Security: Inside a Modern Mac Trojan