More broken Mac malware
Published September 26th, 2011 at 10:00 AM EDT , modified September 26th, 2011 at 10:06 AM EDT
There hasn’t been much to say about Mac malware lately. Since the folks behind the MacDefender trojans got caught and put into Russian prison, things have been quiet. The last two things I’ve written about since then were a trojan that was Windows-only and a broken Mac trojan. This weekend, however, changes that streak. On Friday, F-Secure discovered a new Mac trojan masquerading as a PDF file.
This new trojan has been named Trojan-Dropper:OSX/Revir.A by F-Secure, and it is not actually a PDF file. The trojan is an application that somehow pretends to be a PDF file. Because of how this trojan was found – it has not actually been observed “in the wild,” being discovered only after it was submitted to VirusTotal – it is unclear how it poses as a PDF file. It could be given a filename ending in “.pdf.app” and given a custom icon identical to a PDF icon. This might seem like it wouldn’t fool anyone, but keep in mind that in a file named, for example, “benign.pdf.app”, the filename is “benign.pdf” and the extension is “.app”. Since extensions can be hidden, a visible filename “benign.pdf” coupled with a PDF file icon would make that file appear to be a PDF file.
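The double-extension trick described above is easy to check for mechanically. The script below is an added example, not code from the post or from F-Secure: it splits a filename the way the Finder does (the real extension is whatever follows the last dot) and flags items whose real extension is executable while the name a user would see with extensions hidden ends in a document extension. The extension sets and the sample file list are constructed for the example.

```python
import os
from typing import Iterable, List, Tuple

# Extensions that make an item runnable on Mac OS X, and the document
# extensions a disguised item would borrow. Both sets are assumptions
# for this example, not a list from the post.
EXECUTABLE_EXTS = {".app", ".pkg", ".command", ".workflow"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png", ".txt", ".rtf"}


def split_real_extension(filename: str) -> Tuple[str, str]:
    """Split like the Finder: the real extension is the text after the LAST
    dot; everything before it is the name shown when extensions are hidden."""
    visible_name, ext = os.path.splitext(filename)
    return visible_name, ext.lower()


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the visible name
    (with extensions hidden) ends in a document extension, e.g. benign.pdf.app."""
    visible_name, real_ext = split_real_extension(filename)
    if real_ext not in EXECUTABLE_EXTS:
        return False
    _, inner_ext = split_real_extension(visible_name)
    return inner_ext in DOCUMENT_EXTS


def flag_disguised(filenames: Iterable[str]) -> List[str]:
    """Return the subset of names that use the document-extension disguise."""
    return [name for name in filenames if is_disguised_executable(name)]


def scan_directory(root: str) -> List[str]:
    """Walk a folder such as ~/Downloads and return paths of disguised items.
    .app bundles are directories, so they show up in dirnames, not filenames."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_disguised_executable(name):
                hits.append(os.path.join(dirpath, name))
        # Do not descend into flagged bundles; their contents are not what the user sees.
        dirnames[:] = [d for d in dirnames if not is_disguised_executable(d)]
    return hits


# Constructed sample listing: only three of these are disguised executables.
SAMPLE_DOWNLOADS = [
    "benign.pdf.app",      # application with a PDF-looking name
    "report.pdf",          # a real document
    "Preview.app",         # a normal application
    "photo.jpg.app",
    "installer.pkg",       # executable, but not pretending to be a document
    "notes.txt.command",
]

if __name__ == "__main__":
    for name in flag_disguised(SAMPLE_DOWNLOADS):
        shown, real = split_real_extension(name)
        print(f"{name}: Finder would show '{shown}', real extension is '{real}'")
```

Run it as `python3 disguise_check.py` to see the constructed list evaluated, or call `scan_directory(os.path.expanduser("~/Downloads"))` to check a real folder. The check is purely name-based, so it complements rather than replaces turning on "Show all filename extensions".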
When opened, this trojan opens a PDF file, which helps to complete the illusion that the user has opened a PDF file. In this case, the PDF is a Chinese document, though that would not have to remain the case in the future. In addition to opening a PDF file, the trojan also installs a backdoor app, named Backdoor:OSX/Imuler.A by F-Secure. This backdoor process remains running in the background, and contacts a remote server for instructions. It can be used to send files and screenshots from the infected machine back to the server.
This obviously could be a serious threat, except that it has been flubbed. The server is currently not functional, for the purpose of the malware, so the trojan does not currently do anything. This could change at any time, though that server will be blacklisted as a malware site by a number of ISPs before that happens, reducing its effectiveness. MacDefender caught the security companies completely by surprise and had stolen countless credit card numbers before any response was possible. In contrast, if Revir/Imuler is still a work in progress, and not just an experiment, it has caught the attention of the security community before it is ready for that spotlight.
Still, even if the current version of this malware is ineffective, it could still change into something more dangerous. In addition, other malware could use similar tricks. It is important that users take this as a warning and pay closer attention to what they are opening. In particular, be aware of the real extension of any file you open. If you open the Finder’s preferences window (from the Finder menu) and click the Advanced icon, you’ll see a checkbox labelled “Show all filename extensions.” Turning this option on ensures that you will be able to see the real extension on any file that you are opening.
In addition, Mac OS X will warn you the first time you open a downloaded file that contains executable code. Some people find these warnings annoying and disable them. This is simply one more example of why I always advise against that… if you think you’re opening a PDF file and the system warns you that you’re opening an application downloaded from the internet, that will provide you a vital warning and a way to cancel opening an item that is probably malicious.
For those concerned about this malware, note that users of Snow Leopard or Lion (Mac OS X 10.6 or 10.7) should have a definition for this malware in the XProtect definitions file. To ensure that the latest updates have been downloaded, open System Preferences, go to the Security pane (or Security & Privacy in Lion) and uncheck then re-check the box labelled “Automatically update safe downloads list.” Note that you will probably have to click the lock in the lower left corner of the System Preferences window in order to change this setting.
Use of a firewall that blocks outgoing network connections, like Little Snitch, also provides an additional layer of security against malware like this. However, note that proper use of Little Snitch involves paying close attention to unexpected connection attempts and not automatically approving them. This requires some learning about which connection attempts are normal and which are not. Learning is never a bad thing, but those unwilling to spend that time should not try to use such a tool.
You can easily check for infection and, if found, delete the trojan yourself. If you think you’re infected, open Activity Monitor and look for a process named “checkvir”. If you have that, force it to quit. Then, in the Finder, choose Go -> Go To Folder and enter “~/Library/LaunchAgents/” (minus the quotes, of course), then click the Go button. In the window that opens, delete items named “checkvir” and “checkvir.plist”.
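The manual check above (a process named “checkvir”, plus “checkvir” and “checkvir.plist” in ~/Library/LaunchAgents) can be scripted. The script below is an added example and not code from the post or from F-Secure; the only names it knows are the two the post gives. The sample `ps` output, the sample folder listing and the LaunchAgent plist are constructed for the example: the plist’s contents are an assumption about what such an item would look like, using the standard launchd keys `Label`, `ProgramArguments` and `RunAtLoad`, not a copy of the real file. It reports and does not delete anything.

```python
import os
import plistlib
import subprocess
from typing import Iterable, List, Optional, Tuple

# The two names the post tells the reader to look for.
SUSPECT_NAMES = {"checkvir", "checkvir.plist"}
LAUNCH_AGENTS_DIR = os.path.expanduser("~/Library/LaunchAgents")


def suspicious_processes(ps_lines: Iterable[str], suspects=SUSPECT_NAMES) -> List[str]:
    """Match process names from `ps -axo comm=` output. On Mac OS X that column
    is a full path, so compare on the basename."""
    return [os.path.basename(line.strip()) for line in ps_lines
            if os.path.basename(line.strip()) in suspects]


def suspicious_launch_agents(entries: Iterable[str], suspects=SUSPECT_NAMES) -> List[str]:
    """Return the LaunchAgents folder entries whose name is on the suspect list."""
    return sorted(entry for entry in entries if entry in suspects)


def program_of_launch_agent(plist_bytes: bytes) -> Optional[str]:
    """Return the program a LaunchAgent plist would start (Program, or the first
    ProgramArguments element), so a reviewer can see what persistence points at."""
    data = plistlib.loads(plist_bytes)
    if "Program" in data:
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else None


def live_check() -> Tuple[List[str], List[str]]:
    """Run the same two checks against the current machine (read-only)."""
    ps = subprocess.run(["ps", "-axo", "comm="], capture_output=True, text=True, check=False)
    procs = suspicious_processes(ps.stdout.splitlines())
    entries = os.listdir(LAUNCH_AGENTS_DIR) if os.path.isdir(LAUNCH_AGENTS_DIR) else []
    return procs, suspicious_launch_agents(entries)


# Constructed sample data standing in for an infected-looking machine.
SAMPLE_PS_OUTPUT = [
    "/sbin/launchd",
    "/Applications/Safari.app/Contents/MacOS/Safari",
    "/Users/example/Library/LaunchAgents/checkvir",
    "loginwindow",
]
SAMPLE_LAUNCH_AGENTS = ["com.example.updater.plist", "checkvir", "checkvir.plist"]
# Constructed plist: what a LaunchAgent that starts the neighbouring binary at
# login would look like. The Label and path are assumptions for this example.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>checkvir</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/example/Library/LaunchAgents/checkvir</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("sample processes:", suspicious_processes(SAMPLE_PS_OUTPUT))
    print("sample agents:   ", suspicious_launch_agents(SAMPLE_LAUNCH_AGENTS))
    print("sample plist runs:", program_of_launch_agent(SAMPLE_PLIST))
    procs, agents = live_check()
    print("this machine:", procs or "no suspect process", agents or "no suspect agent")
```

Running `python3 imuler_check.py` on a Mac prints the constructed findings and then the read-only result for the current user. If either live list is non-empty, follow the post’s steps: quit the process in Activity Monitor, then remove the items from ~/Library/LaunchAgents. `program_of_launch_agent` is the general step for any unexpected plist in that folder, not only this one.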
In summary, although this particular malware is not currently a real threat, it’s important to keep in mind that this could change at any time. The server could start functioning at any time, and new variants could be released that contact a different server. These techniques could also be used by other more dangerous malware. It is important to keep your guard up and be aware of exactly what you are opening. Keeping yourself informed of threats and techniques for keeping your system secure is the most important part of avoiding malware!