September 28, 2011

Mac malware is back in the news again. Last week, security firm F-Secure warned that it had discovered a Trojan built for OS X that was disguised as a PDF document. It’s not clear whether this malware is a present threat — it was apparently created earlier this year — but the mechanics of how it works are worth a closer look, because it challenges a widely held belief among Mac users that malicious software cannot install without explicit user permission.

Image courtesy F-Secure.

F-Secure said the Mac malware, Trojan-Dropper:OSX/Revir.A, may be attempting to copy a technique used by Windows malware, which disguises an executable as a PDF by giving it a “.pdf.exe” extension and a PDF icon. F-Secure was careful to note that the payload installed by the dropper, Backdoor:OSX/Imuler.A, phones home to a placeholder page on the Web that does not appear to be capable of communicating back to the Trojan at the moment.

I wanted to understand a bit more about how this Trojan does its dirty work, so I contacted Broderick Aquilino, the F-Secure researcher who analyzed it. Aquilino said the sample is a plain Mach-O binary, which we’ll call “Binary1,” that contains a PDF file and another Mach-O binary (“Binary2”). Mach-O, short for Mach object, is the file format for executable files on OS X.

According to Aquilino, when you run Binary1, it will extract the PDF file from its body, drop it in the Mac’s temporary or “tmp” directory, and then open it. This is merely a decoy, as Binary1 continues to extract Binary2 from itself — also into the “tmp” directory — and then runs the file.

Upon execution, Binary2 downloads another binary from [omitted malware download site] and saves it as /tmp/updtdata. For the sake of continuity, we’ll call this latest file “Binary3.” Binary2 then executes Binary3, which opens up a backdoor on the OS X host designed to allow attackers to administer the machine from afar.
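The dropper layout described above (an outer Mach-O carrying a decoy PDF and a second Mach-O in its body) is something an analyst can check for mechanically. The triage script below is an added example, not F-Secure’s tooling; the sample bytes it builds are constructed stand-ins, not the real Revir.A file.

```python
"""Triage a Mach-O file for the dropper layout described above: an outer Mach-O
(Binary1) carrying a decoy PDF and a second Mach-O (Binary2) in its body.
Added example, not F-Secure's tooling; the sample bytes are constructed."""
from typing import List, Optional, Tuple

# Byte sequences that open a Mach-O or fat (universal) image, in both byte orders.
MACHO_MAGICS = {
    bytes.fromhex("feedface"): "macho32-be", bytes.fromhex("cefaedfe"): "macho32-le",
    bytes.fromhex("feedfacf"): "macho64-be", bytes.fromhex("cffaedfe"): "macho64-le",
    bytes.fromhex("cafebabe"): "fat", bytes.fromhex("bebafeca"): "fat-swapped",
}
PDF_MAGIC = b"%PDF-"

def is_macho(data: bytes) -> bool:
    return data[:4] in MACHO_MAGICS

def _find_all(data: bytes, needle: bytes, start: int) -> List[int]:
    offsets, pos = [], data.find(needle, start)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def find_embedded(data: bytes, start: int = 4) -> List[Tuple[int, str]]:
    """(offset, kind) for every PDF header or Mach-O magic past `start`, sorted by offset.
    Skipping the first 4 bytes keeps the outer file's own magic out of the list.
    A 4-byte magic can occur by chance inside code or data, so hits are leads, not a verdict."""
    hits = [(off, "pdf") for off in _find_all(data, PDF_MAGIC, start)]
    for magic, kind in MACHO_MAGICS.items():
        hits += [(off, kind) for off in _find_all(data, magic, start)]
    return sorted(hits)

def looks_like_dropper(data: bytes) -> bool:
    """True when the outer file is Mach-O and carries both a PDF and another Mach-O image."""
    if not is_macho(data):
        return False
    kinds = {kind for _, kind in find_embedded(data)}
    return "pdf" in kinds and len(kinds) > 1

def carve(data: bytes, hits: List[Tuple[int, str]], index: int) -> bytes:
    """Slice out the payload at hits[index], running up to the next hit (or end of file),
    so the decoy and Binary2 can be hashed and inspected separately."""
    end: Optional[int] = hits[index + 1][0] if index + 1 < len(hits) else None
    return data[hits[index][0]:end]

def build_sample() -> bytes:
    """Constructed stand-in for Binary1: 64-bit little-endian Mach-O magic, filler,
    a tiny PDF, filler, then a second Mach-O magic. Not real malware."""
    outer = bytes.fromhex("cffaedfe") + b"\x00" * 60
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    inner = bytes.fromhex("cffaedfe") + b"\x00" * 32
    return outer + pdf + b"\x00" * 16 + inner

if __name__ == "__main__":
    sample = build_sample()
    hits = find_embedded(sample)
    print("dropper layout:", looks_like_dropper(sample), hits)
    for i, (off, kind) in enumerate(hits):
        print(f"  {kind} at offset {off}: {len(carve(sample, hits, i))} bytes")
```

Run it against a real suspect file by reading the file's bytes in place of `build_sample()`; a positive result is a reason to carve and inspect, not proof of malice.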

“All of this happens without the user needing to input their password,” Aquilino said.

Aquilino believes the Trojan drops its files into the “tmp” directory because the malware is not meant to be permanent.

“Another reason could be that the Trojan is avoiding the need for users running under a Standard account to be authenticated with an Admin account just to be able to infect the system,” he said. “Standard accounts only have access to their home directory and those such as /tmp. However, the account created by OS X setup is an Admin account. Therefore, I believe most will be running under it. Given that assumption, other malware can choose to run in a directory such as /Applications, just like the case of the fake MacDefender rogue. Take note, though, that unlike in earlier Windows versions, Admin accounts in OS X are still required to input their password if malware chooses to put its files in a system directory such as /System/Library. I don’t see the need for malware to do that, though.”

Aquilino said the malware nevertheless has the potential to be very persistent.

“Upon execution, the downloaded copy of the backdoor (/tmp/updtdata) will create a copy called /users/%user%/library/LaunchAgents/checkvir. It will also create a corresponding launch point in /users/%user%/library/LaunchAgents/checkvir.plist to make sure it still runs after the user reboots the system. Take note of the casing in ‘library’ instead of ‘Library.’ This may be the reason why the sample didn’t work on some test machines. Again, no password is needed since the backdoor installs its files in the user’s home directory (%user%).”
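The persistence mechanism described above (a launch agent in the user’s own Library directory pointing at a program the user could write without a password) is easy to audit. The checker below is an added example, not F-Secure’s or Apple’s code; the real checkvir.plist contents are not on the page, so the plists it builds are constructed, with %user% replaced by a made-up “alice”.

```python
"""Check per-user launch agents for the persistence pattern described above: a plist
under ~/Library/LaunchAgents whose program lives in /tmp or in the user's own home
directory, where no password is needed to write it. Added example; the real
checkvir.plist contents are not on the page, so the plists built here are constructed."""
import os
import plistlib
from typing import Dict, List

def make_agent_plist(label: str, program: str, run_at_load: bool = True) -> bytes:
    """Build a minimal launchd agent plist (used here only to construct samples)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": [program], "RunAtLoad": run_at_load})

def program_path(agent: dict) -> str:
    """launchd takes either Program or ProgramArguments[0]."""
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def assess_launch_agent(plist_bytes: bytes, home: str) -> List[str]:
    """Reasons this agent deserves a look; an empty list means its program lives somewhere
    a standard user could not have written without authenticating."""
    agent = plistlib.loads(plist_bytes)
    prog = program_path(agent)
    reasons: List[str] = []
    if not prog:
        return ["no program path"]
    # Compare case-insensitively: the default OS X filesystem resolves /users/alice/library too.
    if prog.startswith(("/tmp/", "/private/tmp/")):
        reasons.append("program runs from /tmp")
    elif prog.lower().startswith(home.rstrip("/").lower() + "/"):
        reasons.append("program lives in the user's home directory")
    if not reasons:
        return []
    if "/library/" in prog:
        reasons.append("lower-case 'library' in path, the casing noted in the analysis")
    if agent.get("RunAtLoad") or agent.get("KeepAlive"):
        reasons.append("starts at login and/or is kept alive")
    label = str(agent.get("Label", ""))
    if label.count(".") < 2:
        reasons.append(f"label '{label}' is not reverse-DNS style")
    return reasons

def scan_launch_agents(home: str) -> Dict[str, List[str]]:
    """Run the check over every .plist in <home>/Library/LaunchAgents; unreadable files are reported."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    findings: Dict[str, List[str]] = {}
    if not os.path.isdir(agents_dir):
        return findings
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agents_dir, name), "rb") as fh:
                reasons = assess_launch_agent(fh.read(), home)
        except (OSError, plistlib.InvalidFileException, ValueError) as exc:
            reasons = [f"could not parse: {exc}"]
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample mirroring the path from the article, with %user% replaced by "alice".
SUSPECT = make_agent_plist("checkvir", "/users/alice/library/LaunchAgents/checkvir")

if __name__ == "__main__":
    print(assess_launch_agent(SUSPECT, "/Users/alice"))
    print(scan_launch_agents(os.path.expanduser("~")))
```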

Aquilino observed that the backdoor will only run when the infected account logs in, but he said this doesn’t mean that other accounts on the infected machine are safe.

“The risk is the same if these accounts save their files in shared volumes where the infected account has permission to,” he said.

Image courtesy Intego.

In other Mac malware news, Mac security vendor Intego is warning about an OS X Trojan called “Flashback” that disguises itself as a Flash update.

It’s worth noting that these threats, like most of those facing Windows users today, rely on social engineering — tricking the user into clicking an attachment or link. Regardless of which operating system you use, it’s a good idea to develop a healthy sense of skepticism and paranoia about any unexpected documents that arrive via e-mail, or random prompts to “update” software. Rule #1 from my 3 Basic Rules for Online Safety applies just as well to Mac users as it does folks using Windows: “If you didn’t go looking for it, don’t install it!”

I still don’t believe it’s necessary for Mac users to install anti-virus software, but for those who disagree there are certainly a number of free and affordable options for anti-malware protection on OS X. Sophos offers a free anti-virus product for the Mac, as do ClamXav and PCTools. There are also several non-free options.


31 thoughts on “Inside a Modern Mac Trojan”

  1. Dmitry Dulepov

    Mac’s /tmp dir is cleared on reboot. So to get rid of this trojan, just reboot your Mac 🙂 It is not common in the Mac world to reboot, but it is the easiest clean up in the world for the malware.

    Another nice thing to do is to enable the Mac firewall. It takes a single button click in the system settings. If a trojan tries to make an outbound network connection, the user will be notified and asked for permission.

    So it is not as bad as it sounds.

    1. BrianKrebs Post author

      Hi Dmitry, F-Secure is saying this persists after a reboot. From the article:

      “Upon execution, the downloaded copy of the backdoor (/tmp/updtdata) will create a copy called /users/%user%/library/LaunchAgents/checkvir. It will also create a corresponding launch point in /users/%user%/library/LaunchAgents/checkvir.plist to make sure it still runs after the user rebooted the system”

      Are you saying F-Secure is incorrect in its analysis? Thanks.

      1. Dmitry Dulepov

        If it is copied to some other place, it would not be enough to reboot the computer to get rid of it.

        I based my comment on another source read today, which said the file is copied and executed from /tmp. That source did not mention the other location. It appears that my information was incomplete. I am sorry about providing a wrong “reboot to remove” suggestion.

      2. dr strangep0rk

        1. How does it get three files onto the system? Note, the exact detail on how this is put onto a system is left out. We have a copy that is an installer which installs a PDF and post install script. If they change the installer name, no dice; if you alter the installer, no dice. Via email or web the user will need to download and open this file. With “Open Safe” in Safari off and XProtect, cannot happen.

        2. The Mach file has to be 755 to execute; if you change any extension of any file on MAC OSX then you get an error. You can try this yourself: change a copy of TextEdit.APP to TextEdit.PDF. Make a simple BASH script and change the extension to PDF in the Finder and try double clicking on it. No matter what, you will get an error. We did it with firefox.dmg in this example. https://www.magmatic.com/storage/post-images/ffPDF.jpg?__SQUARESPACE_CACHEVERSION=1316985108802

        3. Depending on the user you will have access to /tmp for the pdf and the user’s home directories as you state in your answer. However if the user is not the (root) ADMIN it will not affect any other user and permissions are needed. The installer of a general user can alter the user space but not the system space. Also there are PATH considerations.

        So some facts.

        1. A rogue installer can install files including Mach Binaries but there are some important things to consider.
        -You cannot change the extension because they will not execute.
        -You cannot install into any other users or system level without getting a password. If you work as ADMIN or ROOT, then well… You better know what you are doing.

        2. The decoy is a PDF file; it is opened by a shell script as described by you. In our sample this was a preinstall script in an installer: the PDF is opened and then a post install script ran. It was a visual deception, very weak. In your example the user will need to execute a shell script. How is it put into /users/%user%/library/LaunchAgents/checkvir ? I will say that f-secure has an installer as well. This is just because that is the only way unless a user is clicking on a file that is nothing but a MACH Binary. You know what the icon looks like for that, and you cannot change the extension because it will end up generating an error.

        Seems to me that this is an important find, and F-Secure is an A+ team, but they left out an important detail. I think you are defending something that is, based on MAC OSX, unlikely to happen, and it is clear that technical details have been omitted for no other reason than they are unknown by the analysts, or it is an interesting find but a very unlikely useful threat.

        As of now, I think it is clear that you have half the facts and technical knowledge to create an accurate story. So, can you provide the mechanics of how it works? That is your opening paragraph.

        What we think…

        This is a PKG/MKPG file that does not request root. It will open a PDF as a visual decoy and then install some other packages in the background. These are the same on f-secure site in terms of HASH. There are a host of ways to mitigate this, MSFT tactics on MAC.

        Good news, criminals still are not familiar enough with MAC OSX to execute tactics from the MSFT platform.
        Bad News, experts in the PC world here to protect us are still not familiar enough with MAC OSX. They view all threats based on tactics used against the MSFT platform.

        Curious about your follow up, by all means run your own test. Create a Bash file, try to install it, see if you can change the extension, etc. See if all the technical possibilities are realistic or are we living the BAD news.

        As always good reporting…. Interesting READ…

      3. dr strangep0rk

        Oh, yes it will persist after a reboot if it is installed in that user LIBRARY directory, but not for every user and not for the ADMIN, unless you are running as ADMIN. (Like a unix or linux guy running as ROOT, crazy man, crazy.)

        As said, F-secure is an A+ team, some more detail, glad to see they are watching but..

        OUT

        1. Nick P

          “but not for every user and not for the ADMIN, unless you are running as ADMIN. (Like a unix or linux guy running as ROOT, crazy man, crazy.)”

          The article noted that OS X setup creates an admin account by default. Mac’s target market is content creators, non-technical people, people that hate the hassles of windows, and gullible people who believe marketing ploys (“don’t get viruses”). By nature, these people are very unlikely to go digging through settings to check if they’re set to administrative & change it to a limited role. This is why the advisory is important and that comment was utterly ignorant.

          (The comparison to Linux isn’t so good either because many distros use sudo by default, where Mac uses their version of “root” by default. The first failure comes from Apple, then its users.)

  2. Gary

    The warning about “random prompts to “update” software” makes me wonder if I should now ignore the prompts I get from Adobe to update Flash or Reader. Can Apple’s “Software Update”, which often prompts users to download and install an update, be spoofed?

    1. Dmitry Dulepov

      Yes, it can. If somebody makes a malware app with the same look as Apple’s Software Update, most people will not notice the difference.

      I usually run update manually once a week. This gives me more control over my Mac.

    2. Russ

      Try the Secunia PSI. It is a free app at the time of this post. Helps you note all your applications and versions at a glance, tells you when updates are available and in many cases will allow you to update through the Secunia app to make it easy. It’s been great on my parents’ computers since I can never remember all the crap I need to manually keep up to date on their machines.

      I’ve also noticed this update monitoring feature in Orbit batch downloading software, but somehow I don’t have the same degree of faith in that company…

      1. Bart

        I used Secunia PSI on my old XP system, but now having changed to a Mac I am confused about whether they have a PSI version. On their web site I only see mention of the CSI version which looks expensive.

        Is there a free Secunia product for the Mac?

  3. BillLee

    “However the account created by OS X setup is an Admin account. Therefore, I believe most will be running under it. ”

    Isn’t this the REAL problem? Isn’t this the same as a user always running under root instead of a “normal” account in other unix or unix-like systems?

    Bill

    1. Kyle Jones

      Running as admin is a big risk for the system itself, but running a Trojan as an ordinary user is still pretty bad. It is, for example, often all that’s necessary to get a keylogger installed. Log into your banking or brokerage account after that and soon you will be in a world of hurt.

    2. Joel

      The MacOS user account defaults are being completely misrepresented in the comments. Works the same as in Win7 or Ubuntu – you have to re-authenticate for any privileged access. The default is not a root account. In fact enabling the root account, while possible, is hidden behind a couple of steps so most users would never even attempt it.

  4. Andrew Mangy

    I visited a link on twitvid.com which brought up an adobe flash installer and although I know better I upgraded Flash. How can I definitively make sure my system is free of malware? I looked at dates on flash files which have not been changed in over a month. I checked the adobe site but could not find a release date for flash.

    1. dr strangep0rk

      Andrew, for Mac OSX this is easy.

      Go to System Preferences and select the Adobe Flash Player preferences pane under Other. Select the Advanced pane and then hit Check for Update. This will direct you to the site to see what you have installed as compared to the latest version.

      Adobe has not fixed it to download the update as of yet. You can then download it.

      Check your flash version-http://mcaf.ee/9a7e1

      Settings Manager- http://mcaf.ee/aec32

      Download Flash-http://mcaf.ee/312f6

  5. Heron

    Thanks for this, BK. I sent a link for it to my mother, and quoted the last couple of paragraphs.

  6. george

    Interesting article, as usual.
    I am wondering what information the PDF decoy displays and why F-Secure (or Brian?) decided to blur the text in the image posted.

  7. dr strangep0rk

    Again, out of email. Tactics and document similar to phishing tactics in the past. Check out the above link from Intego; it shows the image unscrambled.

    1. george

      Thanks a lot, dr strangep0rk,
      Too bad the image cannot go as it is into Google Translate.
      Interesting that the name under which it extracts is “trojan.pdf”.
      That might raise eyebrows in potential victims (albeit post-factum) which otherwise would just ignore the “document” as containing gibberish. In turn, this suggests to me the author did not polish it very well or it was more of a “proof of concept” trojan.

      1. BrianKrebs Post author

        I haven’t asked F-Secure so I don’t know for sure, but they most likely renamed the PDF “Trojan” for the sake of clarity. I have seen other security firms do this when they are trying to explain how a threat works.

  8. Drstrangep0rk

    Still waiting for how it gets on a system, delivery method. Please, since this is an inside Mac Trojan article, explain how it gets on the system. There is no unpacker in the PDF. This is an important detail. Thanks.

    The PDF looks similar to others we have seen in past phishing attacks. Sure BK can provide a sample.

    We have two scripts and a PDF, just want to confirm, delivery method…

    Also, again threat small, not a Trojan but visual decoy to download apache. That is what we got…

    By the way, flashback is more interesting since it is using the hardware UUID for the encryption key. What can the UUID, as a single information point, chain to in order to represent greater risk?
    How about creating fake apple products for fake apple stores. Not to mention authorized devices in iTunes or by developers. Rogue adhoc installations?

    If I was a state or criminal org interested in Mac I would try to develop a way to get a rogue app in the store or at least make it appear they are signed and get to developer code before it is sent to the store. Think this may be a more interesting angle for you to explore.

    The convergence of state and criminal actors is a benefit to China on a military and economic level. Isn’t that what our lack of true cyber defence has forgotten? It is not just IP; our commerce, information and communication points are not protected. They are playing for keeps, we better start.

    Just some rambling thoughts….

    1. pboss

      Somehow, I doubt they’re going to provide too much info, otherwise everyone will start creating their own trojans.

  9. Drstrangep0rk

    @pboss.

    No, they do not provide more information to have an edge over competitors. Based on what is here you can make this in 20 seconds, but not get all the moving parts to do anything malicious without a host of exceptions in the chain of attack.
    There needs to be a movement towards full disclosure of any reported malicious software activity, especially by vendors. It ensures that they are acting in good faith. Our current system is broken; we have 8 police departments which do not share the full facts with the public or data with each other until after the event. Thus it is reactive policing. There are good companies and bad ones. When we have a major malware incident it is in part due to the failure of full disclosure by end point vendors.

    Some things they should disclose.
    Delivery method.
    Beach front, namely the software or service which is the gateway.
    System or software versions which it has an effect on.
    What and where of the install. Any pivots that it does.
    True impact, what it does on local system
    True impact, network communication.
    Risk.

    We have lots of problems; vendors control the reporting. Our only hope is the press can get the information or at least call them out.

    Since these are criminal acts we need a press that demands a high bar of disclosure from the cops on the beat, especially since they are private enterprises.

    1. Nick P

      I totally agree with your speculated reason they haven’t done full disclosure. It’s more profitable these days for vulnerability hunters to keep some secrets. This ensures everyone gets paid off in some form or another. Of course, it’s hard for me to hate on them because software writers don’t actually provide any incentives for the hard work it takes to identify vulnerabilities. They don’t pay for it, consumers won’t pay extra for it, & demanding an independent bug-hunter give their labor for free in such a situation is ethically questionable.

      Disclosure for profit: it’s just capitalism by any other name.

  10. Drstrangep0rk

    Good, it seems that VRT has some information as well. They got an App a while back that did not run. As I said, we have seen several different attempts to try to use Msft tactics targeting Mac OSX. These are very low skilled attempts. Our copy was an installer with pre and post scripts. A PDF in Han Chinese opened to cover visually the install and download process. I think it is worth a read to see what they found, sounds close to FSecure.

    We have seen changes of extensions as attempts to get something to execute in Mac OSX, but these are DOA. Good read here so —- enjoy….

    http://vrt-blog.snort.org/2011/09/mac-trojans-this-past-weekend-osxrevir.html

  11. Rick

    > Standard accounts only have access to their home directory and those such as /tmp.

    Uh – NO.

  12. JCitizen

    It seems to me this is similar to Zeus infections. The Zeus family of trojan variants do not need to install and can work even on limited (standard) accounts. They simply reside in the temp folders like all other files that come from web page downloads, and lie in wait for a reboot. When the machine is restarted/shutdown, the trojan injects into the startup folder to survive the next reboot.

    These variants can also manipulate browsers in many ways that can be a great danger to the user on that account. The primary weakness is the browser technology itself, but ANY operating system running Adobe PDF, or flash, or javascript can have further vulnerabilities that could expose even a well locked down operating system design. I don’t think any operating system is particularly invulnerable to this scenario. As was mentioned earlier, many newbies are entering the MAC OSX and Linux world and are not savvy enough not to use applications with vulnerabilities built in, or would never update them to lower their attack profile.

    I really think some of you are sticking your head in the sand, by constantly standing in utter disbelief that there is anything that exists that can break down what is considered a totally bulletproof operating system. Especially since people are involved and always make mistakes.

    1. Nick P

      Good points. On the Linux issue, though, the most popular desktop distributions have automatic update for the apps. My Ubuntu box I use for browsing makes it as simple as clicking a button & entering your password. It takes care of the rest, occasionally with a restart required. (It can be delayed, of course.)
