Mac malware is back in the news again. Last week, security firm F-Secure warned that it had discovered a Trojan built for OS X that was disguised as a PDF document. It’s not clear whether this malware is a present threat — it was apparently created earlier this year — but the mechanics of how it works are worth a closer look because it challenges a widely-held belief among Mac users that malicious software cannot install without explicit user permission.
F-Secure said the Mac malware, Trojan-Dropper: OSX/Revir.A, may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon. F-Secure was careful to note that the payload installed by the dropper, Backdoor:OSX/Imuler.A, phones home to a placeholder page on the Web that does not appear to be capable of communicating back to the Trojan at the moment.
I wanted to understand a bit more about how this Trojan does its dirty work, so I contacted Broderick Aquilino, the F-Secure researcher who analyzed it. Aquilino said the sample is a plain Mach-O binary — which we’ll call “Binary 1”, that contains PDF file and another Mach-O binary (Binary2). Mach-O, short for Mach object, is a file format for executable files on OS X.
According to Aquilino, when you run Binary1, it will extract the PDF file from its body, drop it in the Mac’s temporary or “tmp” directory, and then open it. This is merely a decoy, as Binary1 continues to extract Binary2 from itself — also into the “tmp” directory — and then runs the file.
Upon execution, Binary2 downloads another binary from [omitted malware download site] and saves it as /tmp/updtdata. For the sake of continuity, we’ll call this latest file “Binary3.” Binary2 then executes and downloads the third binary, which opens up a backdoor on the OS X host designed to allow attackers to administer the machine from afar.
“All of this happens without the user needing to input their password,” Aquilino said.
Aquilino believes the Trojan drops its files into the “tmp” directory because the malware is not meant to be permanent.
“Another reason could be that the Trojan is avoiding the need for users running under a Standard account to be authenticated with an Admin account just to be able to infect the system,” he said. “Standard accounts only have access to their home directory and those such as /tmp. However the account created by OS X setup is an Admin account. Therefore, I believe most will be running under it. Given that assumption, other malwares can choose to run in directory such as /Application just like the case of the Fake MacDefender rogue. Take note though unlike in earlier Windows versions, Admin accounts in OS X are still required to input their password if a malware choose to put its files in system directory such as /System/Library. I don’t see the need for a malware to do that though.”
Aquilino said the malware nevertheless has the potential to be very persistent.
“Upon execution, the downloaded copy of the backdoor (/tmp/updtdata) will create a copy called /users/%user%/library/LaunchAgents/checkvir. It will also create a corresponding launch point in /users/%user%/library/LaunchAgents/checkvir.plist to make sure it still runs after the user rebooted the system. Take note of the casing in ‘library’ instead of ‘Library.’ This maybe the reason why the sample didn’t work on some test machines. Again, no password is needed since the backdoor install its files in the user’s home directory (%user%).”
Aquilino observed that the backdoor will only run when the infected account logs in, but he said this doesn’t mean that other accounts on the infected machine are safe.
“The risk is the same if these accounts save their files in shared volumes where the infected account has permission to,” he said.
In other Mac malware news, Mac security vendor Intego is warning about an OS X Trojan called “Flashback” that disguises itself as a Flash update.
It’s worth noting that these threats, like most of those facing Windows users today, rely on social engineering — tricking the user into clicking an attachment or link. Regardless of which operating system you use, it’s a good idea to develop a healthy sense of skepticism and paranoia about any unexpected documents that arrive via e-mail, or random prompts to “update” software. Rule #1 from my 3 Basic Rules for Online Safety applies just as well to Mac users as it does folks using Windows: “If you didn’t go looking for it, don’t install it!”
I still don’t believe it’s necessary for Mac users to install anti-virus software, but for those who disagree there are certainly a number of free and affordable options for anti-malware protection on OS X. Sophos offers a free anti-virus product for the Mac, as does ClamXav and PCTools. There are also several non-free options.