New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Apple Updates Anti-Malware Tools to Address New Trojan Threat

Monday September 26, 2011 11:33 am PDT by Eric Slivka
Late last week, CNET reported on a new trojan horse threat targeting Mac users. While the threat was initially discovered back in late July and had yet to become fully functional, only recently was the malware highlighted by antivirus companies targeting such threats.


Blurred screenshot of PDF file deployed by OSX/Revir.A (Source: F-Secure)

The new threat consists of two parts, with the first being a trojan downloader known as "OSX/Revir.A" that serves to distract users by downloading and continually opening a PDF document containing "offensive political statements" written in Chinese. But the actual damage from OSX/Revir.A comes as it installs a backdoor known as OSX/Imuler.A to potentially allow malicious parties to access the user's machine.
When the backdoor is installed, it will set up a launch agent on the system that is used to continually keep the malware active on the system. It will then connect to a remote server and send the system's current username and MAC address to the server, after which the server will instruct it to either archive files and upload them, or take screenshots and upload them to the server.
The report noted that the malware did not appear to function properly due to a lack of instructions being delivered from a remote server, but malicious activity could still be possible.


OS X malware definition entry for OSX/Revir.A

Apple has moved quickly to counter the threat, updating its malware definitions for Snow Leopard and Lion systems to allow them to recognize the trojan. Apple updated its tools earlier this year in response to the MacDefender threat, and Snow Leopard and Lion systems now automatically check for new malware definitions on a daily basis.

Apple's battles with malware authors continue, however, as CNET discloses that another trojan horse, known as OSX/flashback.A, has been discovered. Like a similar threat that surfaced early last month, the new trojan masquerades as a Flash Player installer to trick users into installing the package.
Unlike the previous Flash Trojan (called Bash/QHost.WB), which changed one file on the system, this new Trojan is a bit more complex and first deactivates network security features, then installs a dyld library that will run and inject code into applications that the user is running. The Trojan will also try to send personal information and machine-specific information to remote servers.
Users requiring Adobe's Flash Player software are of course advised to download it directly from Adobe's site rather than attempting to install it from sites which may be trying to trick users into installing malware. If past history is any indication, Apple should quickly update its malware definitions to help recognize the new threat, alerting users to the known malicious nature of the package should they attempt to download and install it.

[ 137 comments ]


Top Rated Comments

(View all)

Avatar
dOoBiX
103 months ago

I'm wondering if I came across that second one yesterday. I pulled up a video and got a pop-up that looked very authentic asking me to update my Flash Player. I closed it without clicking anywhere within it, and nothing downloaded, but I may have dodged a bullet by not installing it. I consider myself a very educated Mac user, but even I might have been convinced if that was it, had I not been in a hurry and not willing to wait for it to install.


I installed a flash update yesterday, and after reading this article, it got me worried. So I checked the CNET article (http://reviews.cnet.com/8301-13727_7-20111639-263/another-os-x-trojan-imitates-adobe-flash-installer/) and they have screenshots of the fake and real flash installers. My mac is good... for now. :)

Fake:


Real:
Rating: 9 Votes
Avatar
benthewraith
103 months ago

Note that Flash is somehow involved. LOL


Yes, I'm sure taking a copy of Flash and rewriting it to make it malicious is the fault of Adobe just as much as torrented copies of iWork may or may not have been rewritten to install malware is the fault of Apple.:rolleyes:
Rating: 8 Votes
Avatar
gmcalpin
103 months ago

Dang it....that Apple specialist in the store told me mac is virus free when I was purchasing my MBP....wth....


Even the virus's have bugs :D


This is not a virus. It's a Trojan horse. They are two very different kinds of malware.
Rating: 8 Votes
Avatar
Dr McKay
103 months ago

Its good to see that apple actually update their os to stop this trojan threat. If only windows was as reliable...


Ahh good to see you're still clinging to the 10 year old idea of Windows and Microsoft.


Macs are being infected more because of all those stupid Windoze users who switched because of the "Mac vs PC" ads. Doh!



I do hope that was sarcasm, please say it was. If it wasn't I feel compelled to point out how wrong you are, Mac users are not smarter than PC users, nor are PC users smarter than Mac users. They are just computer users, no different from each other.
Rating: 6 Votes
Avatar
fahadqureshi
103 months ago
wonder what these "offensive political statements" are:rolleyes:
Rating: 5 Votes
Avatar
AppleScruff1
103 months ago

Bottom line is Windows is now more secure then OS X. Take that to the bank!


OSX is obviously a very secure OS and so is Windows 7.
Rating: 5 Votes
Avatar
topmounter
103 months ago

Viruses, Malware, Trojans... it's all the same *****. In fact, Viruses are Malware, since Malware is Malicious Software. Either way, you're looking at data loss and/or theft.

Stick that in your pedantic pipe and smoke it



Actually it is not "all the same", but I'll defer to your eRage.
Rating: 4 Votes
Avatar
TheSideshow
103 months ago

Its good to see that apple actually update their os to stop this trojan threat. If only windows was as reliable...


Are you aware of how Windows handles these at this time? Seems not.
Rating: 4 Votes
Avatar
sulliweb
103 months ago

A Trojan needs to trick the user into installing it before it can do any damage. That's the price we pay for being able to run any program we want on our Macs without needing Apple to approve them first - someone can make a bad program and fool us into thinking it's good. Once you give the program permission to run, OS X will get out of its way. If it turns out it's a malicious program, it's your fault for allowing it to run, not OS X's.


Yes and no... We've seen a couple of minor exploits in iOS (ie - Jailbreakme.com) where a site gained root level access without Apple's permission in an arena supposedly completely controlled by Apple. There is no such thing as a perfectly secure OS. Apple does a better job than Windows in some respects, but Win 7 is remarkably better in that regard. Also, MS now provides free AV protection as well, cleaning up their own mess, so to speak...

I know I'll get blasted for saying it, but Windows and Macs are mostly being targeted the same way now (Windows more so, but there are still more Windows boxes out there). It's all about tricking the user, not breaking the system. Both OS's are reasonably rock solid when it comes to system attacks... Windows patches more often, but really, they haven't had anything in the way of major attacks in a great while... Conficker happened when? And it was kind of a dud in a lot of ways... Pretty much, now the user has to allow stuff to happen outside of their profile.
Rating: 4 Votes
Avatar
Renzatic
103 months ago

It does matter greatly, when it comes to developing a defense against them. To say it doesn't matter is to display a gross lack of awareness about malware and how to protect against it.


It's more like we're talking generic terms, and you're splitting hairs. Viruses per the classical term are practically nonexistent now. They're nigh impossible to get on OSX, and don't show up all that often (if at all) on modern Windows machines. But the term has stuck around, and has more or less become a blanket statement for any type of malicious piece of software designed to screw over you or your computer nowadays.

So if someone accidentally mentions virus, that doesn't necessarily mean they don't know what they're talking about. They're just using it as the catch-all phrase it's become these days.

The same old tired market share theory, which is complete hogwash. Macs have a larger market share and installed base than ever before and yet malware is a fraction of what it used to be. As the Mac has grown in popularity, the available malware in the wild has decreased, not increased.


You know what form most bugs take these days? Socially engineered malware. They don't actually exploit any OS weakness. No. They go after the weakest link of security of any computer: the user. I mean why spend all this time trying to find a hole in an operating system, then spend even more time finding another when it's eventually closed when it's so much easier to scare the hell out of someone and trick them into installing the [s]virus[/s] malware themselves?

[s]Viruses[/s]Malware such as this isn't incredibly difficult to write. But you do want to target the largest demographic most likely to install it. Right now, it's Windows. Macs users are more the enthusiast types, and are more likely to know better. Windows, by dint of market share, is more likely to be used by people who aren't quite as comfortable with their machines, and are thus more likely to grab something they shouldn't, and freak out over a popup saying they're infected with a virus.

Now if you were a malware manufacturer, which platform would you prefer to take advantage of? The OS with the smaller market share, used mostly by professionals and enthusiasts, or the OS most commonly used by millions of gullible grandmas?

And if Macs are selling a million a month, do you think all those sales are to professionals and enthusiasts?

Ultimately, what you'd have is the Windows malware scene, transplanted to OSX. It's all about who's using what the most. Malware programmers don't give a damn about which OS is better. They don't argue about it. They don't care. What they do care about are credit cards and exploitable email addresses. And they're going to go where the action is.

Course it isn't all doom and gloom. If Apple were to sale a billion iMacs tomorrow, the Apple scene wouldn't suddenly turn into a stark wasteland of malware, requiring you to repair you OS install every other day. Ultimately, things wouldn't be much different for most of us here, besides getting updates a little more often than what you used to. What you would have is a bunch of moms and dads running en masse to the Apple store, cuz they all want to know why Buddy Bear The Freeware Game Genius is sending midget porno to grandma and asking for their social security number to make it stop.
Rating: 4 Votes

[ Read All Comments ]