Author Topic: Another Trojan -- merged with ... (Read 2036 times)

Xairbusdriver · « **on:** September 23, 2011, 05:22:38 PM »

Just read about yet another Trojan for the Mac. No one seems sure where it comes from but it is usually accompanied by a Chinese PDF. It also doesn't appear to be working properly, yet. You can see if its been installed my running Activity Monitor, selecting "All Processes" and clicking the 'Process Name' column header. If you see "checker" you have the Trojan installed. It is easily deleted along with a similarly named .plist file. Some think it may be getting installed by a Java (not javascript) routine.

gunug · « **Reply #1 on:** September 24, 2011, 03:01:59 PM »

I really wish I could remember the marvelous nonsense I heard on the radio about this:

QUOTE

The new piece of malware hides inside a PDF file and delivers a backdoor that hides on the user's machine once the malicious file is opened. Once the user executes the malware, it puts the malicious PDF on the user's machine and then opens it as a way to hide the malicious activity that's going on in the background, according to an analysis by researchers at F-Secure. The Trojan then installs the backdoor, which is named Imuler.A, which attempts to communicate with a command-and-control server.

https://threatpost.com/en_us/blogs/new-mac-...ious-pdf-092311

Apparently this is a threat to Macs!

Xairbusdriver · « **Reply #2 on:** September 24, 2011, 04:39:59 PM »

Yes, see the "<Another Trojan, ...from China with Love??>" thread. But you probably won't be able to read the PDF since it is usually in Chinese.

kimmer · « **Reply #3 on:** September 24, 2011, 05:28:07 PM »

Would you like these 2 threads merged? Might be more helpful.

Paddy · « **Reply #4 on:** September 24, 2011, 08:52:25 PM »

Really low threat, apparently - not found in the wild and quite clunky.

http://www.macnews.com/2011/09/23/mac-pdf-...e-gallops-scene

gunug · « **Reply #5 on:** September 25, 2011, 02:45:44 PM »

If someone wants to merge them it's okay by me!

Xairbusdriver · « **Reply #6 on:** September 25, 2011, 03:28:16 PM »

Just don't convert them into a Chinese PDF!

kimmer · « **Reply #7 on:** September 25, 2011, 06:41:02 PM »

Merging done.

Xairbusdriver · « **Reply #8 on:** September 27, 2011, 01:29:43 PM »

And yet another, for someone who thinks they really need Flash and can't remember who makes it so they go to some off-the-wall site and download it and then run the installer and wonder why they are so... <INTEGO SECURITY MEMO: Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package>

Later: Some info on how to check when your last update occurred and force it to update immediately: <http://www.macworld.com/article/160253/2011/06/force_mac_update_malware_definitions.html>

[attachment=2332:XProtect...Run_Time.gif]

Paddy · « **Reply #9 on:** September 27, 2011, 02:53:29 PM »

Apple has updated the definitions for the malware found in the PDF trojan. So...if you're running either Snow Leopard or Lion, you are fine. (NOTE: no updating by the user is required - read the article linked below)

http://www.macworld.com/article/162535/201...l#lsrc.rss_main

The Flashback trojan that Jim mentions still hasn't been addressed, however.

Xairbusdriver · « **Reply #10 on:** September 28, 2011, 01:47:43 PM »

And another one has been updated. First appeared back in January/February. The third version is now available for downloading for those who do that sort of thing.

<http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/OSX~MusMinim-C.aspx>

Xairbusdriver · « **Reply #11 on:** October 03, 2011, 03:30:48 PM »

New version of the "Chinese PDF" trojan released:

OSX/Revir-B info at Sophos

I think XProtect was updated for Revir-A last Thursday. :thumb up:

kimmer · « **Reply #12 on:** October 03, 2011, 07:05:13 PM »

Do I have to download and install this software from Sophos in order to find/quarantine this trojan?

Paddy · « **Reply #13 on:** October 03, 2011, 08:33:56 PM »

QUOTE(kimmer @ Oct 3 2011, 08:05 PM) <{POST_SNAPBACK}>

Do I have to download and install this software from Sophos in order to find/quarantine this trojan?

No. You can also do it by hand:

http://www.infosecurity-magazine.com/view/...ac-pdf-trojan-/

But why would you download this PDF anyway? I don't imagine it's out there on trusted sites, just lurking, ready to pounce.

As Brian Krebs writes in his dissection of the Trojan:

QUOTE

It’s worth noting that these threats, like most of those facing Windows users today, rely on social engineering — tricking the user into clicking an attachment or link. Regardless of which operating system you use, it’s a good idea to develop a healthy sense of skepticism and paranoia about any unexpected documents that arrive via e-mail, or random prompts to “update” software. Rule #1 from my 3 Basic Rules for Online Safety applies just as well to Mac users as it does folks using Windows: “If you didn’t go looking for it, don’t install it!”

Xairbusdriver · « **Reply #14 on:** October 03, 2011, 08:59:37 PM »

At least one site is claiming the XProtect update last Thursday fixed both the version a and b of this trojan. It may be that it simply adds the "OSX/Imuler-A" signature to the XProtect definitions.

At any rate, if you spot any PDF's that you don't recognize in your "downloads" folder (where ever that may be on your set up). Simply delete it and Empty the Trash, as well. Then, try to refrain from visiting the some of the types of sites you visit.

News:

Author Topic: Another Trojan -- merged with ... (Read 2036 times)