|"Then, Lancelot, Galahad and I jump OUT of the rabbit..."|
Summary: A newly discovered Mac vulnerability disguises itself as a PDF to trick users into opening it, which installs an Apache server on your Mac. Luckily it hasn’t been weaponized. Yet.
Just when you thought that it was safe to start using your Mac again comes a report that a new PDF vulnerability may be targeting Mac users.
Fellow ZDNet blogger Ryan Naraine brings the news via his Zero Day blog, that the malware, Trojan-Dropper:OSX/Revir.A “installs downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.”
F-Secure notes that the vulnerability disguises itself as an Adobe Acrobat (PDF) file in an effort to trick users into opening it, which of course, triggers its payload. It even opens a bogus Chinese-language PDF in order to deceive the user and avoid detection. The payload, Backdoor:OSX/Imuler.A according to F-Secure, then runs in the background.
The good news, I suppose, is that Revir.A is fairly innocuous at this point. The payload is a bare Apache installation that is “not capable of communicating with the backdoor yet.” The going theory is that the author may have leaked it to see if any of the antivirus detectors picked it up. Luckily, someone did.
It’s important for Apple to act swiftly on this one. From the looks of things Revir.A probably wouldn’t be too hard to weaponize and we’re not sure how many people might already have the source code.
Apple: you’re on the clock.
MD5 hashes for the samples:
• Trojan-Dropper:OSX/Revir.A: fe4aefe0a416192a1a6916f8fc1ce484
• Trojan-Downloader:OSX/Revir.A: dfda0ddd62ac6089c6a35ed144ab528e
• Backdoor:OSX/Imuler.A: 22b1af87dc75a69804bcfe3f230d8c9d