Security specialist Intego (http://www.intego.com) says a new malware sample affecting Mac OS X has been discovered.
It’s an application masquerading as a PDF file, which connects to a remote server to download a backdoor. This application displays text, like a PDF, to fool users who open it, and don’t notice what really happens, says Intego.
When a user opens the file, the executable goes into action, extracting a different executable, which then downloads a backdoor from a remote server. This first executable only works on Intel-based Macs, and the backdoor doesn’t work on Macs using a case-sensitive file system (which is not the default). The backdoor takes screenshots and sends them to a command and control server, and can perform other actions.
“This PDF Trojan horse was not found in the wild, and is most likely simply a proof of concept,” says Intego. “Its design is clunky, yet it can work, and does connect to an active server. VirusBarrier X6 users will find that the program’s Anti-Spyware feature would alert them when the first executable attempts to download the backdoor, preventing its installation. Intego VirusBarrier X6 protects against this malware detecting it as OSX/Revir.A, for the Trojan horse part, and OSX/Imuler.A for the backdoor. We consider the threat to be very low, as this is not found in the wild.”