New Mac malware poses as PDF doc

23.09.2011
Security firms today warned Mac users of a new Trojan horse that masquerades as a PDF document.

The malware, which was spotted by U.K.-based Sophos and Finnish antivirus vendor F-Secure, uses a technique long practiced by Windows attackers.

"This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a '.pdf.exe' extension and an accompanying PDF icon," said today.

That practice relies on what is called the "double extension" trick: adding the characters ".pdf" to the filename to disguise an executable file.

The Mac malware uses a two-step process, composed of a Trojan "dropper" utility that downloads a second element, a Trojan "backdoor" that then connects to a remote server controlled by the attacker, using that communications channel to send information gleaned from the infected Mac and receiving additional instructions from the hacker.

Because it doesn't exploit a vulnerability in Mac OS X -- or any other software -- the malware instead must dupe users into downloading and opening the seemingly-innocuous PDF document, which is actually an executable.