MacNN | Intego uncovers new image-based Trojan, installs backdoor on Macs
Tuesday, September 17, 2013 @ 6:52pm

A file that looks like an image, bears a camera-like filename, and has its real extension hidden by default has been discovered to be a rogue application that can install a permanent "backdoor" on Mac systems. It also triggers Preview to open an image, fooling the user into thinking it was simply an unusual picture file. The purpose of the Trojan appears to be supportive of the hacker group Syrian Electronic Army, which is in league with the totalitarian regime of Syria's present government. It is currently considered low-risk for a number of reasons.
The main reason why this new threat is seen as minimal is that the controlling server behind the attack is currently down and is not sending commands to affected users, with US and other law-enforcement authorities likely to ensure that it remains inactive. The spread of the Trojan appears to be a targeted attack aimed at certain groups opposed to Syrian President Bashar al-Assad, and isn't seen to be aimed at widespread distribution. Further, installing the Trojan requires an admin password, alerting users to the fact that the so-called "image" file is in fact an application; genuine image files do not require installation procedures. Finally, Mac users running either OS X Lion or Mountain Lion (10.7 or 10.8, estimated to be around 70-80 percent of the active Mac user base) who have Gatekeeper enabled (or are running an up-to-date anti-malware product) will find the Trojan blocked automatically. Apple may further update its own built-in XProtect anti-malware system (available to Snow Leopard, Lion and Mountain Lion users) to prevent accidental installation, and indeed may have already done so; updates to XProtect are done silently without user knowledge.

Intego says that while the Trojan has been spotted "in the wild" among users, and despite the Trojan's attempts to disguise itself, the overall threat level "appears to be low." The Trojan, called OSX/Leverage.A by Intego, disguises itself as a picture file. Once installed by a user with admin privileges, it installs a backdoor that allows an attacker to send a variety of commands, the company says. It's unclear how the malware was intended to be distributed, but it could have been intended for email or placed on a website as part of a "watering hole" attack. Users who try to download the application from a website, through a browser or in email will likely get it flagged by Gatekeeper unless Gatekeeper has been disabled.
Once installed, OSX/Leverage.A copies itself to the Shared folder in Users as "UserEvent.app" and creates a launch agent so that it is activated at startup. The app does not appear in the Dock or in the Command-Tab switcher, and once launched it opens a JPG file stored inside the application bundle in Preview, to persuade the user that the "picture" is harmless. It then tries to connect to the currently-disabled "command and control" (C&C) server on port 7777. Intego says that "in testing, we observed the C&C receiving a variety of system information about the affected machine, sending Pings to monitor the connection, and trying to download [a Syrian Electronic Army] image file to the machine, among other commands." The company advises users to keep software, OS versions, browsers and plugins (particularly Flash and Java, if used) up to date, and to avoid supplying a password for any image file downloaded from the web or received in an email.
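The two host-side indicators the article gives (a copy of the Trojan at /Users/Shared/UserEvent.app and a launch agent that starts it at login) lend themselves to a simple local check. The script below is an added example written for this page; it is not Intego's or MacNN's code. It scans a LaunchAgents directory for plists whose Program or ProgramArguments point into the reported path, and separately flags an application bundle whose visible name looks like a camera image, which is the disguise the article describes. The launch-agent label, the bundle name DSC00117.app and the sample directory tree are constructed for illustration, not taken from the malware, and the camera-name pattern is a heuristic assumption.

```python
"""Added example (not the article's or Intego's code): check a LaunchAgents
directory and a candidate bundle for the OSX/Leverage.A indicators the
article describes. Sample data built by build_sample() is constructed."""
import os
import plistlib
import re
import tempfile

# Location reported by Intego for the persistent copy of the Trojan.
LEVERAGE_APP = "/Users/Shared/UserEvent.app"
# Heuristic, assumed here: names a camera would give a photo (DSC00117, IMG_0042).
CAMERA_NAME = re.compile(r"^(DSC|DSCN|IMG|PICT)_?\d{3,}$", re.IGNORECASE)
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}


def launch_agents_referencing(agents_dir, target=LEVERAGE_APP):
    """Return the plist paths under agents_dir whose Program or
    ProgramArguments would execute something inside `target`."""
    hits = []
    if not os.path.isdir(agents_dir):
        return hits
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            continue  # unreadable or corrupt plist: cannot match, skip it
        candidates = []
        if isinstance(data.get("Program"), str):
            candidates.append(data["Program"])
        args = data.get("ProgramArguments")
        if isinstance(args, list):
            candidates.extend(a for a in args if isinstance(a, str))
        if any(c.startswith(target) for c in candidates):
            hits.append(path)
    return hits


def is_disguised_bundle(path):
    """True when `path` is an application bundle (a directory with
    Contents/Info.plist naming an executable) whose visible name, with the
    '.app' that Finder hides by default stripped, looks like an image file."""
    stem, ext = os.path.splitext(os.path.basename(path))
    if ext.lower() != ".app":
        return False
    looks_like_image = (os.path.splitext(stem)[1].lower() in IMAGE_EXTS
                        or CAMERA_NAME.match(stem) is not None)
    if not looks_like_image:
        return False
    info = os.path.join(path, "Contents", "Info.plist")
    if not os.path.isfile(info):
        return False
    with open(info, "rb") as fh:
        return "CFBundleExecutable" in plistlib.load(fh)


def build_sample():
    """Constructed sample tree: one benign agent, one agent pointing at the
    Leverage path, a camera-named bundle and an ordinary bundle."""
    root = tempfile.mkdtemp()
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.example.benign.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    with open(os.path.join(agents, "example.userevent.plist"), "wb") as fh:
        plistlib.dump({"Label": "example.userevent",  # constructed label
                       "ProgramArguments":
                           [LEVERAGE_APP + "/Contents/MacOS/UserEvent"],
                       "RunAtLoad": True}, fh)
    bundles = {}
    for name in ("DSC00117.app", "Calculator.app"):
        bundle = os.path.join(root, name)
        os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
        with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleExecutable": name[:-4]}, fh)
        bundles[name] = bundle
    return agents, bundles


if __name__ == "__main__":
    agents_dir, sample_bundles = build_sample()
    for hit in launch_agents_referencing(agents_dir):
        print("launch agent starts Leverage path:", hit)
    for name, p in sample_bundles.items():
        print(name, "disguised" if is_disguised_bundle(p) else "ordinary")
```

On a real machine the agents directory to pass is ~/Library/LaunchAgents (and /Library/LaunchAgents for system-wide agents); the bundle check is a heuristic and will also flag a legitimately named app, so treat a hit as something to inspect rather than proof of infection.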
