
Mac users warned vs new Trojan malware


Here's one more reminder for Mac users that their machines aren't invincible against viruses and malware.
 
Security vendor Sophos on Tuesday said a new Trojan targets victims by pretending to be an "undelivered courier item" message.
 
"By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an empty Safari window with the icon of the downloaded file in the Dock at the bottom of the screen. Clicking on the download button shows you what looks like a PDF file," Sophos' Paul Ducklin said in a blog post.
 
In fact there is no PDF file: Safari may have automatically unzipped the download and produced an Application bundle that merely carries a PDF icon, he added.
 
Ducklin said the temptation for the victim is to click on what looks like a PDF file to see what it contains.
 
While clicking on the "Open" button will not appear to do anything, it actually triggers a process running in the background, dubbed "foung."
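The disguise described above relies on an application bundle (a directory ending in `.app` with a `Contents/Info.plist`) whose name ends in a document extension and whose icon imitates a PDF. The script below is an added example, not code from the article or from Sophos: it walks a downloads folder and flags any app bundle whose name under the `.app` suffix looks like a document, reporting the executable the bundle would launch. The folder layout, the file names and the plist contents are constructed here for the demonstration; only the executable name "foung" is taken from the article.

```python
import os
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Union

# Document extensions a lure is likely to imitate: the types named in the article
# plus the PDF the bundle on the page pretended to be.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def is_app_bundle(path: Union[str, Path]) -> bool:
    """An OS X application bundle is a directory named *.app holding Contents/Info.plist."""
    path = Path(path)
    return (path.is_dir()
            and path.suffix.lower() == ".app"
            and (path / "Contents" / "Info.plist").is_file())


def looks_like_document(bundle: Union[str, Path]) -> bool:
    """True when the name under the .app suffix ends in a document extension.

    Finder hides the .app suffix by default, so 'tracking.pdf.app' is shown as
    'tracking.pdf' next to a PDF icon, which is exactly the trick in the article.
    """
    inner = Path(Path(bundle).stem)          # 'tracking.pdf.app' -> 'tracking.pdf'
    return inner.suffix.lower() in DOC_EXTENSIONS


def bundle_executable(bundle: Path) -> Optional[str]:
    """Return CFBundleExecutable from Info.plist, or None if the plist is unreadable."""
    try:
        with open(bundle / "Contents" / "Info.plist", "rb") as fh:
            return plistlib.load(fh).get("CFBundleExecutable")
    except (OSError, plistlib.InvalidFileException):
        return None


def find_masquerading_bundles(root: Path) -> List[Dict[str, Optional[str]]]:
    """Walk `root` and report app bundles whose names imitate documents."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in list(dirnames):
            candidate = Path(dirpath) / name
            if is_app_bundle(candidate):
                dirnames.remove(name)        # do not descend into the bundle's own contents
                if looks_like_document(candidate):
                    findings.append({"path": str(candidate),
                                     "executable": bundle_executable(candidate)})
    return findings


def build_sample_downloads(base: Path) -> Path:
    """Construct a sample Downloads folder: a real PDF, a harmless app, and a lure bundle.

    Everything here is constructed for the example; 'foung' is the process name
    quoted in the article, the other names are placeholders.
    """
    downloads = base / "Downloads"
    lure_macos = downloads / "Undelivered_item_tracking.pdf.app" / "Contents" / "MacOS"
    lure_macos.mkdir(parents=True)
    (lure_macos / "foung").write_bytes(b"constructed placeholder, not a real binary\n")
    with open(lure_macos.parent / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "foung",
                       "CFBundleIconFile": "pdf.icns"}, fh)   # PDF-style icon
    benign = downloads / "Calculator.app" / "Contents"
    benign.mkdir(parents=True)
    with open(benign / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Calculator"}, fh)
    (downloads / "invoice.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    return downloads


def run_demo() -> List[Dict[str, Optional[str]]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_masquerading_bundles(build_sample_downloads(Path(tmp)))


if __name__ == "__main__":
    for finding in run_demo():
        print(f"suspicious bundle: {finding['path']} (launches {finding['executable']})")
```

Run against a real `~/Downloads` by passing that path to `find_masquerading_bundles`; the check is cheap enough to schedule, and the reported executable name is the process a user would otherwise only notice after clicking "Open".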
 
And here's the rub: "foung" is a bot detected by Sophos' anti-malware software as OSX/LaoShu-A.
 
"LaoShu-A as good as hands control of your Mac over to the attackers, though its primary functions appear to be more closely associated with data stealing than with co-opting you into a traditional botnet," Ducklin said.
 
Ducklin said LaoShu-A can:
 
  • Search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX.
  • ZIP files with such extensions.
  • Upload (exfiltrate) the files to a server operated by the attackers.
  • Download new files.
  • Run arbitrary shell commands.
 
Masquerading as email
 
Ducklin said the malware works by masquerading as an email that claims to be from a courier company "having trouble delivering your article."
 
The email contains a link to an attachment that claims to be a tracking note, and invites the recipient to review the supposed document and respond.
 
However, Ducklin said that if the email recipients use a mobile device, the server delivers an error message.
 
Windows users
 
On the other hand, users of desktop browsers that are not detected as Safari will get a ZIP file containing a Windows program detected as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware.
 
In the meantime, Ducklin advised email recipients to be more suspicious of the email they get.
 
"E-mail is still one of the most common ways people get infected, and it is predominantly through social engineering attacks... So when you receive an e-mail from someone you've never heard of before, or you've never communicated with before, and there's some interesting attachment to the e-mail or [a link to click], ...don't do that! That's one of the most common ways people get infected," he said. — TJD, GMA News