A new Mac OS X threat has been discovered that masquerades as an innocent PDF document on a controversial topic. It implements a technique long used by Windows malware to hide malicious activity: a decoy document is opened in the foreground while the real payload runs in the background.
When the Mac malware is executed, it attempts to drop a non-malicious PDF file into the /tmp folder and open it [Figure 1]. The PDF and its content are intended to distract the user and hide the malicious activity running in the background. The dropper is detected as OSX/Revir.A.
[Figure 1 - Non Malicious PDF File]
While the user is convinced that they have opened a harmless PDF document, the malware is already running in the background and attempts to drop and execute a downloader component at /tmp/host. The downloader component is also detected as OSX/Revir.A.
The downloader component retrieves the file "cdmax" from the host "tarmu.narod.ru", saves it to /tmp/updtdata and executes it. The file "cdmax" is detected as OSX/Imuler.A.
Once OSX/Imuler.A is executed, it attempts to drop a copy of itself as "checkvir" in /Users/%user%/Library/LaunchAgents/ (the user's ~/Library/LaunchAgents/ folder). It then creates "checkvir.plist" in the same folder. launchd loads per-user agent definitions from that folder at every login, so the backdoor is started again each time the user logs in and stays active on the system.
It contacts the remote server "www.teklimakan.org" and is capable of carrying out the following commands:
- Capture the screen
- Upload files to the command-and-control server
How to Remove OSX/Revir.A and OSX/Imuler.A:
1) Kill the running process.
Using Spotlight, open Activity Monitor, filter the process list by searching for "checkvir", select the process and click Quit Process.
2) Delete OSX/Revir.A and OSX/Imuler.A files and components.
Delete /tmp/host (the OSX/Revir.A downloader) and /tmp/updtdata (the downloaded OSX/Imuler.A binary).
Go to /Users/%user%/Library/LaunchAgents/ (~/Library/LaunchAgents/) and delete both checkvir and checkvir.plist. Removing only the binary leaves behind an agent definition that launchd will try to run again at the next login, so the plist must go too.
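The indicators and removal steps above as one POSIX shell script. This is an added example, not code from the original advisory or from Total Defense. It uses only the paths the advisory names and assumes no other artifacts are on disk; the home and tmp directories are parameters so the scan can be dry-run against a mounted copy of a suspect volume. Two things go beyond the advisory's own steps: the agent is unloaded with launchctl before its files are deleted, so launchd cannot restart the process, and the persistence check greps every plist in LaunchAgents for the string "checkvir" rather than trusting the file name, on the assumption that a renamed agent definition would still reference the dropped binary.

```shell
#!/bin/sh
# Triage-and-removal helper for the OSX/Revir.A dropper and OSX/Imuler.A backdoor.
# Added example; not the advisory's own code. File paths come from the advisory;
# the home and tmp directories are parameters so the functions can be exercised
# against a test tree or a mounted image instead of the live system.
set -u

# Artifacts the advisory lists, relative to the user's home folder and to /tmp.
# Assumption: nothing else is dropped; the advisory names no further files.
HOME_ARTIFACTS="Library/LaunchAgents/checkvir Library/LaunchAgents/checkvir.plist"
TMP_ARTIFACTS="host updtdata"

# Print every listed artifact present under $1 (home) and $2 (tmp), one per line.
# Returns 0 when at least one was found, 1 when the tree looks clean.
find_imuler_artifacts() {
    home="$1"; tmp="$2"; found=1
    for rel in $HOME_ARTIFACTS; do
        if [ -e "$home/$rel" ]; then echo "$home/$rel"; found=0; fi
    done
    for rel in $TMP_ARTIFACTS; do
        if [ -e "$tmp/$rel" ]; then echo "$tmp/$rel"; found=0; fi
    done
    return $found
}

# A LaunchAgent plist keeps the backdoor alive across logins by pointing
# ProgramArguments at the dropped binary. Print every plist under
# $1/Library/LaunchAgents that mentions "checkvir", whatever the plist is named.
# Returns 0 when at least one matches (grep -l's own exit status).
find_persistence_plists() {
    dir="$1/Library/LaunchAgents"
    [ -d "$dir" ] || return 1
    grep -l 'checkvir' "$dir"/*.plist 2>/dev/null
}

# Carry out the advisory's removal steps in a safe order: unload the agent so
# launchd does not respawn it, stop the running process, then delete the files.
# launchctl and pkill are only called when present, so this also runs on a test tree.
remove_imuler() {
    home="$1"; tmp="$2"
    plist="$home/Library/LaunchAgents/checkvir.plist"
    if command -v launchctl >/dev/null 2>&1 && [ -f "$plist" ]; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    if command -v pkill >/dev/null 2>&1; then
        pkill -x checkvir 2>/dev/null || true   # same effect as Quit Process in Activity Monitor
    fi
    for rel in $HOME_ARTIFACTS; do rm -f "$home/$rel"; done
    # The advisory does not say whether /tmp/host and /tmp/updtdata are files or
    # directories, so remove either form.
    for rel in $TMP_ARTIFACTS; do rm -rf "$tmp/$rel"; done
}

# Usage: sh imuler_triage.sh scan|remove [home] [tmp]   (defaults: $HOME and /tmp)
case "${1:-}" in
    scan)   find_imuler_artifacts "${2:-$HOME}" "${3:-/tmp}"
            find_persistence_plists "${2:-$HOME}" ;;
    remove) remove_imuler "${2:-$HOME}" "${3:-/tmp}" ;;
esac
```

Run `scan` first and keep its output as the evidence list; only then run `remove`. On a machine where the agent is still loaded, the unload step is what makes the Quit Process step stick.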
Ensure that your Total Defense Products are updated with the latest signatures at all times.