Although Macs have a squeaky-clean image of being malware-free, that may start to change as the platform grows more popular. Researchers at F-Secure and Sophos have discovered a new trojan horse for Mac OS X that is disguised as a PDF file. The malware was first seen in July and has now been identified as two components that work together to install a backdoor.
The first is a trojan dropper that installs a downloader component while covering its tracks by opening a PDF file. The PDF contains Chinese text and serves only as a decoy while a backdoor program is downloaded and installed on the system. The backdoor then creates a launch agent, so that launchd restarts it automatically, and sends the system's current username and MAC address to a remote server. The server can then instruct it to archive files for upload or to upload screenshots.
At the moment, F-Secure says the malware doesn't work very well and looks quite crude; it may still be in a testing phase and could become more advanced. It is not yet known how the malware is being distributed, but e-mail attachments and underground web sites are the likely routes. It is therefore best to avoid opening PDF files from unknown sources, and worth remembering that the disguise is only a file name and icon: a supposed PDF whose Finder Get Info window lists its Kind as an application or Unix executable rather than a PDF document should be treated as a program, not a document.
If you suspect your Mac may be infected and you do not have a malware scanner, open Activity Monitor and look for a process called "checkvir". Because the launch agent will restart the process if it is simply killed, unload the agent first (with the launchctl unload command, or by logging out), then select the checkvir process in Activity Monitor and click the red Quit Process button, quit Activity Monitor, and delete the files "checkvir" and "checkvir.plist" from ~/Library/LaunchAgents/ (that is, /Users/<your username>/Library/LaunchAgents/). Removing these two files removes the backdoor and its persistence, but not necessarily the dropper or the downloader component it installed, so a scan with an up-to-date tool is still worthwhile afterwards.
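The manual check above, automated as a small POSIX shell script. This is an added example and is not code from the article, from F-Secure or from Sophos: the only indicator it takes from the text is the name "checkvir"; the directory layout (binary and plist side by side in LaunchAgents) is the article's description, and the function names, the --remove flag and the ordering (unload, kill, delete) are the example's own choices. The LaunchAgents directory is a parameter, so the functions can be exercised against any folder.

```shell
#!/bin/sh
# Added example (not from the article, F-Secure or Sophos). Looks for the
# "checkvir" launch agent described in the text and, on request, removes it
# in an order that does not let launchd respawn the process.

IOC_NAME="checkvir"   # process / file name given in the article; everything else is assumed

# scan_launch_agents DIR
#   Prints every regular file in DIR whose name contains the indicator, or
#   whose contents reference it (e.g. a plist whose ProgramArguments point at
#   the binary under some other label). Exit status 0 if at least one file
#   matched, 1 otherwise.
scan_launch_agents() {
    dir="$1"
    matched=1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            *"$IOC_NAME"*) echo "$f"; matched=0; continue ;;
        esac
        if grep -q "$IOC_NAME" "$f" 2>/dev/null; then
            echo "$f"; matched=0
        fi
    done
    return "$matched"
}

# remove_launch_agent PLIST
#   Order matters: unload the agent first (launchctl, when the host has it),
#   then stop the running process, then delete the plist and the binary that
#   the article says sits beside it in the same directory (assumed layout).
remove_launch_agent() {
    plist="$1"
    case "$plist" in
        */*) dir="${plist%/*}" ;;
        *)   dir="." ;;
    esac
    if command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    if command -v pkill >/dev/null 2>&1; then
        pkill -x "$IOC_NAME" 2>/dev/null || true
    fi
    rm -f "$plist" "$dir/$IOC_NAME"
}

# main [--remove]
#   Scans the current user's LaunchAgents folder; reports only, unless
#   --remove is given, in which case every matching plist is removed.
main() {
    agents="${HOME}/Library/LaunchAgents"
    if hits=$(scan_launch_agents "$agents"); then
        echo "Indicator '$IOC_NAME' found in $agents:"
        echo "$hits"
        if [ "${1:-}" = "--remove" ]; then
            echo "$hits" | grep '\.plist$' | while IFS= read -r p; do
                remove_launch_agent "$p"
            done
        fi
    else
        echo "No '$IOC_NAME' launch agent in $agents"
    fi
}

main "$@"
```

Run it without arguments to report, and with --remove to clean up; launchctl unload is the legacy subcommand but still accepted on current macOS, and the script degrades to plain file deletion on hosts without it. Matching on file contents as well as file names matters because a plist can carry any Label while its ProgramArguments still point at the checkvir binary.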