The initial report on the trojan was written by Lisa Myers at Intego. "The Trojan," she wrote, is an application that is disguised as a picture – the .app file-extension is not visible by default."
Ken Westin, a security researcher at Tripwire, explains, "This Trojan tricks the user by disguising an executable file as a different file type, such as an MP3 or an image or a harmless application." But, he adds, it also "proves it’s possible to write trojans for Macs and it’s not particularly difficult.”
He explains that Apple's method of defending against this type of attack is to display '.app' as the file extension for executable files. " However," he says, "this mechanism is easy to circumvent by utilizing homoglyphs (characters that look similar). I found another unicode character that looked like a period, a Turkish character called the ‘ogonek’, and inserted it followed by ‘mp3’. When this happens OSX doesn’t show the ‘.app’ extension that tells the user the file is an executable.”
Now he has published a new blog explaining how. "I stumbled upon a way to create Trojans for OS X by utilizing homoglyphs and a bit of social engineering," he says. "I was able to show how it is possible to create a binary that appears to the end user as a harmless file such as an MP3 file or image."
As a proof of concept he created an Applescript application that gathers data from the system. He called the file nnn[ogonek]mp3, which fooled the OS into not recognizing it as a fake executable. "I then changed the icon of my application to the standard MP3 icon and the disguise was complete. When the file is double clicked it would open iTunes and pass a URL with data encoded in the query string to a remote server where I logged the data collected from my semi-willing test victims."
To Apple’s credit, he added, "they made “DeveloperID and Gatekeeper” available as of Mountain Lion which helps to mitigate the risk of this particular attack, but only if it is enabled."
There are three takeaways from this incident. Firstly, that Apple Macs are not as immune to malware as many users still believe. Secondly, that trojan should not necessarily be taken at face value. When Infosecurity contacted the Syrian Electronic Army, widely credited with the trojan because it downloads the SEA logo, the group responded, "No, it's not associated with us." That proves nothing, of course, but SEA is not normally backward in taking credit.
And finally, it also shows that Apple is far more willing to work with the security industry for OS/X than it is for iOS. "My understanding is that Apple has now added a signature to its XProtect utility and quite a few AV companies now have specific detection," David Harley, ESET senior research fellow and a Mac specialist at Mac Virus told Infosecurity. "In any case its spread always seems to have been limited, probably highly targeted, so it isn’t a major threat to the average Mac user, especially those using a recent version of OS X. It’s good to see cooperation between Apple and the AV industry in addressing these things, though."
Harley will be delivering a presentation on Mac malware at this year’s Virus Bulletin 2013 conference in Berlin, Germany, from 2-4 October.