Revir's Ride not a Derby Winner


Since new Mac-specific malware is pretty rare, I suppose I can't really ignore the malware that most AV companies are calling Revir.A (the dropper and downloader) and Imuler.A (the backdoor that carries the sting, such as it is), though Sophos is calling it Revir.B. (Sophos doesn't have an earlier variant: that's apparently just an artifact of the company's naming system).

While the impact of this pair of beauties in the real world is not likely to be significant at their present stage of development, the approach they use is kind of interesting.

The malicious application poses as a PDF, and in fact displays a PDF embedded in its own body (the document is inside the executable, not the other way round, whatever you may have read elsewhere). This shows a page of somewhat politically contentious Chinese text (apparently - reading Chinese is not in my skillset) while the app goes about its real business of extracting a downloader that fetches and installs a backdoor Trojan (the Imuler.A component). The backdoor is supposed to communicate with a C&C (Command and Control) server - standard botnet stuff - but according to F-Secure the server is at present just a barebones Apache installation, and the backdoor/agent has no working communication channel to it yet.

Much has been made of the similarity between this and established techniques for infection used in Windows malware. In fact, I'd say the most striking similarity is in the use of a phased infection process using several components.

Of course, PDFs are, in some form, a common infection vector, but the case here is slightly different. The PDF is "real" but not booby-trapped with some kind of 0-day, as is common with targeted malware connected with that part of the world. And while some have mentioned the venerable Windows trick of using a double extension like *.pdf.exe to trick the victim into opening an executable by kidding them it's a PDF (a trick that works because Explorer hides known extensions by default, so report.pdf.exe is shown as report.pdf), that isn't really an exact parallel. While many file formats (including PDF) conventionally carry a DOS/Windows-style filename extension, OS X doesn't rely on the extension to decide whether a file is executable: a Mach-O binary with the execute bit set will run whatever it is called. (Actually, the same goes for Windows in some contexts, but let's not get .BOG-ged down in that.)

There is an oddity here in that the one sample I know of, originally received from Virus Total [http://www.virustotal.com], has neither a file extension nor an icon. Since the OS doesn't need a file extension (except when running a different OS under emulation), the first omission isn't necessarily significant. Using an icon to con the victim into running an executable when he thinks he's opening a document is, however, not uncommon among Windows Trojans, and not unknown on Macs - I seem to remember at least one trojan trying a similar approach way back in pre-OS X days.
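Since the sample carries neither an extension nor an icon, the only reliable way to tell what it is is to look at the bytes. The script below is an added example written for this post (not code from the original article or from any of the AV vendors mentioned): it classifies a file by its leading magic bytes rather than its name, flags executable content hiding behind a document extension, and looks for a `%PDF-` header buried inside a Mach-O body, the layout Revir.A uses to show a real PDF while the dropper does its work. The three sample blobs are constructed for the example and contain no real malware.

```python
"""Content-vs-name triage for a suspicious Mac file.

Added example, not code from the original post or from any AV vendor.
The sample bytes built in build_samples() are constructed, not taken
from malware: a fake Mach-O header followed by filler and a PDF header.
"""
import os
import struct
from typing import Dict, List, Optional

# Thin Mach-O magic numbers as they appear in the first 4 bytes.
MACHO_THIN_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, either endianness
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, either endianness
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # universal (fat) binary; also Java .class magic
PDF_MAGIC = b"%PDF-"
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def sniff_type(data: bytes) -> str:
    """Classify by content alone; the filename is never consulted."""
    head = data[:4]
    if head in MACHO_THIN_MAGICS:
        return "macho"
    if head == FAT_MAGIC and len(data) >= 8:
        # Disambiguate from Java class files the way libmagic does: a fat
        # header's nfat_arch is tiny, a class file's version word is >= 45.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        return "macho" if nfat_arch <= 30 else "java-class"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def find_embedded_pdf(data: bytes) -> Optional[int]:
    """Offset of a PDF header inside the body (never at offset 0), else None."""
    idx = data.find(PDF_MAGIC, 1)
    return None if idx == -1 else idx


def triage(name: str, data: bytes) -> Dict[str, object]:
    """Return the content type, the claimed extension and any findings."""
    ext = os.path.splitext(name)[1].lower()
    content = sniff_type(data)
    embedded = find_embedded_pdf(data) if content == "macho" else None
    findings: List[str] = []
    if content == "macho" and ext in DOCUMENT_EXTENSIONS:
        findings.append(f"Mach-O content behind document extension {ext!r}")
    if embedded is not None:
        findings.append(f"PDF header embedded at offset {embedded} (decoy document)")
    return {
        "name": name,
        "content": content,
        "extension": ext,          # '' when the name has no extension at all
        "embedded_pdf_offset": embedded,
        "findings": findings,
        "suspicious": bool(findings),
    }


def build_samples() -> Dict[str, bytes]:
    """Constructed inputs: a 64-byte fake Mach-O header plus filler."""
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 60
    decoy_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    return {
        "politics": fake_macho + b"\x00" * 100 + decoy_pdf,  # Revir-style: no extension, PDF inside
        "report.pdf": fake_macho,                             # executable wearing a .pdf name
        "memo.pdf": decoy_pdf,                                # an honest PDF
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        result = triage(name, blob)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name:12s} {result['content']:10s} {flag}: {'; '.join(result['findings'])}")
```

The fat-binary check is the one caveat worth knowing: `0xcafebabe` is shared with Java class files, so a scanner that keys on the magic alone will misfile every `.class` on the box as a universal binary.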

It's possible, as F-Secure suggests, that the icon simply fell off the sample somewhere along the line: these things happen sometimes with Apple applications, which may have both a resource fork and a data fork, a concept that does not survive transit through tools and operating systems (Linux, for instance) that only understand a single data stream. It's also perfectly possible that this is just a proof-of-concept trial run that somehow got submitted to Virus Total. As Intego quite rightly point out, the design is pretty clunky. Sophos note that they were unable to persuade it to execute. Intego also reports that the initial app can only execute on Intel-based Macs, while the backdoor can't work on a Mac using a case-sensitive file system. The default HFS+ format is case-insensitive (though case-preserving), unlike the file systems used on most other Unix or Unix-like systems, but OS X also offers a case-sensitive variant (HFSX) at format time, and on such a volume the backdoor's path handling falls over.
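Whether an analysis volume is case-sensitive is not always obvious from the outside, and it decides whether this backdoor runs at all. The probe below is an added example, not code from the original post or from any of the vendors it cites; it writes a lowercase marker file and checks whether its uppercase twin resolves to the same file, which is exactly the property the backdoor implicitly depends on. It runs on any OS and cleans up after itself.

```python
"""Probe whether a directory sits on a case-sensitive file system.

Added example, not from the original post. On a case-insensitive HFS+
volume (the OS X default) 'Backdoor' and 'backdoor' are the same file;
on HFSX or a Linux ext4 volume they are not.
"""
import os
import tempfile
import uuid


def is_case_sensitive(directory: str) -> bool:
    """Create a lowercase probe file and see if its uppercase twin resolves."""
    token = uuid.uuid4().hex          # unique so we never touch a real file
    lower = os.path.join(directory, f".casecheck-a-{token}")
    upper = os.path.join(directory, f".CASECHECK-A-{token}")
    with open(lower, "w"):
        pass
    try:
        # On a case-insensitive volume the uppercase name is the same file,
        # so it "exists"; on a case-sensitive one it does not.
        return not os.path.exists(upper)
    finally:
        os.remove(lower)


def describe(directory: str) -> str:
    """One-line verdict for a path, in the terms the post uses."""
    sensitive = is_case_sensitive(directory)
    return f"{directory}: {'case-sensitive' if sensitive else 'case-insensitive'} volume"


if __name__ == "__main__":
    for path in (tempfile.gettempdir(), os.getcwd()):
        print(describe(path))
```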

It is, of course, quite possible that this is a work in progress: if so, it doesn't seem to be progressing very fast, but who knows how fast its little feet are paddling under the surface?
