Apple Updates Anti-Malware Tools to Address New Trojan Threat

Blurred screenshot of PDF file deployed by OSX/Revir.A

Late last week, a new trojan threat has targeted Mac users. It consists of two parts, with the first being a trojan downloader known as "OSX/Revir.A" that downloads and opens a PDF document containing "offensive political statements" written in Chinese, and installs a a backdoor known as OSX/Imuler.A that allows to get access to the user's machine.

When the backdoor is installed, it will set up a launch agent on the system that is used to continually keep the malware active on the system. It will then connect to a remote server and send the system's current username and MAC address to the server, after which the server will instruct it to either archive files and upload them, or take screenshots and upload them to the server.

Apple has quickly responded having updated its malware definitions for Snow Leopard and Lion systems so that they can recognize the trojan.

CNET has also reported that another trojan horse, known as OSX/flashback.A, has been discovered. The new trojan masquerades as a Flash Player installer to trick users into installing the package.

Unlike the previous Flash Trojan (called Bash/QHost.WB), which changed one file on the system, this new Trojan is a bit more complex and first deactivates network security features, then installs a dyld library that will run and inject code into applications that the user is running. The Trojan will also try to send personal information and machine-specific information to remote servers.

The situation requires from Apple to quickly update its malware definitions to help recognize the new threat and to warn users about malicious nature of a file/package they are going to download.