
On November 30, Apple silently added a signature to the macOS XProtect anti-malware system for something called. It was a mystery what HiddenLotus was until, later that same day, Arnaud Abbati found the sample and shared it with other security researchers on Twitter.

The HiddenLotus “dropper” is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document, in this case an Adobe Acrobat file. This is the same scheme that inspired the file quarantine feature in Mac OS X. Introduced in Leopard (Mac OS X 10.5), this feature tagged files downloaded from the Internet with a special piece of metadata to indicate that the file had been “quarantined.” Later, when the user tried to open the file, if it was an executable file of any kind, such as an application, the system would display a warning to the user.

The intent behind this feature was to ensure that the user knew that the file they were opening was an application, rather than a document. Even back in 2009, malicious apps were masquerading as documents. File quarantine was meant to combat this problem. Malware authors have been using this trick ever since, despite file quarantine. Even earlier this year, repeated outbreaks of the Dok malware were distributed in the form of applications disguised as Microsoft Word documents.

So HiddenLotus didn’t seem all that interesting at first, other than as a new variant of the OceanLotus backdoor first seen being used to attack numerous facets of Chinese infrastructure. OceanLotus was last seen earlier this summer, disguised as a Microsoft Word document and targeting victims in Vietnam.

But there was something strange about HiddenLotus. Unlike past malware, this one didn’t have a hidden .app extension to indicate that it was an application. Yet the Finder somehow identified it as an application anyway. Further investigation did not turn up a hidden extension. There was also no sign of a trick like the one used by Janicab in 2013. Janicab used the old fake document technique, being distributed as a file named (apparently) “.” However, the use of an RLO (right-to-left override) character caused characters following it to be displayed as if they were part of a language meant to be read right-to-left, instead of left-to-right as in English. In other words, Janicab’s real filename was actually “,” but the presence of the RLO character after the first period in the name caused everything following to be displayed in reverse in the Finder.

However, this deception was not used in HiddenLotus. Instead, it turned out that the ‘d’ in the .pdf extension was not actually a ‘d.’ Instead, it was the Roman numeral ‘D’ in lowercase, representing the number 500.

It was at this point that Abbati’s tweet referring to “its very nice small Roman Unicode” began to make sense. However, it was still unclear exactly what was going on, and how this special character allowed the malware to be treated as an application. After further consultation with Abbati, it turned out that there’s something rather surprising about macOS: An application does not need to have a.
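As an added example (not code from the original post or from Malwarebytes), here is a small Python check that flags the two filename disguises discussed above: bidi override characters such as the RLO used by Janicab, and non-ASCII look-alike characters inside the apparent extension, such as the lowercase Roman numeral D that HiddenLotus used in place of the ‘d’ in .pdf. It assumes that character is U+217E (SMALL ROMAN NUMERAL FIVE HUNDRED) and that the RLO is U+202E; the sample filenames are constructed for the demonstration.

```python
import unicodedata

# Unicode bidi controls that can reorder displayed text (the RLO trick Janicab used).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def apparent_extension(name):
    """Extension as a user would read it: text after the last period, folded to its
    closest ASCII form with NFKC (U+217E, small Roman numeral D, folds to 'd')."""
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return unicodedata.normalize("NFKC", ext)


def suspicious_filename(name):
    """Return human-readable findings for deceptive Unicode in a filename.

    Non-ASCII in the base name is left alone (the HiddenLotus name is Vietnamese,
    which is normal); only bidi controls anywhere and non-ASCII inside the extension
    are reported, since those are what make a bundle look like a document."""
    findings = []
    for ch in name:
        if ch in BIDI_CONTROLS:
            findings.append(f"bidi control U+{ord(ch):04X} ({unicodedata.name(ch, '?')})")
    raw_ext = name.rsplit(".", 1)[-1] if "." in name else ""
    for ch in raw_ext:
        if ord(ch) > 0x7F:
            folded = unicodedata.normalize("NFKC", ch)
            note = f" and displays like '{folded}'" if folded != ch else ""
            findings.append(
                f"non-ASCII U+{ord(ch):04X} ({unicodedata.name(ch, '?')}) "
                f"in extension {raw_ext!r}{note}"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample names (not real samples): a clean PDF, a HiddenLotus-style
    # name with U+217E in place of 'd', and an RLO-disguised bundle name.
    samples = ["report.pdf",
               "Lê Thu Hà (HAEDC).p\u217ef",
               "notes.\u202efdp.app"]
    for s in samples:
        print(repr(s), "->", apparent_extension(s), suspicious_filename(s) or "clean")
```

Run over a download directory, the check reports the U+217E extension as looking like ‘pdf’ while flagging the substituted character, and reports any RLO wherever it sits in the name.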
