New Mac Malware Uses Right-to-Left Override To Trick Users


By Michael Sweeting

After a relatively long lag period without any particularly new and exciting Mac malware, last week we saw the surfacing of a new and interesting method of compromising the OS X system. Malware authors have taken a new approach: altering the file extension of a malicious .app package so that users think they are opening a relatively harmless .pdf or .doc file. Changing file extensions in Mac OS X can be tricky because of a built-in security feature of the OS that detects attempts to change the extension and automatically appends the correct extension for the file or package type. So what’s the trick, you may ask? In order to get around this built-in OS X security feature, the malware authors are using what the post’s title calls the “right-to-left override” (the author also refers to it as “right-to-left encoding”), inserted with the built-in Mac OS X Character Viewer. The OS X Character Viewer lets the user very easily insert a vast array of characters and text input methods, which in this case gives the malware author the ability to insert a fake file extension using the right-to-left override character.

So, how does this work? It is actually quite simple and can be done by just about any Mac user in a few steps using the Mac OS X Character Viewer. The OS X Character Viewer contains a right-to-left control character that is meant for writing languages such as Hebrew, which run from right to left rather than the left-to-right direction used for English and many other Western European languages. The Unicode character used in this case is “U+202E” (RIGHT-TO-LEFT OVERRIDE). By opening the OS X Character Viewer and searching for “U+202E”, the malware author can select that character and insert it into the name of the .app package when changing its extension. The catch is that the malware author has to type the desired file extension backwards to get the desired result: to make the name end in “pdf”, the author types “fdp” immediately after the U+202E character. After hitting Enter to apply the change, the package name appears to end in .pdf, circumventing the built-in security feature that appends the .app extension, because everything after the override character (including the real “.app” suffix) is displayed in reverse.
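The rename trick above is easy to detect once you look at the raw file name rather than the rendered one. The following Python script is an added example (not code from the original post or from the malware): it flags bidirectional control characters in a name, approximates what a bidi-aware Finder would render, and compares the displayed extension with the one the OS actually dispatches on. The sample file names are constructed for illustration.

```python
# Added example, not from the original post: detect file names that use the
# Unicode right-to-left override (U+202E) to disguise their real extension,
# and show what a bidi-aware Finder would render versus the true suffix.
import unicodedata

# Bidirectional control characters that can be abused inside a file name.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)

def displayed_name(name: str) -> str:
    """Approximate the visual rendering: text after an RLO (U+202E) is
    reversed up to the next PDF (U+202C) or the end of the string; other
    bidi controls are invisible and simply dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)

def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def analyze(name: str) -> dict:
    """Compare the extension the user sees with the one the OS acts on."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real = _ext("".join(c for c in name if c not in BIDI_CONTROLS))
    return {
        "bidi_controls": controls,
        "displayed": shown,
        "displayed_ext": _ext(shown),
        "real_ext": real,
        "extension_mismatch": bool(controls) and _ext(shown) != real,
    }

if __name__ == "__main__":
    # Constructed sample names; the first mimics the .app-as-.pdf disguise.
    for n in ["Invoice.\u202efdp.app", "report.pdf", "notes.docx"]:
        print(repr(n), "->", analyze(n))
```

Any bidi control character in a file name is worth flagging on its own; the extension mismatch is the stronger signal that the name was crafted to deceive.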

Although the malware author can use this technique to change the file extension that the user sees in the Finder, the Mac OS still knows that the file is an .app package. As part of the built-in Mac OS X Gatekeeper protection, when a user attempts to open an .app package that has been downloaded from the internet, the OS alerts the user with a warning asking whether they would like to continue opening the .app. In this case, however, since the .app package has been renamed using the Unicode right-to-left override, the OS displays the usual warning message written completely backwards, which is very confusing to the user, who can’t understand what is being asked of them. The malware author of course hopes that in the confusion the user will simply click “Open” and continue with the installation. In addition to the OS X warning message, Apple’s Gatekeeper has a setting that lets users choose to open only .app packages signed with a valid Apple Developer ID. In the case of OSX.Janicab.A, the malicious .app package is actually signed with a legitimate Apple Developer ID. Although this allows the malware author to meet the signed-.app requirement, it also allows Apple to easily stop this type of malware distribution in its tracks by revoking the developer account.

In the case of the new OSX.Janicab.A malware, once the user has allowed the installation of the disguised .app package, the malware drops and opens a decoy document, creates a cron job, and creates a hidden folder in the user’s home directory in which to store its components. The malware then connects to various malicious URLs to obtain the address of its command and control server. Once connected to the command and control server, the malware takes screenshots, records audio, and uploads them to the remote server. The malware also listens for additional commands from the command and control server, so the malware author can add functionality to it later. In addition to stealing personal confidential user information, I could see this malware possibly being used to make the user’s machine part of a botnet.

After a long period of not seeing many new techniques for compromising Mac OS X, this right-to-left override technique is a very interesting approach. It shows that malware authors are actively working on new ways to circumvent Apple’s built-in Gatekeeper security settings, and that their creativity will continue to pose threats to the OS X platform in the future.

Webroot SecureAnywhere users are protected against this type of attack.
