MacControl Trojan Being Used In Targeted Attacks Against OS X Users
Trailrunner7 writes "Welcome to the age of targeted attacks, Mac users. Perhaps having grown tired of owning Windows machines around the world for the last few years, attackers have now taken up the challenge of going after Macs with the same kind of targeted attack tactics that have served them so well in the Windows world. Researchers have found a new attack that employs two separate pieces of malware, a malicious Word document and some techniques for maintaining persistence on compromised machines, and the campaign is specifically targeted at Mac users. The command-and-control domain involved in the attack is located in China and the attack exploits a three-year-old vulnerability in the way that Office for Mac handles certain Word files, according to researchers at AlienVault, who discovered and analyzed the attacks."
Now how cool is that. A new threat is found for the Mac platform and it's in a Microsoft product of course. :D
It's an improvement on the previous round, though. Last time it was about malware that required you to actually install it.
Apple exploit found in the wild... targets Microsoft product running on Apple OS.
I like the persistence bit though - use the standard plist files to maintain persistence just like any normal piece of code (like maintaining persistence by running a Windows Service).
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
Another reason to use Open Office.
So that's an error in a Microsoft product that allows for Mac to get owned?
Interesting that this Mac exploit only applies to Mac users who use Microsoft Word. Not saying that Macs are ultra-secure, but maybe the malware authors are just going after the low-hanging fruit, which is Microsoft software, regardless of what platform it's installed on.
Maybe this is how MS will finally put to rest the notion that Linux is more secure than Windows: they'll release MS Office For Linux, which will then open Linux users up to the same level of insecurity Windows users have had forever.
Oh wait, this isn't an iPhone thread.
Damnit Slashdot, you got me again!
Another reason not to use office software outside a virtual machine...
I've used Libreoffice, Neooffice or OO on my mac, and all of those prompt me to update reasonably regularly - certainly more often than every 3 years! While it can be annoying, it's probably better than a compromised computer.
(Insert Microsoft bashing for karma-whore points here)
It's gone mainstream. Now that it has viruses, it's like the Miley Cyrus of computing.
Time to find something more obscure. OpenVMS on an Atom system with a retro GEOS interface. That's the ticket.
I used to like Apple before it was mainstream, but now I've moved on. Just like with White Ring and fixies.
Futurist Traditionalism
Any OS that can be pwned by an exploit in *any* software running in user mode is insecure. Sorry, but those are the facts.
The reason for using an exploit in MS Office is that it is one of the most commonly used software products on Macs, since its very beginning. So developing an exploit that targets commonly used software means a better chance of spreading it.
Actually this is what you get when you shut/put off updates.
Macs had a flurry of trojans that hit them last year too. Apple put out the 10.6.8 update that allowed them to deliver daily anti-malware updates, and then used it to block every variant of the trojan within a matter of hours after it first appeared. Since 10.6 or above has been the default on all new Macs for the last 2.5 years, and Software Update is enabled by default to regularly check for updates, you can bet that the vast majority of Mac users will be receiving an automatic anti-malware update sometime later this week or next to deal with the trojan.
Really? Aren't we just getting a little paranoid? Why not take it one step further and suggest to sandbox every application inside the VM OS?
Cool, that leaves me out, unless libreoffice is vulnerable too.
---- Booth was a patriot ----
Didn't Apple force Microsoft to continue developing Office for Mac with some legal bollocks?
Pretty sure Hipsters are still safe.
Nerds who mock hipsters, however, remain ever in peril from a universe that loves to inflict identical troubles on those who mock.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Great idea! Is someone working on that?
While I know that some Linux viruses have been done as proof of concept, I don't think anybody has ever successfully made a Linux virus that has actually gone "into the wild", as it were.
File under 'M' for 'Manic ranting'
You know, if you don't update OpenOffice for 3 years you are probably just as vulnerable.
I agree... somehow when there's a post on an MS app being exploited on an MS OS, the attitude is that the OS is so insecure that it allows an app's insecurity to compromise the system, but for some reason if you get an MS app being exploited on a 3rd-party OS, it's all about how it's only the app's fault, and has nothing to do with the OS in any way, shape or form.
Vulnerability is in Microsoft Office, path of infection is opening a loaded Word document.
Not likely; OO.o has a much smaller number of known users than MS Office, so there probably aren't many malware writers bothering with it.
However, MS always seems to have a bad habit of totally ignoring security with their architectural decisions, such as their macro language use in MSO. Someone more knowledgeable than me could comment on how OO.o's (and LO's) macro language compares with MSO's in regard to security.
From TFA: "The second stage then executes and some files are copied to the /tmp/ folder and then executes a script"
The problem is NOT the Word document, or even M$, but that some nong has a world-writable temporary file from which programs or scripts can be executed. "noexec" in fstab should put an end to it.
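The comment above proposes `noexec` on the temp filesystem as the mitigation. An added example (not from the thread, and not tied to any tool named on the page) of how a defender can verify that claim on a given host: it parses `mount`-style output and reports whether the mount that actually backs a path carries `noexec`. The two mount tables below are constructed samples: one Linux host with a dedicated tmpfs on /tmp, and one macOS-style host where, as a later comment observes, there is only the root mount, so /tmp inherits the root volume's options.

```python
# Added example: check whether the mount backing a path carries "noexec".
# Input is mount(8)-style text so the check runs offline on constructed
# samples; feed it the real output of `mount` to check a live host.
import os
import re
import subprocess

# Constructed sample (Linux): /tmp is its own tmpfs with noexec. The
# matching fstab line would be roughly:
#   tmpfs  /tmp  tmpfs  rw,nosuid,nodev,noexec  0 0
LINUX_MOUNTS = """\
/dev/sda1 on / type ext4 (rw,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
"""

# Constructed sample (macOS format): a single root volume, no separate /tmp.
MACOS_MOUNTS = """\
/dev/disk1s1 on / (apfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
"""

# Matches both "dev on mp type fs (opts)" (Linux) and "dev on mp (opts)" (BSD/macOS).
MOUNT_RE = re.compile(
    r"^(?P<dev>\S+) on (?P<mp>\S+)(?: type (?P<fstype>\S+))? \((?P<opts>[^)]*)\)$"
)


def parse_mounts(text):
    """Return a list of (mount_point, set_of_option_strings)."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a mount line
        opts = {o.strip() for o in m.group("opts").split(",") if o.strip()}
        mounts.append((m.group("mp"), opts))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount point that actually backs `path`.
    Returns (mount_point, options) or None if nothing matches."""
    path = os.path.normpath(path)
    best = None
    for mp, opts in mounts:
        prefix = mp if mp.endswith("/") else mp + "/"
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def is_noexec(path, mount_text):
    """True if the filesystem backing `path` is mounted noexec.
    Caveat: noexec stops direct execution of files on that mount; it does
    not stop an interpreter elsewhere from reading and running them."""
    hit = mount_for(path, parse_mounts(mount_text))
    return hit is not None and "noexec" in hit[1]


def live_noexec(path):
    """Same check against the running host's `mount` output."""
    out = subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout
    return is_noexec(path, out)


if __name__ == "__main__":
    for label, table in (("linux sample", LINUX_MOUNTS), ("macos sample", MACOS_MOUNTS)):
        print(f"{label}: /tmp noexec = {is_noexec('/tmp/stage2.sh', table)}")
```

On the macOS-style table the answer is False not because the option was forgotten but because there is no separate /tmp mount to carry it, which is the point the later "only 1 mount point" comment makes; the caveat in `is_noexec` also applies, since a dropper that invokes a shell on the script is unaffected by `noexec`.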
For Macs, yes, it was mostly bullshit.
Microsoft patched this in 2009.
However, this one from OO 2 is still unpatched:
http://secunia.com/advisories/38567/
"the attack exploits a three-year-old vulnerability in the way that Office for Mac handles certain Word files"
Sooooo.. It's really a targeted attack on MS Office (Mac) users.... Not Mac users.. So Mac users that use, NeoOffice, libreoffice, writeroom, or iWork can resume normal programming...
Or, am I missing something?
Microsoft gets all the credit for OS vulns, even on platforms other than Windows.
From "Walking on thin ice" by Peter de Jager, an international speaker on the subject of change and technology. He recently testified before Congress on the Year 2000 problem; he used to have a web site devoted to the issue. ...
Here's a good example of a well-known Mac application that can't handle a very simple Year 2000 entry.
When I purchased * (in 19XX, version 1.5), I didn't intend to use it for a limited time only. I bought it to perform a particular task for as long as I had reason to perform that task. "Ah ha!" I can hear you cry, "he's not on the most recent version! That's why he's having a problem!" Sorry, but you're missing the point and making a very interesting assumption about the computer software industry. * version 1.5 does everything I want an accounting product to do, so why should I shell out more money for features I don't need, can't afford, or choose not to acquire?
I don't know if the concept of mandatory upgrades has been communicated to corporate America. And I don't believe the concept is ethical.
One could argue that the Year 2000 problem in * is a bug, and we all know unexpected bugs are beyond our control. We accept that it's impossible to eradicate all bugs. We live in the real world.
Fair enough. But this expiration date is not unexpected. The programmers of * knew it exists -- after all, they created a specific error message to inform users who violate the allowable range of dates. Hardly what you would describe as an "unexpected" bug.
Yeah, actually they did!
I guess that means Apple themselves deserve to be hacked too then.
Solution
Update to version 3.2.
Seriously? That's what you are going to use to scare people away from OO? It took one click to find the solution to your petty quibble.
"On the Internet, nobody can hear you being subtle." -Linus Torvalds
Being secure by design does not mean it's immune to trojans and software exploits. The two things are not mutually exclusive. You can design a system with an eye on security (for example, not running as root by default, have the default state of network-facing services be "off", that sort of thing) but it does not mean that the software will be immune. There will always be bugs and holes - and on the Mac, there are plenty. There are relatively frequent security updates for OS X (more in the early days, but they have not dried up completely) as potential exploits are discovered and patched.
This isn't even the first trojan for OS X. The hole was patched three years ago though, so only non-updated machines are at risk*.
*Note: machines are still vulnerable to other OS X security threats, of which there are a few, mainly trojans. Don't download a piece of software from a torrent site claiming to be Microsoft Office.dmg but that is only a few tens of MB; it's probably a trojan.
Is this a game? Am I supposed to put your words into an order that makes sense?
Please tell me this was posted by a bot and not an actual person.
Apple is actually sandboxing all apps by default in 10.8 "Mountain Lion".
Yes, it was an agreement when MS realized that they were about to lose at least 1/2 billion in the QuickTime case, so they settled. Part of the settlement was that MS continues to make its office suite for the next 8 years (the time has passed and they are still releasing it). Various Windows and Mac technologies would be shared between both corporations. That also ended at the time Vista was released but gave Mac OS X full access to the Win32 API, hence they could run a Wine-level emulator on OS X. This was in the works for Leopard (run Windows without dual-boot) but was removed from the 200+ features when an agreement was struck with Parallels and VMware not to make the OS X client VM'able. This has expired as well. Wine developers found proof when OS X set the Finder as the file handler for .exe files.
Cool! Where do I enlist?
Just last week some hipster douche at a party actually said he buys Apple products because viruses are real.
It's technically a bot, but one written by a crazy person.
Specifically, it's from a divination app packaged into LoseThos, a 64-bit hobby OS written by a schizophrenic man on orders from God himself. It really has to be seen to be believed.
Hmm, so a 3-year-old exploit that hasn't been patched. Well, obviously now Microsoft is going to, as quickly as possible, NEVER, EVER, EVER patch it. Apple's support ratings have been slipping, their prices are from some other quantum reality, so really all they have is "magic virus-proof product" in their arsenal. Since most users install Word, it's definitely going to stay that way for a long time. I just think it's so hilarious that Apple built next to nothing into their OS for dealing with this situation; there are basically zero diagnostic and manual disinfection tools for Macs, and the existing antiviruses for it are a joke. I smell a disaster brewing.
Given the ability to provide the necessary functionality and usable/understandable end-user control over escalation requests, why wouldn't we sandbox everything?
Don't download a piece of software from a torrent site claiming to be Microsoft Office.dmg, but is only a few 10's of MB - it's probably a trojan.
Bloat: your guarantee of genuine Microsoft quality.
But Macs fail to mount /tmp in a secure way; there is only 1 mount point. One can wonder about the next OS with the option to forbid non-signed apps from running and how that will impact this.
Democracy Now! - uncensored, anti-establishment news
I know at least 10 OS X users and they don't have any basic AV on their system. I quote one of them... "I don't need any AV on it, Macs don't get infected". At that point my jaw dropped and I walked away. This is the problem with the hype. I am not saying everyone, but damn, people not even running basic AV. As the market share of OS X grows, so does the number of people looking to find exploits.
TFS says there are two vulnerabilities just like TFA does - but only one of the C&C servers in China. The other C&C is in New York, in the good ol' US of A. Given how China seems to get the blame for everything hacky on /. lately I thought it only fair to point that out.
That's because 10.8 "Mountain Lion" is more iOS than OSX - and going forward under the OSX brand, it'll be iOS underneath everything instead of the traditional OSX software.
People thought the naysayers were crying wolf about this, but it's even in the product descriptions/announcements about Mountain Lion - that it will have heavy iOS components replacing the OSX ones and that the Appstore will become front and center on OSX.
A few more versions down the road, and it'll be a walled garden on your desktop to match the ones on your tablet and phone.
Microsoft is no better in this. My last OS is Win7 64-bit. I refuse to touch that vile garbage called Windows 8.
I prefer to use iWork. For regular work it is far better to use than Office.
Hypervisor to the rescue: sandbox the entire OS and you will never have to worry about getting a virus; simply restart to an earlier snapshot.
Then the only problem is that performance will be degraded because it's being virtualized, and we just have to make sure nothing (no malware) can figure out it is in a virtual machine (like Blue Pill? or was it Red Pill? and other VM-aware exploits) and nothing can break out of the virtual machine and infect the hypervisor.
Once it gets to the hypervisor it's all over.
LibreOffice, the other fork of OpenOffice, and NOT run by Oracle! Even smaller user base, and it can still get the updates from OpenOffice (pulls by coders, not users).
HAHA, so true!
If you click through and read the MS Kbase on this you'll see that they patched this in Office 2004 and 2008 for Mac back in 2009. It doesn't appear to exist in the current versions of Office:Mac.
The document exploit is also present in Windows versions of Office from the same timeframe.
Thought the OS was responsible for 3rd-party vulnerabilities?
Parent has been labeled troll but he's not wrong; this is the crap that people have been spouting and it's nonsense. Show me an OS that can't get viruses, and I'll show you an OS that can't run third-party binary code or interpreted code or receive updates.
And here we have again a false silver bullet. Security is hard. Sandboxing (and virtualization) are great, but they're not The Solution.
Seems like every word document is malicious. Word is the "virus", it just has a really crappy vector profile (the user has to pay $200 and install the "virus" manually). Once installed the "virus" will infect any document it opens by saving it in a format only it can read.
Wow. That is brilliant. And insane. I can't believe I hadn't heard of it yet.
No, that link you posted to a web comic we've all seen a hundred times is not "obligatory."
There is a neat little program that works like the roach motel. Trojans can check in, but they can't check out, that is, send anything out on the Internet without warning the user first. The program is called Little Snitch. It allows only specifically permitted programs and services to send data out onto the Internet or even the local network. There are many programs that try to call home for various reasons. There is no reason for a word processing program to access the Internet, especially if the IP address is somewhere in China or Russia. All programs that are not specifically allowed to send data to the Internet are blocked by default. When a program does try to send something, the user is given the domain name where it wants to send some information. The user is then given a choice to deny access, give access until that program or service quits, or deny access completely.
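The comment above describes default-deny outbound filtering with per-program decisions that are either permanent or scoped to the program's lifetime. An added example, written here and not Little Snitch's code or its API, of the policy logic such a filter has to implement: a rule store keyed by (process, domain), a prompt for unknown pairs, grants that expire when the process instance exits (modelled by its PID changing), and a deny verdict whenever nobody answers the prompt. The process names, PIDs and domains in the simulation are constructed placeholders.

```python
# Added example: model of a default-deny egress filter with three user choices.
# Not Little Snitch's implementation; it only demonstrates the decision logic.
from dataclasses import dataclass, field

DENY = "deny"
ALLOW_UNTIL_QUIT = "allow-until-quit"
ALLOW_ALWAYS = "allow-always"


@dataclass
class EgressPolicy:
    # (process, domain) -> DENY or ALLOW_ALWAYS: decisions that persist.
    permanent: dict = field(default_factory=dict)
    # (process, domain) -> pid that was granted access; a new pid must re-ask.
    session: dict = field(default_factory=dict)
    # Audit trail of every decision, useful for spotting a program that
    # keeps retrying a blocked destination.
    log: list = field(default_factory=list)
    prompts: int = 0

    def decide(self, process, pid, domain, prompt):
        """Return True if the outbound connection is allowed.
        `prompt(process, domain)` is called only for unknown pairs and returns
        one of the three choices, or None when the user did not answer."""
        key = (process, domain)
        if key in self.permanent:
            verdict = self.permanent[key] == ALLOW_ALWAYS
        elif self.session.get(key) == pid:
            verdict = True  # granted earlier to this same running instance
        else:
            self.prompts += 1
            choice = prompt(process, domain)
            if choice in (DENY, ALLOW_ALWAYS):
                self.permanent[key] = choice
            elif choice == ALLOW_UNTIL_QUIT:
                self.session[key] = pid
            # None (no answer) falls through to deny and is not persisted.
            verdict = choice in (ALLOW_ALWAYS, ALLOW_UNTIL_QUIT)
        self.log.append((process, pid, domain, "allow" if verdict else "deny"))
        return verdict


def simulate(events, answers):
    """Run a list of (process, pid, domain) attempts against a fresh policy.
    `answers` maps (process, domain) to the scripted user choice; pairs
    missing from it model an unanswered prompt. Returns (verdicts, policy)."""
    policy = EgressPolicy()
    verdicts = [
        policy.decide(proc, pid, dom, lambda p, d: answers.get((p, d)))
        for proc, pid, dom in events
    ]
    return verdicts, policy


# Constructed scenario: a word processor that should never talk to the
# network, a browser granted access for one run, and an updater nobody answers.
EVENTS = [
    ("WordProcessor", 501, "callback.example.invalid"),
    ("WordProcessor", 501, "callback.example.invalid"),  # retry: no new prompt
    ("Browser", 600, "updates.example.invalid"),
    ("Browser", 600, "updates.example.invalid"),          # same instance: allowed
    ("Browser", 601, "updates.example.invalid"),          # relaunched: must re-ask
    ("Updater", 700, "unknown.example.invalid"),          # unanswered: denied
]
ANSWERS = {
    ("WordProcessor", "callback.example.invalid"): DENY,
    ("Browser", "updates.example.invalid"): ALLOW_UNTIL_QUIT,
}

if __name__ == "__main__":
    verdicts, policy = simulate(EVENTS, ANSWERS)
    for entry in policy.log:
        print(entry)
    print("prompts shown:", policy.prompts)
```

The audit log is the part a defender actually reviews: a word processor repeatedly hitting a denied destination shows up as a run of `deny` entries for the same pair, which is exactly the pattern the comment's example of an office application calling out to an unexpected address would leave.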
A sufficiently advanced simulation is indistinguishable from reality.
What versions of Office for Mac exhibit the flaw? It would be kind of nice to know what version/patch level AlienVault Labs used when testing.
The blog post mentions MS09-027 (http://technet.microsoft.com/en-us/security/bulletin/MS09-027) as being the vulnerability. The most recent security bulletin for Office for Mac 2011 is MS11-089, which corresponds to 14.1.4 (111121). The supersession chain backwards in time to MS09-027 is MS11-072, MS11-045, MS11-022, MS11-021, MS10-87, MS10-079, MS10-056, MS10-068. (Ain't that chain of patches scary?)
So, I wanna know, where was the testing done along that chain? At the tip? Or with some version that wasn't current with respect to patches?
Care to share the solution?
A little more security never hurt anyone, neither did a fuzz tester on your software, good alpha/beta testing, and apparently giving money to hackers for bug exploits (Firefox, Google, that I know of). All of these things combined can help you... granted you are bulletproof, but your software and customers will be happier because you did it and found some flaws before you released it.
Imagine what Stuxnet would have done if Siemens had put some security (or should I say, closed the holes they introduced) into their devices?
Yes, and being on the service end of these, I can tell you the only damage they do is to the user's pride (or bank account, if they're naive enough to give their credit card info in one case). Mac has been successfully isolating any once-per-decade trojans riding on the back of Word for as long as Word has been around.