Slashdot Mirror


MacControl Trojan Being Used In Targeted Attacks Against OS X Users

Trailrunner7 writes "Welcome to the age of targeted attacks, Mac users. Perhaps having grown tired of owning Windows machines around the world for the last few years, attackers have now taken up the challenge of going after Macs with the same kind of targeted attack tactics that have served them so well in the Windows world. Researchers have found a new attack that employs two separate pieces of malware, a malicious Word document and some techniques for maintaining persistence on compromised machines, and the campaign is specifically targeted at Mac users. The command-and-control domain involved in the attack is located in China and the attack exploits a three-year-old vulnerability in the way that Office for Mac handles certain Word files, according to researchers at AlienVault, who discovered and analyzed the attacks."

36 of 187 comments

  1. Microsoft (: by Anonymous Coward · · Score: 5, Interesting

    Now how cool is that. A new threat is found for the Mac platform and it's in a Microsoft product of course.
    It's an improvement on the previous round, though. Last time it was about malware that required you to actually install it :D

    1. Re:Microsoft (: by Grishnakh · · Score: 4, Interesting

      Since when was the US Government in the business of doing things for the good of humanity?

    2. Re:Microsoft (: by recoiledsnake · · Score: 5, Insightful

      Now how cool is that. A new threat is found for the Mac platform and it's in a Microsoft product of course.
      It's an improvement on the previous round, though. Last time it was about malware that required you to actually install it :D

      However, it's an interesting counter-point to the commenters who regularly comment (and get modded up to 11) "How about MS fix security in Windows instead of taking down botnets/shipping antivirus etc." There is no way to secure an OS from application exploits short of iOS style lockdown, which these very commenters would slag as "TAKING AWAY MY FREEEDOMZZZ". Sorry, but blaming Windows holes has become passé, especially after malware for OS X and Android (run on a Linux kernel which we are told is secure compared to Windows) has come out.

      --
      This space for rent.
    3. Re:Microsoft (: by Nerdfest · · Score: 4, Insightful

      An iOS style lock-down wouldn't help. It could just as easily have been another piece of software; they tend to pick those that are widely deployed.

    4. Re:Microsoft (: by mjwx · · Score: 4, Insightful

      There is no way to secure an OS from application exploits including of iOS style lockdown, which these very commenters would slag as "TAKING AWAY MY FREEEDOMZZZ". Sorry, but blaming Windows holes has become passé, especially after malware for OS X and Android (run on a Linux kernel which we are told is secure compared to Windows) has come out.

      Fixed that for you.

      Remember that iOS gets exploited regularly, including remote exploits like JailbreakMe.com.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    5. Re:Microsoft (: by am+2k · · Score: 3, Informative

      The new "gatekeeper" feature would be able to lock down MS Word and the worst that could happen is your documents folder is wiped. But since MS Word would never appear on the Mac App Store, users would have installed it with unsigned access. Which would only affect their home directory unless they run as Admin.

      Uh, I don't think you know what you're talking about. Gatekeeper is a new thing in 10.8, which only allows stuff that's signed either with an App Store certificate or a Mac developer certificate. It doesn't handle file access at all.

      Sandboxing (new in 10.7) limits file (and other device) access to only certain areas, but the documents folder is usually off limits.

      If Word would use a Mac developer certificate, starting in 10.8 Apple could pull the kill switch and the application would not launch on any Mac any more. However, that's quite a drastic step and would probably not be done in this case for such a widely-deployed piece of software.

    6. Re:Microsoft (: by tlhIngan · · Score: 2

      If Word would use a Mac developer certificate, starting in 10.8 Apple could pull the kill switch and the application would not launch on any Mac any more. However, that's quite a drastic step and would probably not be done in this case for such a widely-deployed piece of software.

      Incorrect. Gatekeeper has 3 security settings. Most secure is "App Store Only" requiring Apple vetting the app. Default is "App Store and Mac Developer Certificate" which allows App Store apps, as well as 3rd party apps like Photoshop and Microsoft Office. The last setting is basically allow all apps. Even if Apple revokes Microsoft's certificate, the app can always be run in that mode.

    7. Re:Microsoft (: by niktemadur · · Score: 2

      A new threat is found for the Mac platform and it's in a Microsoft product of course.

      What happens when the malicious Word file is opened in, say, Open Office?

      --
      Lil' Thindime, lilting a lacrimose lament, krashes the kwaint konfines of Kokonino Kounty
    8. Re:Microsoft (: by am+2k · · Score: 2

      Incorrect. Gatekeeper has 3 security settings. Most secure is "App Store Only" requiring Apple vetting the app. Default is "App Store and Mac Developer Certificate" which allows App Store apps, as well as 3rd party apps like Photoshop and Microsoft Office. The last setting is basically allow all apps.

      Technically yes, but the second one has been announced to be the default, and you can be pretty sure that 99% of all users won't change any default.

      Even if Apple revokes Microsoft's certificate, the app can always be run in that mode.

      I'm not sure about that. The system might refuse to run an app whose certificate has been revoked even in that mode, since it can differentiate between binaries without a signature and binaries with a revoked signature.

  2. LoL by Architect_sasyr · · Score: 2

    Apple exploit found in the wild... targets Microsoft product running on Apple OS.

    I like the persistence bit though - use the standard plist files to maintain persistence just like any normal piece of code (like maintaining persistence by running a Windows Service).

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
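The persistence mechanism mentioned above (a launchd job plist that starts a program at login) is the kind of thing a Mac tech can check for directly. The scanner below is an added example, my own code rather than anything from the thread or from AlienVault's analysis; the sample jobs, paths and labels are constructed, and it assumes the plists live in a directory such as ~/Library/LaunchAgents.

```python
"""Flag launchd job plists that carry the traits of a persistence foothold."""
import plistlib
import tempfile
from pathlib import Path

# Locations a user-level install can write to without admin rights.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def program_of(plist: dict) -> str:
    """launchd accepts either a Program key or ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def assess(plist: dict) -> list:
    """Return the reasons a launchd job deserves a second look (empty = benign)."""
    reasons = []
    prog = program_of(plist)
    if plist.get("RunAtLoad") is True:          # starts at login without user action
        reasons.append("RunAtLoad")
    if plist.get("KeepAlive") not in (None, False):   # restarted if killed
        reasons.append("KeepAlive")
    if prog.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"program in user-writable path: {prog}")
    return reasons

def scan_dir(directory) -> dict:
    """Map each .plist file name in directory to its list of reasons."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        with open(path, "rb") as fh:
            try:
                findings[path.name] = assess(plistlib.load(fh))
            except plistlib.InvalidFileException:
                findings[path.name] = ["unparseable plist"]
    return findings

# Constructed sample jobs; the labels and paths are not real indicators.
SAMPLE_JOBS = {
    "com.example.sync.plist": {"Label": "com.example.sync",
        "Program": "/Applications/Sync.app/Contents/MacOS/sync"},
    "com.example.updater.plist": {"Label": "com.example.updater",
        "ProgramArguments": ["/Users/alice/Library/.cache/updater", "-d"],
        "RunAtLoad": True, "KeepAlive": True},
}

def demo() -> dict:
    """Write the sample jobs to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, plist in SAMPLE_JOBS.items():
            with open(Path(tmp) / name, "wb") as fh:
                plistlib.dump(plist, fh)
        return scan_dir(tmp)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "nothing notable")
```

Point scan_dir at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons on a real machine; a job that is RunAtLoad, KeepAlive and points into a hidden directory under the home folder is worth explaining before it is trusted.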
    1. Re:LoL by Architect_sasyr · · Score: 4, Interesting

      I spend my days working as a mac tech, so no, I really do not. I am, however, still highly amused that it happens this way. In much the same fashion as I am amused when wine is used to exploit a linux box.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    2. Re:LoL by lightknight · · Score: 4, Informative

      That's quite alright. We find things that target Safari on Windows all the time, so I guess it's more of the same.

      --
      I am John Hurt.
    3. Re:LoL by sg_oneill · · Score: 5, Funny

      I spend my days working as a mac tech, so no, I really do not. I am, however, still highly amused that it happens this way. In much the same fashion as I am amused when wine is used to exploit a linux box.

      You may laugh, but it's truer than you think. Many many moons ago I was admining a small network of Linux desktops for students at the local university. Management, non-technical of course, demanded that Internet Explorer be installed on them. After protesting loudly and losing the argument, I ended up deploying IE6 across the network via Wine. It took approximately 3 days before they became infested.

      In a strange way, I took that as a surprising confirmation of wine's compatibility.

      In the end I replaced the Mozilla browsers' icons with E icons and the office twonks were happy. God I hate tech support.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    4. Re:LoL by omfgnosis · · Score: 4, Interesting

      I still don't understand this attitude, but I can count myself (a Mac user) lucky as a consequence. If I were trying to profit from exploiting home PCs, I would target the Mac first and foremost, as the userbase is substantial (millions), demographically wealthy (compared to the whole market) and typically security-ignorant. That's a perfect storm for exploiting for profit, and I'm frankly astonished it hasn't happened on a large scale yet.

  3. I guess that's what you get for using Microsoft by Grishnakh · · Score: 3, Insightful

    Interesting that this Mac exploit only applies to Mac users who use Microsoft Word. Not saying that Macs are ultra-secure, but maybe the malware authors are just going after the low-hanging fruit, which is Microsoft software, regardless of what platform it's installed on.

    Maybe this is how MS will finally put to rest the notion that Linux is more secure than Windows: they'll release MS Office For Linux, which will then open Linux users up to the same level of insecurity Windows users have had forever.

    1. Re:I guess that's what you get for using Microsoft by bmo · · Score: 4, Insightful

      Interesting that this Mac exploit only applies to Mac users who use Microsoft Word

      When you include a scripting language in your document spec, expect people to use it.

      Good people and bad people.

      --
      BMO

    2. Re:I guess that's what you get for using Microsoft by v1 · · Score: 4, Insightful

      Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.

      --
      I work for the Department of Redundancy Department.
    3. Re:I guess that's what you get for using Microsoft by v1 · · Score: 2

      And in a recent version of office I saw someone receive a word document with macros in it. "DO NOT allow macros to run". She did anyway. Why? Because in their infinite wisdom, it won't ALLOW you to open the document with macros disabled - they give you two options, (1) open it with macros enabled, or (2) don't open it. Brilliant.

      I have YET to run into a user that will listen to me when I tell them to never open those, call me and I will clean them. "But I HAD to have that document right now!" and they open it anyway. And then I have a mess to clean up. Thank you so much MS, create a problem, then implement a solution in a way that the average user will be unwilling to use.

      Making mistakes due to lack of foresight, ok I can kinda get that. But then compounding the problem with just plain bad decisions is much harder to forgive.

      --
      I work for the Department of Redundancy Department.
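Since the warning dialog is the only gate users see, a mail or file-share gateway can decide before delivery whether a document carries VBA at all. The checker below is an added example of mine, not code from the thread; it inspects the Office Open XML package itself rather than trusting the file extension, and the sample documents it builds are constructed and minimal (a real .docx has more parts).

```python
"""Decide whether an Office document carries VBA macros, ignoring its extension."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt container
MACRO_CT = b"macroEnabled"                          # appears in the .docm/.xlsm/.pptm content types
DOCX_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"

def macro_indicators(data: bytes) -> list:
    """Return the reasons the bytes should be handled as macro-bearing (empty = none found)."""
    if data.startswith(OLE_MAGIC):
        # The pre-2007 format stores VBA in an OLE storage; needs an OLE parser, so flag it.
        return ["legacy OLE container: inspect its VBA storage with an OLE parser"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not an OOXML package"]
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("vbaProject.bin part present")
        if "[Content_Types].xml" in names and MACRO_CT in zf.read("[Content_Types].xml"):
            reasons.append("macroEnabled content type declared")
    return reasons

def build_docx(with_vba: bool) -> bytes:
    """Constructed minimal package, just enough parts to exercise the checks above."""
    main_ct = DOCM_CT if with_vba else DOCX_CT
    content_types = (
        b'<?xml version="1.0"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        b'<Override PartName="/word/document.xml" ContentType="' + main_ct.encode() + b'"/>'
        b"</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print("plain document:", macro_indicators(build_docx(False)))
    print("macro document:", macro_indicators(build_docx(True)))
```

Because the decision never looks at the file name, a macro-enabled document renamed to .docx is still flagged; the page's exploit itself is a file-format bug rather than a macro, so this check is a complement to patching, not a substitute.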
    4. Re:I guess that's what you get for using Microsoft by Anonymous Coward · · Score: 2, Informative

      Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.

      What makes you sure something equivalent couldn't be done with iWork and Applescript? I mean other than iWork's marketshare, of course.

      The fact that you can't embed AppleScript in an iWork document?

  4. 10,000 hipsters abandon the Mac by hessian · · Score: 5, Funny

    It's gone mainstream. Now that it has viruses, it's like the Miley Cyrus of computing.

    Time to find something more obscure. OpenVMS on an Atom system with a retro GEOS interface. That's the ticket.

    I used to like Apple before it was mainstream, but now I've moved on. Just like with White Ring and fixies.

    1. Re:10,000 hipsters abandon the Mac by Random+Data · · Score: 2

      Wait, fixies are passé now? Awesome, I can ride mine without people demanding I wear tight jeans and a sour expression!

  5. Don't blame Microsoft... by t4ng* · · Score: 3, Insightful

    Any OS that can be pwned by an exploit in *any* software running in user mode is insecure. Sorry, but those are the facts.

    The reason for using an exploit in MS-Office is because it is one of the most commonly used software products on Macs since its very beginning. So developing an exploit that uses a commonly used piece of software means a better chance of spreading it.

    1. Re:Don't blame Microsoft... by Shifty0x88 · · Score: 2

      It requires the user to be running as admin to take over the machine.

      which A LOT, A LOT of people do, mainly because they don't know better and secondly because it's a lot easier for them not to switch between accounts

  6. patched three years ago by MushMouth · · Score: 5, Informative

    Actually this is what you get when you shut/put off updates.

  7. Re:Updates? by IKnwThePiecesFt · · Score: 2

    Office 2008 on my Mac opens the Microsoft Software Updater to check for updates once a month (as long as I open a Microsoft product, including the Office suite or RDP).

  8. Meh? by Anubis+IV · · Score: 4, Informative

    Macs had a flurry of trojans that hit them last year too. Apple put out the 10.6.8 update that allowed them to deliver daily anti-malware updates, and then used it to block every variant of the trojan within a matter of hours after it first appeared. Since 10.6 or above has been the default on all new Macs for the last 2.5 years, and Software Update is enabled by default to regularly check for updates, you can bet that the vast majority of Mac users will be receiving an automatic anti-malware update sometime later this week or next to deal with the trojan.

  9. Re:Microsoft! by viperidaenz · · Score: 2

    Didn't Apple force Microsoft to continue developing Office for Mac with some legal bollocks?

  10. Hipsters run Office? by SuperKendall · · Score: 2

    Pretty sure Hipsters are still safe.

    Nerds who mock hipsters however, remain ever in peril from a universe who loves to inflict identical troubles on those who mock.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Re:Sounds like a vulnerability in a Microsoft prod by jenic · · Score: 2

    Really? Aren't we just getting a little paranoid? Why not take it one step further and suggest to sandbox every application inside the VM OS?

    Great idea! Is someone working on that?

  12. Re:Office for Mac? by Centurix · · Score: 3, Funny

    Embrace, Penetrate, Ejaculate.

    The upcoming Microsoft memo.

    --
    Task Mangler
  13. Re:Sounds like a vulnerability in a Microsoft prod by Anonymous Coward · · Score: 2, Informative

    Microsoft patched this in 2009

    however this from OO-2 is still unpatched
    http://secunia.com/advisories/38567/

  14. Re:Still waiting for a real Linux virus by Billly+Gates · · Score: 2

    I do not know what world you live on but where do you think the term "root"kit came from?

    If you guess the account root and its associated Unix then you are correct.

    Linux servers are heavily targeted. I met someone who worked at a bank and all their SUSE servers were rootkitted with a virus for the sole purpose of hosting a phishing scheme and stolen credit card database. Sure, more viruses target Windows to steal the information, but where do you think they store the stolen information? Linux servers.

    There are plenty of viruses for Unix operating systems.

  15. Re:Sounds like a vulnerability in a Microsoft prod by goodgod43 · · Score: 2

    Solution
    Update to version 3.2.

    Seriously? That's what you are going to use to scare people away from OO? It took one click to find the solution to your petty quibble.

    --
    "On the Internet, nobody can hear you being subtle." -Linus Torvalds
  16. Re:secure by design by jo_ham · · Score: 2

    Being secure by design does not mean it's immune to trojans and software exploits. The two things are not mutually exclusive. You can design a system with an eye on security (for example, not running as root by default, have the default state of network-facing services be "off", that sort of thing) but it does not mean that the software will be immune. There will always be bugs and holes - and on the Mac, there are plenty. There are relatively frequent security updates for OS X (more in the early days, but they have not dried up completely) as potential exploits are discovered and patched.

    This isn't even the first trojan for OS X. The hole was patched three years ago though, so only non-updated machines are at risk*.

    *Note: machines are still vulnerable to other OS X security threats, of which there are a few, mainly trojans. Don't download a piece of software from a torrent site claiming to be Microsoft Office.dmg but is only a few tens of MB - it's probably a trojan.

  17. Re:Sounds like a vulnerability in a Microsoft prod by otuz · · Score: 3, Interesting

    Apple is actually sandboxing all apps by default in 10.8 "Mountain Lion".

  18. Re:Satan by retchdog · · Score: 2

    it's technically a bot, but one written by a crazy person.

    specifically, it's from a divination app packaged into LoseThos, a 64-bit hobby OS written by a schizophrenic man on orders from god himself. it really has to be seen to be believed.

    --
    "They were pure niggers." – Noam Chomsky