
MacControl Trojan Being Used In Targeted Attacks Against OS X Users

Posted by Soulskill
from the thanks-for-waiting-so-patiently dept.
Trailrunner7 writes "Welcome to the age of targeted attacks, Mac users. Perhaps having grown tired of owning Windows machines around the world for the last few years, attackers have now taken up the challenge of going after Macs with the same kind of targeted attack tactics that have served them so well in the Windows world. Researchers have found a new attack that employs two separate pieces of malware, a malicious Word document and some techniques for maintaining persistence on compromised machines, and the campaign is specifically targeted at Mac users. The command-and-control domain involved in the attack is located in China and the attack exploits a three-year-old vulnerability in the way that Office for Mac handles certain Word files, according to researchers at AlienVault, who discovered and analyzed the attacks."
  • Microsoft (: (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 28, 2012 @06:22PM (#39501987)

    Now how cool is that. A new threat is found for the Mac platform and it's in a Microsoft product of course.
    It's an improvement on the previous round, though. Last time it was about malware that required you to actually install it :D

    • Re:Microsoft (: (Score:5, Insightful)

      by recoiledsnake (879048) on Wednesday March 28, 2012 @07:20PM (#39502703)

      Now how cool is that. A new threat is found for the Mac platform and it's in a Microsoft product of course.
      It's an improvement on the previous round, though. Last time it was about malware that required you to actually install it :D

      However, it's an interesting counterpoint to the commenters who regularly comment (and get modded up to 11) "How about MS fix security in Windows instead of taking down botnets/shipping antivirus etc." There is no way to secure an OS from application exploits short of iOS style lockdown, which these very commenters would slag as "TAKING AWAY MY FREEEDOMZZZ". Sorry, but blaming Windows holes has become passé, especially after malware for OS X and Android (run on a Linux kernel which we are told is secure compared to Windows) has come out.

      • Re:Microsoft (: (Score:5, Insightful)

        by Nerdfest (867930) on Wednesday March 28, 2012 @07:58PM (#39503063)

        An iOS style lock-down wouldn't help. It could just as easily have been another piece of software; they tend to pick those that are widely deployed.

      • by mspohr (589790)

        However, it's an interesting counterpoint to the commenters who regularly comment (and get modded up to 11) "How about MS fix security in Windows instead of taking down botnets/shipping antivirus etc."

        We can now say "How about MS fix security in Windows AND OFFICE" in our rants.

      • Re:Microsoft (: (Score:5, Insightful)

        by mjwx (966435) on Wednesday March 28, 2012 @08:53PM (#39503671)

        There is no way to secure an OS from application exploits including of iOS style lockdown, which these very commenters would slag as "TAKING AWAY MY FREEEDOMZZZ". Sorry, but blaming Windows holes has become passé, especially after malware for OS X and Android (run on a Linux kernel which we are told is secure compared to Windows) has come out.

        Fixed that for you.

        Remember that iOS gets exploited regularly, including remote exploits like JailbreakMe.com.

        • by omfgnosis (963606)

          Since I don't own an iOS device (nor any other "mobile" device [since my laptop isn't mobile apparently]), can you or any other reader satisfy a curiosity of mine?

          Obviously the jailbreaks use a number of vulnerable exploits to gain access; do they also board up the vulnerabilities when they're done? It seems to me that I would want to jailbreak on that basis alone if so, and refuse to use the platform if a known drive-by exploit is out in the wild otherwise.

          • by mjwx (966435)

            Since I don't own an iOS device (nor any other "mobile" device [since my laptop isn't mobile apparently]), can you or any other reader satisfy a curiosity of mine?

            Obviously the jailbreaks use a number of vulnerable exploits to gain access; do they also board up the vulnerabilities when they're done? It seems to me that I would want to jailbreak on that basis alone if so, and refuse to use the platform if a known drive-by exploit is out in the wild otherwise.

            I don't own any iDevices either, but I'd presume not. If anything they add new vulnerabilities such as an SSH server with a default password (Alpine2 IIRC).

          • by Vokkyt (739289)

            Yes and no. The PDF exploits that were used in the past were patched by the jailbreak community. There are Cydia packages which closed it on your newly jailbroken device, the assumption being you had your SHSH blobs backed up for a restore to a vulnerable vanilla firmware should you need it. I'll admit it's been a while since I read up on it, but I think that all the JailbreakMe's used a userland exploit to jailbreak, and then recommended patching immediately, lest the exploit be used against them.

      • Sorry, but blaming Windows holes has become passe

        Maybe it's fallen out of style, but even in Android and OSX, many of the exploits require you actively install something instead of "whoops, I visited a website." In reality, though, we should be blaming application developers for a fair amount of the problem. The exploits are often in PDF/Flash, MS Office, the web browser, etc.

        On the other hand, even if application developers are to blame, it still pushes some of the blame back onto the OS vendors. Because Windows doesn't have a centralized update util

      • Why do you quote your parent,
        and rant like mad,
        and fail to see: it is not Mac OS X, that fails again, but MS Wörd!
        It is still a *windows* hole because the stupid MS guys never gonna get it.

    • A new threat is found for the Mac platform and it's in a Microsoft product of course.

      What happens when the malicious Word file is opened in, say, Open Office?

  • by Architect_sasyr (938685) on Wednesday March 28, 2012 @06:23PM (#39502003)
    Apple exploit found in the wild... targets Microsoft product running on Apple OS.

    I like the persistence bit though - use the standard plist files to maintain persistence just like any normal piece of code (like maintaining persistence by running a Windows Service).
    • Re:LoL (Score:5, Informative)

      by lightknight (213164) on Wednesday March 28, 2012 @07:04PM (#39502513) Homepage

      That's quite alright. We find things that target Safari on Windows all the time, so I guess it's more of the same.

      • Yes, but no one uses Safari on Windows.

        Many of us Mac users are now avoiding newer versions of Safari on Mac OS X as well. Webkit is a good engine, but Safari has issues, and they're getting worse, not better.

    • by exomondo (1725132)

      Apple exploit found in the wild... targets Microsoft product running on Apple OS.

      From TFA:
      An attacker who successfully exploits this vulnerability could take complete control of an affected system.
      http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/ [alienvault.com]

      Is that an exaggerated statement or does it indicate some kind of privilege escalation bug in OSX?

      • Based on a few of the indicators in the article, I couldn't say for absolute certainty. The indicator:

        - Copies itself into /Library/launched

        implies administrative permissions of some level (you can't just write to /Library/ unless the system's permissions are shot to hell). Likewise, /Applications/Automator.app/Contents/MacOS/DockLight should not be writable to a non-authenticated user (indeed, it is NOT writable on my laptop - admin user, but no authentication etc.). The article has a few typos in it whic
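The two threads above (persistence via standard launchd plists, and the file-system indicators the article lists) are the kind of thing a defender would script a check for. The example below is added here and is not code from the article or from AlienVault; it parses launchd agent plists, flags any whose program lives under /Library/launched or at the Automator DockLight path named in the thread, and reports whether such a path is group- or world-writable. The plist contents and file names are constructed samples.

```python
import os
import plistlib
import stat

# Constructed sample launchd plists (not taken from the article). The first
# mimics the persistence style discussed above; the second is an ordinary agent.
SAMPLE_PLISTS = {
    "/Library/LaunchAgents/com.example.update.plist": b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.update</string>
<key>ProgramArguments</key><array><string>/Library/launched/update</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.example.benign.plist": b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.benign</string>
<key>Program</key><string>/usr/bin/true</string>
</dict></plist>""",
}

# Locations called out in the discussion; anything launched from them merits a look.
SUSPICIOUS_PREFIXES = ("/Library/launched",)
SUSPICIOUS_PATHS = ("/Applications/Automator.app/Contents/MacOS/DockLight",)


def program_path(plist_bytes):
    """Return the executable a launchd plist starts (ProgramArguments[0] or Program)."""
    entry = plistlib.loads(plist_bytes)
    args = entry.get("ProgramArguments")
    return args[0] if args else entry.get("Program")


def flag_plists(plists):
    """Return (plist name, program) pairs whose program matches the indicators."""
    flagged = []
    for name, data in plists.items():
        prog = program_path(data)
        if prog and (prog.startswith(SUSPICIOUS_PREFIXES) or prog in SUSPICIOUS_PATHS):
            flagged.append((name, prog))
    return flagged


def writable_by_others(path):
    """None if the path is absent; otherwise True when group- or world-writable,
    which the comment above notes should not be the case on a stock system."""
    try:
        mode = os.stat(path).st_mode
    except (FileNotFoundError, NotADirectoryError):
        return None
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for name, prog in flag_plists(SAMPLE_PLISTS):
        print(f"{name}: launches {prog}; writable by others: {writable_by_others(prog)}")
```

On a live system you would replace SAMPLE_PLISTS with the contents of ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, which is where the "standard plist files" mentioned above live.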
    • by cpu6502 (1960974)

      You don't really believe OS X is impervious to viruses do you? If they can hack Android linux and Apple iOS to install malware, then they can do the same to their big brothers on the desktop.

      I guess I could mimic the Apple fans and proclaim, "My Commodore Amiga's OS 4 is awesome. It has no viruses!" Of course that's only because nobody wants to target such a small userbase. Ditto linux. Ditto OS X.

  • by Grishnakh (216268) on Wednesday March 28, 2012 @06:25PM (#39502029)

    Interesting that this Mac exploit only applies to Mac users who use Microsoft Word. Not saying that Macs are ultra-secure, but maybe the malware authors are just going after the low-hanging fruit, which is Microsoft software, regardless of what platform it's installed on.

    Maybe this is how MS will finally put to rest the notion that Linux is more secure than Windows: they'll release MS Office For Linux, which will then open Linux users up to the same level of insecurity Windows users have had forever.

    • by bmo (77928) on Wednesday March 28, 2012 @06:32PM (#39502113)

      Interesting that this Mac exploit only applies to Mac users who use Microsoft Word

      When you include a scripting language in your document spec, expect people to use it.

      Good people and bad people.

      --
      BMO

      • by v1 (525388) on Wednesday March 28, 2012 @06:52PM (#39502373) Homepage Journal

        Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.

        • by vux984 (928602)

          Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.

          What makes you sure something equivalent couldn't be done with iWork and Applescript? I mean other than iWork's marketshare, of course.

          • by Grishnakh (216268)

            No one said Apple's stuff was any less stupidly-designed than MS's.

          • Re: (Score:2, Informative)

            by Anonymous Coward

            Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.

            What makes you sure something equivalent couldn't be done with iWork and Applescript? I mean other than iWork's marketshare, of course.

            The fact that you can't embed AppleScript in an iWork document?

      • by Bert64 (520050)

        The scripting language is one of the least concerns...
        The biggest problem is the complexity and age of the file formats. There is plenty of complexity, and lots of crufty old code waiting to be exploited, while on the other hand the format is poorly documented which makes it hard to validate files against a known good spec.

    • by sribe (304414)

      Damn. I have mod points, but there is no "insightful AND funny" +1.

    • Office is installed on all corporate machines, PC and Mac. Corporate espionage is the likely agenda.

    • by exomondo (1725132)

      Interesting that this Mac exploit only applies to Mac users who use Microsoft Word.

      The bug they reference in TFA appears to have been patched years ago, so it would appear it's only on old systems that haven't been updated in years.

    • by omfgnosis (963606)

      Presumably it's low-hanging because Word on the Mac shares code with Word on Windows, and it's a more familiar target for malware authors. I doubt Microsoft software in general is especially vulnerable, it's just especially prevalent.

  • Interestingly Office for Mac (at least, the version I have access to) doesn't seem to have automatic updates enabled by default, if it has them at all. It's not my computer, so I'm not going to dig that much - correct me if I'm wrong.

    I've used LibreOffice, NeoOffice or OO on my Mac, and all of those prompt me to update reasonably regularly - certainly more often than every 3 years! While it can be annoying, it's probably better than a compromised computer.

    ( Insert Microsoft bashing for karma-whore point

    • Office 2008 on my Mac opens the Microsoft Software Updater to check for updates once a month (as long as I open a Microsoft product, including the Office suite or RDP).

      • OK, so I've been playing with 2004 from memory (possibly even earlier), and that's been changed. This means the exploit shouldn't actually affect too many people - if you blindly click "OK" then you'll already be patched. Thanks for confirming.
        • by yuhong (1378501)

          BTW, this is a good time to mention that Office 2004 for Mac ended support after the January 2012 Patch Tuesday, and Office 2008 for Mac (product targeted by this exploit) ends support April 2013.

  • by hessian (467078) on Wednesday March 28, 2012 @06:32PM (#39502107) Homepage Journal

    It's gone mainstream. Now that it has viruses, it's like the Miley Cyrus of computing.

    Time to find something more obscure. OpenVMS on an Atom system with a retro GEOS interface. That's the ticket.

    I used to like Apple before it was mainstream, but now I've moved on. Just like with White Ring and fixies.

    • Wait, fixies are passé now? Awesome, I can ride mine without people demanding I wear tight jeans and a sour expression!
      • Wait, fixies are passé now? Awesome, I can ride mine without people demanding I wear tight jeans and a sour expression!

        I wear my tight jeans on a mountain bike, ironically.

        -AI

    • Pretty sure Hipsters are still safe.

      Nerds who mock hipsters however, remain ever in peril from a universe who loves to inflict identical troubles on those who mock.

  • by t4ng* (1092951) on Wednesday March 28, 2012 @06:33PM (#39502141)

    Any OS that can be pwned by an exploit in *any* software running in user mode is insecure. Sorry, but those are the facts.

    The reason for using an exploit in MS Office is because it is one of the most commonly used software products on Macs since its very beginning. So developing an exploit that uses a commonly used piece of software means a better chance of spreading it.

  • by MushMouth (5650) on Wednesday March 28, 2012 @06:34PM (#39502151) Homepage

    Actually this is what you get when you shut/put off updates.

  • Meh? (Score:5, Informative)

    by Anubis IV (1279820) on Wednesday March 28, 2012 @06:38PM (#39502189)

    Macs had a flurry of trojans that hit them last year too. Apple put out the 10.6.8 update that allowed them to deliver daily anti-malware updates, and then used it to block every variant of the trojan within a matter of hours after it first appeared. Since 10.6 or above has been the default on all new Macs for the last 2.5 years, and Software Update is enabled by default to regularly check for updates, you can bet that the vast majority of Mac users will be receiving an automatic anti-malware update sometime later this week or next to deal with the trojan.

  • If you click through and read the MS Kbase on this you'll see that they patched this in Office 2004 and 2008 for Mac back in 2009. It doesn't appear to exist in the current versions of Office:Mac.

    The document exploit is also present in Windows versions of Office from the same timeframe.
