MacControl Trojan Being Used In Targeted Attacks Against OS X Users
Trailrunner7 writes "Welcome to the age of targeted attacks, Mac users. Perhaps having grown tired of owning Windows machines around the world for the last few years, attackers have now taken up the challenge of going after Macs with the same kind of targeted attack tactics that have served them so well in the Windows world. Researchers have found a new attack that employs two separate pieces of malware, a malicious Word document and some techniques for maintaining persistence on compromised machines, and the campaign is specifically targeted at Mac users. The command-and-control domain involved in the attack is located in China and the attack exploits a three-year-old vulnerability in the way that Office for Mac handles certain Word files, according to researchers at AlienVault, who discovered and analyzed the attacks."
Microsoft (: (Score:5, Interesting)
Now how cool is that. A new threat is found for the Mac platform and it's in a Microsoft product of course. :D
It's an improvement on the previous round, though. Last time it was about malware that required you to actually install it
Re:Microsoft (: (Score:5, Insightful)
Now how cool is that. A new threat is found for the Mac platform and it's in a Microsoft product of course. :D
It's an improvement on the previous round, though. Last time it was about malware that required you to actually install it
However, it's an interesting counter-point to the commenters who regularly comment(and get modded up to 11) "How about MS fix security in Windows instead of taking down botnets/shipping antivirus etc.). There is no way to secure an OS from application exploits short of iOS style lockdown, which these very commenters would slag as "TAKING AWAY MY FREEEDOMZZZ". Sorry, but blaming Windows holes has become passe, especially after malware for OS X and Android(run on a Linux kernel which we are told is secure compared to Windows) has come out.
Re:Microsoft (: (Score:5, Insightful)
An iOS style lock-down wouldn't help. It could just as easily been another piece of software, they tend to pick those that are widely deployed.
Re:Microsoft (: (Score:4, Informative)
The new "gatekeeper" feature would be able to lock down MS Word and the worst that could happen is your documents folder is wiped. But since MS Word would never appear on the Mac App Store users would have installed it with unsigned access. Which would only affect their home directory unless they run as Admin.
Uh, I don't think you know what you're talking about. Gatekeeper is a new thing in 10.8, which only allows stuff that's signed either with an App Store certificate or a Mac developer certificate. It doesn't handle file access at all.
Sandboxing (new in 10.7) limits file (and other device) access to only certain areas, but the documents folder is usually off limits.
If Word would use a Mac developer certificate, starting in 10.8 Apple could pull the kill switch and the application would not launch on any Mac any more. However, that's quite a drastic step and would probably not be done in this case for such a widely-deployed piece of software.
Re: (Score:3)
Incorrect. Gatekeeper has 3 security settings. Most secure is "App Store Only" requiring Apple vetting the app. Default is "App Store and Mac Developer Certificate" which allows App Store apps, as well as 3rd party apps like Photoshop and Microsoft Office. The last setting is basically allow all apps.
Technically yes, but the second one has been announced to be the default, and you can be pretty sure that 99% of all users won't change any default.
Even if Apple revokes Microsoft's certificate, the app can always be run in that mode.
I'm not sure about that. The system might refuse to run an app whose certificate has been revoked even in that mode, since it can differentiate between binaries without a signature and binaries with a revoked signature.
Re: (Score:2)
Emphasis mine.
I guess you are big(ly) mistaken here.
Mac users are to a great extent professionals. Ofc, they change the defaults.
In our days you have to do that at any new OS upgrade anyway, as most users don't like the new stuff but prefer the old/previous behaviour.
Re: (Score:2)
Mac users don't "run as admin".
In fact they can't.
Mac users can give themselves an "is admin" flag.
That only means they are in the unix group "wheel" and are registered as "sudoers".
Every process a Mac user starts runs under his user id, not as admin or root. To do so, the process has to ask for permission which requires a root/admin password.
Re: (Score:2)
There is no reason for a word processing program to access the Internet, especially if the IP address is somewhere in China or Russia.
Yes internet access should be gated as you suggest and there are plenty of software firewalls around that do that already, but I'll give you two use cases where a word processor needs to access the internet: 1. A user copies something from a web page and pastes it into the word processor - the clipboard only holds the HTML of the selection, so the word processor has to fetch any image references to embed in the document. 2. A user wants to view or edit a document in a SharePoint (or other) repository - so t
Re: (Score:2)
However, it's an interesting counter-point to the commenters who regularly comment(and get modded up to 11) "How about MS fix security in Windows instead of taking down botnets/shipping antivirus etc.).
We can now say "How about MS fix security in Windows AND OFFICE" in our rants.
Re:Microsoft (: (Score:5, Insightful)
There is no way to secure an OS from application exploits including of iOS style lockdown, which these very commenters would slag as "TAKING AWAY MY FREEEDOMZZZ". Sorry, but blaming Windows holes has become passe, especially after malware for OS X and Android(run on a Linux kernel which we are told is secure compared to Windows) has come out.
Fixed that for you.
Remember that iOS gets exploited regularly, including remote exploits like JailbreakMe.com.
Re: (Score:2)
Since I don't own an iOS device (nor any other "mobile" device [since my laptop isn't mobile apparently]), can you or any other reader satisfy a curiosity of mine?
Obviously the jailbreaks use a number of vulnerable exploits to gain access; do they also board up the vulnerabilities when they're done? It seems to me that I would want to jailbreak on that basis alone if so, and refuse to use the platform if a known drive-by exploit is out in the wild otherwise.
Re: (Score:2)
Since I don't own an iOS device (nor any other "mobile" device [since my laptop isn't mobile apparently]), can you or any other reader satisfy a curiosity of mine?
Obviously the jailbreaks use a number of vulnerable exploits to gain access; do they also board up the vulnerabilities when they're done? It seems to me that I would want to jailbreak on that basis alone if so, and refuse to use the platform if a known drive-by exploit is out in the wild otherwise.
I don't own any iDevices either, but I'd presume not. If anything they add new vulnerabilities such as an SSH server with a default password (Alpine2 IIRC)
Re: (Score:2)
Yes and no. The PDF exploits that were used in the past were patched by the jailbreak community. There are cydia packages which closed it on your newly jailbroken device, the assumption being you had your SHSH blobs backed up for a restore to a vulnerable vanilla firmware should you need it. I'll admit it's been a while since I read up on it, but I think that all the Jailbreakme's used a userland exploit to Jailbreak, and then recommended patching immediately, lest the exploit be used against them.
Re: (Score:2)
Sorry, but blaming Windows holes has become passe
Maybe it's fallen out of style, but even in Android and OSX, many of the exploits require you actively install something instead of "whoops, I visited a website." In reality, though, we should be blaming application developers for a fair amount of the problem. The exploits are often in PDF/Flash, MS Office, the web browser, etc.
On the other hand, even if application developers are to blame, it still pushes some of the blame back onto the OS vendors. Because Windows doesn't have a centralized update util
Re: (Score:2)
Why do you quote your parent,
and rant like mad,
and fail to see: it is not Mac OS X, that fails again, but MS Word!
It is still a *windows* hole because the stupid MS guys never gonna get it.
Re: (Score:3)
A new threat is found for the Mac platform and it's in a Microsoft product of course.
What happens when the malicious Word file is opened in, say, Open Office?
Re:Microsoft (: (Score:5, Interesting)
Since when was the US Government in the business of doing things for the good of humanity?
Re: (Score:2)
Bernard Abbott: We are the United States Government! We don't do that sort of thing.
Martin Bishop: You're just gonna have to try.
Bernard Abbott: All right, I'll see what I can do.
Whistler: Thank you very much. That's all I ask.
Re: (Score:2)
Every time it's in their perceived interests, or the perceived interests of the state actor regardless of established policy. In other words, once in a while.
LoL (Score:3)
I like the persistence bit though - use the standard plist files to maintain persistence just like any normal piece of code (like maintaining persistence by running a Windows Service).
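To make that persistence point concrete, here is an added example (my own code, not from the thread and not from AlienVault's analysis): a Python scanner that parses launchd plists the way you would when triaging ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, and flags jobs that both start automatically and point at a binary in an odd location. The two embedded plists are constructed samples, the heuristics (hidden path components, scratch directories, home directories) are my assumptions, and the labels are not real indicators from this campaign.

```python
"""Triage launchd plists for persistence entries worth a second look.

Added example, not code from the thread or from the MacControl write-up.
The sample plists below are constructed for the example, not real artefacts.
"""
import os
import plistlib
import tempfile

# Assumption: a job whose binary lives in a scratch directory, a home
# directory, or a hidden path rarely has a good reason to auto-start.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
HOME_PREFIX = "/Users/"

# Constructed sample: a vendor updater run once a day (StartInterval only).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updatecheck</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>StartInterval</key><integer>86400</integer>
</dict>
</plist>
"""

# Constructed sample: starts at login, is restarted if killed, hidden binary.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.hidden.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.cache/.agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def assess_launch_job(plist_bytes):
    """Parse one launchd plist (XML or binary) and return a triage record."""
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "<no Label>")
    args = job.get("ProgramArguments") or []
    # launchd uses Program if present, otherwise ProgramArguments[0].
    program = job.get("Program") or (args[0] if args else "")
    reasons = []
    if job.get("RunAtLoad"):
        reasons.append("starts at login (RunAtLoad)")
    keep_alive = job.get("KeepAlive")
    if keep_alive is True or isinstance(keep_alive, dict):
        reasons.append("restarted if killed (KeepAlive)")
    if any(part.startswith(".") for part in program.split("/") if part):
        reasons.append("binary in a hidden path")
    if program.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("binary in a world-writable scratch directory")
    elif program.startswith(HOME_PREFIX):
        reasons.append("binary inside a home directory")
    persists = any(r.startswith(("starts", "restarted")) for r in reasons)
    odd_location = any(r.startswith("binary") for r in reasons)
    return {"label": label, "program": program, "reasons": reasons,
            "flagged": persists and odd_location}


def scan_directory(dirpath):
    """Assess every .plist in a directory; unparseable files are flagged too."""
    results = []
    for name in sorted(os.listdir(dirpath)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(dirpath, name)
        with open(path, "rb") as fh:
            try:
                result = assess_launch_job(fh.read())
            except Exception as exc:  # malformed or not a plist at all
                result = {"label": name, "program": "", "flagged": True,
                          "reasons": ["unparseable plist: %s" % exc]}
        result["path"] = path
        results.append(result)
    return results


if __name__ == "__main__":
    # Stand-alone demo on the two samples; point scan_directory() at the real
    # LaunchAgents/LaunchDaemons directories on a Mac you are investigating.
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("com.example.updatecheck.plist", BENIGN_PLIST),
                           ("com.example.hidden.agent.plist", SUSPICIOUS_PLIST)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        for r in scan_directory(tmp):
            print("FLAG" if r["flagged"] else "ok  ", r["label"], "->",
                  r["program"], "(" + "; ".join(r["reasons"]) + ")")
```

The split between "persists" and "odd location" is deliberate: plenty of legitimate agents use RunAtLoad, and plenty of user-installed helpers live under a home directory, so either alone is noise; the combination is what an analyst wants surfaced first. A binary the scanner cannot parse is flagged rather than skipped, since launchd itself will refuse it and a malformed file in that directory is itself worth a look.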
Re:LoL (Score:5, Informative)
That's quite alright. We find things that target Safari on Windows all the time, so I guess it's more of the same.
Re: (Score:2)
Yes, but no one uses Safari on Windows.
Many of us Mac users are now avoiding newer versions of Safari on Mac OS X as well. Webkit is a good engine, but Safari has issues, and they're getting worse, not better.
Re: (Score:2)
Apple exploit found in the wild... targets Microsoft product running on Apple OS.
From TFA:
An attacker who successfully exploits this vulnerability could take complete control of an affected system.
http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/ [alienvault.com]
Is that an exaggerated statement or does it indicate some kind of privilege escalation bug in OSX?
Re: (Score:2)
- Copies itself into
implies administrative permissions of some level (you can't just write to
Re: (Score:2)
You don't really believe OS X is impervious to viruses do you? If they can hack Android linux and Apple iOS to install malware, then they can do the same to their big brothers on the desktop.
I guess I could mimic the Apple fans and proclaim, "My Commodore Amiga's OS 4 is awesome. It has no viruses!" Of course that's only because nobody wants to target such a small userbase. Ditto linux. Ditto OS X.
Re:LoL (Score:5, Funny)
You may laugh, but it's truer than you think. Many many moons ago I was admining a small network of linux desktops for students at the local university. Management, non-technical of course, demanded that internet explorer be installed on them. After protesting loudly and losing the argument, I ended up deploying ie6 across the network via wine. It took approximately 3 days before they became infested.
In a strange way, I took that as a surprising confirmation of wine's compatibility.
In the end I replaced the Mozilla browsers' icons with E icons and the office twonks were happy. God I hate tech support
Re: (Score:2)
As a web developer who's tried to use WINE to work with IE, and specifically IE6, I can say with confidence that the compatibility you experienced ends before accurately (per IE6) rendering websites. If only Trident as a whole were as portable as its security flaws.
Re: (Score:2)
Isn't cleaning them up just a case of killing all the wine-server processes then deleting and replacing the contents of the fake C: drive?
Re: (Score:2)
Apparently, you're wrong about OS X: someone does want to target it, as seen in the article. And they picked the lowest-hanging fruit, which of course is Microsoft applications running on that platform.
I'm sure there's plenty of other exploits in OS X, but why bother finding those when you can just take advantage of yet another security hole in MS products?
Re: (Score:2)
A trojan works by tricking you into downloading and installing the malware. MS Office was probably picked not because of any inherent vulnerability but because
1. It's widely deployed and
2. People expect their computer to tell them that Microsoft Office wants updating. Microsoft products always want updating.
Adobe products would be an even better choice. Click on a link and up pops a window that tells you you need to install the latest Flash player. The average user doesn't think twice about this becau
Re: (Score:2)
I don't think there's any desktop OS that does such a thing. As long as processes have access to the data owned by that user, there's nothing preventing them from at least mucking with your data. If the user is running as root, then the process can modify system data and break in that way, getting full access to everything on the system. I don't believe Mac OSX has a root/user divide the way most Linux distros do, nor does Windows on the desktop (it frequently does in corporate environments though).
Re: (Score:2)
OS X definitely has a root/user divide, but the default user still has "administrator" privileges which are far more permissive than they should be. The fact is, it's possible to devise a more hardened security regime and maintain home user usability, but it's very hard and would require a kind of cooperation from developers that even Apple probably can't command.
Probably at this point the only way it'll ever happen is for a security-oriented OS to inadvertently take the market by storm (killer app or whath
Re: (Score:2)
AmigaOS is a single user os with virtually none of the security features present in modern systems, if anyone put the effort in to target it i doubt it would stand up very well.
Linux doesn't have a small userbase by any means, it just has a small userbase on the desktop. In other markets, linux is actually huge.
Similarly while OSX may have a relatively small marketshare, it comes bundled with software which is very widely used such as Apache.
Re: (Score:2)
Amiga actually had a lot of viruses. It was the #1 virus platform before Windows 95 (and its successors). Almost all of them were boot block viruses, which spread via bootable copied game floppies from one machine to the next, not the remote-installed stuff.
Re:LoL (Score:5, Interesting)
I still don't understand this attitude, but I can count myself (a Mac user) lucky as a consequence. If I were trying to profit from exploiting home PCs, I would target the Mac first and foremost, as the userbase is substantial (millions), demographically wealthy (compared to the whole market) and typically security-ignorant. That's a perfect storm for exploiting for profit, and I'm frankly astonished it hasn't happened on a large scale yet.
Re: (Score:2)
But numbers of people aren't the only numbers. The reason I pointed out relative wealth was because not everyone's identity is equally valuable to a thief.
I guess that's what you get for using Microsoft (Score:4, Insightful)
Interesting that this Mac exploit only applies to Mac users who use Microsoft Word. Not saying that Macs are ultra-secure, but maybe the malware authors are just going after the low-hanging fruit, which is Microsoft software, regardless of what platform it's installed on.
Maybe this is how MS will finally put to rest the notion that Linux is more secure than Windows: they'll release MS Office For Linux, which will then open Linux users up to the same level of insecurity Windows users have had forever.
Re:I guess that's what you get for using Microsoft (Score:5, Insightful)
Interesting that this Mac exploit only applies to Mac users who use Microsoft Word
When you include a scripting language in your document spec, expect people to use it.
Good people and bad people.
--
BMO
Re:I guess that's what you get for using Microsoft (Score:5, Insightful)
Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.
Re: (Score:2)
Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.
What makes you sure something equivalent couldn't be done with iWork and Applescript? I mean other than iWork's marketshare, of course.
Re: (Score:2)
No one said Apple's stuff was any less stupidly-designed than MS's.
Re: (Score:2, Informative)
Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.
What makes you sure something equivalent couldn't be done with iWork and Applescript? I mean other than iWork's marketshare, of course.
The fact that you can't embed AppleScript in an iWork document?
Re: (Score:2)
There is NO excuse for that.
Re: (Score:3)
And in a recent version of office I saw someone receive a word document with macros in it. "DO NOT allow macros to run". She did anyway. Why? Because in their infinite wisdom, it won't ALLOW you to open the document with macros disabled - they give you two options, (1) open it with macros enabled, or (2) don't open it. Brilliant.
I have YET to run into a user that will listen to me when I tell them to never open those, call me and I will clean them. "But I HAD to have that document right now!" and the
Re: (Score:2)
If there's no consequences for her behavior, then she has no reason not to behave that way, since you're apparently on the hook for cleaning up her mess.
Can't you make cleaning her mess low-priority and get to it after a week or so, leaving her unable to do her job in that time? And make sure all the blame is squarely on her shoulders?
Re: (Score:2)
Besides being a good way to get chewed out/disciplined/fired, BofH-style IT isn't very ethical.
And if you still want to take the selfish approach, think about it... an office secretary with a macro virus loose on her machine, imagine how fast that would propagate around the office? turn one headache into many?
Re: (Score:2)
I'm not saying don't fix her machine, but it shouldn't be top priority. Are you really so underworked that you have time to drop everything and fix her machine when she screws up yet again (or someone like her)? If so, then fine; the company has seen the need to have spare people around just to deal with this kind of problem. But most places seem to have more important stuff for their IT people to do than fix dumb problems their users create.
And no, you shouldn't allow her to have a virus loose on her ma
Re: (Score:2)
Doesn't work like that. The best you could do would be to give her a loaner, preferably a P4 with 256MB RAM. If she's got pull she might be able to get that swapped out for a brand new laptop though, which might also be okay - then you give her a few days to get used to a good system, then yank it away and give her back her old one. She'll be miserable either way.
Re: (Score:2)
Haven't tried that in the recent version, but in previous versions of MS Office one could open the file in question via the application's "Open file" dialogue and press the Shift key while clicking on the "Open" button. That way (AutoStart) macros in that document won't execute.
Re: (Score:2)
The scripting language is one of the least concerns...
The biggest problem is the complexity and age of the file formats. There is plenty of complexity, and lots of crufty old code waiting to be exploited, while on the other hand the format is poorly documented which makes it hard to validate files against a known good spec.
Re: (Score:2)
Yea, this particular vulnerability has nothing to do with macros.
Re: (Score:2)
Damn. I have mod points, but there is no "insightful AND funny" +1.
Re: (Score:2)
Office is installed on all corporate machines, PC and Mac. Corporate espionage is the likely agenda.
Re: (Score:2)
Interesting that this Mac exploit only applies to Mac users who use Microsoft Word.
The bug they reference in TFA appears to have been patched years ago, so would appear it's only on old systems that haven't been updated in years.
Re: (Score:2)
Presumably it's low-hanging because Word on the Mac shares code with Word on Windows, and it's a more familiar target for malware authors. I doubt Microsoft software in general is especially vulnerable, it's just especially prevalent.
Updates? (Score:2)
I've used Libreoffice, Neooffice or OO on my mac, and all of those prompt me to update reasonably regularly - certainly more often than every 3 years! While it can be annoying, it's probably better than a compromised computer.
( Insert Microsoft bashing for karma-whore point
Re: (Score:3)
Office 2008 on my Mac opens the Microsoft Software Updater to check for updates once a month (as long as I open a Microsoft product, including the Office suite or RDP).
BTW, this is a good time to mention that Office 2004 for Mac ended support after the January 2012 Patch Tuesday, and Office 2008 for Mac (product targeted by this exploit) ends support April 2013.
10,000 hipsters abandon the Mac (Score:5, Funny)
It's gone mainstream. Now that it has viruses, it's like the Miley Cyrus of computing.
Time to find something more obscure. OpenVMS on an Atom system with a retro GEOS interface. That's the ticket.
I used to like Apple before it was mainstream, but now I've moved on. Just like with White Ring and fixies.
Re: (Score:2)
Wait, fixies are passé now? Awesome, I can ride mine without people demanding I wear tight jeans and a sour expression!
I wear my tight jeans on a mountain bike, ironically.
-AI
Hipsters run Office? (Score:3)
Pretty sure Hipsters are still safe.
Nerds who mock hipsters however, remain ever in peril from a universe who loves to inflict identical troubles on those who mock.
Don't blame Microsoft... (Score:3, Insightful)
Any OS that can be pwned by an exploit in *any* software running in user mode is insecure. Sorry, but those are the facts.
The reason for using an exploit in MS-Office is because is one of the most commonly used software products on Macs since its very beginning. So developing an exploit that uses a commonly used software means a better chance of spreading it.
Re: (Score:2)
It requires the user to be running as admin to take over the machine.
which A LOT, A LOT of people do, mainly because they don't know better and secondly because it's a lot easier for them not to switch between accounts
patched three years ago (Score:5, Informative)
Actually this is what you get when you shut/put off updates.
Meh? (Score:5, Informative)
Macs had a flurry of trojans that hit them last year too. Apple put out the 10.6.8 update that allowed them to deliver daily anti-malware updates, and then used it to block every variant of the trojan within a matter of hours after it first appeared. Since 10.6 or above has been the default on all new Macs for the last 2.5 years, and Software Update is enabled by default to regularly check for updates, you can bet that the vast majority of Mac users will be receiving an automatic anti-malware update sometime later this week or next to deal with the trojan.
Re: (Score:2)
I wonder if MS will patch Office 2008 Mac on older Mac OS X like 10.5.8.
Old exploit (Score:2)
The document exploit is also present in Windows versions of Office from the same timeframe.
Re: (Score:2)
Prefer to use iWork. For regular work it is far better to use than Office.
Re: (Score:2)
Really? Aren't we just getting a little paranoid? Why not take it one step further and suggest to sandbox every application inside the VM OS?
Great idea! Is someone working on that?
Re:Sounds like a vulnerability in a Microsoft prod (Score:4, Interesting)
Apple is actually sandboxing all apps by default in 10.8 "Mountain Lion"
Re: (Score:2)
Given the ability to provide necessary functionality and usable/understandable control end-user control over escalation requests, why wouldn't we sandbox everything?
Re: (Score:2)
And here we have again a false silver bullet. Security is hard. Sandboxing (and virtualization) are great, but they're not The Solution.
Re: (Score:2)
Not likely; OO.o has a much smaller number of known users than MS Office, so there probably aren't many malware writers bothering with it.
However, MS always seems to have a bad habit of totally ignoring security with their architectural decisions, such as their macro language use in MSO. Someone more knowledgeable than me could comment on how OO.o's (and LO's) macro language compares with MSO's in regard to security.
Re: (Score:2, Informative)
Microsoft patched this in 2009
however this from OO-2 is still unpatched
http://secunia.com/advisories/38567/
Re: (Score:2)
Solution
Update to version 3.2.
Seriously? That's what you are going to use to scare people away from OO? It took one click to find the solution to your petty quibble.
Re:Office for Mac? (Score:4, Funny)
Embrace, Penetrate, Ejaculate.
The upcoming Microsoft memo.
Re: (Score:2)
It's still a vulnerability in OS X. Poorly secured third-party executables should not allow access to the system. Regardless of whether it's Apple's OS or otherwise.
Re: (Score:2)
For Macs, yes, it was mostly bullshit.
Re: (Score:3)
Being secure by design does not mean it's immune to trojans and software exploits. The two things are not mutually exclusive. You can design a system with an eye on security (for example, not running as root by default, have the default state of network-facing services be "off", that sort of thing) but it does not mean that the software will be immune. There will always be bugs and holes - and on the Mac, there are plenty. There are relatively frequent security updates for OS X (more in the early days, but
Re: (Score:2)
Don't download a piece of software from a torrent site claiming to be Microsoft Office.dmg, but is only a few 10's of MB - it's probably a trojan.
Bloat: your guarantee of genuine Microsoft quality.
Re: (Score:2)
Thought OS was responsible for 3rd party vulnerabilities?
Parent has been labeled troll but he's not wrong; this is the crap that people have been spouting and it's nonsense. Show me an OS that can't get viruses, and I'll show you an OS that can't run third party binary code or interpreted code or receive updates.
Re: (Score:2)
Do you count PHP Worms? Linux runs many webservers that spread various kinds of php worms and spam machines.
The exploits were in poorly configured PHP instances, and poorly written PHP applications, but even if those worms didn't care what OS their server was running, the worms still technically ran on linux (at least some of the time).
Re: (Score:2)
Considering the sheer stupidly large amount of hits I get from compromised machines trying to SSH into my server, I'd say that there are linux viruses out there.
The concept of self-propagation is lost on you, eh?
Re: (Score:2)
I do not know what world you live on but where do you think the term "root"kit came from?
If you guess the account root and its associated Unix then you are correct.
Linux servers are heavily targeted. I met someone who worked at a bank and all their Suse servers were rootkitted with a virus for the sole purpose of hosting a phishing scheme and stolen credit card database. Sure more viruses target windows to steal the information but where do you think they store the stolen information Linux servers.
There are
Re: (Score:2)
Root kits are not viruses. They are security exploits, but they must be manually installed by somebody who already has at least user privilege on the machine. I would be willing to bet money that the issue at the bank was not a virus, but a rootkit... possibly a trojan.
My point still stands. I would like somebody to please identify *ANY* linux virus that has ever been caught "in the wild" and has compromised even a modest percentage of actual Linux machines in existence.
Bear in mind that by virus,
Re: (Score:3)
it's technically a bot, but one written by a crazy person.
specifically, it's from a divination app packaged into LoseThos [losethos.com], a 64-bit hobby OS written by a schizophrenic man on orders from god himself. it really has to be seen [youtube.com] to be believed.
GREAT IDEA! however (Score:2)
But macs fail to mount /tmp in a secure way; there is only 1 mount point. One can wonder about the next OS with the option to forbid non-signed apps from running and how that will impact this.
Re: (Score:2)
I am not saying everyone but damn people not even basic AV.
What exactly is "basic AV"? Does that refer to a program that automatically downloads known malware signatures, and checks email attachments and downloaded software against them before allowing them to execute?
Because if so, MacOS/X includes that functionality now -- so your Mac buddies probably have basic AV, even if they don't know it. No monthly tribute to Symantec (et al) is required.
Re: (Score:2)
At this point, installing Mac "antivirus" is probably the most surefire way to get some crapware or virus. Although I guess you could go with norton (not sure how thats materially different from those).