Jeong Wook Oh of Microsoft's Malware Protection Center reports that his team has stumbled across a new piece of malware targeting Apple OS X computers. It exploits a remote code execution vulnerability in the Office productivity suite which Microsoft actually patched back in June 2009 (MS09-027). Almost three years later, not all machines have the patch installed, which is what gives this new hacker tool room to spread.
"The vulnerability is a stack-based buffer overflow - the attack code could corrupt variables and return addresses located on the stack," Oh wrote. "As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy 'stage 1' shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well."
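To make the mechanism Oh describes concrete, here is an added example in C (written for this article, not Microsoft's analysis and not the malware's code). It models a stack frame as a struct in which a fixed 16-byte buffer sits directly before a local variable that the routine later uses as a copy destination and before the saved return address; the record format, the frame layout and every function name are assumptions for illustration only. The unchecked parser trusts the record's length field, so an overlong record spills past the buffer and overwrites both trailing fields; the hardened parser bounds the copy by the buffer size and rejects the record instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stack-frame model for illustration: a fixed buffer followed by a
 * local pointer-sized variable that the routine later uses as a copy
 * destination, then the frame's saved return address. Real frame layouts
 * depend on the compiler; the struct only makes the adjacency explicit. */
typedef struct {
    char     buf[16];
    uint32_t copy_target;   /* local variable later used as a target address */
    uint32_t saved_ret;     /* saved return address of the frame */
} frame_t;

#define ORIG_TARGET 0x0000AAAAu
#define ORIG_RET    0x0000BBBBu

/* Hypothetical record format: one length byte, then that many payload bytes. */

/* Vulnerable pattern: the length field is trusted and the copy into the
 * 16-byte buffer is never bounded by the buffer's size. */
static int parse_record_unchecked(frame_t *f, const uint8_t *rec, size_t rec_len)
{
    size_t n = rec[0];
    if (rec_len < 1 + n)
        return -1;                 /* validates the input, not the destination */
    if (n > sizeof *f)
        n = sizeof *f;             /* keeps the model defined; a real overflow keeps going */
    /* Writing through the frame pointer makes the spill into copy_target
     * and saved_ret visible whenever n exceeds sizeof f->buf. */
    memcpy((uint8_t *)f, rec + 1, n);
    return 0;
}

/* Hardened form: reject any record whose payload does not fit the buffer. */
static int parse_record_checked(frame_t *f, const uint8_t *rec, size_t rec_len)
{
    size_t n = rec[0];
    if (rec_len < 1 + n)
        return -1;
    if (n > sizeof f->buf)
        return -2;                 /* refuse instead of overflowing */
    memcpy(f->buf, rec + 1, n);
    return 0;
}

typedef int (*parser_fn)(frame_t *, const uint8_t *, size_t);

/* Runs one parser on a fresh frame; returns 1 if the local variable and the
 * return address still hold their original values, 0 if either was clobbered. */
static int frame_intact(parser_fn parse, const uint8_t *rec, size_t rec_len, int *rc)
{
    frame_t f;
    memset(&f, 0, sizeof f);
    f.copy_target = ORIG_TARGET;
    f.saved_ret   = ORIG_RET;
    *rc = parse(&f, rec, rec_len);
    return f.copy_target == ORIG_TARGET && f.saved_ret == ORIG_RET;
}

/* Constructed inputs: a benign 8-byte record, and a 24-byte record long
 * enough to reach past buf into both trailing fields. */
static const uint8_t BENIGN[] = { 8, 'h', 'e', 'l', 'l', 'o', '!', '!', '!' };

static size_t make_overlong(uint8_t out[25])
{
    out[0] = 24;
    memset(out + 1, 0x41, 24);
    return 25;
}

int unchecked_survives_benign(void)
{
    int rc;
    return frame_intact(parse_record_unchecked, BENIGN, sizeof BENIGN, &rc) && rc == 0;
}

int unchecked_survives_overlong(void)
{
    uint8_t rec[25];
    int rc;
    size_t len = make_overlong(rec);
    return frame_intact(parse_record_unchecked, rec, len, &rc);
}

int checked_survives_overlong(void)
{
    uint8_t rec[25];
    int rc;
    size_t len = make_overlong(rec);
    return frame_intact(parse_record_checked, rec, len, &rc);
}

int checked_overlong_rc(void)
{
    uint8_t rec[25];
    int rc;
    size_t len = make_overlong(rec);
    frame_intact(parse_record_checked, rec, len, &rc);
    return rc;
}

int main(void)
{
    printf("unchecked, benign record  : frame intact = %d\n", unchecked_survives_benign());
    printf("unchecked, overlong record: frame intact = %d\n", unchecked_survives_overlong());
    printf("checked, overlong record  : frame intact = %d, rc = %d\n",
           checked_survives_overlong(), checked_overlong_rc());
    return 0;
}
```

The point to take from the model is the one in Oh's description: once the copy runs past the buffer, the next things on the stack are a local variable and the return address, and whichever value the record carries ends up in both. The fix is not cleverness in the copy but a destination bound, which is why the same class of bug keeps being patched in parsers of untrusted file formats.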
Oh said that the malware, a Mac OS X backdoor, probably targets only Snow Leopard or earlier versions of Mac OS X, since it fails when run on OS X Lion machines. He believes the attacker had prior knowledge of the target environment, including the target operating system, application patch levels and more.
Like other backdoor trojans, this new malware gives an attacker remote control of the infected computer. The main payload is a standard Mac OS X executable called launch-hse. "This binary is a command and control (C&C) agent that communicates with a C&C server (master) to perform unauthorized actions that are similar to other C&C bot clients," he explained. "The function names give clues that might indicate that this binary is connecting to a C&C server, parses commands from it and performs file retrieval or creates processes."
Ultimately, Mac users will see more malware attacks as the platform grows in popularity. Oh said that exploiting Mac OS X isn't much different from exploiting other operating systems, and even though Mac OS X has introduced many mitigation technologies to reduce risk, an end-user's protection against security vulnerabilities correlates directly with keeping installed applications updated. That means keeping software up to date so that hackers can't slip in through cracks that were patched long ago.