Microsoft Detects New Malware Attacking Mac OS X

Jeong Wook Oh of Microsoft's Malware Protection Center reports that his team has stumbled across a new piece of malware targeting Apple OS X computers. It exploits a remote code execution vulnerability in the Office productivity suite which Microsoft actually patched back in June 2009 (MS09-027). Almost three years later, not all machines have the patch installed, thus leading to the spread of this new hacker tool.

"The vulnerability is a stack-based buffer overflow - the attack code could corrupt variables and return addresses located on the stack," Oh wrote. "As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy 'stage 1' shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well."

Oh said that the malware, a Mac OS X version of backdoor, is probably targeting only Snow Leopard or lower versions of Mac OS X, as it fails when trying to execute on OS X Lion machines. He believes the attacker had knowledge about the target environment beforehand -- knowledge that includes the target operating system, application patch levels and more.

Like other backdoor trojans, this new malware grants remote control access to the infected computer. The main payload file is a standard executable for Mac OS X called launch-hse. "This binary is a command and control (C&C) agent that communicates with a C&C server (master) to perform unauthorized actions that are similar to other C&C bot clients," he explained. "The function names give clues that might indicate that this binary is connecting to a C&C server, parses command from it and performs file retrieval or creates process."

Ultimately Mac users will see an increase in malware attacks as the platform grows in popularity. Oh said that exploiting Mac OS X isn't much different from other operating systems, and even though Mac OS X has introduced many mitigation technologies to reduce risk, the end-user's protection against security vulnerabilities has a direct correlation with updating installed applications. That means keeping software up-to-date so that hackers don't slip in between cracks that were patched long ago.

  • mobrocket
    the guy's last name is "OH"
    thats wicked
  • cee2cee
    More proof that Mac users are the more clueless ones. Sure, PCs have to deal with monthly patches, but I feel bad for those on Macs that incorrectly think they're safe and don't update and then something like this happens.
  • rantoc
    Fun is that Microsoft actually patched it back in June 2009 (MS09-027). Seems the mac users believe their invulnerable and don't understand the need to patch security leaks in their "magic" machines, much thanks to the false marketing with the TV commercials and all. Crack tend to make people jump of roofs, not patching security holes is just as clever!
  • Parsian
    Except a very small professional content producing margin of Apple OSX users, everybody else uses Macs so they dont have to know or learn or concern themselves with technicalities. THis is a prime example of such population and why they are deluded with the illusion of no viruses in Macs. They cant even update through their automated updating system.
  • internetlad
    and once again, we find that the weakest link in security is the user itself.

    Seriously, computers, just form skynet already and wipe us out.
  • eddieroolz
    The header is full of irony.
  • tramit
    Why wouldn't you update software to a program?
  • danimal_the_animal
    WAKE UP!

  • atmos929
    Mac OS X Service Pack 2 comming up...

    ... Do they even use updates like that? Will they have to?
  • Cazalan
    Windows getting too secure by default. Easier to go for the weakest link. iPad/Mac.