More Mac malware attacking minority groups in China

Filed Under: Apple, Data loss, Featured, Malware, OS X, SophosLabs, Vulnerability

Over the last year, SophosLabs has talked about attacks against minority groups in China that use old vulnerabilities in Microsoft Office, for which patches have long been available.

We have seen several attacks in the past.

Earlier this week, the folks at AlienVault saw another attack using the same vulnerability in Office products on Mac OS X, targeting the Uyghur people of East Turkestan.

The vulnerability, known as MS09-027, was patched by Microsoft back in June 2009, and allowed remote code execution in Microsoft Word.

That means simply opening a booby-trapped Word document on an unpatched computer could run malicious code on your Mac. While you are distracted reading the contents of the Word file, malware is being invisibly and silently installed onto your computer.

Contents of Word document

Although many Mac users might clutch onto the hope that their operating system will ask for an administrator's username and password before installing any software, no such prompt appears with an attack like this: it is a userland Trojan, so you are never asked for administrator credentials.

This is because neither the /tmp/ folder nor the $HOME/Library/LaunchAgents folder on Mac OS X requires root privileges to write to. Software can run in userland with no difficulty, and can even open network sockets to transfer data.
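The practical consequence for a defender is that persistence set up this way leaves its traces in user-writable locations, so it can be found without root as well. The script below is an added example, not code from the original post or from Sophos: it parses LaunchAgent property lists with Python's standard-library plistlib and flags agents whose program or arguments live in a temp directory, use hidden (dot-prefixed) file names, or launch a shell script at login. The two sample plists and the label com.example.hypothetical.updater are constructed for the example.

```python
"""Audit user-level launchd agents for userland-persistence tell-tales.

Added example: ~/Library/LaunchAgents and /tmp are writable without root,
so a Trojan can persist from there without any password prompt. This script
reports agents whose program or arguments sit in a temp directory, hide
behind dot-prefixed names, or run a shell script at login.
"""
import plistlib
from pathlib import Path

# World-writable locations a legitimate LaunchAgent rarely runs from.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/csh", "/bin/tcsh"}

# Constructed sample (hypothetical label): persistence of the kind described,
# a hidden shell script in /tmp kept alive from login onwards.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.hypothetical.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/tmp/.update.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary helper shipped inside an application bundle.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.hypothetical.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/helper</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def _hidden_component(path: str) -> bool:
    """True if any path component is a dot-file, a common way to hide a script."""
    return any(p.startswith(".") and p not in (".", "..") for p in Path(path).parts)


def audit(plist_bytes: bytes) -> list[str]:
    """Return the reasons an agent looks like userland malware persistence ([] if none)."""
    job = plistlib.loads(plist_bytes)
    args = [str(a) for a in job.get("ProgramArguments", [])]
    program = str(job.get("Program") or (args[0] if args else ""))
    label = str(job.get("Label", "<no label>"))
    reasons = []
    if not program:
        reasons.append(f"{label}: no Program or ProgramArguments")
        return reasons
    # Check the executable and every argument after argv[0] (script paths live there).
    for item in [program] + args[1:]:
        if item.startswith(TEMP_DIRS):
            reasons.append(f"{label}: runs from a world-writable temp directory: {item}")
        if _hidden_component(item):
            reasons.append(f"{label}: hidden file in path: {item}")
    if program in SHELLS and job.get("RunAtLoad"):
        reasons.append(f"{label}: shell script launched at login: {' '.join(args)}")
    return reasons


def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents folder; returns {filename: reasons}."""
    results = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            reasons = audit(plist_path.read_bytes())
        except Exception as exc:  # malformed or binary-corrupt plist is itself worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            results[plist_path.name] = reasons
    return results


if __name__ == "__main__":
    # Run against the current user's own LaunchAgents folder; no root needed.
    for name, reasons in scan_directory(Path.home() / "Library" / "LaunchAgents").items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

A real agent can of course be written into ~/Library/LaunchAgents with an innocuous-looking name and program path, so treat the checks as triage heuristics: a hit is worth opening the plist and the file it points at, and a miss is not a clean bill of health. The same pass is worth running over /Library/LaunchAgents and /Library/LaunchDaemons on machines where an administrator account is in daily use.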

Word DOC code

Sophos products detect the malicious documents as Troj/DocOSXDr-B and the dropped malware as the Mac Trojan horse OSX/Agent-AADL.

OSX/Agent-AADL clearly went through some development during this campaign, because we saw three distinct versions. The first was the most interesting:

Word DOC Trojan code

In later versions of the Trojan, the function and variable names were stripped out and the shell script filenames were further hidden/obfuscated.

Once again, Mac users need to remember to not be complacent about the security of their computers. Although there is much less malware for Mac than there is for Windows, that is going to be no compensation if you happen to be targeted by an attack like this.

Mac users, just like Windows users, need to pay attention to the latest security patches and ensure that their software is kept properly up-to-date.

If you're not already doing so, run anti-virus software on your Macs. If you're a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.

4 Responses to More Mac malware attacking minority groups in China

  1. Rob · 965 days ago

    Easy, don't use Microsoft programs on your Mac :)

  2. Grenville Grimace · 965 days ago

    Nice try at another typical Sophos anti-Mac FUD article, but considering that only three people in all of China can afford a Mac, it isn't really an issue.

    Better luck next time.

    • Paul Ducklin · 965 days ago

      Not sure if you're trying to insult China, for being poor; Apple, for having products that are too expensive for China; or the author of this article, for failing to notice one or both of the previous facts.

      Interestingly, a survey I read somewhere (take it, indeed, with a grain of salt, but it seems it was a real survey of 1500+ randomly selected consumers in China) from late 2011 reported that 5% of laptops sold in China are Macs, and that 20% of respondents "were considering Macs" for their next laptop purchase.

      If, as you say, there are three Macs in China, and that's 5% of the laptops in total, then, hey, there are 60 laptops in all of China...which sounds, ah, a trifle on the low side, wouldn't you say?

    • TED · 964 days ago

      Where have you been? China is loaded with money, and yes, it has seeped down to the mid masses. With a couple billion people, do you think only a couple thousand have money? It's bad there, but not that bad. It is not North Korea. Here is a link to an Apple store in China built out of bamboo and rice paddy plants.

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos for pastures new and will be writing as an independent malware researcher. Paul has published several papers, presented at several Virus Bulletin conferences, and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.