More Mac malware attacking minority groups in China

Over the last year, SophosLabs has written about attacks against minority groups in China that exploit old vulnerabilities in Microsoft Office, vulnerabilities for which patches have long been available.

We have seen several attacks in the past.

Earlier this week, the folks at AlienVault saw another attack using the same vulnerability in Office products on Mac OS X, targeting the Uyghur people of East Turkestan.

The vulnerability, known as MS09-027, was patched by Microsoft back in June 2009, and allowed remote code execution in Microsoft Word.

That means simply opening a booby-trapped Word document on an unpatched computer could run malicious code on your Mac. While you are distracted reading the contents of the Word file, malware is being invisibly and silently installed onto your computer.

[Image: Contents of Word document]

Many Mac users may cling to the hope that their operating system will ask for an administrator's username and password before any software is installed, but no such prompt appears with an attack like this: it is a userland Trojan, so you are never asked for administrator credentials.

This is because neither the /tmp/ folder nor the $HOME/Library/LaunchAgents folder on Mac OS X requires root privileges to write to. Software can run in userland with no difficulty, and can even open network sockets to transfer data.
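To make that persistence point concrete for defenders, here is an added example (not Sophos's detection code) that audits a user's LaunchAgents directory for agents that execute from /tmp or from hidden filenames; the sample plist and its label are constructed for illustration.

```python
"""Audit per-user launchd agent plists for persistence that executes from
temporary or hidden locations. Added example code; the sample plist below is
constructed and does not come from the campaign described on the page."""
import plistlib
from pathlib import Path

# A per-user launch agent should not normally execute from these locations.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/")


def agent_findings(plist_bytes: bytes) -> list[str]:
    """Return the reasons a launchd plist looks suspicious (empty if clean)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return ["unparseable plist"]
    program = plist.get("Program")
    args = plist.get("ProgramArguments") or []
    candidates = [p for p in [program, *args] if isinstance(p, str)]
    findings = []
    for path in candidates:
        if path.startswith(SUSPICIOUS_PREFIXES):
            findings.append(f"executes from temporary directory: {path}")
        if "/" in path and Path(path).name.startswith("."):
            findings.append(f"hidden executable name: {path}")
    if plist.get("RunAtLoad") and findings:
        findings.append("RunAtLoad set: starts again at every login")
    return findings


def audit_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Scan every .plist in a LaunchAgents directory; map filename -> findings."""
    results = {}
    if not directory.is_dir():
        return results
    for plist_file in sorted(directory.glob("*.plist")):
        findings = agent_findings(plist_file.read_bytes())
        if findings:
            results[plist_file.name] = findings
    return results


# Constructed sample: a hypothetical agent that runs a hidden script out of /tmp.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>/tmp/.update.sh</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(agent_findings(SAMPLE_PLIST))
    print(audit_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```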

[Image: Word DOC code]

Sophos products detect the malicious documents as Troj/DocOSXDr-B and the dropped malware as the Mac Trojan horse OSX/Agent-AADL.

OSX/Agent-AADL clearly went through some development during this campaign, because we saw three distinct versions. The first was the most interesting:

[Image: Word DOC Trojan code]

In later versions of the Trojan, the function and variable names were stripped out and the shell script filenames were further hidden and obfuscated.

Once again, Mac users need to remember to not be complacent about the security of their computers. Although there is much less malware for Mac than there is for Windows, that is going to be no compensation if you happen to be targeted by an attack like this.

Mac users, just like Windows users, need to pay attention to the latest security patches and ensure that their software is kept properly up-to-date.

If you’re not already doing so, run anti-virus software on your Macs. If you’re a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.