While the lion’s share of malware, viruses and trojans is still aimed at Windows operating systems, as more people use Mac and iOS devices, hackers will increasingly find it worth their time to target Mac users. One new Trojan uses a flaw in Microsoft Word to plant a backdoor on Mac OS X, and it does so entirely in userland, where the operating system puts nothing in its way.
The targeted attack relies upon a critical security vulnerability discovered in Microsoft Word back in 2009, which allowed remote code execution (MS09-027).
In a nutshell, if you open the booby-trapped Word document, a Trojan horse gets dropped onto your Mac, opening a backdoor for remote hackers. Furthermore, a decoy document called file.doc is also dumped onto your drive.
The nature of the decoy document, which claims to be about Human Rights abuses in Tibet by the Chinese, is sure to raise some eyebrows.
Inevitably there will be speculation that this attack is related to ‘Ghostnet’, the alleged campaign by China to spy via the internet on pro-Tibet organisations, including the Tibetan government-in-exile and the private office of the Dalai Lama.
If that’s the case, then it would seem that ‘Ghostnet’ is now targeting Mac users inside organisations sympathetic to Tibet and banned Chinese groups.
And don’t be fooled into thinking that you are protected by Mac OS X itself, which asks for an administrator’s username and password when software is installed into system locations. You won’t see any prompt for credentials when this malware installs, because it is a userland Trojan.
Neither /tmp/ nor $HOME/Library/LaunchAgents requires root privileges to write to, meaning that software can be dropped there and run in userland with no difficulty, persist across logins via a LaunchAgent, and even open network sockets to transfer data.
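The persistence mechanism described above can be audited from the defender’s side: the script below, an added example that is not Sophos’ code, parses launchd plists the way $HOME/Library/LaunchAgents would be scanned and flags jobs whose program lives in a location a user can write to without an admin prompt. The flagged prefixes, the heuristics and the embedded sample plist are assumptions constructed for this illustration, not indicators from the page.

```python
"""Audit LaunchAgent plists for no-root userland persistence (constructed sample input embedded)."""
import os
import plistlib
import tempfile
from pathlib import Path

# Writable without an admin password prompt (the page names /tmp and $HOME/Library/LaunchAgents).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def program_of(plist: dict) -> str:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""

def assess(plist: dict, home: str) -> list:
    """Reasons a LaunchAgent plist looks like userland Trojan persistence (empty = nothing flagged)."""
    reasons = []
    prog = os.path.expanduser(program_of(plist))
    if prog.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"program in world-writable location: {prog}")
    elif prog.startswith(home + "/") and "/Applications/" not in prog:
        reasons.append(f"program under user home: {prog}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (starts at login, restarts if killed)")
    return reasons

def scan_dir(agents_dir: Path, home: str) -> dict:
    """Map each .plist in agents_dir (e.g. ~/Library/LaunchAgents) to its findings."""
    findings = {}
    for path in sorted(agents_dir.glob("*.plist")):
        with open(path, "rb") as fh:
            findings[path.name] = assess(plistlib.load(fh), home)
    return findings

# Constructed sample agent: hypothetical label and path, not a real indicator from the article.
SAMPLE_AGENT = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/tmp/update-helper", "-d"],
    "RunAtLoad": True,
    "KeepAlive": True,
}

def demo() -> dict:
    """Write the sample plist into a temp dir and scan it as if it were ~/Library/LaunchAgents."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(Path(tmp) / "com.example.updater.plist", "wb") as fh:
            plistlib.dump(SAMPLE_AGENT, fh)
        return scan_dir(Path(tmp), "/Users/alice")
```

On a real machine, call scan_dir(Path.home() / "Library" / "LaunchAgents", str(Path.home())) and review anything that comes back with a non-empty list.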
Sophos anti-virus products detect the malformed Word documents as Troj/DocOSXDr-A and the Mac backdoor Trojan horse as OSX/Bckdr-RLG. The servers that the malware attempts to communicate with have been categorised by Sophos as malware repositories since at least 2009.