The Latest in IT Security

MS09-027 Target: Mac OSX & Tibetan NGOs

11
Apr
2012

Lately, the number of malware targeting Mac OSX has been rising. A new malware that exploits an old vulnerability has been found.

A new malware is taking advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been already patched since 2009, which could allow remote code execution if a user opens a specially crafted Word file. This malware is detected as OSX/MS09-027!exploit.

Once executed, OSX/MS09-027!exploit, will drop the following files:

•    /tmp/launch-hs
•    /tmp/launch-hse
•    /tmp/file.doc

The file launch-hs are a script that executes the file launch-hse and file.doc. Once the file.doc has been executed, it will cause distraction to the user to hide its malicious activity in the background.

[Figure 1 – Decoy Doc File]

Inspecting the file OSX/MS09-027!exploit, you can notice that there is another Doc file embedded on its body. The non-malicious Doc file contains article about the Tibetan situation.

[Figure 2 – Decoy File Embedded on OSX/MS09-027!exploit]

The first variant of the dropped file launch-hse drops a copy of itself as “DockLight” in
/Applications/Automator.app/Contents/MacOS. It then creates “com.apple.DockActions.plist” in the /user/%user%/Library/LaunchAgents/, to ensure that the backdoor is active on the system.

It contacts the remote server “2012.slyip.net”, and it is capable of performing the following commands:

•    Download/Upload files to Command and Center
•    Execute a command using /bin/sh

The second variant of the dropped file launch-hse drops a copy of itself as “launched” in
/Library. It then creates “com.apple.FolderActionsxl.plist” in the /user/%user%/ Library/LaunchAgents/, to ensure that the backdoor is active on the system.

It contacts the remote server “freetibet2012.xicp.net”, and it is capable of performing the following commands:

•    Delete/Execute a file
•    Download/Upload files to Command and Center
•    Execute a command using /bin/sh

How to Remove OSX/MS09-027!exploit:

1) Kill the running process.

Using spotlight, type-in Activity Monitor and filter by searching “DockLight” or “launched”, select it and click Quit Process.

2) Delete OSX/MS09-027!exploit files and components.

Go to /tmp/, delete the following files:

•    launch-hs
•    launch-hse
•    file.doc

Go to /Applications/Automator.app/Contents/MacOS, delete the following file:

•    DockLight
Or

Go to /Library, delete the following file:

•    launched

Go to /user/%user%/library/LaunchAgents/, delete the following files:

•    com.apple.FolderActionsxl.plist or
•    com.apple.DockActions.plist

Ensure that your Total Defense Products are updated with the latest signatures at all times.

Related posts:
  1. More Mac Malware (Word Exploit) Targeting NGOs
  2. Mac OS X Threat Masquerading as Image Files
  3. Criminals gain control over Mac with BackDoor.Olyx
  4. Notes on internal MacOS anti-malware tool (aka XProtect)
  5. Another Tibetan-Themed Malware Email Campaign Targeting Windows and Macs

Written by GLOBAL SECURITY ADVISOR RESEARCH BLOG
0 Comments

Leave a reply


Categories

FRIDAY, APRIL 19, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments