Lately, the number of malware samples targeting Mac OS X has been rising. A new malware sample that exploits an old vulnerability has been found.
This new malware takes advantage of an old vulnerability in Microsoft Word (MS09-027), patched since 2009, which could allow remote code execution if a user opens a specially crafted Word file. The malware is detected as OSX/MS09-027!exploit.
Once executed, OSX/MS09-027!exploit drops the following files:
• /tmp/launch-hs
• /tmp/launch-hse
• /tmp/file.doc
The file launch-hs is a script that executes launch-hse and opens file.doc. The opened file.doc serves as a decoy that distracts the user while the malicious activity runs in the background.
[Figure 1 – Decoy Doc File]
Inspecting the file OSX/MS09-027!exploit, you can notice that another Doc file is embedded in its body. This non-malicious Doc file contains an article about the Tibetan situation.
[Figure 2 – Decoy File Embedded on OSX/MS09-027!exploit]
The first variant of the dropped file launch-hse drops a copy of itself as “DockLight” in /Applications/Automator.app/Contents/MacOS. It then creates “com.apple.DockActions.plist” in /user/%user%/Library/LaunchAgents/ to ensure that the backdoor remains active on the system.
It contacts the remote server “2012.slyip.net”, and it is capable of performing the following commands:
• Download/Upload files to the Command and Control server
• Execute a command using /bin/sh
The second variant of the dropped file launch-hse drops a copy of itself as “launched” in /Library. It then creates “com.apple.FolderActionsxl.plist” in /user/%user%/Library/LaunchAgents/ to ensure that the backdoor remains active on the system.
It contacts the remote server “freetibet2012.xicp.net”, and it is capable of performing the following commands:
• Delete/Execute a file
• Download/Upload files to the Command and Control server
• Execute a command using /bin/sh
How to Remove OSX/MS09-027!exploit:
1) Kill the running process.
Using Spotlight, open Activity Monitor, filter by searching for “DockLight” or “launched”, select the process and click Quit Process.
2) Delete OSX/MS09-027!exploit files and components.
Go to /tmp/, delete the following files:
• launch-hs
• launch-hse
• file.doc
Go to /Applications/Automator.app/Contents/MacOS, delete the following file:
• DockLight
Or
Go to /Library, delete the following file:
• launched
Go to /user/%user%/Library/LaunchAgents/, delete the following files:
• com.apple.FolderActionsxl.plist or
• com.apple.DockActions.plist
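Added example, not part of the original post: a small POSIX shell check that looks for the dropped files, persistence copies and LaunchAgent plists listed above, and filters a process list for the two backdoor names. The root directory and user home path are parameters (the post writes the home path as /user/%user%/; on OS X it is normally /Users/<name>), and the ps flags used for the live run are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): offline check for the on-disk
# indicators described above. ROOT lets the check run against a mounted image
# or a test tree; HOME_DIR is the user's home directory (assumed /Users/<name>).

# Print each indicator path that exists under ROOT; return 1 if any was
# found, 0 if the tree looks clean.
osx_ms09027_scan() {
    root="$1"       # "" for the live system, or e.g. /Volumes/image
    home_dir="$2"   # e.g. /Users/alice
    found=0
    for rel in \
        /tmp/launch-hs \
        /tmp/launch-hse \
        /tmp/file.doc \
        /Applications/Automator.app/Contents/MacOS/DockLight \
        /Library/launched \
        "$home_dir/Library/LaunchAgents/com.apple.DockActions.plist" \
        "$home_dir/Library/LaunchAgents/com.apple.FolderActionsxl.plist"
    do
        if [ -e "$root$rel" ]; then
            echo "FOUND: $root$rel"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Filter a list of process names (one per line on stdin, as produced by
# `ps -axco comm=` on OS X; flags assumed) down to the two backdoor names.
# Exact matching keeps the legitimate "launchd" from matching "launched".
osx_ms09027_procs() {
    grep -x -e DockLight -e launched
}

# Live run on the current machine: sh this_script.sh scan
if [ "${1:-}" = "scan" ]; then
    osx_ms09027_scan "" "$HOME" && echo "no file indicators found"
    ps -axco comm= | osx_ms09027_procs
fi
```

Any path printed with FOUND: corresponds to one of the removal steps above; the process filter tells you which of the two variants is running before you quit it.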
Ensure that your Total Defense Products are updated with the latest signatures at all times.