New Malware Found Exploiting Mac OS X Snow Leopard

Many Mac users recently have found themselves stumbling out of the darkness, shielding their eyes from the spotlight that attackers and malware writers are now shining on them. Malware having been a rarity on OS X, it’s taking some time to adjust, but while that’s happening the attackers are busy honing their game. Microsoft researchers have analyzed a new piece of malware that’s targeting Macs running Snow Leopard and found that the malware uses a multi-stage attack that’s similar to typical Windows malware infection routines.


The vulnerability that the malware exploits is a three-year-old flaw in Office for OS X that Microsoft patched in June 2009. It’s a stack-based buffer overflow, and the malware that Microsoft researchers found uses that bug as an entry point for executing two-stage shellcode on the machine, which eventually leads to the installation of a bot that connects to a remote command-and-control server. Microsoft’s researchers found that the exploit in this specific piece of malware doesn’t work on versions of OS X newer than Snow Leopard, because the particular address it writes to isn’t writable in OS X Lion.

“As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy ‘stage 1’ shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well,” Jeong Wook Oh of the Microsoft Malware Protection Center, said in a blog post on the malware.

“This target address is important, as, with Snow Leopard, we could confirm that it was used to exploit a specific location on the heap that is writable and also executable. The point is, that with Lion, that specific memory address can’t be written, so the exploit fails. We can assume that this malware itself is targeting only Snow Leopard or lower versions of Mac OSX. That means the attacker had knowledge about the target environment beforehand. That includes the target operating system, application patch levels, etc.”

The first-stage shellcode triggers the second part of the shellcode, which is where the real fun begins. That portion of the code creates a series of files on the infected machine, each of which performs a separate function. The most important of the files is named “/tmp/launch-hse” and it’s the end payload of the attack. Oh’s analysis found that the file is a binary that serves as an agent to communicate with the C&C server owned by the attacker.

The bot has the ability to perform a number of actions on the infected machine, including deleting files, gathering information about the OS version, RAM size and other data, and uninstalling itself from the Mac.
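As an added example, not taken from the article or from Microsoft's analysis, here is a small host-triage script a defender could run on a Mac to check the two indicators the piece gives: the payload path /tmp/launch-hse (on disk or as a running process) and whether the OS release is Snow Leopard or older, the only releases the exploit works on. Function names and the sample inputs are assumptions.

```python
# Host triage for the Office-exploit bot described above (added example, not
# from the article). Assumed indicators, taken from the article: the payload is
# written to /tmp/launch-hse and the exploit works only on OS X 10.6 (Snow
# Leopard) or older. Function names and sample inputs are constructed.
import os
import re
import subprocess
from typing import List, Optional, Set

PAYLOAD_PATH = "/tmp/launch-hse"   # indicator named in the article
LAST_AFFECTED = (10, 6)            # Snow Leopard; Lion (10.7) is not exploitable

def parse_version(product_version: str) -> Optional[tuple]:
    """'10.6.8' (sw_vers -productVersion) -> (10, 6, 8); None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", product_version.strip())
    return tuple(int(x) for x in m.groups() if x is not None) if m else None

def is_exploitable_release(product_version: str) -> bool:
    """True when the release is Snow Leopard or older."""
    v = parse_version(product_version)
    return v is not None and v[:2] <= LAST_AFFECTED

def payload_processes(ps_output: str) -> List[int]:
    """PIDs whose command path is the payload, from `ps -axo pid=,comm=` output."""
    pids = []
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit() and parts[1].strip() == PAYLOAD_PATH:
            pids.append(int(parts[0]))
    return pids

def triage(product_version: str, ps_output: str, existing_paths: Set[str]) -> List[str]:
    """Human-readable findings; an empty list means no indicator matched."""
    findings = []
    if is_exploitable_release(product_version):
        findings.append(f"OS {product_version.strip()} is Snow Leopard or older: exploit can succeed")
    if PAYLOAD_PATH in existing_paths:
        findings.append(f"payload artifact present: {PAYLOAD_PATH}")
    findings += [f"payload running as pid {p}" for p in payload_processes(ps_output)]
    return findings

if __name__ == "__main__":
    # Live run on a Mac; elsewhere sw_vers/ps may be missing, hence the guard.
    try:
        ver = subprocess.run(["sw_vers", "-productVersion"], capture_output=True, text=True).stdout
        ps = subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True, text=True).stdout
    except FileNotFoundError:
        ver, ps = "", ""
    present = {PAYLOAD_PATH} if os.path.exists(PAYLOAD_PATH) else set()
    print("\n".join(triage(ver, ps, present) or ["no indicators found"]))
```

A hit on the payload path alone is worth quarantining the file and capturing its outbound connections before removal, since the article notes the binary is the C&C agent.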


Discussion

  • tm on

    I believe the word that best describes my emotion is "schadenfreude".

  • Anonymous on

    Meh, I think this sentence pretty much sums up this article....

    "The vulnerability that the malware exploits is a three-year-old flaw in Office for OS X that Microsoft patched in June 2009."

    /me :shakehead:

  • Jim on

    Yeah right... Microsoft pointing out flaws in its own software for the Macintosh... Please pass the grain of salt.

  • Anonymous on

    I don't have Kaspersky protection on my mac/snowleopard.  Besides upgrading hard drive to Lion, any suggestions for me?

  • Anonymous on

    Lion is awful, it’s the first OS X I don’t like at all. It’s buggy and makes your Mac act like an iPad.

  • Anonymous on

    @Bill Cole's advice is sound, but omits a couple of points: ClamX AV, a free anti-virus scanner for Macs, will presumably find and quarantine any files written by this malware, considering it was patched 3 years ago by Microsoft so its definitions are pretty plain. Barring that, you can also download VirusBarrier (a commercial product) from the App Store for free and run that. Also, you can buy and learn to use a product called Little Snitch which will happily notify you of any software that attempts to connect out of your computer without your express permission.
