Many Mac users recently have found themselves stumbling out of the darkness, shielding their eyes from the spotlight that attackers and malware writers are now shining on them. Malware having been a rarity on OS X, it’s taking some time to adjust, but while that’s happening the attackers are busy honing their game. Microsoft researchers have analyzed a new piece of malware that’s targeting Macs running Snow Leopard and found that the malware uses a multi-stage attack that’s similar to typical Windows malware infection routines.
The vulnerability that the malware exploits is a three-year-old flaw in Office for OS X that Microsoft patched in June 2009. It’s a stack-based buffer overflow and the malware that Microsoft researchers found is using that bug has an entry point for executing two-stage shellcode on the machine that eventually leads to the installation of a bot that connects to a remote command-and-control server. Microsoft’s researcher found that the exploit in this specific piece of malware doesn’t work on versions of OS X newer that Snow Leopard because the particular address it uses to write to isn’t writable in OS X Lion.
“As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy ‘stage 1’ shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well,” Jeong Wook Oh of the Microsoft Malware Protection Center, said in a blog post on the malware.
“This target address is important, as, with Snow Leopard, we could confirm that it was used to exploit a specific location on the heap that is writable and also executable. The point is, that with Lion, that specific memory address can’t be written, so the exploit fails. We can assume that this malware itself is targeting only Snow Leopard or lower versions of Mac OSX. That means the attacker had knowledge about the target environment beforehand. That includes the target operating system, application patch levels, etc.”
The first stage shellcode triggers the second part of the shellcode, which is where the real fun begins. That portion of the code creates a series of files on the infected machine, each of which performs a separate function. The most important of the files is named “/tmp/launch-hse” and it’s the end payload of the attack. Oh’s analysis found that the file is a binary that serves as an agent to communicate with the C&C server owned by the attacker.
The bot has the ability to perform a number of actions on the infected machine, including deleting files, gathering information about the OS version, RAM size and other data and uninstalling itself from the Mac.