Posted by: David Harley | March 29, 2012

The (OS)X-Files

Just a little clarification on the two main instances of malware reported by AlienVault et al., since there seems to be some confusion about which is which.

The OS X malware that Dr.Web and ESET call Lamadai, F-Secure calls Olyx, Sophos calls AftDr and Trend calls Rhino (note that I’m not using any one vendor’s full naming convention here – see Mac & Windows Targeted Attacks: East of Java – and I don’t know what other vendors call it) exploits an old, already-patched Java vulnerability, CVE-2011-3544 (the Java Rhino script-engine bug, fixed by Oracle in October 2011 and in Apple’s Java update the following month). Any Mac running a current Java is not exposed to this one.

The attack described by AlienVault here (and referenced by Mac Virus, F-Secure, and GMA News), while it seems to be the work of the same gang, is apparently based on an even more elderly MS Office vulnerability, MS09-027, revisited especially for the benefit of OS X users. It’s not the subject of the ESET analysis, and at the time of AlienVault’s post it didn’t appear to be detected by any AV product. However, several samples have since been shared with AV companies, so this is changing: Intego has already announced that it detects the threat as W97/CodeExec.gen, and VirusTotal currently shows 9 of 43 engines detecting an MD5 provided by F-Secure. Bear in mind that a VirusTotal result applies only to the one sample behind that hash, not to the attack as a whole. I’m not going to check other MD5s right now, as the information is likely to become outdated quickly.

By the way, it’s been said (I think by CNET) that this is the first time that documents have been used to exploit OS X systems. That’s actually a matter of definition: while I can’t think offhand of examples of Word docs used to carry an OS X-specific payload (and the Intego blog confirms that APT-type booby-trapped docs are new to OS X), I can certainly remember instances of OS X systems being the source of macro virus infections in the early noughties, though not in anything like the volumes in which pre-OS X systems did the same in the ’90s.
