May 21, 2013 - 04:00 PM EDT — AAPL: 439.66 (-3.27, -0.74%) | NASDAQ: 3498.965 (+33.722, +0.97%)

Mac ‘LuckyCat’ trojan variant spreads via Microsoft Word documents

Monday, April 16, 2012 · 10:54 am · 27 Comments

“A new version of a backdoor trojan for Apple’s OS X operating system takes advantage of an exploit in Microsoft Word to spread,” Sam Oliver reports for AppleInsider.

“The latest variant of the attack known as ‘LuckyCat’ was discovered and detailed by Costin Raiu, Kasperskky lab expert,” Oliver reports. “He found that a dummy infected machine was taken over by a remote user who started analyzing the machine and even stole some documents from the Mac.”

Oliver reports, “The new Mac-specific trojan, named ‘Backdoor.OSX.SabPub.a,’ uses a Java exploit to infect targeted machine. It spreads through Microsoft Word documents that exploit a vulnerability known as “‘CVE-2009-0563.’”

Read more in the full article here.

Categories: News

Tags: LuckyCat, mac, Mac OS X, malware, OS X, trojan

Thank You for supporting MacDailyNews!

 Apple 13.3" MacBook Air dual-core Intel Core i7 2.0GHz, 8GB RAM, 512GB Flash Storage, Intel HD Graphics 4000, Mac OS X Lion (Z0ND-20GHZ8GB512) only $2,159.99
 Secret Sale Exclusive for MacMall Valued Customers Only
 Apple 15.4" MacBook Pro (with Retina display) quad-core Intel Core i7 2.3GHz/16GB RAM/256GB FS/IntelHD Graphics4000/OS X Lion (Z0MK-15-2.3-16-256RT) only $2,333.99
 Apple Blowouts: Up to $649 OFF on Last Gen Macs. Prices start at $1,999.99 w/ Free Upgrade to OS X Mountain Lion & Free FedEx Overnight ends 02/08 6:15PM PST.
 Apple 13.3" MacBook Pro dual-core Intel Core i7 2.9GHz, 8GB RAM, 750GB 5400-rpm hard drive, Intel HD Graphics 4000, Ships with Mountain Lion (MD102LL/A) only $1,419.97

Comment Feed

27 Comments

Guy who doesn't giv a fk

Monday, April 16, 2012 - 11:05 am · Reply

Who the fk needs flash, serves all u idiots right for allowing this stupid shit to run on your computer. Same goes for words documents, that’s why we have pages
- I despair
  
  Monday, April 16, 2012 - 11:21 am · Reply
  
  Good grief, yet another pithy, pertinent and intelligent comment…….. Please go back to commenting on YouTube videos.
- dslarsen
  
  Monday, April 16, 2012 - 11:31 am · Reply
  
  What does Flash have to do with this? I didn’t see anything about Flash in the article, except a reference to the Flashback trojan.
  - Guy who doesn't giv a fk
    
    Tuesday, April 17, 2012 - 9:07 am · Reply
    
    mabe you need to read full articles rather than skimming these shorter length articles
TowerTone

Monday, April 16, 2012 - 11:16 am · Reply

I don’t want a Trojan at my backdoor!
(even if it ‘calls’ itself “Luckycat”…..)
wzinc

Monday, April 16, 2012 - 11:19 am · Reply

I guess there are security issues on the Mac. . . through third-party software. Still nothing but POC’s in the native software.
- GM
  
  Monday, April 16, 2012 - 11:33 am · Reply
  
  Yup. And unfortunately it’s not going away.
mccfr

Monday, April 16, 2012 - 11:35 am · Reply

Solution.

Don’t run Microsoft Word.

There you go.
- progressiveagentprovocateur
  
  Monday, April 16, 2012 - 12:41 pm · Reply
  
  It is said to spread through MS Word files- not the Word Application. TextEdit and Pages, among others, can open Word files.
  - mccfr
    
    Monday, April 16, 2012 - 12:56 pm · Reply
    
    My mistake.
    
    I assumed it was a VBA thing. Didn’t read the story properly.
Thelonious Mac

Monday, April 16, 2012 - 11:39 am · Reply

I think it is important to note that the 2 primary methods of attacking a Mac are:

1. Social Engineering – essentially hacking the user.
2. Weaknesses in 3rd party products. – especially any product that can accept and execute any kind of code.

Actual OS X viruses, worms, trojans, etc. are unicorns. They exist in the imaginations of security software vendors who must by definition sell FUD.

Anyone who says the Mac is no more safe than Windows isn’t reading the daily threat blogs and has not heard of things like TDL-4. Also anyone that maintains that the Mac is only more secure due to obscurity is unaware of how much a functioning Mac botnet is worth in the underworld. They must also acknowledge the counter argument I.e. that Windows machines are inherently less secure due to sheer numbers.

Nonetheless, it would be foolish to implement any security polices and practices not equal to those you would implement in a comparable Windows environment. It won’t kill ya to be cautious.
- LordRobin
  
  Monday, April 16, 2012 - 12:32 pm · Reply
  
  It’s also important to note how trivially easy it is to remove this crap once discovered. It’s not like Windows where software can bury itself deep in the registry, where it takes something akin to an exorcism to get rid of it.
  
  ——RM
  - qka
    
    Monday, April 16, 2012 - 11:21 pm · Reply
    
    I remember when MS first introduced the Registry. A colleague was trying to explain how wonderful it was, and I kept asking why not individual config files, which is what Apple would go on to do with .plist files in OS X.
- althegeo
  
  Monday, April 16, 2012 - 2:17 pm · Reply
  
  1
mxnt41

Monday, April 16, 2012 - 11:42 am · Reply

I’m not an apologist, but ultimately, for me, even if Apple ends up being no more secure than any other system, and it was all “security through obscurity” I’ve still had many, many years without all the hassles that go with Windows.
HolyMackerel

Monday, April 16, 2012 - 11:48 am · Reply

What is Word?
Thelonious Mac

Monday, April 16, 2012 - 11:48 am · Reply

By the way… Turn off JAVA. You don’t really need it. If you do, turn it on for the duration of the need, then turn it back off. Hopefully you abandoned Flash long ago.
DudeMac

Monday, April 16, 2012 - 11:49 am · Reply

That’s an easy one… don’t use Microsoft Office for Mac unless absolutely necessary and use LibreOffice OR iWork instead and steer clear of *.doc where applicable!
mrfergus

Monday, April 16, 2012 - 12:06 pm · Reply

I never upgrade from an unsolicited link, instead go directly to the web site, in this case Adobe, to see if your soft ware is current.
dinjin201

Monday, April 16, 2012 - 12:17 pm · Reply

And THIS is why Apple is pushing sandboxing onto app makers.
IT22

Monday, April 16, 2012 - 12:41 pm · Reply

So, are they saying that the Java holes that were just plugged for the Flashback thing don’t apply? Or would you only be vulnerable IF you didn’t apply the recent upgrade plugs? Can someone clarify?

Apple needs to have a talk with the Java people. I bet Steve would have been on the horn ASAP.
Chicken Little

Monday, April 16, 2012 - 1:59 pm · Reply

Before we all start panicking, has anyone taken the time to follow the links, and read the vulnerability info?

It appears to be the case that:

1. The Word vulnerability they are referring to is from three years ago, and applies to older versions for both Windows and Mac, including Word 2004 and 2008. No mention of Word 2011.

2. There doesn’t seem to be any mention of the recent Java fixes being applied to the Kaspersky test system that is infected. Seems like an important piece of information to have.

Unless there is more info somewhere, this could be another case of an AV company trying to make headlines, rather than a very serious problem. Too bad we don’t have enough information to actually determine that.
- vanfruniken
  
  Monday, April 16, 2012 - 2:20 pm · Reply
  
  You seem to infer that Mac users should just keep current with Office versions (and pay up in the mean time).
  
  IMHO many new Mac users no longer have Office on their machines. If they do, it is because they got tricked into it by incompentent salespeople.
  Mac users who have upgraded MacOSX with each new version may still have an old version installed, e.g.,
  Our only copy of Office runs on my wife’s 2002 iMac. Sometimes Word starts up unintentionally, but we don’t actually use it. It could as well be deleted altogether.
  - Chicken Little
    
    Monday, April 16, 2012 - 6:59 pm · Reply
    
    Not at all. I was simply pointing out that there isn’t much useful information available about this. Do we know that MSFT hasn’t patched Word 2004 or 2008? Do we know that this attack isn’t blocked by the latest Java update? I have yet to find any evidence one way or another. This whole thing came from some “security researcher’s blog” on the Kaspersky web site. Some technical information there, but not enough for anyone to be able to determine how series this threat really is.
    
    That was my point.
    
    To your point, if you stay on down rev software long enough, you aren’t going to be able to get security fixes for it. That’s just reality. I don’t see how that’s going to change.
althegeo

Monday, April 16, 2012 - 2:16 pm · Reply

If it’s a Trojan and it attacks Microsoft Word docs, isn’t it a Microsoft Word Trojan?
Ted

Tuesday, April 17, 2012 - 6:02 pm · Reply

I just finished listening to Pauldotcom.com Security Weekly episode 283 podcast with Paul Asadoorian, Larry Pesce, and Carlos Peres. Paul and Larry are corporate pentesters, with Paul also being the Tenable Security evangelist and Carlos being the lead researcher of post exploitation for Tenable Security who bring you the Nesus vulnerability scanner.

These guys were talking over the Mac and the current malware hitting OS X and all three all agree it is time to run AV on a Mac. They were just laughing how all the Mac fanboys discount using AV even after this new large hit on OS X and the obvious future of coming malware that will be coming to OS X.
- Chicken Little
  
  Wednesday, April 18, 2012 - 11:43 am · Reply
  
  So I did some more digging, and the article this links to describes their experiments with a Mac that apparently doesn’t have the latest Java patches, and refers to a Word vulnerability that was patched back in 2009. Of course, the author didn’t point that out, because in the anti-Malware business, you don’t do yourself any favors by pointing out that if your software is up-to-date, the “huge problem” isn’t really a huge problem.
  
  OS X does have an anti-malware system built-in called “X-protect,” and while it didn’t prevent the apparently large number of machines from being infected, neither did any other 3rd-party anti-Malware software on the Mac.
  
  No platform is completely safe from malware. To think that the Mac is invulnerable is delusional. That doesn’t mean there is some huge wave of Mac malware coming any second now.
  
  http://daringfireball.net/2011/05/wolf
  
  Bottom line: On the Mac, as with any platform, don’t be an idiot.
  
  1. Do run software update regularly, do keep your third-party software current.
  2. Avoid high-risk technologies like Java and Flash, and don’t download “cracked” versions of commercial software from “Warez” sites.
  
  This will avoid most problems. If you feel that running a third-party AV product makes you more secure, go for it.