Surveillance spyware migrates from Windows to Mac OS X via trojans

“Researchers have uncovered a malware-based espionage campaign that subjects Mac users to the same techniques that have been used for years to surreptitiously siphon confidential data out of Windows machines,” Dan Goodin reports for Ars Technica.

“The recently discovered campaign targets Mac-using employees of several pro-Tibetan non-governmental organizations, and employs attacks exploiting already patched vulnerabilities in Microsoft Office and Oracle’s Java framework, Jaime Blasco, a security researcher with Alien Vault, told Ars,” Goodin reports. “Over the past two weeks, he has identified two separate backdoor trojans that get installed when users open booby-trapped Word documents or website links included in e-mails sent to them. Once installed, the trojans send the computer, user, and domain name associated with the Mac to a server under the control of the attackers and then await further instructions.”

Goodin reports, “Blasco’s findings, which are documented in blog posts here and here, are among the first to show that Macs are being subjected to the same types of advanced persistent threats (APTs) that have plagued Windows users for years—not that the shift is particularly unexpected. As companies such as Google increasingly adopt Macs to limit their exposure to Windows-dependent exploits, it was inevitable that the spooks conducting espionage on them would make the switch, too.”

More info in the full article here.

MacDailyNews Take: Bring on the Gatekeeper! And, hey, let’s be careful out there.

[Thanks to MacDailyNews Reader “Edward Weber” for the heads up.]

Related articles:
Security experts: Apple did OS X Mountain Lion’s Gatekeeper right – February 16, 2012
OS X Mountain Lion’s Gatekeeper slams the door on Mac trojans – February 16, 2012
OS X trojan variant preys on Mac users with unpatched Java – February 27, 2012
Apple releases OS X Mountain Lion Developer Preview; public release coming in late summer 2012 – February 16, 2012
Warning: Flashback Trojan horse spreading; Mac users should be wary of Flash installers – September 28, 2011
Apple updates OS X Lion, Snow Leopard malware definitions to address new trojan – September 26, 2011
New OS X trojan horse sends screenshots, files to remote servers – September 23, 2011
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Apple malware: 6 years of crying wolf – May 6, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011
Sophos details new Mac OS X Trojan – February 28, 2011
Warning: Mac users beware of yet another trojan masquerading as video codec – June 11, 2009
CNN blows it; gets all worked up about a Mac Trojan that isn’t the first nor is it the last – April 23, 2009
Mac trojan expands to affect pirated versions of Photoshop CS4 – January 26, 2009
Intego: Mac trojan horse found in pirated Apple iWork ‘09 – January 22, 2009
New Mac OS X Trojan horse identified – June 23, 2008
Mac OS X Scareware trojan ‘MacSweep from Imunizator’ tries to scam Mac users – March 29, 2008
Mac trojan makers churn out slightly modified versions to evade anti-malware detection – November 08, 2007
Mac DNS Changer Trojan [OSX/Puper] relatively simple; works like the Windows version – November 01, 2007
New Mac OS X Trojan warning – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004


  1. So despite the headline, the only people who need to worry about this particular vulnerability are those who have old, unpatched versions of Java or MS Office. Which would have been handy and factual to know from the headline.

    Still, this isn’t so bad. Whereas TUAW goes for both a ridiculous link-bait headline and scaremongering within the article itself, which I found odd.


    1. I didn’t find it odd – TUAW runs a lot of sensationalist articles, including many that have a negative-biased angle towards Apple. Very strange. Valid criticism of Apple is good for their customers, but sensationalist nonsense is not (unless you’re just trying to post link-bait).

  2. Er… let me get this straight. You have to go to their virus-compromised site… in Tibet… and you get an unrequested Word document, that you have to download and open to get the trojan.

    Do you have to accept or enter a password for this??

    Since I am mostly running Lion, I do not have MS Word anymore. I have to open it in Pages. Would that make me immune to this??

    Maybe I do not need Word anymore???

    Any thoughts here??


    1. The official name of this malware is Trojan.OSX.Tibet.A. As the name notes, it is being aimed ONLY at users in Tibet. IOW this is China doing surveillance on people in Tibet, seeing as Tibet has NEVER wanted to be annexed to China, but China doesn’t care, they just want to PWN Tibet, so there. Or, as I often state:

      China = Criminal Nation.

      The only people who can catch this drive-by infection are those using an OLD version of Java. Sadly, there are a lot of people who never update their software, which is very very NAUGHTY!

      This same Java security hole is being used by a version of the Flashback Trojan as well.

      (Remember when Java was supposed to be secure by default?! Isolated from your OS?! <-hahaha)

  3. Here we go again. Bring on the avalanche of claims that Mac OS X is “more insecure” than any other platform (despite the complete and utter lack of any evidence to support this claim).

    In 2005, I had a very heated argument with a press operator, who insisted that Macs will have just as many viruses as Windows XP within a year or two. That was 7 years ago. Still hasn’t happened, obviously.

    1. No, the problem here is that JAVA is insecure.

      Thankfully, Apple provided a patched version of Java that kills off this security hole several months ago. Anyone up-to-date with Apple’s provided Java can go back to napping.

    2. In 2005, I had a very heated argument with a press operator, who insisted that Macs will have just as many viruses as Windows XP within a year or two.

      Thank Symantec for that LIE, written to sell their Worst-In-Class Mac anti-malware. They perpetrated it in March of 2005. Symantec’s BS inspired me to start studying and writing about Mac security:

      Mac-Security Blog

  4. But…threats are real…some undetectable & there are firms that sell these exploits to governments and who else I don’t know. These exploits include ones for Macs & iOS.

    The article did not say how a normal Mac user could detect such things, regardless of being patched or not. Suppose you get an infected file from a co-worker on a USB key?

    LittleSnitch, ESET and other software can lend a hand at checking. LittleSnitch can tell you that some software is calling out of your Mac: “Do you want to allow this?”

    There needs to be more information about practical lightweight apps and techniques for Mac users.

    1. Sorry, BoC, without a copy of the actual code that is a Mac or iOS virus, your claim doesn’t hold water. I’m going to claim that there are no Mac or iOS viruses out there and all you have to do to prove me wrong is give an example of one. And a Trojan is not the same thing as a virus, btw. Any kid with an AppleScript can make a trojan. Show me the proof before I’ll believe what you say.

  5. I didn’t worry about this stuff when I was a Windows-only user and I won’t worry now.

    The only real concern is the outfits springing up who sell zero-day exploits to governments, but that is a whole other discussion!

  6. Why sound like dummies? It is a warning, it isn’t a claim about Mac vulnerability.

    This article at least should let people know that hackers are at work to get to you via email or by visiting websites and blogs.
