ESET analyzes the Office-based Trojan threat for OS X

Security company ESET watches the newly found Trojan for OS X establish connections and receive commands to steal information.

Recently new Trojan variants for OS X were found that take advantage of old and patched vulnerabilities to install and execute information-stealing code on affected systems. One of the newest ones uses Office documents as an installation vector and may be called OS X/Lamadai.A or OSX/Olyx depending on the malware scanner being used.

When this malware was found, security company AlienVault issued an initial analysis of the threat, describing it as a Command and Control (C&C) based Trojan that originates from China and is being used to target non-government organizations based in Tibet.

In light of this new malware development and following AlienVault's analysis of the threat, security company ESET has investigated the Trojan further.

While one can analyze malware threats by dissecting the binaries and picking out strings and other clues as to its functions, another approach is to install and run it and see what it does. This is exactly what ESET did, and in doing so found some rather interesting results.

ESET observed that once the Trojan installs it will establish a connection to a hard-coded remote C&C server located in China, and will wait in "busy" loop where it attempts to maintain its connection with the server. The server can then be used to issue commands to the infected system for uploading or downloading files, or execute scripts and commands -- the basics for allowing someone to remotely target a system, browse around on it, and steal information.

ESET also noticed that the Trojan is sophisticated enough to use several encryption routines for its communication with the C&C server, which may make some attempts at identifying the C&C activity midstream difficult to do, and also uses checksums to verify the information it downloads or uploads. In essence, this is not just a quickly attempt to get random information, but has been designed specifically to preserve the data it is trying to steal.

Commands received from the remote C&C server
The commands issued to the infected system suggest a person is correcting and refining the commands and determining where to go on the system for the information being sought (click for larger view). ESET

The most interesting aspect of ESET's analysis was the discovery that the C&C server appears to be run by a human on the other end of the line. When the connection was established to the C&C, ESET noticed incoming commands, which included typos followed by corrections, and the use of the BSD directory listing (ls) and present working directory (pwd) commands, which showed someone was poking around and determining what to do next.

Once the person on the other end had found the location of the ESET computer's Keychain file, he or she began issuing instructions to upload the keychain along with other files on the system, very clearly demonstrating the main purpose of this threat is to knowingly and directly steal information.

ESET has covered its findings in detail on its threat blog.

While this threat is one of the first to show direct and successful targeting of data on OS X systems through remote connections, its presence and these analyses of its behavior should not be cause for alarm. All of the recent Trojan horses found for OS X take advantage of old software vulnerabilities that have been patched for quite some time (in some cases the fixes have been available for years). By simply keeping your system up to date, it will not be affected by these new malware threats.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    ARTICLE DISCUSSION

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    Hot on CNET

    The Next Big Thing

    Consoles go wide and far beyond gaming with power and realism.