In June 2009, Microsoft issued security update MS09-027, which fixed a remote code execution vulnerability in the Mac version of Microsoft Office. Despite the availability of the bulletin (and the passage of time), not every machine is up to date yet – which is how nearly three years later, malware has emerged that exploits the issue on machines running Office on Mac OS X. Fortunately, our data indicates that this malware is not widespread, but during our investigation we found a few interesting facts we’d like to share with you.

For our investigation, we used a malware sample (SHA1: 445959611bc2480357057664bb597c803a349386) that is detected as Exploit:MacOS_X/MS09-027.A.

Overall execution flow

Figure 1 - Overall Execution Flow

First, the vulnerability is a stack-based buffer overflow: attack code can corrupt local variables and return addresses on the stack. In analyzing the malware, we found that the author corrupted a local variable and used it to place the 'stage 1' shellcode at a chosen address. This corrupted variable is later used as a target address, and the stage 1 shellcode is copied there. The corrupted return address points to this target address as well.

This target address matters: on Snow Leopard, we confirmed that it points to a specific location on the heap that is both writable and executable. On Lion, that memory address cannot be written, so the exploit fails.

We can therefore assume that this malware targets only Snow Leopard or earlier versions of Mac OS X, which means the attacker had prior knowledge of the target environment: the operating system, application patch levels, and so on.

Stage 1 shellcode

Figure 2 - Stage 1 Shellcode

This stage 1 shellcode leads to stage 2 shellcode, which is located in memory. The stage 2 shellcode is actually where the infection of the system occurs. The stage 2 shellcode creates three files:

  • /tmp/launch-hs
  • /tmp/launch-hse
  • /tmp/file.doc

Figure 3 - File Creation by Stage 2 Shellcode

As you can see from the picture above, the exploit code uses typical Unix-style shellcode to invoke system calls. So far, this is nothing new.

Later in the shellcode, the file "/tmp/launch-hs" is run through the "execve" system call. The contents of "/tmp/launch-hs" should therefore be a shell script or an executable.

Figure 4 - Execution of /tmp/launch-hs script file

We looked into the contents of "/tmp/launch-hs", which appear as follows:

Figure 5 - /tmp/launch-hs script contents

It is just a tiny shell script that runs "/tmp/launch-hs" and opens "/tmp/file.doc". The file "/tmp/launch-hse" should be the main binary containing all the malicious code, and "/tmp/file.doc" is a decoy document displayed to the user so that nothing abnormal or malicious appears to be happening.

The main payload is "/tmp/launch-hse", a Mach-O binary, the standard executable format for Mac OS X. This binary is a command and control (C&C) agent that communicates with a C&C server (master) to perform unauthorized actions, much like other C&C bot clients. The function names suggest that the binary connects to a C&C server, parses commands from it, and performs file retrieval or process creation.
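As an added detection example (not part of the MMPC analysis), the following Python checks a directory for the three file names the stage 2 shellcode drops and classifies each by its leading bytes: a "#!" shebang for the launcher script, a Mach-O magic number for the payload, and the OLE compound-file signature for the decoy document. The sample files it builds are constructed stand-ins, not the malware.

```python
import os
import struct
import tempfile

# File names the stage 2 shellcode drops under /tmp, per the analysis above.
DROPPED_FILES = ("launch-hs", "launch-hse", "file.doc")

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal header.
MACHO_MAGICS = {0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE}
# Signature of an OLE compound file, the container used by legacy .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify(path):
    """Return 'macho', 'script', 'ole', 'other' or 'missing' for a file on disk."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as f:
        head = f.read(8)
    if len(head) >= 4 and struct.unpack(">I", head[:4])[0] in MACHO_MAGICS:
        return "macho"
    if head.startswith(b"#!"):
        return "script"
    if head == OLE_MAGIC:
        return "ole"
    return "other"


def scan_tmp(tmpdir="/tmp"):
    """Classify each dropped-file name under tmpdir; returns {name: type}."""
    return {name: classify(os.path.join(tmpdir, name)) for name in DROPPED_FILES}


def matches_ms09_027_chain(results):
    """True when the launcher script and the Mach-O payload are both present,
    which is the pairing the stage 2 shellcode creates."""
    return results["launch-hs"] == "script" and results["launch-hse"] == "macho"


def demo():
    """Build constructed stand-ins for the three files in a scratch directory
    (not the real malware) and scan them."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "launch-hs"), "wb") as f:
        f.write(b"#!/bin/sh\n# constructed placeholder launcher\n")
    with open(os.path.join(d, "launch-hse"), "wb") as f:
        f.write(struct.pack("<I", 0xFEEDFACE) + b"\0" * 28)  # header bytes only
    with open(os.path.join(d, "file.doc"), "wb") as f:
        f.write(OLE_MAGIC + b"constructed decoy")
    return scan_tmp(d)
```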

Figure 6 - Peek into the function names gives you an idea

The main difference with this malware is that it is written for Mac OS X. For example, if you look into the "RunFile" function, which runs a command on the infected machine, you can see that it is a Mac OS X version of a backdoor: it simply runs a command supplied by the C&C server.

Figure 7 - RunFile function

No operating system that exists outside a laboratory is entirely immune to malware. As different operating systems continue to gain in popularity they attract more attention from would-be attackers – especially since, as we see in the example analysis above, the techniques and understanding needed to do so may be much the same as those used against other platforms. And even though an operating system may include many risk-reducing mitigation technologies, any machine’s defenses against vulnerabilities are directly related to how current its security updates for applications are kept.

If you're using Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac or Open XML File Format Converter for Mac, be sure to update using the latest product updates. For this specific vulnerability, you can visit the Microsoft Security Bulletin MS09-027 page and download the update.

Jeong Wook (Matt) Oh
MMPC