Successful Windows malware ported to Mac

Successful Windows malware ported to Mac

Summary: The XSLCmd backdoor, popular in targeted Windows attacks, has been around for weeks at a minimum and still no anti-malware products detect it.

SHARE:
TOPICS: Security, Apple
21

A very long blog entry by FireEye Labs analyzes a new Mac version of the XSLCmd backdoor that has been around since at least 2009. The Mac version shares a significant portion of code with the Windows version.

In this and a follow-up blog, FireEye cites Forrester in claiming that 52 percent of newly issued computers in the enterprise are Macs. Even if Mac use isn't growing in a broad market sense, it is the clear leader in the premium segment of the market, the segment addressing the higher-ups in enterprises, who are also the best targets for targeted attacks.

The backdoor "...has been used extensively in targeted attacks over the past several years, having been updated many times in the process." It allows a remote attacker to launch a shell, do file listings and transfers, install executables and configure updates. But the Mac version has two new features: key logging and screen capture.

The OS X version was submitted to VirusTotal on August 10. No products found it then and, as of the scan at 2014-09-04 16:40:56 UTC, there were still no products that detect it.

The program analysis by FireEye Labs which follows is detailed and lengthy and we won't go into it in detail.

XSL.CMD.files
Files created by OSX.XSLCmd - source: FireEye

There are characteristics of OSX.XSLCmd that make it look as if it is older than one month. The main hint at this is the lack of support for OS X 10.9, the current version. The version checking indicates that it is written for version 10.8 and attempts to support versions older than that. In fact, this specific sample "..uses an API from the private Admin framework that is no longer exported in 10.9, causing it to crash."

FireEye identifies the authors of the program as "GREF," a name they coined owing to the group's use of Google references in their work. (For example, they have faked "google.com" in referrer headers and hidden web exploit code inside code blocks for Google Analytics.)

FireEye believes that GREF is the only group using this malware, on Windows or Mac. "Historically, GREF has targeted a wide range of organizations including the US Defense Industrial Base (DIB), electronics and engineering companies worldwide, as well as foundations and other NGO’s, especially those with interests in Asia."

Topics: Security, Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • But...

    That's impossible!
    Apple product are immune to viruses. Ebola included!
    TheCyberKnight
    • Ebola is no laughing matter

      Especially if one lives or works in West Africa. The current Ebola epidemic is close to spiraling out of control.
      Rabid Howler Monkey
      • Ebola is no laughing matter

        I second that.

        @TheCyberKnight. You should be utterly ashamed at making such a sick comment.
        5735guy
      • Hey, look over there - a butterfly!

        Interesting that a rabid Apple fan should suddenly become the conscience of the world when it comes to Ebola. Or is that just an opportunistic distraction?

        Key message? Yet another piece of malware that targets Apples.
        Postulator
        • I didn't bring up Ebola

          And I was genuinely shocked at the lighthearted reference to it given the current situation in West Africa.

          As for "yet another piece of malware that targets Apples", the malware targets OS X versions that are no longer supported by Apple. Either upgrade your Mac to OS X 10.9 or pull the Ethernet plug and disable wifi. In addition, Mac users running OS X 10.9 (and, especially, OS X 10.8 if still "connected") would be wise to avoid using the Gatekeeper option of "Anywhere" and stick to software in the Mac App Store and from identified developers.
          Rabid Howler Monkey
    • Still True..

      still true.. it only works on old, out-dated versions of the apple OS..
      redwolfe_98
  • Successful Windows malware ported to Mac

    Those Apple commercials said this doesn't happen on Macs.
    Loverock.Davidson
  • Article: "lack of support for OS X 10.9"

    Let's see, OS X 10.9, Mavericks, was released on October 22, 2013. That's close to a year ago. How many Mac users in enterprises or SMBs are still running OS X 10.8 or earlier?

    Sorry, but this is like the "higher-ups in enterprises" using laptops running Windows XP SP3, but without continued custom support from Microsoft.
    Rabid Howler Monkey
  • Looks to be more "reconceived" than ported

    There's a lot of Mac specific architecture being tapped for the reboot-based launch of the attack file.... they're using a plist to do that.

    Whoever did this, mostly created it whole cloth to do the same thing,rather than ported.
    Mac_PC_FenceSitter
    • and you know this how?

      Why do you think you know more about this than FireEye?
      larry@...
      • I don't

        My conclusion comes from reading the link you provided, and by and large agreeing with its contents.
        Mac_PC_FenceSitter
        • which, if you read it, provides

          an extraordinary level of detail. As a software developer who specializes in Mac and Windows web client, server, and POS systems, I do believe I am qualified to understand the contents of their long blog entry, and draw some technical conclusions about their description of the implementation.... which suggests a very different mechanism for anchoring the restart init of the malware... in Windows they're using the local user registry hive to get the init (probably microsoft/windows/currentversion/runonce), and on Mac they're using a plist.

          Http and Https appear to be called natively, and uses native key logging APIs to the Mac, and new domain names were used for the fake domain entries.

          It is not difficult to conclude that substantial original effort went into this. There is some code reuse - the design of the INI file looks like classic Windows code, but some of the other init and storage files are classically put where a Mac and UNIX knowledgeable developer will put them.
          Mac_PC_FenceSitter
          • Lawyered!

            As they say in how I met your mother
            Emacho
  • OS X security threat. Such a rarity it warrants a Headline article....

    The instances of OS X being compromised are very rare.

    UNIX and Linux based operating systems are inherently more secure than Windows but we need to put it in to context. No platform is impervious to threats.

    This article is no than fodder for the Apple-Haters and Micro $hills.
    5735guy
    • LOL fanboy...

      you and your silly myths...

      "UNIX and Linux based operating systems are inherently more secure than Windows"

      http://windowsitpro.com/windows/security-expert-windows-7-more-secure-mac-os-x
      siskol
      • Here we go again digging up desperate links....

        Knowing F**K all what you are talking about.

        I guess Google is your best friend.
        5735guy
    • i think you mean security is assumed to be better on macs

      while others would say that Apple has not taken security as seriously as other companies.

      Apple still does not have a paid but bounty system. they are notoriously closed about security issues and often ignore problems for months or longer after an issue has been reporter.

      in the past they have instructed employees at apple stores to basically lie about viruses and just this week they tried to blame users for having weak passwords and not using 2 factor authentication as that was the icloud hack fail point. even though 2 factor authentication as set up by apple did not apply to this type of log in.

      goto fail?

      apple just is not serious about security yet. Im talking about their mindset and culture, not about how many hackers attack their low marketshare. Apple has actively cultivated a mindset that Macs cannot be compromised and don't need malware defenses and defend their image above security as a priority
      Emacho
  • No Detection

    "as of the scan at 2014-09-04 16:40:56 UTC, there were still no products that detect it"
    i suppose that if no av-program flags a file, it is ignored..

    when i checked the hashs for the latest POS malware, that US-cert posted, virusotal had no record of them, so i assume they haven't been scanned, at VT..
    redwolfe_98
  • Buy An Apple

    apple could make and advertisement out of this: "worried about malware? get the new apple OS"..

    i don't keep up on news about apple, but i heard that they were coming out with a new OS that is going to finally put microsoft out of business..
    redwolfe_98