New Mac Java Virus Delivered Via MS Word

It’s sort of hard to believe, but it appears Mac OS X is being victimized by another trojan virus, this time delivered by Microsoft Word. Hot on the heels of the Flashback Virus hoo-hah, this new one (called “LuckyCat”) spreads by exploiting a vulnerability in MS Word known as “CVE-2009-0563”. Or, in other words, Microsoft is bringing its greatest talent to the Mac: Leaving huge holes wide open through which jerks can mule their crappy malware. Here’s a bit more from Kaspersky Lab Expert Costin Raiu, who wrote a blog post on the subject:

“One of the biggest mysteries is the infection vector of these attacks. Given the highly targeted nature of the attack, there are very few traces. Nevertheless, we found an important detail which is the missing link: Six Microsoft Word documents, which we detect as Exploit.MSWord.CVE-2009-0563.a. In total we have six relevant Word .docs with this verdict — with four dropping the MaControl bot. The remaining two drop SabPub. The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named ‘8958.doc’. This suggests it was extracted from a Word document or was distributed as a Doc-file.”

Here’s the really important part: “SabPub is still an active attack and we expect the attackers will release new variants of the bot with new C2s over the next days/weeks.”

Worst of all, there’s no current intel on how to find out if you’re infected or how to remove it. I think it’s a given that we’ll see an update soon for either OS X or MS Office (or both), but in the meantime, handle MS Word docs with care.

Source: TUAW


