OFFICIAL SECURITY BLOG

New CallMe malware discovered

Published February 13th, 2013 at 2:11 PM EDT, modified February 13th, 2013 at 4:34 PM EDT

Intego announced today the discovery of a new Mac trojan, which they are calling OSX/CallMe.A. This malware is spread through maliciously crafted Microsoft Word documents that, when opened, result in a backdoor being installed. The backdoor in question sounds very simple, giving the hackers the ability to run commands (through a bash shell) and steal the user’s Address Book data.

Fortunately, this malware poses very little risk to anyone, for two reasons. First, it’s yet another case of an attack targeted specifically at Tibetan activists. If you’re not a Tibetan activist, you’re not likely to ever see this malware, much like the other bits of malware that have been aimed at Tibetans (Tibet, Sabpab and Dockster).

Even if you’re a Tibetan activist, though, you still aren’t likely to fall victim, for a second reason: the malware relies on exploiting CVE-2009-0563, a very old Microsoft Word vulnerability. Microsoft released an update that fixed this vulnerability in affected versions of Word back in June of 2009. So, the only people who have any chance at all of being infected with this malware are Tibetan activists who haven’t installed any Microsoft Office updates in almost 4 years. I’m sure there are a few of them out there, but probably not very many. Everyone else can rest easy, knowing that we’re safe from this one.

13 Comments

  • Someone says:

    Let me guess: it steals your Address Book data to send spam to your contacts?

  • aalien says:

    I bet almost all activists are using Open Office… I wonder if this only affects Microsoft or any other file compatible products?

  • Someone says:

    Any idea why it’s called CallMe?

  • aalien says:

    I think this virus calls home and sends data about the activist’s location…
    Possibly it doesn’t even do anything else, other than sending IP, address (map or DNS server)…
    Maybe it’s just a “ping virus”…

  • aalien says:

    …Then they can enter the activist’s computer through the backdoor the “ping virus” just created… If the location is not based on the “hacker criteria”, they don’t even exploit it…
    But these are just my thoughts… Maybe the government is the “hacker”…

  • Someone says:

    It doesn’t really make sense… it doesn’t have anything to do with phones, does it?

    Who names malware anyway?

  • Iamthewalrus says:

    Thanks for your site. I found it today wondering if I needed antivirus software, and what the risks are relative to Windows (my historical perspective). You are bookmarked.
    Thanks again.

  • Someone says:

    @ Iamthewalrus: you can say that again!!

  • aalien says:

    @Someone:
    I don’t need a cell phone to call you. I can simply yell or write you a letter. I think the name is based on the “type”, not on the “consequence”…

  • aalien says:

    Most internet still uses phone lines, but in the future I think we will exclude this “pre-historic” connection and use radio waves only…

    Whoever discovers the virus gives the name. It’s like astronomy/science: you discover a planet or species and you have the right to name it…

  • Someone says:

    Ah, I see… Well, that makes sense…
