Windows, Linux and Mac OS X are being targeted in a cross-platform malware attack, according to security experts.
Researchers at F-Secure spotted the attack on a Colombian transport site. The attack begins with a signed Java applet and a social engineering ploy in the form of a dialog box prompting the user to run an application despite its digital certificate not being verified.
“The JAR file checks if the user’s machine is running in Windows, Mac or Linux then downloads the appropriate files for the platform,” blogged Karmina Aquino, a senior analyst with F-Secure. “All three files for the three different platforms behave the same way. They all connect to 22.214.171.124 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux and Windows, respectively.”
While the functionality of the backdoor Trojan is the same regardless of which operating system it is running on, the impact on Mac machines may be limited, noted Lysa Myers, a researcher with Mac-focused security vendor Intego.
“There is one part of the OS X version that is particularly notable: It is a PPC binary only, so it will require Rosetta in order to run on an Intel machine,” she blogged. “This is likely to severely limit prevalence of the OS X version.”
Rosetta is a dynamic binary translator for Mac OS X that allows PowerPC apps to run on certain Intel-based Macs without modification. It was released by Apple in 2006 when it moved off the PowerPC platform. Mac OS X 10.6, aka Snow Leopard, does not include Rosetta by default but retains an option for the user to include it. Mac OS X 10.7known as Liondoes not support or include Rosetta at all.
“Its also interesting to note that the components of this threat are created with readily available hack-tools, namely TrustedSec Social Engineering Toolkit and MetaSploit,” Myers said. “This is not something that was cleverly handcrafted, but something that was generated with tools made by other people. And given that the OS X component is not intended for current hardware, its likely that the person who planted this threat was not especially technically savvy.”
Both the command-and-control server and the hacked Colombian site have been reported, F-Secures Acquino added.
Because of its ubiquity, Java has become a favorite target of attackers. For example, just recently, the notorious Blackhole exploit kit added an exploit for CVE-2012-1723, which was patched by Oracle in June, to its arsenal of weapons.
While most malware still targets Windows, if malicious hackers want to maximize their chances of snaring a victim, it makes sense for them to develop a multi-platform attack, said Graham Cluley, senior technology consultant at Sophos.
“This isn’t, of course, the first cross-platform malware that we have seen,” blogged Cluley. “For instance, in 2010 we saw the Boonana malware which similarly used a malicious Java applet to deliver a cross-platform attack that attempts to download further malware on Windows, Unix and Mac OS X.”