Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web Exploit Found That Customizes Attack For Windows, Mac, and Linux

Posted by Soulskill on from the making-everyone-feel-special dept.

phaedrus5001 writes with this quote from Ars: "Security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform. The attack was spotted by researchers from antivirus provider F-Secure on a Columbian transport website, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked if the user's computer is running Windows, Mac OS X, or Linux. Based on the outcome, the attack then downloads the appropriate files for each platform."

13 of 204 comments (clear)

  1. lol by Anonymous Coward · · Score: 0, Informative

    Java !

  2. COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 2, Informative

    Please learn how to spell.

    1. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 2, Informative

      Maybe it was a website about the bus lines in Columbia, South Carolina.

    2. Re:COLOMBIAN....not "Columbian" by Baloroth · · Score: 3, Informative

      Ironically, "Columbia" is the correct spelling in English (taken from "Columbus"). "Colombia" is the Spanish spelling (taken from "Colón"). Since English doesn't have the "ó", we use a "u" instead. Now, being a proper name you can use either (English is very flexible), but the English spelling is "Columbia".

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    3. Re:COLOMBIAN....not "Columbian" by John+Hasler · · Score: 5, Informative

      Perhaps, but in American "Columbia" refers either to the river or to the district while "Colombia" refers to the nation in South America. "Columbia" is also an archaic term for the USA, as in "Columbia Gem of the Ocean".

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  3. Most Macs are probably immune. by Anonymous Coward · · Score: 0, Informative

    Mac OS X doesn't ship with Java anymore.

    1. Re:Most Macs are probably immune. by EliSowash · · Score: 1, Informative

      Eh? How do you figure? Macs run Apple's version of Java...which means, they'd dutifully execute this applet. If you'd have said 'Mac users have to be running Rosetta in order to be infected' I'd give you your street cred back.

    2. Re:Most Macs are probably immune. by Yaztromo · · Score: 4, Informative

      That'd be news to the millions getting new macs and using Java.

      The GP is correct. Apple stopped shipping Java with OS X with the release of Lion.

      That said, if you try to run something the requires Java, OS X will offer to download and install it for you. However with the latest OS X updates the Java browser plug-in and Java Web Start are now disabled by default, and have to be explicitly enabled by the user in the Java Preferences app. And if they do explicitly enable it, it will auto-disable itself again if it hasn't been used in some time.

      That's a lot of extra hoops to jump through to get this to work on a modern, up-to-date Mac. Then again, the people who develop and propagate malware such as this tend to target those who don't keep their systems up-to-date, ensuring it is still a concern for many users (with those at most risk being the ones least knowledgable to do much about it, or even be aware that anything is wrong).

      Yaz

  4. Only older Macs. by used2win32 · · Score: 4, Informative

    Quoted: "Surprisingly for such an advanced exploit, it was unable to infect modern Macs unless they were modified to run software known as Rosetta. The software allows Macs using Intel processors to run applications written for Macs using PowerPC processors, which were phased out about five years ago. Rosetta is no longer even supported on Lion, the most recent version of OS X."

    Rosetta not supported on Lion and not installed by default in Snow Leopard.

    So no current Macs and only older Macs that use Rosetta risk infection. That number has to be pretty low...

    I don't any *nix user has much to worry about either...

    --
    Procrastination; I'll think of a sig tomorrow.
  5. Interesting author in source code by sl4shd0rk · · Score: 5, Informative

    If you google getParameter( "ILIKEHUGS" ); from the screen shot in TFA, you can find a java file which looks suspiciously like the one in TFA. I lold at the header comment. I don't think this is a 'new' exploit:
    /**
      * Original Author: Thomas Werth
      * Modifications By: Dave Kennedy, Kevin Mitnick
      * This is a universal Applet which determintes Running OS
      * ...

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  6. Re:Blah by kiriath · · Score: 3, Informative

    Well, OS X is built on BSD so technically they kinda do?

  7. Re:Blah by AliasMarlowe · · Score: 4, Informative

    They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???

    Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  8. Re:Columbian transport website? by Anonymous Coward · · Score: 2, Informative

    This is an open source tool called SET its used for penetration testers -- Applet code here -- https://svn.secmaniac.com/social_engineering_toolkit/src/webattack/java_applet/