Slashdot Mirror


Web Exploit Found That Customizes Attack For Windows, Mac, and Linux

phaedrus5001 writes with this quote from Ars: "Security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform. The attack was spotted by researchers from antivirus provider F-Secure on a Columbian transport website, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked if the user's computer is running Windows, Mac OS X, or Linux. Based on the outcome, the attack then downloads the appropriate files for each platform."

40 of 204 comments

  1. Columbian transport website? by Kenja · · Score: 4, Funny

    Is that where the "domestic pharmaceutical procurement facilitators" meet?

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Columbian transport website? by Anonymous Coward · · Score: 2, Informative

      This is an open source tool called SET; it's used by penetration testers -- applet code here -- https://svn.secmaniac.com/social_engineering_toolkit/src/webattack/java_applet/

    2. Re:Columbian transport website? by Anonymous Coward · · Score: 2, Insightful

      Yep, just more hype and FUD clickbait.

      It's an ordinary Java applet, with all the rights and controls of every other Java applet, except this applet was a pen-tester written by TrustedSec, then found by "researchers" from F-Secure. It downloads a file specific to the OS it's running on and....
      ...no more information from F-Sec

      This has beat up written all over it.

  2. Blah by mystikkman · · Score: 5, Funny

    When are the malware writers going to support BSD?

    1. Re:Blah by kiriath · · Score: 3, Informative

      Well, OS X is built on BSD so technically they kinda do?

    2. Re:Blah by Gerzel · · Score: 3, Interesting

      No it isn't. The largest BSD distro is Macintosh!

    3. Re:Blah by hairyfeet · · Score: 5, Interesting

      The sad part is the BSD guys would write them a thank you note for bothering to remember them.

      So can we ALL just accept now there is no "Magical OS" that makes one immune from malware please? All OSes are EXTREMELY complex piles of code, having to support tens of thousands of drivers, scheduling and tasking, hell I doubt even Linus can tell you when you launch program Foo every single interaction that is taking place in the system, there is simply more there than any one person can know.

      Now that the retard that made XP run by default as admin has been sent packing on the short bus all three major OSes have limited users, hell Windows even has the browser run as a low rights entity to help lower the risk. Now that all three major OSes have common sense defaults ultimately it all comes down to the USER and whether they will take the time to actually think or will simply allow anything to run. I've seen it a billion times in the shop, a fully patched and AVed machine get infected NOT because of the OS but because it was the USER that refused to listen to the warnings being given him/her and choosing instead to run it anyway.

      At the end of the day the only foolproof way to get rid of malware is to take away the user's right to control their own machine, to instead stick them in a walled garden where only approved apps get run. I think we can all agree having some corporation own our machines would be a BAD thing, so all we can do is warn users, try to make ever more hardened systems, and be ready to clean up the messes when they happen. After Android became a hit it was only a matter of time before Linux got put in the crosshairs, and now that day appears to be here and I for one will be interested to see how the community reacts.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:Blah by scialex · · Score: 2

      We'll show them; The year of the Plan-9 desktop is at hand.

    5. Re:Blah by AliasMarlowe · · Score: 4, Informative

      They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???

      Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    6. Re:Blah by Compaqt · · Score: 5, Insightful

      I haven't tried the exploit, but again:

      On my machine, all the important stuff is in the /home directory.

      There's nothing really interesting in the "system". I don't even really care about the system. It's just an ISO download away from reinstall.

      My files, on the other hand, are what's important.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    7. Re:Blah by Em+Adespoton · · Score: 3, Insightful

      They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???

      Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

      Same argument goes for Windows and OS X -- and the argument is wrong. You can have software that happily installs in your home directory and has full access to userland files -- which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

      From what I've seen, the stuff normally dropped on Linux systems tends to be shell scripts and the like, and they don't tend to look like much in screen shots.

    8. Re:Blah by Pf0tzenpfritz · · Score: 2

      Now that all three major OSes have common sense defaults ultimately it all comes down to the USER [...] and I for one will be interested to see how the community reacts.

      Pah... We'll just patch the user each first Tuesday of the month. No big difference...

      --
      Oh, the beautiful gloss of greality!
    9. Re:Blah by wmbetts · · Score: 4, Insightful

      1) Disable Java by default. I have yet to have a website that I use regularly not work because Java doesn't run. Whitelist the sites you want to run Java on.

      2) Don't blindly click and enter your password at every prompt.

      Those two things alone would make you immune to this.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    10. Re:Blah by Baseclass · · Score: 2
      --
      ^^vv<><>BA
    11. Re:Blah by strikethree · · Score: 3, Interesting

      which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

      I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the user's own directory.

      You have backups of /home, right? So what is the problem with restoring it? Losing /home is NOT the worst thing that can happen to you. Having a virus that you cannot detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland, so can we let this meme die now please?

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    12. Re:Blah by Em+Adespoton · · Score: 2

      which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

      I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the user's own directory.

      You have backups of /home, right? So what is the problem with restoring it? Losing /home is NOT the worst thing that can happen to you. Having a virus that you cannot detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland, so can we let this meme die now please?

      OK, now let's look at what I said and what you said.

      Me: Most of what is actually important to you is accessible from userland
      You: There's a meme right now about how the only important files to the user are in the user's own directory

      See the difference?

      What I was pointing out is that malware can do most of what it needs to do these days without ever leaving userland. For those tasks like setting up a rootkit, hosts poisoning, cross-user spreading, etc. that DO require more privileges (but which are a small piece of the attack space these days), there's always social engineering and privilege escalation.

      The reason the "meme" is here is that it's not a meme -- these days, organized computer criminals are mostly using malware to exfiltrate data, hold data hostage ("ransomware"), run botnets, send spam, and mine bitcoins -- and NONE of these operations require root. The argument is a direct response to the longstanding "I run Linux, and I set up my privilege separation properly, so I'm safe from malware" "meme" which turns out to be mostly beside the point these days.

      It's kind of like saying "drunk driving is not an issue for me because I drive a tank, and no drunk driver is going to damage my tank" -- completely missing the point that you shouldn't (just) be worried about your vehicle (the OS) being damaged by an attack, but the contents of that vehicle, even when they're somewhere else.

      Sure, rootkits are a problem. Securing your OS is a sensible part of layered security (just like securing your hardware). But someone stating that they're safe from malware attack while their userland security is virtually nonexistent is disingenuous at best.

      System level infection is only far worse than userland if you've got a system level infection. If you keep getting userland infections, it doesn't really matter whether it's because the entire system is compromised or just that there's a hole in your userland security that keeps getting exploited remotely. The end result is the same (even if the potential damage from a system level infection is greater).

      As an aside, I actually find that the main issue on Linux is not userland infection at all -- it's service-based infection; MySQL injections, compromised LAMP installs, etc. Same rule goes, as Apache is basically just another user: the attacker gains full access to this space, and can snarf the data, use the service for their own purposes, store their own stuff there, and generally use your computer service as if it was their own.

  3. COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 2, Informative

    Please learn how to spell.

    1. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 2, Informative

      Maybe it was a website about the bus lines in Columbia, South Carolina.

    2. Re:COLOMBIAN....not "Columbian" by saveferrousoxide · · Score: 2

      Because! Damnit. Though I would argue more for spelling proper nouns as the originator would spell them (assuming the phonetics work out -- and the alphabet, but transliteration is a whole different ballgame) since, ya know, it's their name an' all.

    3. Re:COLOMBIAN....not "Columbian" by Baloroth · · Score: 3, Informative

      Ironically, "Columbia" is the correct spelling in English (taken from "Columbus"). "Colombia" is the Spanish spelling (taken from "Colón"). Since English doesn't have the "ó", we use a "u" instead. Now, being a proper name you can use either (English is very flexible), but the English spelling is "Columbia".

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    4. Re:COLOMBIAN....not "Columbian" by Cinder6 · · Score: 2

      I initially read this as "Coulombian transport website", which had me confused...

      --
      If you can't convince them, convict them.
    5. Re:COLOMBIAN....not "Columbian" by jsepeta · · Score: 2

      or run by the dedicated fanbois of Christopher Columbus?

      --
      Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
    6. Re:COLOMBIAN....not "Columbian" by John+Hasler · · Score: 5, Informative

      Perhaps, but in American "Columbia" refers either to the river or to the district while "Colombia" refers to the nation in South America. "Columbia" is also an archaic term for the USA, as in "Columbia Gem of the Ocean".

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    7. Re:COLOMBIAN....not "Columbian" by sosume · · Score: 2

      Wrong. Although both are named after Columbus, the US capital is the District of Columbia, whereas the South American country is Colombia. You have me feeding though.

  4. if (linux) by Ynot_82 · · Score: 5, Funny

    if(linux) { exec 'su - root' || die 'shit, I had to try something...'; }

    1. Re:if (linux) by TheGratefulNet · · Score: 2

      no conditional checks for arduinos?

      for shame! feeling so left out...

      --
      "It is now safe to switch off your computer."
  5. Finally some multi-platform support by GameboyRMH · · Score: 4, Funny

    Now if only the major business software companies were this considerate...

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  6. Java = security nightmare by Anonymous Coward · · Score: 2, Insightful

    "java applet".

    So in other words, if you VOLUNTEER to run their malware, their malware runs. Wow. Whoda thunk it.

    Java = security nightmare. javascript not much less so. Anyone halfway security conscious only runs scripts based on a whitelist of trusted sites.

    1. Re:Java = security nightmare by amicusNYCL · · Score: 5, Insightful

      You're right, the Java programming language is not a security threat to computers in general. The Java Runtime Environment, and its various browser implementations, however, is definitely a threat. Just like PDF documents are not a threat, but Acrobat Reader is definitely a threat. See here for proof (spoiler: Java was the #1 infection vector, at 37%; Acrobat #2 at 32%).

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  7. Only older Macs. by used2win32 · · Score: 4, Informative

    Quoted: "Surprisingly for such an advanced exploit, it was unable to infect modern Macs unless they were modified to run software known as Rosetta. The software allows Macs using Intel processors to run applications written for Macs using PowerPC processors, which were phased out about five years ago. Rosetta is no longer even supported on Lion, the most recent version of OS X."

    Rosetta not supported on Lion and not installed by default in Snow Leopard.

    So no current Macs and only older Macs that use Rosetta risk infection. That number has to be pretty low...

    I don't think any *nix user has much to worry about either...

    --
    Procrastination; I'll think of a sig tomorrow.
  8. Interesting author in source code by sl4shd0rk · · Score: 5, Informative

    If you google getParameter( "ILIKEHUGS" ); from the screen shot in TFA, you can find a java file which looks suspiciously like the one in TFA. I lold at the header comment. I don't think this is a 'new' exploit:
    /**
      * Original Author: Thomas Werth
      * Modifications By: Dave Kennedy, Kevin Mitnick
      * This is a universal Applet which determintes Running OS
      * ...

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  9. Re:Most Macs are probably immune. by beelsebob · · Score: 2

    Macs do indeed run Apple's version of Java... if you have jumped through the hoops of clicking the "disabled plugin" button that replaces the applet, then typing in your password. Macs absolutely do not have to be running Rosetta (a tech that doesn't even exist any more) to get infected, as neither Java nor the binary delivered is a PPC binary.

  10. Malware for Linux? by Anonymous Coward · · Score: 5, Funny

    The year of the Linux desktop has arrived!

  11. Re:Most Macs are probably immune. by Yaztromo · · Score: 4, Informative

    That'd be news to the millions getting new Macs and using Java.

    The GP is correct. Apple stopped shipping Java with OS X with the release of Lion.

    That said, if you try to run something that requires Java, OS X will offer to download and install it for you. However, with the latest OS X updates the Java browser plug-in and Java Web Start are now disabled by default, and have to be explicitly enabled by the user in the Java Preferences app. And if they do explicitly enable it, it will auto-disable itself again if it hasn't been used in some time.

    That's a lot of extra hoops to jump through to get this to work on a modern, up-to-date Mac. Then again, the people who develop and propagate malware such as this tend to target those who don't keep their systems up-to-date, ensuring it is still a concern for many users (with those at most risk being the ones least knowledgeable to do much about it, or even be aware that anything is wrong).

    Yaz

  12. Re:Most Macs are probably immune. by Ossifer · · Score: 2

    More correctly:

    1. Macs ship with a hook that offers to install Java if you ever attempt to use it.

    2. OSX does not disable Java itself, but the Safari application disables the use of Java applets. If you run Firefox, this doesn't happen at all.

  13. Re:Infected Linux? by marcosdumay · · Score: 2

    F-Secure wasn't eager to tell us the details. It doesn't work anymore on OS X, no word about Linux.

    Anyway, it wasn't a proof of concept. It was found in the wild.

  14. very convincing by Cyko_01 · · Score: 5, Funny

    On Linux you need to download the source code from the repository and compile it yourself.

  15. Re:Most Macs are probably immune. by hobarrera · · Score: 2

    Most Linux distros don't ship the Java applet thingy either.

  16. Re:Linux by wmbetts · · Score: 2

    I had a friend that did a demonstration of just that. He built an exploit while he was up there doing the talk. It took a couple hours, but when he was done he had a functional 0day. Believe it or not people actually do what he's describing. If the good guys are doing it for pentesting I'd guess the bad guys are doing it as well.

    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
  17. Re:Web exploit drops a different trojan by Riceballsan · · Score: 2

    Well, the greater concern is what the virus is and intends to do. Something doesn't need a root password to, say, run an individual keylogger for what that user types, FTP that log file in addition to everything in ~/Documents to a server in Sealand, or whatever. If just ruining someone's day is the goal, rm -rf ~ would pretty much be the kiss of death. Linux's greater strength in the more robust, harder to break root privileges compared to Windows actually doesn't really come into play until Linux hits a point where it is targeted well enough to use antivirus software. The main thing I see Windows viruses doing with admin rights is disabling Windows updates and preventing AV software from getting the new updates, to ensure its own position at being ahead in the arms race stays the same.