Slashdot Mirror


Web Exploit Found That Customizes Attack For Windows, Mac, and Linux

phaedrus5001 writes with this quote from Ars: "Security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform. The attack was spotted by researchers from antivirus provider F-Secure on a Columbian transport website, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked if the user's computer is running Windows, Mac OS X, or Linux. Based on the outcome, the attack then downloads the appropriate files for each platform."

20 of 204 comments

  1. Columbian transport website? by Kenja · · Score: 4, Funny

    Is that where the "domestic pharmaceutical procurement facilitators" meet?

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  2. Blah by mystikkman · · Score: 5, Funny

    When are the malware writers going to support BSD?

    1. Re:Blah by kiriath · · Score: 3, Informative

      Well, OS X is built on BSD so technically they kinda do?

    2. Re:Blah by Gerzel · · Score: 3, Interesting

      No it isn't. The largest BSD distro is Macintosh!

    3. Re:Blah by hairyfeet · · Score: 5, Interesting

      The sad part is the BSD guys would write them a thank you note for bothering to remember them.

      So can we ALL just accept now there is no "Magical OS" that makes one immune from malware please? All OSes are EXTREMELY complex piles of code, having to support tens of thousands of drivers, scheduling and tasking, hell I doubt even Linus can tell you when you launch program Foo every single interaction that is taking place in the system, there is simply more there than any one person can know.

      Now that the retard that made XP run by default as admin has been sent packing on the short bus all three major OSes have limited users, hell Windows even has the browser run as a low rights entity to help lower the risk. Now that all three major OSes have common sense defaults ultimately it all comes down to the USER and whether they will take the time to actually think or will simply allow anything to run. I've seen it a billion times in the shop, a fully patched and AVed machine get infected NOT because of the OS but because it was the USER that refused to listen to the warnings being given him/her and choosing instead to run it anyway.

      At the end of the day the only foolproof way to get rid of malware is to take away the user's right to control their own machine, to instead stick them in a walled garden where only approved apps get run. I think we can all agree having some corporation own our machines would be a BAD thing so all we can do is warn users, try to make ever-hardened systems, and be ready to clean up the messes when they happen. After Android became a hit it was only a matter of time before Linux got put in the crosshairs and now that day appears to be here and I for one will be interested to see how the community reacts.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:Blah by AliasMarlowe · · Score: 4, Informative

      They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???

      Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    5. Re:Blah by Compaqt · · Score: 5, Insightful

      I haven't tried the exploit, but again:

      On my machine, all the important stuff is in the /home directory.

      There's nothing really interesting in the "system". I don't even really care about the system. It's just an ISO download away from reinstall.

      My files, on the other hand, are what's important.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    6. Re:Blah by Em+Adespoton · · Score: 3, Insightful

      > They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???
      >
      > Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

      Same argument goes for Windows and OS X -- and the argument is wrong. You can have software that happily installs in your home directory and has full access to userland files -- which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

      From what I've seen, the stuff normally dropped on Linux systems tends to be shell scripts and the like, and they don't tend to look like much in screen shots.
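      The point above about software that installs itself in the home directory applies to persistence as well: a user-writable autostart location needs no root at all. As an added example that is not part of this thread, the following Python inventories the freedesktop autostart directory (~/.config/autostart) under a given home path and parses each .desktop entry the way a desktop session would, skipping entries marked Hidden=true and flagging commands that run from inside the home directory itself. The home layout, file names and commands it creates are constructed for the demonstration.

```python
"""Inventory user-level autostart entries under a Linux home directory.

Added example (not from the Slashdot thread or any project it mentions).
Works on an arbitrary home path so it can be run against a constructed
directory; only ~/.config/autostart is read.
"""
from __future__ import annotations

import configparser
import tempfile
from pathlib import Path


def parse_desktop_entry(path: Path) -> dict | None:
    """Return the [Desktop Entry] fields of a .desktop file, or None if unusable."""
    # .desktop keys are case-sensitive (Exec vs exec) and Exec lines contain
    # '%u'-style field codes, so disable case folding and interpolation.
    parser = configparser.RawConfigParser(strict=False, interpolation=None)
    parser.optionxform = str
    try:
        parser.read(path, encoding="utf-8")
    except configparser.Error:
        return None
    if not parser.has_section("Desktop Entry"):
        return None
    return dict(parser.items("Desktop Entry"))


def inventory_user_autostart(home: Path) -> list[dict]:
    """List the autostart entries in home/.config/autostart that will actually run.

    Entries with Hidden=true are disabled per the freedesktop autostart spec and
    are skipped. Each result records the file, the command, and whether the
    command lives inside the home directory (i.e. could be planted without root).
    """
    results: list[dict] = []
    autostart = home / ".config" / "autostart"
    if not autostart.is_dir():
        return results
    for entry_file in sorted(autostart.glob("*.desktop")):
        fields = parse_desktop_entry(entry_file)
        if fields is None:
            continue
        if fields.get("Hidden", "false").strip().lower() == "true":
            continue
        exec_line = fields.get("Exec", "")
        runs_from_home = (
            str(home) in exec_line or exec_line.startswith("~") or "$HOME" in exec_line
        )
        results.append(
            {
                "file": entry_file.name,
                "name": fields.get("Name", ""),
                "exec": exec_line,
                "runs_from_home": runs_from_home,
            }
        )
    return results


def build_demo_home(root: Path) -> Path:
    """Constructed sample home: one system entry, one home-resident entry, one disabled."""
    autostart = root / ".config" / "autostart"
    autostart.mkdir(parents=True)
    (autostart / "update-notifier.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Update Notifier\n"
        "Exec=/usr/bin/update-notifier\n"
    )
    (autostart / "sync-helper.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Sync Helper\n"
        f"Exec={root}/.local/share/sync-helper/run.sh\n"
    )
    (autostart / "disabled.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Disabled\nExec=/usr/bin/true\nHidden=true\n"
    )
    return root


def run_demo() -> list[dict]:
    """Build the constructed home in a temp dir and return its active autostart entries."""
    with tempfile.TemporaryDirectory() as d:
        return inventory_user_autostart(build_demo_home(Path(d)))


if __name__ == "__main__":
    for entry in run_demo():
        flag = "HOME-RESIDENT" if entry["runs_from_home"] else "system"
        print(f"{entry['file']:28} {flag:14} {entry['exec']}")
```

      To check a real account, call inventory_user_autostart(Path.home()) instead of run_demo(); entries flagged HOME-RESIDENT are the ones worth reconciling against what the user knowingly installed.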

    7. Re:Blah by wmbetts · · Score: 4, Insightful

      1) Disable Java by default. I have yet to have a website that I use regularly not work because Java doesn't run. Whitelist the sites you want to run Java on.

      2) Don't blindly click and enter your password at every prompt.

      Those two things alone would make you immune to this.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    8. Re:Blah by strikethree · · Score: 3, Interesting

      > which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

      I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the user's own directory.

      You have backups of /home right? So what is the problem with restoring it? Losing /home is NOT the worst thing that can happen to you. Having a virus that you cannot detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland so can we let this meme die now please?

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
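      The post above argues that an infection you cannot detect is worse than one that costs you /home, and that a backup only helps if you know which files have changed since it was taken. As an added example (not from the thread), the following Python builds a SHA-256 manifest of a directory, serialises it as JSON so it can be kept off the machine, and compares a later manifest against it to report files that were added, removed or silently modified. The sample home directory and the changes made to it are constructed in a temporary directory for the demonstration.

```python
"""Baseline-and-verify integrity check for a directory such as /home.

Added example, not from the Slashdot thread. Records a SHA-256 manifest of
every regular file, then reports which files were added, removed or changed
since the baseline. The scenario below runs against a constructed directory.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest.

    Symlinks are skipped so a link pointing outside root is never followed.
    """
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small home, then alter it the way a user would not notice."""
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        (home / "Documents").mkdir()
        (home / "Documents" / "thesis.txt").write_text("draft 1\n")
        (home / "Documents" / "notes.txt").write_text("todo\n")
        (home / ".bashrc").write_text("alias ll='ls -l'\n")

        # The baseline is what you would store on offline media alongside the backup.
        saved = json.dumps(build_manifest(home), indent=1)

        # Silent changes: one byte corrupted, one file gone, one rc file appended, one file added.
        (home / "Documents" / "thesis.txt").write_text("draft 1\x00\n")
        (home / "Documents" / "notes.txt").unlink()
        with (home / ".bashrc").open("a") as f:
            f.write("export EDITOR=vim\n")
        (home / ".cache").mkdir()
        (home / ".cache" / "thumb.bin").write_bytes(b"\x00" * 16)

        return compare_manifests(json.loads(saved), build_manifest(home))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9}", ", ".join(paths) or "-")
```

      Against a real account, write build_manifest(Path.home()) to JSON on media the machine cannot reach, and run compare_manifests before trusting a backup for restore; the manifest only detects change, so anything in "modified" still needs a human to decide whether it was expected.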
  3. if (linux) by Ynot_82 · · Score: 5, Funny

    if(linux) { exec 'su - root' || die 'shit, I had to try something...'; }

  4. Finally some multi-platform support by GameboyRMH · · Score: 4, Funny

    Now if only the major business software companies were this considerate...

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  5. Only older Macs. by used2win32 · · Score: 4, Informative

    Quoted: "Surprisingly for such an advanced exploit, it was unable to infect modern Macs unless they were modified to run software known as Rosetta. The software allows Macs using Intel processors to run applications written for Macs using PowerPC processors, which were phased out about five years ago. Rosetta is no longer even supported on Lion, the most recent version of OS X."

    Rosetta is not supported on Lion and not installed by default in Snow Leopard.

    So no current Macs and only older Macs that use Rosetta risk infection. That number has to be pretty low...

    I don't think any *nix user has much to worry about either...

    --
    Procrastination; I'll think of a sig tomorrow.
  6. Interesting author in source code by sl4shd0rk · · Score: 5, Informative

    If you google getParameter( "ILIKEHUGS" ); from the screen shot in TFA, you can find a java file which looks suspiciously like the one in TFA. I lold at the header comment. I don't think this is a 'new' exploit:
    /**
     * Original Author: Thomas Werth
     * Modifications By: Dave Kennedy, Kevin Mitnick
     * This is a universal Applet which determintes Running OS
     * ...

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  7. Re:Java = security nightmare by amicusNYCL · · Score: 5, Insightful

    You're right, the Java programming language is not a security threat to computers in general. The Java Runtime Environment, and its various browser implementations, however, is definitely a threat. Just like PDF documents are not a threat, but Acrobat Reader is definitely a threat. See here for proof (spoiler: Java was the #1 infection vector, at 37%; Acrobat #2 at 32%).

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  8. Re:COLOMBIAN....not "Columbian" by Baloroth · · Score: 3, Informative

    Ironically, "Columbia" is the correct spelling in English (taken from "Columbus"). "Colombia" is the Spanish spelling (taken from "Colón"). Since English doesn't have the "ó", we use a "u" instead. Now, being a proper name you can use either (English is very flexible), but the English spelling is "Columbia".

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  9. Malware for Linux? by Anonymous Coward · · Score: 5, Funny

    The year of the Linux desktop has arrived!

  10. Re:Most Macs are probably immune. by Yaztromo · · Score: 4, Informative

    That'd be news to the millions getting new Macs and using Java.

    The GP is correct. Apple stopped shipping Java with OS X with the release of Lion.

    That said, if you try to run something that requires Java, OS X will offer to download and install it for you. However, with the latest OS X updates the Java browser plug-in and Java Web Start are now disabled by default, and have to be explicitly enabled by the user in the Java Preferences app. And if they do explicitly enable it, it will auto-disable itself again if it hasn't been used in some time.

    That's a lot of extra hoops to jump through to get this to work on a modern, up-to-date Mac. Then again, the people who develop and propagate malware such as this tend to target those who don't keep their systems up-to-date, ensuring it is still a concern for many users (with those at most risk being the ones least knowledgeable to do much about it, or even be aware that anything is wrong).

    Yaz

  11. Re:COLOMBIAN....not "Columbian" by John+Hasler · · Score: 5, Informative

    Perhaps, but in American "Columbia" refers either to the river or to the district while "Colombia" refers to the nation in South America. "Columbia" is also an archaic term for the USA, as in "Columbia Gem of the Ocean".

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  12. very convincing by Cyko_01 · · Score: 5, Funny

    On Linux you need to download the source code from the repository and compile it yourself