Security provider Symantec has discovered a multi-platform, Java-based malware strain that seeks to infect machines running either Windows or Mac OS X.
The malware first detects which operating system the targeted machine is running and then starts the infection with the code written for that platform.
"We have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads a suitable malware for the OS," writes Symantec's Takashi Katsuki.
This most recent example of malicious code that can infect the Mac operating system joins the now infamous "Flashback" Trojan and its variants "SabPub", thought to have infected more than 600,000 machines, and "Flashback.S", which can stealthily infect an OS X system without requesting a password.
"When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability. This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type malware written in Python. However, if the threat is running on a Windows operating system, it downloads a standard Windows executable file dropper. Both droppers drop a Trojan horse program that opens a back door on the compromised computer," Katsuki explains.
Though Python is not typically used to write malware, it offers an advantage for attacks against Macs: the interpreter ships with OS X by default, so a Python dropper runs without the attacker having to install anything first.
"The Trojan only checks whether it is a Windows operating system or not in this code, but the downloaded Python dropper checks again whether it is a Mac operating system or not. If it is running on Linux or some other operating system, the threat does nothing. Python is not a popular script to write malware in, but it works fine on a Mac operating system because Python has already been installed by default," Katsuki says.
The malware then delivers one of two backdoor Trojan payloads, depending on the detected operating system, and the Python version for the Mac is designed to evade intrusion detection systems by limiting how often it contacts its command server.
"The back door Trojan for the Mac operating system written in Python can control the 'polling times', which is related to how many times it gets commands from the server at certain time intervals. The author has done this in order to avoid IDS or IPS detection by reducing network communication. The network connection is also encrypted by RC4 or compressed by Zlib," said Katsuki.
Multi-platform malware is not entirely new, but with the increasing popularity of Apple products in the marketplace, there is an incentive for malware authors to save time and resources by developing strains that are capable of infecting multiple operating systems.