The Rise of Multi-Platform Malware

Thursday, July 12, 2012

Pierluigi Paganini


(Translated from the original Italian)

The malware factories are still evolving, and every day security firms detect threats that show new and sophisticated techniques employed to evade protection systems.

A unique web exploit is in the wild, and its particularity is that during the deployment phase it detects the operating system of the host and chooses the appropriate malware to launch against it.

The malware targets Windows, Linux and Mac OS, so no one is safe. This is the finding of the experts at the security firm F-Secure, who isolated what is considered a multi-platform backdoor on a Colombian transport website.

Multi-platform attacks are rare, but they represent a considerable evolution that must be taken into account. Multi-platform malware is a significant step forward for cyber crime because it gives an attacker the opportunity to infect a greater number of machines.

The mechanism is simple: using a JAR, the malware identifies the OS and then downloads the right files to infect the targeted machine.

After identifying the type of operating system the machine is running, a Java class file downloads the appropriate malware, whose purpose is to open a backdoor that allows remote access to the machine.

The source code of the applet used to distinguish the OS running on the targeted machine was reportedly shown in a screenshot (image not reproduced here).
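As an added example (not code from the original post or from F-Secure's analysis), the following Python triage script pulls the constant-pool strings out of every class inside a JAR and flags the combination the post describes: OS fingerprinting through the `os.name` property alongside network download and process execution. The JAR it scans is constructed inline, and the indicator strings are an assumption about what such a class would reference, not strings taken from the GetShell sample.

```python
import io
import struct
import zipfile

# Strings a defender would expect to co-occur in a class that fingerprints the OS
# and then fetches and runs a per-platform payload (assumed indicators, by category).
INDICATORS = {
    "os_fingerprint": {"os.name"},
    "download": {"java/net/URL", "openStream", "openConnection"},
    "execute": {"java/lang/Runtime", "exec"},
}
# Payload size in bytes of every non-Utf8 constant-pool entry kind, keyed by tag.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_strings(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry from a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])  # number of pool slots + 1
    pos, idx, out = 10, 1, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pos += _CP_FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return out

def triage_class(data: bytes) -> dict[str, bool]:
    found = set(class_strings(data))  # indicator category -> referenced by this class?
    return {cat: bool(words & found) for cat, words in INDICATORS.items()}

def triage_jar(jar_bytes: bytes) -> dict[str, dict[str, bool]]:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:  # a JAR is a zip archive
        return {n: triage_class(zf.read(n)) for n in zf.namelist() if n.endswith(".class")}

def is_suspicious(hits: dict[str, bool]) -> bool:
    return all(hits.values())  # fingerprint + download + execute is the dropper pattern

def _fake_class(strings: list[str]) -> bytes:
    # Constructed minimal class file: header plus a constant pool of Utf8 entries only.
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + struct.pack(">H", len(strings) + 1) + pool

def sample_jar() -> bytes:
    # Constructed two-class JAR: one OS-switching downloader, one harmless applet.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Switch.class", _fake_class(["os.name", "java/net/URL", "openStream", "java/lang/Runtime", "exec"]))
        zf.writestr("Hello.class", _fake_class(["java/applet/Applet", "paint"]))
    return buf.getvalue()
```

Run `triage_jar` over a real JAR's bytes to get a per-class report; a class hitting all three categories deserves a manual look, while a hit on only one is routine for legitimate applets.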

Of course, the attack must be completed with social engineering so that the victim accepts the malicious file when prompted to run a seemingly benign signed applet.


The malicious files developed for each type of OS connect to the same Command & Control server, which F-Secure has located at IP address 186.87.69.249.

The F-Secure blog post also reported the following information identifying the malware:

  • Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
  • Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
  • Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
  • Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)
  • The Mac OS X sample is a PowerPC binary; as such, executing the file on an Intel-based platform will require Rosetta.

It should be noted that this isn't the first multi-platform malware detected. In 2010, for example, the Boonana malware was detected, which also used a malicious Java applet to spread itself.

Malware of this type will increase in number in the coming months, and no platform is immune, so internet users should be aware of the threat and take appropriate precautions.

Cross-posted from Security Affairs
