Wednesday, July 11, 2012

Web exploit figures out what OS victim is using, customizes payload

News has come out that a new web exploit can drop a virus that is custom tailored for the OS...including Linux.

Malicious code inside this Java file loads a different trojan depending on the operating system used by the target. via F-Secure
F-Secure security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan according to the platform detected.


This was spotted by researchers from antivirus provider F-Secure on a Columbian transport website, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked if the user's computer is running Windows, Mac OS X, or Linux. Based on the detected OS, the applet then downloads the appropriate files.


A quote from the security firm:
"All three files for the three different platforms behave the same way," the researchers wrote in this blog post. "They all connect to 186.87.69.249 to get additional code to execute. The ports are 8080, 8081, and 8082 for OS X, Linux, and Windows respectively."
Windows being on this list is pretty much self-explanitory. Mac OS X has grown in popularity over the past few months, and now has been attacked by malware targeted for that system. It is rather rare to see Linux viruses, but they do happen. As Linux (on the desktop) also grows in popularity, the rate of infections by new viruses can also go up. Most notably these from last year that infected some of the top Linux developers, but single attacks that have the ability to infect any one of the three OSes are even more rare.


To my surprise for such an advanced exploit, it was unable to infect modern Macs unless they were modified to run software known as Rosetta. The software allows Macs using Intel processors to run applications written for Macs using PowerPC processors, which were phased out about five years ago (Apple then teamed up with Intel, ending the line of PowerPC based macs). Rosetta is no longer even supported on Lion, the most recent version of OS X.


The F-Secure post said the hacked website and the server used to control infected machines have been reported.


Source: Ars Technica