Cross-platform malware exploits Java to attack PCs and Macs

Summary: The same Java vulnerability used in the infamous Flashback malware is now being used as an attack vector for a single piece of malware that can infect both Windows and Mac OS X computers.

Security vendors have discovered a new piece of malware that attacks both PCs and Macs. It uses the same Java security vulnerability exploited by the Flashback malware that infected hundreds of thousands of Macs. While the attack vector is the same as in Flashback, this Java applet checks which OS it is running on and downloads suitable malware for it.

Malware writers love using a cross-platform plugin as an attack vector because it allows them to target more than one operating system, and thus more potential users. Since Java has been having security problems for a while now, it shouldn't be too much of a surprise it is now being used in an attack targeting both Windows and Mac computers.

This particular malware exploits the Java vulnerability to download further malicious code onto your computer, as you can see above. A backdoor Trojan written in C++ is installed on Windows, while a similar Trojan written in Python, called update.py (extracted from install_flash_player.py), is installed on Mac OS X.

Both droppers result in a Trojan that opens a back door on the compromised computer, allowing remote hackers to secretly send commands, upload code to the victim's computer, steal files, and run commands without the user's knowledge. The two Trojans are downloaded from the same server.

The Trojan checks only once whether it is running on Windows, but the downloaded Python dropper checks again whether it is running on a Mac. If it finds itself on Linux or some other operating system, the threat does nothing. Python is not often used to write malware, but in this case it works fine on Macs because Python is installed there by default.

The Mac variant can vary how often it polls the server for commands (its polling interval) in order to avoid IDS or IPS detection. The network connection is also encrypted with RC4 or compressed with Zlib. The threat has the following functions: download files, list files and folders, open a remote shell, sleep, and upload files.

In addition to using an antivirus, you can check if your Mac is infected by looking for these two files (both can be safely deleted):

/Users/Shared/update.sh (shell script)
/Users/Shared/update.py (Python script)

The Windows variant sends the following information back to the remote attacker: CPU details, disk details, memory usage, OS version, and user name. The Trojan can also download a file and execute it, or open a shell to receive commands.

Patches for this Java vulnerability have been available since February 14 for Windows, Linux, and Unix computers. Apple released a patch in early April, before the Flashback botnet was discovered. Apple has not issued a Java security update for users running versions of Mac OS X prior to 10.6 (Snow Leopard) because it wants those users to upgrade to a newer version of its operating system. These users can only protect themselves by disabling Java.

If you don't use Java, you should disable it. Whether or not you have it installed, always apply the latest security updates for your operating system and software, whether they come from Microsoft, Apple, or any other company.

For reference, Sophos detects this threat as Mal/20113544-A and Mal/JavaCmC-A. Symantec detects the Java Applet malware as Trojan.Maljava, the droppers as Trojan.Dropper, and the back door Trojans as Backdoor.Trojan.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

54 comments
  • Oh the irony, er agony...

    I guess the number of Macs was just insufficient. I can't help but wonder how many Windows users will prove to be just as lax in their habits as the Mac user base. I am guessing about a factor of 10x.

    Where's Ed Bott's diatribe about this new development for Flashback malware?
    Splork
    • Given Windows has 10 times the market share.

      Why would you be surprised if it has 10 times the number of affected systems? Yes, quite a large number of Windows users are lax in their security habits. Which is something many of us have been saying for quite some time.
      ye
      • Oh!

        Thanks for pointing out that all the noise over how Mac users are stupid because they "believe" that their Macs are immune to malware is just that: noise. So you're actually going on record as saying Windows is just as vulnerable and Windows users, by your own admission, are just as statistically likely to be stupid?

        Thanks for negating and obviating literally hundreds, if not thousands, of posts in the Flashback blogs by good ole Ed Botts :)

        You made my day! That's another first for you, ye.
        Splork
      • But doesn't that destroy.

        Windows' mythical superiority? We've heard for the last few weeks that Windows is/was immune to this. Yet right here we see Windows is just as bad (security wise) as OS X. How will the "faithful" ever recover their Superiority complex?
        Jumpin Jack Flash
      • It's not noise at all.

        @Splork:

        Mac users think their systems are immune. We've heard it countless times before.
        ye
      • We have?

        @Jumpin Jack Flash:

        [i]We've heard for the last few weeks that Windows is/was immune to this.[/i]

        If anything I think what we've "heard" was in the same manner as Apple (the company) claiming their systems can't become infected from Windows malware.
        ye
      • "We have?" the reprise

        First of all, let me thank all of the MS apologists that have voted down anyone that correctly correlated that the Flashback problem for Windows and Macs is platform agnostic, which was actually pointed out in the article. I guess this is especially distasteful to all the gleeful posters that piled on that the Mac users are stupid because they got infected. But, hey, that's just too bad. Statistically, there exists a huge fraction of users for both that are clueless.

        @ye

        "[i]Mac users think their systems are immune. We've heard it countless times before[/i]"

        True. But I have heard countless times that Windows is sooo much better at security now and the chances of malware infections for W7 is extremely low. Perhaps the very same feeling of immunity now exists in the Windows users camp?

        I am guessing that all of those nifty W7 security features, such as sandboxing IE and safe mode, etc. can all be bypassed by this exploit. I haven't read otherwise and really don't care to research that either.

        For the record, I have never believed that any OS is invulnerable. Not my 3 Macs. Not my 3 Windows machines. Nor my Linux computers. But what I do know is that most of the people on this site simply cannot bear any truthful information that conflicts with their personal opinion about mighty Windows. Those are the people that ultimately will feel the pain of their veiled view of reality when it bites them where it hurts.

        Hint: the hurting will come and you're seeing just the start.
        Splork
        • Windows is better

          Security wise. The flashback trojan did infect Windows and it did also infect machines running GNU/Linux, as the tally from Kaspersky showed these infections back then. The numbers of infections for Windows (0.3%) and Linux (0.7%) were insignificant; due to the market share Windows still holds, that 0.3% especially is insignificant.

          The flashback trojan did pass the 1% infection rate, which is massive, and has never been achieved on the Windows platform by any piece of malware.

          The problem with java based exploits is twofold, one prior to Lion, java was installed by default AND Apple themselves were responsible for the code. Both of these are not the case on the Windows platform.
          sjaak327
      • Where?

        @Splork:

        [i]But I have heard countless times that Windows is sooo much better at security now and the chances of malware infections for W7 is extremely low. Perhaps the very same feeling of immunity now exists in the Windows users camp?[/i]

        I'd have to disagree. At least not from anyone credible. I see comments saying Windows 7 security has improved over previous versions of Windows. And those statements would be correct.

        I've also read many comments, by many posters, that Windows users are aware their systems are not invulnerable. And therefore they run A/V software.

        [i]I am guessing that all of those nifty W7 security features, such as sandboxing IE and safe mode, etc. can all be bypassed by this exploit. I haven't read otherwise and really don't care to research that either.[/i]

        Protected Mode (what is "safe mode", other than the repair mode on boot?) doesn't protect code from running. It protects from modifications. Thus while it may not prevent the execution it may protect against modification.
        ye
      • Where? Right here on ZDNet

        @ye:
        http://www.zdnet.com/blog/hardware/vista7-more-secure-than-linux-and-mac-os-x/4146
        anothercanuck
      • Did you bother to read what your link references?

        @anothercanuck:

        It doesn't appear you did.
        ye
      • Well...

        I don't know so much, the PC version of Java was patched a LONG time ago. I don't see it should impact as hard, even given the size of the PC market share.

        I don't think the attitude of Mac users had any impact - there was no patch or way of detecting it, and while there are many trying to blame Mac users, they don't have any suggestions for Mac users that would have actually helped. It is just crass name calling at this point.

        I think this story has pretty much played out at this point. It didn't prove the point for antivirus, despite what's been said, as none of it was effective before Apple's (eventual) patch. All it did prove is operating system flaws are rare these days, and the biggest threat is third party plugins - especially those shipped by default. The Mac isn't immune to this and, Mac or PC, this is an area that needs diligence. What is really unforgivable is Apple actually have the advantage here (Microsoft don't have a lot of control over what additional software OEMs ship with their systems) and still managed to screw it up (they took FAR too long with this known flaw).
        jeremychappell
      • Funny, he said no such thing at all.

        @Splork

        He made [b]no[/b] mention of Mac users at all.

        As for whether an OS is vulnerable or not, [b]Mac users[/b] (as well as the Linux "advocates" out there) have been the ones claiming that "their" operating systems were 100% proof against [b]all[/b] malware attacks, or worse tried to brush off any weaknesses & vulnerabilities as "merely social engineering tricks".

        In contrast, Windows users for [b]years[/b] have said that no OS is 100% fool-proof, but that you can severely reduce your vulnerability to malware via:
        -- "safe" online practices, such as being careful of sites you visit/software you download/email links you follow
        -- being aware of the online policies of your bank/financial institution/government entities like the IRS, in order to avoid social engineering vulnerabilities
        -- keeping your software & OS updated when the vendor releases patches, preferably using automatic updates

        And guess what? Now Mac users are finding out that they have to follow the [b]same[/b] steps in order to help protect themselves against malware. The only difference? Microsoft [b]never[/b] told its customers they were 100% immune, but Apple had a whole slew of ads & commercials that made the now-refuted claim.

        The upshot? Now it truly comes down to personal preference when it comes to hardware & OS: you pick the PC (Windows/Linux/OS X/other) that best fits [b]your[/b] needs, wants, desires, & software.
        spdragoo@...
      • Winheads have been saying Windows is most secure

        @thread

        Splork is right... some smug Winheads have been on the brag lately that claim Windows is the most secure and even rubbing it in the nose of Macheads since this whole Flashback botnet news hit the scene. Basically saying "Microsoft takes security seriously and Apple does not!". I have seen it here and on Cnet in the various articles that usually start these entertaining flamewars.
        JuggerNaut_z
    • What?

      "If anything I think what we've "heard" was in the same manner as Apple (the company) claiming their systems can't become infected from Windows malware."

      @ye,

      So tell me where in the article it says this is (in your words) "Windows malware". This article starts off saying the exploit is cross platform and never says it's "Windows malware". The statement that Macs can't be infected by "Windows malware" is true. Doesn't mean they are immune to all malware, just malware that targets the Windows platform.
      benched42
      • Re:What?

        This article upset me.
        Now I couldn't brag "Windows don't get Mac's malwares" anymore.

        Sad day.
        Samic
      • A small problem

        For those people who went and deliberately installed Java on Windows, as MS got rid of that slow, buggy mess 10 years ago - Apple apparently only figured this out in 2010.

        The real problem for Macs is Apple installed Java by default (until very late 2010) - their own "special" edition that is months behind in bug fixes and patches. That makes them a lot more vulnerable. For the vast majority of the world's computers users, java is just coffee as it's never been near their Windows computer.
        tonymcs@...
    • Nice going Splork!

      My comments get removed when I start throwing facts around, so I'll refrain from stating the obvious (to you and me, anyway).

      Wear those negative votes like a badge of honor.
      Info-Dave
      • Aw, you guys are too nice

        Not only did you down vote my previous comment into obscurity, you flagged me as well.

        I'm touched.
        Info-Dave
    • Kind of a deceptive argument.

      If only 10% of all computer users (no matter the OS) are lax in keeping current on their patches, then [b]of course[/b] it would stand to reason that the OS with a larger user base would have a higher [b]actual[/b] number of "lax" users than the OS with a smaller base. But that doesn't mean that one user group is "better" or "worse" than the other.

      If you were told that, say, 10% of the populations of both Spain (~46 million) and the USA (~313 million) believed the world was flat, would you claim that the US population was less intelligent, because over 31 million Americans believed that but only 4.6 million Spaniards did... or would you recognize that, because the percentages are equal, that their populations have the [b]same[/b] chance of believing in such an obvious fallacy?
      spdragoo@...