Cross-platform malware exploits Java to attack PCs and Macs
Summary: The same Java vulnerability used in the infamous Flashback malware is now being used as an attack vector for a single piece of malware that can infect both Windows and Mac OS X computers.
Security vendors have discovered a new piece of malware that attacks both PCs and Macs. It uses the same Java security vulnerability exploited by the Flashback malware that infected hundreds of thousands of Macs. While the attack vector is the same as in Flashback, this Java applet checks which OS it is running on and downloads suitable malware for it.
Malware writers love using a cross-platform plugin as an attack vector because it allows them to target more than one operating system, and thus more potential users. Since Java has been having security problems for a while now, it shouldn't be too much of a surprise it is now being used in an attack targeting both Windows and Mac computers.
This particular malware exploits the Java vulnerability to download further malicious code onto your computer, as you can see above. A backdoor Trojan written in C++ is installed on Windows while a similar Trojan written in Python called update.py (extracted from install_flash_player.py) is installed on Mac OS X.
Both droppers result in a Trojan that opens a back door on the compromised computer, allowing remote hackers to secretly send commands, upload code to the victim's computer, steal files, and run commands without the user's knowledge. The two Trojans are downloaded from the same server.
The Trojan only checks whether it is running on Windows once, but the downloaded Python dropper checks again whether it is running on a Mac or not. If it is running on Linux or some other operating system, the threat does nothing. Python is not often used to write malware, but in this case it works fine on Macs since Python is installed by default.
The Mac version can vary how often it polls the server for commands (its polling interval) in order to evade IDS or IPS detection. The network connection is also encrypted with RC4 or compressed with Zlib. The threat has the following functions: download files, list files and folders, open a remote shell, sleep, and upload files.
In addition to using an antivirus, you can check if your Mac is infected by looking for these two files (both can be safely deleted):
- /Users/Shared/update.sh (shell script)
- /Users/Shared/update.py (Python script)
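The file check above, as an added example that is not part of the original article: a Python script that looks under a given root for the two paths the article names, records each hit's size and SHA-256 before anything is removed, and moves hits into a quarantine directory rather than deleting them (quarantining is an added choice; the article says the files can simply be deleted). The `root` parameter and the quarantine directory name are assumptions so the scan can run against a constructed tree as well as the live disk.

```python
import hashlib
import os
import shutil

# Indicator paths named in the article, kept relative to the filesystem root
# so that a mounted disk image or a test tree can be scanned like the live disk.
INDICATOR_PATHS = (
    "Users/Shared/update.sh",   # shell script dropped by the Mac backdoor
    "Users/Shared/update.py",   # Python backdoor (extracted from install_flash_player.py)
)


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_indicators(root="/"):
    """Return (absolute path, size, sha256) for every indicator present under root."""
    hits = []
    for rel in INDICATOR_PATHS:
        full = os.path.join(root, rel)
        if os.path.isfile(full):          # absent files are simply not reported
            hits.append((full, os.path.getsize(full), sha256_of(full)))
    return hits


def quarantine(hits, quarantine_dir):
    """Move found files into quarantine_dir (assumed name) instead of deleting
    them outright, so the artefacts survive for later analysis."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for full, _size, digest in hits:
        dest = os.path.join(quarantine_dir, digest[:16] + "_" + os.path.basename(full))
        shutil.move(full, dest)
        moved.append(dest)
    return moved


if __name__ == "__main__":
    found = scan_indicators()
    if not found:
        print("No update.sh/update.py indicators found under /Users/Shared.")
    for path, size, digest in found:
        print(f"FOUND {path} ({size} bytes) sha256={digest}")
```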
The Windows version sends the following information back to the remote attacker: CPU details, disk details, memory usage, OS version, and user name. The Trojan can also download a file and execute it, or open a shell to receive commands.
Patches for this Java vulnerability have been available since February 14 for Windows, Linux, and Unix computers. Apple released a patch in early April, before the Flashback botnet was discovered. Apple has not issued a Java security update for users running versions of Mac OS X prior to 10.6 (Snow Leopard) because it wants those users to upgrade to a newer version of its operating system. These users can only protect themselves by disabling Java.
If you don't use Java, you should also disable it. Even if you don't have it installed, always install the latest security updates for your operating system and software, whether they come from Microsoft, Apple, or any other vendor.
For reference, Sophos detects this threat as Mal/20113544-A and Mal/JavaCmC-A. Symantec detects the Java Applet malware as Trojan.Maljava, the droppers as Trojan.Dropper, and the back door Trojans as Backdoor.Trojan.
See also:
- New Flashback variant silently infects Macs
- New version of Mac OS X Trojan exploits Word, not Java
- New targeted Mac OS X Trojan requires no user interaction
- Over 600,000 Macs infected with Flashback Trojan
- Russian security firm says Flashback infection rates still high
- How big a security risk is Java? Can you really quit using it?

Talkback
Oh the irony, er agony...
Where's Ed Bott's diatribe about this new development for Flashback malware?
Given Windows has 10 times the market share.
Oh!
Thanks for negating and obviating literally hundreds, if not thousands, of posts in the Flashback blogs by good ole Ed Botts :)
You made my day! That's another first for you, ye.
But doesn't that destroy.
It's not noise at all.
Mac users think their systems are immune. We've heard it countless times before.
We have?
[i]We've heard for the last few weeks that Windows is/was immune to this.[/i]
If anything I think what we've "heard" was in the same manner as Apple (the company) claiming their systems can't become infected from Windows malware.
"We have?" the reprise
@ye
"[i]Mac users think their systems are immune. We've heard it countless times before[/i]"
True. But I have heard countless times that Windows is sooo much better at security now and the chances of malware infections for W7 is extremely low. Perhaps the very same feeling of immunity now exists in the Windows users camp?
I am guessing that all of those nifty W7 security features, such as sandboxing IE and safe mode, etc. can all be bypassed by this exploit. I haven't read otherwise and really don't care to research that either.
For the record, I have never believed that any OS is invulnerable. Not my 3 Macs. Not my 3 Windows machines. Nor my Linux computers. But what I do know is that most of the people on this site simply cannot bear any truthful information that conflicts with their personal opinion about mighty Windows. Those are the people that ultimately will feel the pain of their veiled view of reality when it bites them where it hurts.
Hint: the hurting will come and you're seeing just the start.
Windows is better
The flashback trojan did pass the 1% infection rate, which is massive, and has never been achieved on the Windows platform by any piece of malware.
The problem with java based exploits is twofold, one prior to Lion, java was installed by default AND Apple themselves were responsible for the code. Both of these are not the case on the Windows platform.
Where?
[i]But I have heard countless times that Windows is sooo much better at security now and the chances of malware infections for W7 is extremely low. Perhaps the very same feeling of immunity now exists in the Windows users camp?[/i]
I'd have to disagree. At least not from anyone credible. I see comments saying Windows 7 security has improved over previous versions of Windows. And those statements would be correct.
I've also read many comments, by many posters, that Windows users are aware their systems are not invulnerable. And therefore they run A/V software.
[i]I am guessing that all of those nifty W7 security features, such as sandboxing IE and safe mode, etc. can all be bypassed by this exploit. I haven't read otherwise and really don't care to research that either.[/i]
Protected Mode (what is "safe mode", other than the repair mode on boot?) doesn't protect code from running. It protects from modifications. Thus while it may not prevent the execution it may protect against modification.
Where? Right here on ZDNet
http://www.zdnet.com/blog/hardware/vista7-more-secure-than-linux-and-mac-os-x/4146
Did you bother to read what your link references?
It doesn't appear you did.
Well...
I don't think the attitude of Mac users had any impact - there was no patch or way of detecting it, while there are many trying to blame Mac users, they don't have any suggestions for Mac users that would have actually helped. It is just crass name calling at this point.
I think this story has pretty much played out at this point. It didn't prove the point for antivirus, despite what's been said, as none of it was effective before Apple's (eventual) patch. All it did prove is operating system flaws are rare these days, and the biggest threat is third party plugins - especially those shipped by default. The Mac isn't immune to this and, Mac or PC, this is an area that needs diligence. What is really unforgivable is Apple actually have the advantage here (Microsoft don't have a lot of control over what additional software OEMs ship with their systems) and still managed to screw it up (they took FAR too long with this known flaw).
Funny, he said no such thing at all.
He made [b]no[/b] mention of Mac users at all.
As for whether an OS is vulnerable or not, [b]Mac users[/b] (as well as the Linux "advocates" out there) have been the ones claiming that "their" operating systems were 100% proof against [b]all[/b] malware attacks, or worse tried to brush any weaknesses & vulnerabilities as "merely social engineering tricks".
In contrast, Windows users for [b]years[/b] have said that no OS is 100% fool-proof, but that you can severely reduce your vulnerability to malware via:
-- "safe" online practices, such as being careful of sites you visit/software you download/email links you follow
-- being aware of the online policies of your bank/financial institution/government entities like the IRS, in order to avoid social engineering vulnerabilities
-- keeping your software & OS updated when the vendor releases patches, preferably using automatic updates
And guess what? Now Mac users are finding out that they have to follow the [b]same[/b] steps in order to help protect themselves against malware. The only difference? Microsoft [b]never[/b] told its customers they were 100% immune, but Apple had a whole slew of ads & commercials that made the now-refuted claim.
The upshot? Now it truly comes down to personal preference when it comes to hardware & OS: you pick the PC (Windows/Linux/OS X/other) that best fits [b]your[/b] needs, wants, desires, & software.
Winheads have been saying Windows is most secure
Splork is right... some smug Winheads have been on the brag lately that claim Windows is the most secure and even rubbing it in the nose of Macheads since this whole Flashback botnet news hit the scene. Basically saying "Microsoft takes security seriously and Apple does not!". I have seen it here and on Cnet in the various articles that usually start these entertaining flamewars.
What?
@ye,
So tell me where in the article it says this is (in your words) "Windows malware". This article starts off saying the exploit is cross platform and never says it's "Windows malware". The statement that Macs can't be infected by "Windows malware" is true. Doesn't mean they are immune to all malware, just malware that targets the Windows platform.
Re:What?
Now I couldn't brag "Windows don't get Mac's malwares" anymore.
Sad day.
A small problem
The real problem for Macs is Apple installed Java by default (until very late 2010) - their own "special" edition that is months behind in bug fixes and patches. That makes them a lot more vulnerable. For the vast majority of the world's computer users, java is just coffee as it's never been near their Windows computer.
Nice going Splork!
Wear those negative votes like a badge of honor.
Aw, you guys are too nice
I'm touched.
Kind of a deceptive argument.
If you were told that, say, 10% of the populations of both Spain (~46 million) and the USA (~313 million) believed the world was flat, would you claim that the US population was less intelligent, because over 31 million Americans believed that but only 4.6 million Spaniards did... or would you recognize that, because the percentages are equal, that their populations have the [b]same[/b] chance of believing in such an obvious fallacy?