McAfee yawns at pornographic OpenOffice virus sample

Anti-virus experts are giving a collective thumbs-down to a proof-of-concept virus targeting OpenOffice and StarOffice, dismissing the creation as a silly publicity stunt.

Sophos, an anti-virus company with headquarters in the U.K., first warned about the "in the wild" BadBunny sample, which infects the target when an OpenOffice Draw file is opened.

A macro included in the file performs different functions depending on whether you are running Windows, MacOS or Linux, Sophos said.

  • On Windows, the worm drops a file called drop.bad which is then moved to system.ini in your mIRC folder (if you have one) and also drops and executes badbunny.js which is a JavaScript virus that replicates to other files in the folder.
  • On MacOS, the worm drops one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb)
  • On Linux, the worm drops badbunny.py as an XChat script and also drops badbunny.pl which is a tiny Perl virus infecting other Perl files.

Sophos said the dropped XChat and mIRC scripts are used to replicate and distribute the virus, and they initiate DCC transfers to others of the original badbunny.odg OpenOffice file.
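The infection described above depends on a macro stored inside the Draw file, so a mail gateway or analyst can check an OpenDocument file for embedded macros before anyone opens it. The Python below is an added example, not code from Sophos, McAfee or the original article; the function names are hypothetical and both sample packages are constructed, harmless stand-ins built in memory.

```python
import io
import zipfile

# ODF files are ZIP packages. Executable content lives under these paths:
# Basic/ = StarBasic libraries, Scripts/ = other script languages.
MACRO_PREFIXES = ("Basic/", "Scripts/")
SCRIPT_URI = b"vnd.sun.star.script:"  # URI scheme used to bind events to macros


def inspect_odf(data):
    """Return (macro member names, True if content.xml references a script URI)."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        macros = sorted(n for n in names
                        if n.startswith(MACRO_PREFIXES) and not n.endswith("/"))
        bound = "content.xml" in names and SCRIPT_URI in pkg.read("content.xml")
    return macros, bound


def build_sample(with_macro):
    """Build a constructed, harmless .odg-like package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.graphics")
        content = "<office:document-content>"
        if with_macro:
            # Constructed event binding that points at a document-embedded macro.
            content += ('<script:event-listener script:event-name="dom:load" '
                        'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
                        '?language=Basic&amp;location=document"/>')
            pkg.writestr("Basic/Standard/Module1.xml",
                         "<script:module>REM constructed placeholder</script:module>")
        pkg.writestr("content.xml", content + "</office:document-content>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)),
                          ("macro", build_sample(True))):
        macros, bound = inspect_odf(sample)
        verdict = "REVIEW" if macros or bound else "ok"
        print(f"{label}: {verdict} macros={macros} event_binding={bound}")
```

A hit only means the document carries macro code; it does not identify BadBunny specifically, so flagged files still need review or an anti-virus scan.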

McAfee researcher Vinoo Thomas has written dismissively about BadBunny:

In all likelihood this virus will not be seen in the wild. Such proof of concepts are written more to show off the so-called elite skills of the author and are usually submitted to AntiVirus vendors by the virus authors to get media attention. Nowadays with all the keen media interest in computer security, all it takes is to add a bell or whistle and a little proof of concept makes headlines.

This virus group had previously released a proof of concept virus targeting StarOffice christened StarOffice/StarDust which downloaded a picture of the porn star Sylvia Saint. In this variant it downloads something on similar lines - a pornographic image of a man dressed as a rabbit making out with a scantily clad woman in the woods. Sigh!

Still, McAfee has released definition updates for the virus, which is programmed to launch denial-of-service attacks against a list of anti-virus vendor sites.

Talkback

7 comments
  • These "proof of concepts"

    are getting lamer and lamer. This proof of concept means that, if I browse to a website, click on a link and see a pornographic image, that fully qualifies as a worm. I am just glad that ZDnet is not full of these worms, oh no, wait, it is, there's a picture of some guy named Ryan at the top of the page, time to reformat the hard drive and re-install. :-D

    The last one was, if you download a script, give it execute permission and then run it as root, it will do bad things, therefore this qualifies as a proof-of-concept Linux virus, click here to buy our AV solution for Linux.

    Next thing you know, a web page that tells a person to reformat their drive, and they do it will be classified as a proof-of-concept Trojan.

    TripleII
  • Gee try and play it down some more

    So Open Office is exploitable - big surprise.

    I'm more surprised by the effort to pretend this isn't a problem. If it was MS anything then people would be predicting the end of the world. Either tone down your reaction to MS problems or beef up your reaction to this one.
    TonyMcS
    • It isn't that big a deal...

      A year ago we saw the Stardust virus, which was the first malware for StarOffice. That's the one which downloads the picture of the Czech porn star.

      Stardust and BadBunny aren't exploiting any software vulnerabilities. This is just the way that macros are designed to work. It's the user who decides whether they're going to allow the macro to execute or not.

      Yes, it is unusual in so much as most malware is targeted against Microsoft apps and OSes - so it is newsworthy from that point of view. But no-one should think that the sky is falling because of BadBunny. We've had no reports of any users being hit by this, and don't expect to.

      This is just one drop of water in a thunderstorm of malware.

      Regards
      Graham Cluley, Senior technology consultant, Sophos
      gcluley
      • Laughable Excuse!

        As if the vast majority of Windows exploits recently didn't require user input as well?

        "This is just the way that macros are designed to work. It's the user who decides whether they're going to allow the macro to execute or not."

        I guess we can now take social engineering off the list of malware...
        rkuhn040172@...
  • Sophos agrees it isn't a threat

    As we noted in our official announcement, SB/BadBunny-A is not spreading in the wild. Some media reports have incorrectly suggested that it is - although we made clear that the closest it would ever get in the wild is by the photograph being taken in woodland.

    The virus writing gang behind this one (the D00MRiderz VX group) seem to have written this just to show off their continuing interest in all things OpenOffice/StarBasic. We've seen several examples of malware from them in the past - none of which have proved a threat. In many ways this is a throwback to the days of old when viruses were electronic graffiti. Now they're usually driven by money rather than testosterone.

    By the way, great blog Ryan. Me and the guys at SophosLabs always enjoy reading it.

    Regards
    Graham Cluley, senior technology consultant, Sophos
    gcluley
  • PLAIN ENGLISH!!!!!

    CAN'T YOU FOLKS SPEAK IN PLAIN ENGLISH THAT A LAY-PERSON CAN UNDERSTAND? YOUR ARTICLE: "McAfee YAWNS AT PORNOGRAPHIC OpenOffice VIRUS" MAKES NO SENSE TO ME! WHAT THE HELL ARE YOU TALKING ABOUT? I'VE ABOUT HAD IT WITH ZDNET AND I'M ABOUT READY TO UNSUBSCRIBE! TALK TO YOUR WRITERS AND CONTRIBUTORS AND LET THEM KNOW UNLESS THE AVERAGE PERSON UNDERSTANDS...IT'S NOTHING BUT DRIBBLE!
    dillyb
  • Yawn

    McAfee is just another Symantec. Trust them as much as the other one. FYI, PLAIN ENGLISH, don't use caps, it is the same as yelling and people tend to ignore you. If this article is that difficult for you to understand, then perhaps you should get some remedial reading help.
    Mr Roboto