Cross-platform Trojan attacks Windows, Intel Macs, Linux

Summary: A second cross-platform Trojan downloader has been discovered that detects if you're running Windows, Mac OS X, or Linux, and then downloads the corresponding malware for your platform. Unlike the first one, which supported PowerPC Macs, this one targets Intel x86 Macs.


Earlier this week I wrote about a new cross-platform Trojan downloader that detects if you're running Windows, Mac OS X, or Linux, and then downloads the corresponding malware for your platform. At the time, I noted that the Mac payload for that particular attack was a PowerPC binary, meaning it required Rosetta on an Intel-based platform to execute. A second attack has been discovered that includes an Intel x86 payload for Macs. Today's news shows that the first find wasn't an isolated incident.

Just like last time, the Trojan downloader checks your operating system so it can pick which malware to download onto your computer. The Web-based social engineering attack relies on a malicious Java applet to install backdoors on Windows, Mac, and Linux computers. When you first visit such a compromised site, you are prompted to install the Java applet, which unsurprisingly hasn't been signed with a certificate. If you do so, the applet checks which operating system you have (Windows, Mac OS X, or Linux) and then drops a corresponding Trojan for your platform.

F-Secure, which first found the Web exploit, detects the initial malware as Trojan-Downloader:Java/GetShell.A. The respective payloads for Windows, Mac, and Linux are detected as follows: Backdoor:W32/TES.A, Backdoor:OSX/TESrel.A, and Backdoor:Linux/GetShell.A. The Trojan downloader was written using the Social-Engineer Toolkit (SET), an open-source and publicly-available Python tool designed for penetration testing.

The security firm says the payloads remain the same, with only their implementations changed. The Windows payload now takes the form of shellcode, executed using the SET module shellcodeexec.binary, but its behavior is the same. Instead of connecting to a remote server to get additional shellcode to execute (which then opens a reverse shell), the OS X binary immediately opens a reverse shell, which attackers can then leverage with ease. The Linux binary remains the same except that it uses a different server.
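
As an added example (not from the article or from F-Secure), the chain described above, a Java process writing a file, launching it, and that child opening an outbound connection, can be correlated in endpoint telemetry the same way on all three platforms. The event format, process names, host names, paths and addresses below are constructed assumptions for illustration.

```python
import re

JAVA_IMAGES = {"java", "java.exe", "javaw.exe"}  # assumption: Java runtime process names

# Constructed telemetry (not from the article): (ts, host, type, pid, ppid, target)
EVENTS = [
    (1, "win-01", "process_start", 410, 300, r"C:\Program Files\Java\jre\bin\javaw.exe"),
    (2, "win-01", "file_write",    410, 300, r"C:\Users\a\AppData\Local\Temp\upd.exe"),
    (3, "win-01", "process_start", 522, 410, r"C:\Users\a\AppData\Local\Temp\upd.exe"),
    (4, "win-01", "net_connect",   522, 410, "192.0.2.10:443"),
    (1, "mac-01", "process_start", 80, 1, "/usr/bin/java"),
    (2, "mac-01", "file_write",    80, 1, "/tmp/upd"),
    (3, "mac-01", "process_start", 91, 80, "/tmp/upd"),
    (4, "mac-01", "net_connect",   91, 80, "198.51.100.7:8080"),
    (1, "lin-01", "process_start", 70, 1, "/usr/bin/java"),
    (2, "lin-01", "file_write",    70, 1, "/home/a/.app/cache.log"),  # written, never run
    (3, "lin-01", "net_connect",   70, 1, "203.0.113.5:443"),         # Java itself, no child
]

def basename(path):
    """Last path component for both Windows and POSIX style paths."""
    return re.split(r"[\\/]", path)[-1].lower()

def find_java_droppers(events):
    """Return one alert per file that a Java process wrote and then executed."""
    java_pids = set()   # (host, pid) of Java runtime processes
    dropped = set()     # (host, path) of files written by those processes
    running = {}        # (host, pid) of an executed dropped file -> its alert
    alerts = []
    for ts, host, kind, pid, ppid, target in sorted(events, key=lambda e: e[0]):
        if kind == "process_start" and basename(target) in JAVA_IMAGES:
            java_pids.add((host, pid))
        elif kind == "file_write" and (host, pid) in java_pids:
            dropped.add((host, target))
        elif (kind == "process_start" and (host, target) in dropped
              and (host, ppid) in java_pids):
            running[(host, pid)] = {"host": host, "payload": target, "remote": None}
            alerts.append(running[(host, pid)])
        elif kind == "net_connect" and (host, pid) in running:
            # Outbound connection from the dropped child: possible reverse shell.
            running[(host, pid)]["remote"] = target
    return alerts

if __name__ == "__main__":
    for alert in find_java_droppers(EVENTS):
        print(alert)
```

The Linux host in the sample data produces no alert because its Java process only writes a log file and connects out itself, which keeps the rule focused on the write-then-execute pattern rather than on Java network activity in general.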

Malware writers love using a cross-platform plugin as an attack vector because it allows them to target more than one operating system, and thus more potential users. It shouldn't surprise you that Java is being used: the platform has loads of security holes, and it runs on all the major operating systems.


Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • 1 of many Rules

    If you didn’t go looking for it, don’t install it!
    • This is not what we were told

      by many Linux Fanbois. And some of them put stake on their reputation also. The other day somebody said only Windows Users would install malware when the topic was about Android malware.
      Ram U
      • swami.NET says it true

        He read it on the internet
        So that must make it true
        True as loud, noisy little boy blue
        Come toot your horn, little boy blue

    • How are naive computer users supposed to know these rules?

      That was the whole point of first OS X and then Linux: naive computer users could click willy nilly on links, executables, attachments, with absolutely no fear of ever being infected by malware. They didn't need to learn "1 of many rules".

      Huh. Turns out reality is more nuanced. Whodathunkit?

      PS Really daikon, you should take this as very good news. It means that Linux has now gained enough marketshare to be unsafe. Just more proof that Linux was only ever "secure" because it didn't have enough marketshare to be on the radar. Congrats, this must be a very happy day for you.
      • Malware is not a virus!

        Linux is very well-protected (not immune) to viruses, not all of the dangers and attacks and malwares (who dares to say such nonsense?!)
        And when exactly did Linux become an OS for stupid people?! You MS fans always say Linux is difficult for non-geek people, but now it has become an OS for noobs?! Plz enlighten me
        • Yes malware is not a virus!

          And when was the last time Windows was infected by a virus?
          • For instance worms are

            a kind of virus. Turn off your antivirus and see what happens to your system!
            But I can make a Trojan and you are stupid enough to use it! How in the hell can Linux protect you from your stupidity?!
          • When? Probably today

            As in, most of the existing viruses are still doing their dirty deeds. Odd that.
        • If the best thing you have

          Is a semantic argument over the meaning of words, it is really best to give up.

          The traditional computer virus doesn't exist any more...and hasn't existed in quite some has been at least 10 years since the last traditional virus was discovered in the is really time to stop using this lame argument.
          Doctor Demento
          • demento, memento stuxnet?

            Hey doctor,
            Both conficker and stuxnet could replicate themselves, so they were viruses as well.
          • If we are being pedantic, you have the wrong definition of a virus

            "Both conficker and stuxnet could replicate themselves"

            The ability to replicate is not the defining characteristic of a virus. Conficker and Stuxnet were NOT viruses.

            Stuxnet: worm

            Conficker: worm

            There have been no successful Windows viruses for over 10 years.
          • It depends on how you want to categorize them

            If you are really persistent to put worms into another category, so Linux is well protected (no one can say it is immune) against "worms and viruses" ;)
            Anyway, this new system sux, there are a lot of errors and we can't change or delete our comments!
          • Why?

            Viruses from 10+ years ago are still doing fine. Besides, it all depends on what you call a virus or not; even McAfee is somewhat sketchy on what it thinks is a virus or is a worm.

            Maybe you don't get out much, but there's a reason why these malware remover bits and bobs have virus (under whatever definition) signatures. Either that, or they're more than lazy and just keep building up a pile of useless information for their jollies.
        • Very good

          But not entirely accurate. A virus IS a form of malware... trojans, worms, and viruses are all forms of malware... so technically YES malware IS a virus. However there are not many systems that are affected by any sort of virus - trojans and worms are a different story and yes they CAN and have affected Mac and Linux based PCs as well as Windows based PCs.
      • Whole point???

        If you think the whole point of a platform is that it is totally immune from any danger from clicking links then you are somewhat deluded.

        The whole point of my computer is to do stuff.

        That stuff doesn't get interrupted by me having to deal with viruses cause I am using OS X.

        Yeah I could click on a malware link one day, but statistically speaking the chances of that happening are quite low.

        Statistically speaking the chances of a Windows computer getting malware or a virus are very high.

        The experience of the computer users I know and my own experience show this to be the case.

        Also since this is evidence of existing malware for OS X & Linux and not something new it does not represent the point at which the magic change you are claiming happens, it is more evidence that market share is a stupid argument.

        Mac malware started way way back.

        Look at where Norton & Symantec started their product line, it wasn't Windows.

        I used Symantec Anti-Virus on Macs decades ago when there were Mac viruses.

        Funny how Macs were there first, and Windows apologists are conveniently ignorant of where their wonderful technologies came from.

        While you are at it you may look at where Word & Excel started their existence. It wasn't Windows either.

        Apple gave you Word & Excel - now thank them for it.

        Macs are not yet to get attacked, they are yet to suffer a serious attack on the Windows scale.

        It's not Market Share, it may be stupidity of the malware writers I admit, and maybe the Mac will one day be attacked with great success.

        Security is always to some extent an illusion. I'll bet your house's defences no matter how well secured could be breached given enough effort.

        But for now in the real world It's still OS X for safety and reliability, and Windows would be a dumb choice.
      • Linux and Market Share.

        For the less informed, Linux has had a larger percentage of Web Server Market Share (almost 2 to 1) than Windows for several years now. So the idea of security through obscurity is really not an accurate statement. Let's be a little more informed on Web presence Market Share before we make an inaccurate statement. We all know that Windows has desktop Market Share locked up. But when we are talking Web Market Share, Windows is really falling far behind the various different OS's (Android {Linux}, Symbian, RIM, iOS, etc.). And let's face facts: where do we get Trojans, viruses, etc. from? Oh, that is right, they come from the Web.

        Here is a good site to help break down real OS usage.
      • Only if you believe FUD from anti-virus companies...

        ...whose prime source for being is creating sales...

        There's been no proof Linux desktops have been compromised by this.

        We only have todd's bottom and F-Secure's word for it and we all should know what they amount to.
      • Writing cross-platform malware is not hard.

        As people have been writing cross-platform software for years.
        The trick is getting the malware onto users' systems. It's an easy trick with Windows, as evidenced by the billions of Windows computers that have been infected with malware over the years. Go to one web site, don't even click on the site, and boom, Windows is owned.

        But, do you have any evidence there is even 1 infected Linux computer outside of a lab?
        Please provide links.
        And don't even bother using spam email as evidence, as it was recently shown, anything, and everything, in a spam email can be faked, so there is no reliable evidence there.
      • Most Linux users are not running under an administrator account

        They are also not conditioned to clicking yes to authorize everything even when they don't understand what they are authorizing. That said, there are a lot of Windows refugees coming into the Linux and Mac communities who are conditioned to be very susceptible to social engineering tricks like this. The seasoned Linux users would not have been in any danger from this social engineering tactic. A human weakness is not an indication of a weakness in the security of a system. Computers have to be able to run code or they will be indistinguishable from bricks in purpose. Give a user authority to run code and let him run malware code and no security in the world can protect the system.

        I know you know this. The question is: Why are you acting as if you don't?